
[BUG] jarsigner + jca fails to sign when key vault happens to include "certificates" in the name #42162

Closed · 3 tasks done
peter-griffiths opened this issue Oct 2, 2024 · 3 comments · Fixed by #42522

Labels: Client (This issue points to a problem in the data-plane of the library), customer-reported (Issues that are reported by GitHub users external to the Azure organization), KeyVault, needs-team-attention (Workflow: This issue needs attention from Azure service team or SDK team), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)

Comments


peter-griffiths commented Oct 2, 2024

Describe the bug
The key vault JCA library is unable to sign JARs using a certificate stored in an Azure Key Vault whose name contains the string "certificates". This is due to the library being unable to extract the correct certificate alias for certificates stored in the vault. The user-facing result of this silent failure is the error `jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: AZUREKEYVAULT not found`.

Exception or Stack Trace
Full command and verbose output for an attempt to sign the jar "myjar.jar" with the certificate "mycert" stored in the vault "mycertificates":

```
jarsigner \
-keystore NONE \
-storetype "AzureKeyVault" \
-signedjar signerjar.jar \
"myjar.jar" \
"mycert" \
-verbose \
-storepass "" \
-J-Djava.security.properties=java.security \
-J--module-path="azure-security-keyvault-jca-2.8.2.jar" \
-J--add-modules="com.azure.security.keyvault.jca" \
-J-Dazure.keyvault.uri=https://mycertificates.vault.azure.net/ \
-J-Dazure.keyvault.tenant-id=<tenant_id> \
-J-Dazure.keyvault.client-id=<client_id> \
-J-Dazure.keyvault.client-secret=<client_secret>
```

```
Oct 02, 2024 1:43:24 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://mycertificates.vault.azure.net/
Oct 02, 2024 1:43:24 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Oct 02, 2024 1:43:26 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: vault.azure.net/certificates/mycert
Oct 02, 2024 1:43:26 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://mycertificates.vault.azure.net/
Oct 02, 2024 1:43:26 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Oct 02, 2024 1:43:26 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: vault.azure.net/certificates/mycert
Oct 02, 2024 1:43:26 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://mycertificates.vault.azure.net/
Oct 02, 2024 1:43:26 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Oct 02, 2024 1:43:26 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: vault.azure.net/certificates/mycert
jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: AZUREKEYVAULT not found
```

To Reproduce
Attempt to sign a JAR using a certificate stored in an Azure vault with a name containing "certificates", e.g. "mycertificates":

```
jarsigner \
-keystore NONE \
-storetype "AzureKeyVault" \
-signedjar signerjar.jar \
"myjar.jar" "mycert" \
-verbose -storepass "" \
-J-Djava.security.properties=java.security \
-J--module-path="azure-security-keyvault-jca-2.8.2.jar" \
-J--add-modules="com.azure.security.keyvault.jca" \
-J-Dazure.keyvault.uri=https://mycertificates.vault.azure.net/ \
-J-Dazure.keyvault.tenant-id=<tenant_id> \
-J-Dazure.keyvault.client-id=<client_id> \
-J-Dazure.keyvault.client-secret=<client_secret>
```

Code Snippet
This line in KeyVaultClient.java:

```java
String alias = id.substring(id.indexOf("certificates") + "certificates".length() + 1);
```

For the string `https://mycertificates.vault.azure.net/certificates/mycert`, this results in the invalid alias `vault.azure.net/certificates/mycert` rather than the expected `mycert`.

Expected behavior
The key vault name should not have any impact on the ability to code sign using certificates stored in it.

Setup (please complete the following information):

  • OS: Windows
  • Library/Libraries: com.azure:azure-security-keyvault-jca:2.8.2
  • Java version: 11/21

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
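To make the failure mode concrete, here is a small added demonstration (not code from the azure-sdk-for-java project, and not the fix that shipped in #42522) that runs the quoted `indexOf` line against a vault named `mycertificates` beside a parse that derives the alias from the URL path only, so the hostname can never bleed into the alias. The `parsedAlias` method and its version handling are this example's own assumptions.

```java
import java.net.URI;

public final class KeyVaultAliasDemo {

    // The line quoted from KeyVaultClient.java (azure-security-keyvault-jca 2.8.2).
    // indexOf() stops at the FIRST "certificates", which for a vault named
    // "mycertificates" sits inside the hostname, not in the URL path.
    static String buggyAlias(String id) {
        return id.substring(id.indexOf("certificates") + "certificates".length() + 1);
    }

    // Assumed hardened variant: parse the id as a URI and only look at the path,
    // which for a Key Vault certificate id is "/certificates/<name>[/<version>]".
    // Anything else is rejected instead of being silently turned into a bad alias.
    static String parsedAlias(String id) {
        String path = URI.create(id).getPath();          // hostname is excluded here
        String[] segs = path == null ? new String[0] : path.split("/");
        // "/certificates/mycert" splits into ["", "certificates", "mycert"]
        if (segs.length < 3 || !segs[0].isEmpty()
                || !"certificates".equals(segs[1]) || segs[2].isEmpty()) {
            throw new IllegalArgumentException("not a Key Vault certificate id: " + id);
        }
        return segs[2];                                  // the certificate name only
    }

    public static void main(String[] args) {
        // Constructed sample ids; the second one is the case reported in this issue.
        String[] ids = {
            "https://myvault.vault.azure.net/certificates/mycert",
            "https://mycertificates.vault.azure.net/certificates/mycert",
        };
        for (String id : ids) {
            System.out.println(id);
            System.out.println("  buggy  alias: " + buggyAlias(id));   // 2nd id -> vault.azure.net/certificates/mycert
            System.out.println("  parsed alias: " + parsedAlias(id));  // both ids -> mycert
        }
        try {
            parsedAlias("https://mycertificates.vault.azure.net/keys/mykey"); // wrong collection
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The `getKey` log line in the issue ("Getting key for alias: vault.azure.net/certificates/mycert") is exactly what `buggyAlias` produces for the second id, which is why a vault whose name merely contains the word can never resolve its certificates.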

github-actions bot commented Oct 2, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.


vcolin7 commented Oct 22, 2024

Could you take a look at this issue when you get a chance @saragluna, @rujche? Thanks!


rujche commented Oct 23, 2024

> Could you take a look at this issue when you get a chance @saragluna, @rujche? Thanks!

@vcolin7 Sure, will do.

@rujche rujche added this to the 2024-11 milestone Oct 23, 2024
@rujche rujche moved this from Untriaged to In PR in Azure SDK for Key Vault Oct 23, 2024
@github-project-automation github-project-automation bot moved this from In PR to Done in Azure SDK for Key Vault Oct 23, 2024