
Azure Keyvault JAR Signer missing Intermediate Cert Chain

Open wpabon123 opened this issue 1 year ago • 6 comments

I'm using KeyVault jarsigner provider version 2.8.1. The signing works fine but when I verify the JAR file, I get the error that the chain trust cannot be verified. The code signing cert was created by DigiCert. That cert has the full chain of trust so no idea why the jarsigner is not capturing the whole chain of trust.

This is the error message I receive: "This jar contains entries whose certificate chain is not validated."

Sounds to me like this could be an issue associated with the Java versions used, but I'm not sure.

wpabon123 avatar Apr 15 '24 17:04 wpabon123

Same here

@wpabon123 Are you able to solve the problem?

ThatCheck avatar Apr 23 '24 12:04 ThatCheck

I was able to validate that the jarsigner has no record of the lower-level cert in the local keystore. The higher CA is fine: it is present in the local keystore and it gets recognized by the -verify process. But because of new requirements that will not allow the lower-level cert to leave the KeyVault, the -verify will not see it unless you verify against the KeyVault, and then the warning goes away. This is problematic since you will be required to provide access to the customer to check that the code signing cert is valid.

Problem is, this defeats the purpose of protecting the code signing cert in KeyVault since the verify will try to find a trace in the local keystore. I'm researching an option to sync from Azure to the local keystore but I do not have definite results yet. I'll post more info once I complete my tests.

wpabon123 avatar Apr 23 '24 12:04 wpabon123
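A way to confirm what the previous comment describes, added here as an example (not code from this issue or from the azure-security-keyvault-jca library): it reads a signed JAR and lists, for each signer of each entry, the certificate path actually embedded in the signature block. A path of length 1 means only the leaf was written, so `jarsigner -verify` has to find the intermediate in the local keystore. The JAR path passed on the command line is an assumption.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarChainCheck {

    /** One signer's embedded chain for one JAR entry. */
    public record SignerChain(String entry, List<String> subjects, boolean endsAtSelfSigned) {}

    /** Returns the embedded certificate path of every signer of every signed, non-metadata entry. */
    public static List<SignerChain> inspect(String jarPath) throws Exception {
        List<SignerChain> result = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) { // verify=true: signatures are checked while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer information is only populated after the entry's bytes have been read through.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue; // unsigned entry
                for (CodeSigner s : signers) {
                    List<? extends Certificate> path = s.getSignerCertPath().getCertificates();
                    List<String> subjects = new ArrayList<>();
                    for (Certificate c : path) subjects.add(((X509Certificate) c).getSubjectX500Principal().getName());
                    X509Certificate last = (X509Certificate) path.get(path.size() - 1);
                    boolean selfSigned = last.getSubjectX500Principal().equals(last.getIssuerX500Principal());
                    result.add(new SignerChain(e.getName(), subjects, selfSigned));
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        for (SignerChain sc : inspect(args[0])) { // args[0]: path to the signed JAR (assumed)
            System.out.printf("%s: %d cert(s) embedded, chain ends at %s%n", sc.entry(), sc.subjects().size(),
                    sc.endsAtSelfSigned() ? "a self-signed root" : "a non-root cert");
            if (sc.subjects().size() == 1) System.out.println("  only the leaf is in the signature block");
        }
    }
}
```

If every entry reports a single embedded certificate, the warning from `-verify` is explained by the missing intermediate rather than by the local Java version.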

@vcolin7 please follow up with @wpabon123 and @ThatCheck on this GitHub issue; thank you.

joshfree avatar May 06 '24 16:05 joshfree

Adding @saragluna from the team that owns this package (com.azure:azure-security-keyvault-jca:2.8.1). Xiaolu, is there any way customers could sync the chain to verify so all certs are in the local keystore?

@wpabon123 Are you not able to get the lower-level certificate out of the Key Vault or are you not allowed to by the new requirements you mentioned?

vcolin7 avatar May 09 '24 19:05 vcolin7

No, per new requirements the lower-level cert stays secure in the FIPS hardware. That is why the -verify fails with the warning for the lower level when checking the chain of trust.

wpabon123 avatar May 09 '24 19:05 wpabon123

Yes, the cert chain validation is missing from the library; we could add that.

saragluna avatar May 16 '24 12:05 saragluna

Did you find an answer for this? I am finding the same issue using a DigiCert code signing certificate that is stored in Azure Key Vault. I converted the p7b to base64 as per the Azure requirement, which should have preserved the cert chain. However, when I sign a JAR file using jarsigner, it only has the code signing cert in the signer when I verify. This is causing Oracle EBS to treat JARs as unsigned, as the SignerCA is DigiCert on the users' desktops, not my OU.

KJW812 avatar Jul 23 '24 18:07 KJW812

FYI: This issue will be solved by this PR: https://github.com/Azure/azure-sdk-for-java/pull/41303

rujche avatar Aug 01 '24 12:08 rujche