[FEATURE REQ] Azure Keyvault JAR Signer missing Intermediate Cert Chain #39715
Comments
Same here @wpabon123. Are you able to solve the problem?
I was able to validate that the jarsigner has no record of the lower-level cert in the local keystore. The higher CA is fine, is present in the local keystore and it gets recognized by the -verify process. But because of new requirements that will not allow the lower-level cert from leaving the Key Vault, the -verify will not see it unless you verify against the Key Vault, and then the warning goes away. This is problematic since you will be required to provide access to the customer to check that the code signing cert is valid. Problem is, this defeats the purpose of protecting the code signing cert in Key Vault, since the verify will try to find a trace in the local keystore. I'm researching an option to sync from Azure to the local keystore but I do not have definite results yet. I'll post more info once I complete my tests.
@vcolin7 please follow up with @wpabon123 and @ThatCheck on this GitHub issue; thank you
Adding @saragluna from the team that owns this package. @wpabon123, are you not able to get the lower-level certificate out of the Key Vault, or are you not allowed to by the new requirements you mentioned?
No, per new requirements the lower one stays secure in the FIPS hardware. That is why the -verify fails with the warning for the lower level when checking the chain of trust.
Yes, the cert chain validation is missing from the library; we could add that.
Did you find an answer for this? I am finding the same issue using a DigiCert code signing request that is stored in Azure Key Vault. I converted the p7b to base64 as per the Azure requirement, which should have preserved the cert chain. However, when I sign a JAR file using jarsigner, it only has the code signing cert in the signer when I verify. This is causing Oracle EBS to treat JARs as unsigned, as the SignerCA is DigiCert on the users' desktops, not my OU.
FYI: This issue will be solved by this PR: #41303 |
I'm using KeyVault jarsigner provider version 2.8.1. The signing works fine but when I verify the JAR file, I get the error that the chain trust cannot be verified. The code signing cert was created by DigiCert. That cert has the full chain of trust so no idea why the jarsigner is not capturing the whole chain of trust.
This is the error message I receive:
"This jar contains entries whose certificate chain is not validated."
Sounds to me like this could be an issue associated with the Java versions used, but not sure.
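The jarsigner warning quoted above only says that the chain could not be validated; it does not say which certificates were actually embedded in the JAR. The question in this thread is whether the signature block carries only the leaf code-signing cert or the intermediates too, and that is something you can check directly from the JAR, offline, without any keystore or Key Vault access. The following script is an added example and is not code from this issue, the azure-sdk-for-java project, or the Key Vault jarsigner provider. It opens the JAR with the standard library, locates the PKCS#7 signature block files (META-INF/*.RSA, *.DSA, *.EC), walks the DER structure of the CMS SignedData with a small hand-written TLV reader, and counts the X.509 certificates in the optional `[0] certificates` set. The `build_sample_jar` helper constructs a synthetic JAR whose signature block holds placeholder certificate SEQUENCEs so the script can be exercised without real signing keys; those placeholders, the file name `SIGNER.RSA` and the helper names are all assumptions for the demo.

```python
"""List how many certificates a JAR's signature block embeds (added example, not project code)."""
import io
import sys
import zipfile

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (signedData)
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 (data)
BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")               # signature block files jarsigner writes


def _read_tlv(buf, off):
    """Decode one DER TLV at buf[off:]; return (tag, value, offset after the element)."""
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not expected in a PKCS#7 signature block")
    off += 1
    first = buf[off]
    off += 1
    if first == 0x80:
        raise ValueError("indefinite length (BER) is not valid DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:end], end


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    off = 0
    while off < len(value):
        tag, inner, off = _read_tlv(value, off)
        yield tag, inner


def count_certificates(pkcs7_der):
    """Return the number of X.509 certificates carried in a PKCS#7/CMS SignedData blob."""
    tag, content_info, _ = _read_tlv(pkcs7_der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    parts = list(_children(content_info))
    if len(parts) != 2 or parts[0][0] != 0x06 or parts[0][1] != SIGNED_DATA_OID:
        raise ValueError("not a signedData ContentInfo")
    if parts[1][0] != 0xA0:
        raise ValueError("content must be [0] EXPLICIT")
    sd_tag, signed_data, _ = _read_tlv(parts[1][1], 0)
    if sd_tag != 0x30:
        raise ValueError("SignedData must be a SEQUENCE")
    # SignedData ::= version, digestAlgorithms, encapContentInfo,
    #                [0] IMPLICIT certificates OPTIONAL, [1] IMPLICIT crls OPTIONAL, signerInfos
    for tag, value in _children(signed_data):
        if tag == 0xA0:  # CertificateSet; each X.509 Certificate is a SEQUENCE (0x30)
            return sum(1 for t, _ in _children(value) if t == 0x30)
    return 0  # no certificates embedded at all


def signature_blocks(jar_bytes):
    """Map each signature block file name under META-INF/ to its raw DER bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()
                if n.startswith("META-INF/") and n.upper().endswith(BLOCK_SUFFIXES)}


def chain_report(jar_bytes):
    """Return {block_name: cert_count}; a count of 1 means only the leaf was embedded."""
    return {name: count_certificates(der) for name, der in signature_blocks(jar_bytes).items()}


def _der(tag, payload):
    """Minimal DER encoder (short and long length forms) used only to build the sample."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload


def build_sample_jar(n_certs):
    """Constructed sample (assumption): a JAR whose .RSA block holds n_certs placeholder certs."""
    # Each placeholder is a SEQUENCE wrapping a PrintableString, long enough to need long-form lengths.
    fake_certs = b"".join(_der(0x30, _der(0x13, f"placeholder cert {i} ".encode() * 8))
                          for i in range(n_certs))
    signed_data = _der(0x30,
                       _der(0x02, b"\x01")                      # version
                       + _der(0x31, b"")                         # digestAlgorithms (empty in sample)
                       + _der(0x30, _der(0x06, DATA_OID))        # encapContentInfo: id-data
                       + (_der(0xA0, fake_certs) if n_certs else b"")
                       + _der(0x31, b""))                        # signerInfos (empty in sample)
    content_info = _der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.RSA", content_info)
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) == 2 else build_sample_jar(1)
    for name, count in chain_report(data).items():
        verdict = "leaf only, intermediate chain not embedded" if count == 1 else f"{count} certificates"
        print(f"{name}: {verdict}")
```

Run it as `python check_jar_chain.py app.jar` against a JAR produced with the Key Vault provider; a count of 1 for the signature block confirms the symptom described in this thread (only the code-signing cert was embedded), whereas a JAR signed from a local keystore holding the full chain reports the leaf plus its intermediates. The reader can cross-check with `jarsigner -verify -verbose -certs app.jar`, which prints every certificate it finds in the signature block. The parser rejects BER indefinite lengths on purpose: jarsigner emits DER, and a block that does not parse as DER deserves a closer look rather than a silently wrong count.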