Support intermediate certs in keyvault jca #41303

rujche · 2024-07-26T13:57:01Z

Description

Fix #39715, #39590

Reproduce the issue

Create certificate chain (root -> intermediate -> leaf). Refs: https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/
Add root cert into ${JAVA_HOME}/lib/security/cacerts.
Create leaf-bundle by leaf private key, leaf certificate, intermediate certificate, root certificate. download-from-keyvault.pem is just an example of leaf-bundle
Upload leaf-bundle to Key Vault.
Sign and validate a jar file by leaf-bundle. Refs: 1. Integrate KeyVault JCA provider with Jarsigner, 2. jarsigner.
Confirm that this log appears: This jar contains entries whose certificate chain is not validated..

Confirm issue fixed

Build azure-security-keyvault-jca-2.9.0-beta.3.jar with the changes in this PR.
Sign and validate jar as before, the log (This jar contains entries whose certificate chain is not validated.) not exist anymore.
The whole process example can be seen below: Support intermediate certs in keyvault jca #41303 (comment)

About Key Vault endpoint

After upload the leaf-bundle to Key Vault, the certificate endpoint response (CertificateBundle#cer) only contains 1 certificate (the leaf certificate in leaf-bundle).
The secret endpoint response (SecretBundle#value) contains all certificates (leaf, intermediate, root).
The SecretBundle#value has 2 types: application/x-pem-file and application/x-pkcs12. I added the response sample in this PR for test purpose: download-from-keyvault.pem and download-from-keyvault.pfx.txt.

Why add dependency bcpkix-lts8on?

Please refer to 88dbeaf, without this commit, certificate chain in SecretBundle.value/pkcs12-non-exportable-key.pfx can not be loaded.

Why add java.security.Provider

It's used to make KeyVaultJcaProvider can be searched by ServiceLoader. Refs: How to Implement a Provider

Why `exports com.azure.security.keyvault.jca.implementation.signature to java.base;`?

To fix #39590. Without this line, it will have error when create related instance. Here is the screenshot:

Confirmed that the issue will be fixed after exports com.azure.security.keyvault.jca.implementation.signature to java.base.

About test files

All test files in src/test/resources/certificate-util/SecretBundle.value folder contain the (base64-encoded) text returned by (SecretBundle#value) endpoint.
The 4 test files named by pem/pkcs12 and exportable/non-exportable are mapping to related configuration in Azure Portal. They are mainly used to test these kinds of certificates can be handled successfully.

3-certificates-in-chain.pem and 3-certificates-in-chain.pfx12 are created manually, then upload to Azure Key Vault, then retrieved by (SecretBundle#value) endpoint. They have 3 certificates in certificate chain. They are mainly used to test all certificates in certificate chain can be loaded successfully.

Test files in src/test/resources/certificate-util/downloaded-from-portal are downloaded from portal

pem-exportable-key.pem and pem-non-exportable-key.pem under downloaded-from-portal folder are identical the same-name files in SecretBundle.value folder.
pkcs12-exportable-key.pfx and pkcs12-non-exportable-key.pfx under downloaded-from-portal are binary file. same-name files in SecretBundle.value folder are (base64-encoded) text files. So they are NOT identical.

All SDK Contribution checklist:

The pull request does not introduce [breaking changes]
CHANGELOG is updated for new features, bug fixes or other significant changes.
I have read the contribution guidelines.

General Guidelines and Best Practices

Title of the pull request is clear and informative.
There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

Pull request includes test coverage for the included changes.

…assPath, SpecificPath.

rujche · 2024-07-26T14:01:46Z

/azp run java - keyvault - tests

azure-pipelines · 2024-07-26T14:02:06Z

Azure Pipelines successfully started running 1 pipeline(s).

azure-sdk · 2024-07-26T14:12:48Z

API change check

APIView has identified API level changes in this PR and created following API reviews.

com.azure:azure-security-keyvault-jca

rujche · 2024-07-27T01:45:13Z

The failure of java - keyvault - tests is not caused by this PR. The main branch is keep failing for more than one week for the same reason.

Link to pipeline.

Screenshot:

Hi, @g2vinay .
Could you please help to fix the failure of java - keyvault - tests in main branch?

…hen cert has un-exportable key.

rujche · 2024-07-30T02:12:01Z

The whole process of verify:

Import root certificate.

$ keytool -import -alias rootCA -keystore "C:\Program Files\Microsoft\jdk-17.0.11.9-hotspot\lib\security\cacerts" -file myCA/rootCA/certs/ca.cert.pem
Warning: use -cacerts option to access cacerts keystore
Enter keystore password:  xxx
Owner: CN=Root CA, OU=IT Department, O=Example Corp, L=Sam Francisco, ST=California, C=US
Issuer: CN=Root CA, OU=IT Department, O=Example Corp, L=Sam Francisco, ST=California, C=US
Serial number: 24bb2a6692662129063fd2cf572da11c634ee489
Valid from: Wed Jul 24 21:02:30 CST 2024 until: Tue Jul 19 21:02:30 CST 2044
Certificate fingerprints:
         SHA1: CD:46:CB:C0:8C:A6:D0:CF:AB:C1:31:11:FA:67:24:37:70:B7:8D:A2
         SHA256: DC:F8:58:89:0B:9D:AE:7A:0F:33:AD:03:85:C9:F4:BC:9C:F0:8E:69:2E:98:D5:C7:43:31:09:DF:B1:8D:55:7D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0C C7 9E BC D0 DE EE 00   99 2C F8 20 5D 94 35 14  .........,. ].5.
0010: BE 63 88 52                                        .c.R
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen: no limit
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0C C7 9E BC D0 DE EE 00   99 2C F8 20 5D 94 35 14  .........,. ].5.
0010: BE 63 88 52                                        .c.R
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Sign.

$ jarsigner \
    -keystore NONE \
    -storetype AzureKeyVault \
    -signedjar signedjar.jar \
    unsigned.jar pfxchain \
    -verbose  \
    -storepass "" \
    -providerName AzureKeyVault \
    -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
    -J--module-path="." \
    -J--add-modules="com.azure.security.keyvault.jca" \
    -J-Dazure.keyvault.uri=https://rujchekeyvault.vault.azure.net/ \
    -J-Dazure.keyvault.tenant-id=xxx \
    -J-Dazure.keyvault.client-id=xxx \
    -J-Dazure.keyvault.client-secret=xxx
Jul 30, 2024 10:01:55 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://rujchekeyvault.vault.azure.net/
Jul 30, 2024 10:01:55 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://rujchekeyvault.vault.azure.net/certificates?api-version=7.1
Jul 30, 2024 10:01:57 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/4c144ff2-e2e0-49b2-8dcf-00fb87794406
Jul 30, 2024 10:01:57 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Jul 30, 2024 10:01:59 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: pfxchain
Jul 30, 2024 10:02:01 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: pfxchain
Jul 30, 2024 10:02:02 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: pfxchain
Jul 30, 2024 10:02:04 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://rujchekeyvault.vault.azure.net/
Jul 30, 2024 10:02:04 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://rujchekeyvault.vault.azure.net/certificates?api-version=7.1
Jul 30, 2024 10:02:05 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/4c144ff2-e2e0-49b2-8dcf-00fb87794406
Jul 30, 2024 10:02:05 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Jul 30, 2024 10:02:06 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: pfxchain
Jul 30, 2024 10:02:08 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: pfxchain
Jul 30, 2024 10:02:09 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: pfxchain
Jul 30, 2024 10:02:11 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://rujchekeyvault.vault.azure.net/
Jul 30, 2024 10:02:11 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://rujchekeyvault.vault.azure.net/certificates?api-version=7.1
Jul 30, 2024 10:02:12 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/4c144ff2-e2e0-49b2-8dcf-00fb87794406
Jul 30, 2024 10:02:12 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Jul 30, 2024 10:02:13 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: pfxchain
Jul 30, 2024 10:02:16 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: pfxchain
Jul 30, 2024 10:02:17 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: pfxchain
 updating: META-INF/MANIFEST.MF
   adding: META-INF/PFXCHAIN.SF
   adding: META-INF/PFXCHAIN.RSA
  signing: META-INF/native-image/com.azure/azure-security-keyvault-keys/proxy-config.json
  signing: META-INF/native-image/com.azure/azure-security-keyvault-keys/reflect-config.json
  signing: META-INF/native-image/com.azure/azure-security-keyvault-keys/resource-config.json
  signing: META-INF/maven/com.azure/azure-security-keyvault-keys/pom.xml
  signing: META-INF/maven/com.azure/azure-security-keyvault-keys/pom.properties
   adding: com/
   adding: com/azure/
   adding: com/azure/security/
   adding: com/azure/security/keyvault/
   adding: com/azure/security/keyvault/keys/
   adding: com/azure/security/keyvault/keys/cryptography/
   adding: com/azure/security/keyvault/keys/cryptography/implementation/
   adding: com/azure/security/keyvault/keys/cryptography/models/
   adding: com/azure/security/keyvault/keys/implementation/
   adding: com/azure/security/keyvault/keys/implementation/models/
   adding: com/azure/security/keyvault/keys/models/
  signing: azure-key-vault-keys.properties
  signing: com/azure/security/keyvault/keys/cryptography/CryptographyAsyncClient.class
 ...
  signing: com/azure/security/keyvault/keys/models/ReleaseKeyResult.class
  signing: module-info.class

>>> Signer
    X.509, CN=signer, OU=IT Department, O=Example Corp, L=San Francisco, ST=California, C=US
    Signature algorithm: SHA256withRSA, 4096-bit key
    [trusted certificate]
    X.509, CN=Intermediate CA, OU=IT Department, O=Example Corp, ST=California, C=US
    Signature algorithm: SHA256withRSA, 4096-bit key
    [certificate is valid from 24/07/2024, 9:03 pm to 22/07/2034, 9:03 pm]
    X.509, CN=Root CA, OU=IT Department, O=Example Corp, L=Sam Francisco, ST=California, C=US
    Signature algorithm: SHA256withRSA, 4096-bit key
    [trusted certificate]

jar signed.

Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2034-07-22).

The signer certificate will expire on 2034-07-22.

Verify.

$ jarsigner -verify -verbose -certs signedjar.jar

s      26366 Tue Jul 30 10:02:18 CST 2024 META-INF/MANIFEST.MF

      >>> Signer
      X.509, CN=signer, OU=IT Department, O=Example Corp, L=San Francisco, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 25/07/2024, 10:21 am to 23/07/2034, 10:21 am]
      X.509, CN=Intermediate CA, OU=IT Department, O=Example Corp, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 24/07/2024, 9:03 pm to 22/07/2034, 9:03 pm]
      X.509, CN=Root CA, OU=IT Department, O=Example Corp, L=Sam Francisco, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [trusted certificate]

       26349 Tue Jul 30 10:02:18 CST 2024 META-INF/PFXCHAIN.SF
        5428 Tue Jul 30 10:02:18 CST 2024 META-INF/PFXCHAIN.RSA
           0 Tue Jul 23 21:54:28 CST 2024 META-INF/
           0 Tue Jul 23 21:54:04 CST 2024 META-INF/native-image/
           0 Tue Jul 23 21:54:04 CST 2024 META-INF/native-image/com.azure/
           0 Tue Jul 23 21:54:04 CST 2024 META-INF/native-image/com.azure/azure-security-keyvault-keys/
           0 Tue Jul 23 21:54:28 CST 2024 META-INF/maven/
           0 Tue Jul 23 21:54:28 CST 2024 META-INF/maven/com.azure/
           0 Tue Jul 23 21:54:28 CST 2024 META-INF/maven/com.azure/azure-security-keyvault-keys/
           0 Tue Jul 23 21:54:10 CST 2024 com/
           0 Tue Jul 23 21:54:10 CST 2024 com/azure/
           0 Tue Jul 23 21:54:10 CST 2024 com/azure/security/
           0 Tue Jul 23 21:54:10 CST 2024 com/azure/security/keyvault/
           0 Tue Jul 23 21:54:14 CST 2024 com/azure/security/keyvault/keys/
           0 Tue Jul 23 21:54:14 CST 2024 com/azure/security/keyvault/keys/cryptography/
           0 Tue Jul 23 21:54:14 CST 2024 com/azure/security/keyvault/keys/cryptography/implementation/
           0 Tue Jul 23 21:54:12 CST 2024 com/azure/security/keyvault/keys/cryptography/models/
           0 Tue Jul 23 21:54:14 CST 2024 com/azure/security/keyvault/keys/implementation/
           0 Tue Jul 23 21:54:14 CST 2024 com/azure/security/keyvault/keys/implementation/models/
           0 Tue Jul 23 21:54:14 CST 2024 com/azure/security/keyvault/keys/models/
sm        96 Tue Jun 11 15:21:16 CST 2024 META-INF/native-image/com.azure/azure-security-keyvault-keys/proxy-config.json

      >>> Signer
      X.509, CN=signer, OU=IT Department, O=Example Corp, L=San Francisco, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 25/07/2024, 10:21 am to 23/07/2034, 10:21 am]
      X.509, CN=Intermediate CA, OU=IT Department, O=Example Corp, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 24/07/2024, 9:03 pm to 22/07/2034, 9:03 pm]
      X.509, CN=Root CA, OU=IT Department, O=Example Corp, L=Sam Francisco, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [trusted certificate]
...
sm       772 Tue Jul 23 21:54:28 CST 2024 module-info.class

      >>> Signer
      X.509, CN=signer, OU=IT Department, O=Example Corp, L=San Francisco, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 25/07/2024, 10:21 am to 23/07/2034, 10:21 am]
      X.509, CN=Intermediate CA, OU=IT Department, O=Example Corp, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [certificate is valid from 24/07/2024, 9:03 pm to 22/07/2034, 9:03 pm]
      X.509, CN=Root CA, OU=IT Department, O=Example Corp, L=Sam Francisco, ST=California, C=US
      Signature algorithm: SHA256withRSA, 4096-bit key
      [trusted certificate]


  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=signer, OU=IT Department, O=Example Corp, L=San Francisco, ST=California, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key

jar verified.

Warning:
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2034-07-22).

The signer certificate will expire on 2034-07-22.

Delete root certificate.

$ keytool -delete -alias rootCA -keystore "C:\Program Files\Microsoft\jdk-17.0.11.9-hotspot\lib\security\cacerts"
Warning: use -cacerts option to access cacerts keystore
Enter keystore password:  xxx

$ keytool -list -keystore "C:\Program Files\Microsoft\jdk-17.0.11.9-hotspot\lib\security\cacerts"
Warning: use -cacerts option to access cacerts keystore
Enter keystore password:  xxx

Compare jar file before and after sign.

…hed by java.util.ServiceLoader.

rujche · 2024-07-30T12:11:06Z

Hi, @saragluna , please help to review this PR.

...-jca/src/main/java/com/azure/security/keyvault/jca/implementation/utils/CertificateUtil.java

...ault/azure-security-keyvault-jca/src/main/resources/META-INF/services/java.security.Provider

rujche · 2024-08-04T13:01:06Z

Hi, @saragluna , please help to review this PR.

3millionminds · 2024-09-05T12:21:23Z

Any ETA on merging this?
jarsigner is unable to sign anything with non-exportable keys without this fix

Thanks,

sdk/keyvault/.gitignore

3millionminds · 2024-09-09T06:57:02Z

I tried building this PR and looks like there's a problem still with signing.

┌─╼[azure-sdk-for-java] [intermediate-cert-in-jca ●] 
└────╼ pwd
/home/alex/Documents/azure-sdk-for-java

┌─╼[azure-sdk-for-java] [intermediate-cert-in-jca ●] 
└────╼ mvn -X clean install -f eng/code-quality-reports/pom.xml >> ~/cqr.log

cqr.log
build.log

jarsigner   -keystore NONE -storetype AzureKeyVault \
            -signedjar signedjar.jar SignMe.jar "███████████" \
            -verbose  -storepass "" \
            -providerName AzureKeyVault \
            -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
            -J--module-path="./azure-security-keyvault-jca-2.9.0-beta.3.jar" \
            -J--add-modules="com.azure.security.keyvault.jca" \
            -J-Dazure.keyvault.uri="███████████" \
            -J-Dazure.keyvault.tenant-id="███████████" \
            -J-Dazure.keyvault.client-id="███████████" \
            -J-Dazure.keyvault.client-secret="███████████"

Sep 09, 2024 9:51:48 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://███████████.vault.azure.net/
Sep 09, 2024 9:51:48 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://███████████.vault.azure.net/certificates?api-version=7.1
Sep 09, 2024 9:51:48 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/███████████
Sep 09, 2024 9:51:48 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Sep 09, 2024 9:51:49 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getAccessTokenByHttpRequest
WARNING: Could not obtain access token to authenticate with.
java.lang.IllegalAccessError: class com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ext.OptionalHandlerFactory (in module com.azure.security.keyvault.jca) cannot access class org.w3c.dom.Node (in module java.xml) because module com.azure.security.keyvault.jca does not read module java.xml
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ext.OptionalHandlerFactory.<clinit>(OptionalHandlerFactory.java:56)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findOptionalStdDeserializer(BasicDeserializerFactory.java:1850)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findDefaultDeserializer(BasicDeserializerFactory.java:2151)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.findStdDeserializer(BeanDeserializerFactory.java:183)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.createBeanDeserializer(BeanDeserializerFactory.java:131)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:450)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:394)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:295)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:273)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:173)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:669)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:5036)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4906)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3848)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3816)
        at [email protected]/com.azure.security.keyvault.jca.implementation.utils.JsonConverterUtil.fromJson(JsonConverterUtil.java:38)
        at [email protected]/com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil.getAccessToken(AccessTokenUtil.java:146)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessTokenByHttpRequest(KeyVaultClient.java:201)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:175)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAliases(KeyVaultClient.java:223)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificates(KeyVaultCertificates.java:156)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificatesIfNeeded(KeyVaultCertificates.java:145)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.getAliases(KeyVaultCertificates.java:104)
        at [email protected]/com.azure.security.keyvault.jca.KeyVaultKeyStore.<init>(KeyVaultKeyStore.java:151)
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
        at java.base/java.security.Provider$Service.newInstanceOf(Provider.java:1938)
        at java.base/java.security.Provider$Service.newInstanceUtil(Provider.java:1945)
        at java.base/java.security.Provider$Service.newInstance(Provider.java:1920)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:1799)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:1709)
        at java.base/sun.security.tools.KeyStoreUtil.getCacertsKeyStore(KeyStoreUtil.java:137)
        at jdk.jartool/sun.security.tools.jarsigner.Main.loadKeyStore(Main.java:2189)
        at jdk.jartool/sun.security.tools.jarsigner.Main.run(Main.java:303)
        at jdk.jartool/sun.security.tools.jarsigner.Main.main(Main.java:138)

Sep 09, 2024 9:51:49 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://███████████.vault.azure.net/
Sep 09, 2024 9:51:49 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://███████████.vault.azure.net/certificates?api-version=7.1
Sep 09, 2024 9:51:49 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/███████████
Sep 09, 2024 9:51:49 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Sep 09, 2024 9:51:49 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getAccessTokenByHttpRequest
WARNING: Could not obtain access token to authenticate with.
java.lang.NoClassDefFoundError: Could not initialize class com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ext.OptionalHandlerFactory
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findOptionalStdDeserializer(BasicDeserializerFactory.java:1850)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findDefaultDeserializer(BasicDeserializerFactory.java:2151)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.findStdDeserializer(BeanDeserializerFactory.java:183)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.createBeanDeserializer(BeanDeserializerFactory.java:131)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:450)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:394)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:295)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:273)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:173)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:669)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:5036)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4906)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3848)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3816)
        at [email protected]/com.azure.security.keyvault.jca.implementation.utils.JsonConverterUtil.fromJson(JsonConverterUtil.java:38)
        at [email protected]/com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil.getAccessToken(AccessTokenUtil.java:146)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessTokenByHttpRequest(KeyVaultClient.java:201)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:175)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAliases(KeyVaultClient.java:223)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificates(KeyVaultCertificates.java:156)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificatesIfNeeded(KeyVaultCertificates.java:145)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.getAliases(KeyVaultCertificates.java:104)
        at [email protected]/com.azure.security.keyvault.jca.KeyVaultKeyStore.<init>(KeyVaultKeyStore.java:151)
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
        at java.base/java.security.Provider$Service.newInstanceOf(Provider.java:1938)
        at java.base/java.security.Provider$Service.newInstanceUtil(Provider.java:1945)
        at java.base/java.security.Provider$Service.newInstance(Provider.java:1920)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:1799)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:1709)
        at java.base/sun.security.tools.KeyStoreUtil.getCacertsKeyStore(KeyStoreUtil.java:137)
        at jdk.jartool/sun.security.tools.jarsigner.Main.loadKeyStore(Main.java:2189)
        at jdk.jartool/sun.security.tools.jarsigner.Main.run(Main.java:303)
        at jdk.jartool/sun.security.tools.jarsigner.Main.main(Main.java:138)
Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.IllegalAccessError: class com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ext.OptionalHandlerFactory (in module com.azure.security.keyvault.jca) cannot access class org.w3c.dom.Node (in module java.xml) because module com.azure.security.keyvault.jca does not read module java.xml [in thread "main"]
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ext.OptionalHandlerFactory.<clinit>(OptionalHandlerFactory.java:56)
        ... 35 more

Sep 09, 2024 9:51:49 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://███████████.vault.azure.net/
Sep 09, 2024 9:51:49 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://███████████.vault.azure.net/certificates?api-version=7.1
Sep 09, 2024 9:51:50 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/███████████
Sep 09, 2024 9:51:50 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Sep 09, 2024 9:51:50 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient getAccessTokenByHttpRequest
WARNING: Could not obtain access token to authenticate with.
java.lang.NoClassDefFoundError: Could not initialize class com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ext.OptionalHandlerFactory
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findOptionalStdDeserializer(BasicDeserializerFactory.java:1850)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findDefaultDeserializer(BasicDeserializerFactory.java:2151)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.findStdDeserializer(BeanDeserializerFactory.java:183)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.createBeanDeserializer(BeanDeserializerFactory.java:131)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:450)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:394)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:295)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:273)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:173)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:669)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:5036)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4906)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3848)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3816)
        at [email protected]/com.azure.security.keyvault.jca.implementation.utils.JsonConverterUtil.fromJson(JsonConverterUtil.java:38)
        at [email protected]/com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil.getAccessToken(AccessTokenUtil.java:146)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessTokenByHttpRequest(KeyVaultClient.java:201)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:175)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAliases(KeyVaultClient.java:223)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificates(KeyVaultCertificates.java:156)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificatesIfNeeded(KeyVaultCertificates.java:145)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.getAliases(KeyVaultCertificates.java:104)
        at [email protected]/com.azure.security.keyvault.jca.KeyVaultKeyStore.<init>(KeyVaultKeyStore.java:151)
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
        at java.base/java.security.Provider$Service.newInstanceOf(Provider.java:1938)
        at java.base/java.security.Provider$Service.newInstanceUtil(Provider.java:1945)
        at java.base/java.security.Provider$Service.newInstance(Provider.java:1920)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
        at java.base/java.security.Security.getImpl(Security.java:658)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:919)
        at jdk.jartool/sun.security.tools.jarsigner.Main.loadKeyStore(Main.java:2208)
        at jdk.jartool/sun.security.tools.jarsigner.Main.run(Main.java:303)
        at jdk.jartool/sun.security.tools.jarsigner.Main.main(Main.java:138)
Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.IllegalAccessError: class com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ext.OptionalHandlerFactory (in module com.azure.security.keyvault.jca) cannot access class org.w3c.dom.Node (in module java.xml) because module com.azure.security.keyvault.jca does not read module java.xml [in thread "main"]
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ext.OptionalHandlerFactory.<clinit>(OptionalHandlerFactory.java:56)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findOptionalStdDeserializer(BasicDeserializerFactory.java:1850)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findDefaultDeserializer(BasicDeserializerFactory.java:2151)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.findStdDeserializer(BeanDeserializerFactory.java:183)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.createBeanDeserializer(BeanDeserializerFactory.java:131)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:450)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:394)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:295)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:273)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:173)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:669)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:5036)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4906)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3848)
        at [email protected]/com.azure.security.keyvault.jca.implementation.shaded.com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3816)
        at [email protected]/com.azure.security.keyvault.jca.implementation.utils.JsonConverterUtil.fromJson(JsonConverterUtil.java:38)
        at [email protected]/com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil.getAccessToken(AccessTokenUtil.java:146)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessTokenByHttpRequest(KeyVaultClient.java:201)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:175)
        at [email protected]/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAliases(KeyVaultClient.java:223)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificates(KeyVaultCertificates.java:156)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificatesIfNeeded(KeyVaultCertificates.java:145)
        at [email protected]/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.getAliases(KeyVaultCertificates.java:104)
        at [email protected]/com.azure.security.keyvault.jca.KeyVaultKeyStore.<init>(KeyVaultKeyStore.java:151)
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
        at java.base/java.security.Provider$Service.newInstanceOf(Provider.java:1938)
        at java.base/java.security.Provider$Service.newInstanceUtil(Provider.java:1945)
        at java.base/java.security.Provider$Service.newInstance(Provider.java:1920)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:1799)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:1709)
        at java.base/sun.security.tools.KeyStoreUtil.getCacertsKeyStore(KeyStoreUtil.java:137)
        at jdk.jartool/sun.security.tools.jarsigner.Main.loadKeyStore(Main.java:2189)
        ... 2 more

jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: AZUREKEYVAULT not found

…t/.gitignore to sdk/keyvault/azure-security-keyvault-jca/.gitignore.

… module java.xml" by adding "requires java.xml" in module-info.java.

rujche · 2024-09-10T05:54:06Z

Hi, @3millionminds .
Thank for the detailed information about the problem.

Now the problem has been reproduced and fixed in f403bdf

...eyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java

eponerine · 2024-11-18T22:07:26Z

@rujche - sorry to reopen this issue, but can you confirm that this PR was actually included in the 2.9.0 release? I don't see any reference to java.xml in 2.9.0's classes and we are still getting the error jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: AZUREKEYVAULT not found

For reference, this is the commit:
f403bdf

I think it'll be included in the 2.10.0 release? Any idea when we can expect this to show up in Maven?
https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md

rujche · 2024-11-19T01:42:16Z

@rujche - sorry to reopen this issue, but can you confirm that this PR was actually included in the 2.9.0 release? I don't see any reference to java.xml in 2.9.0's classes and we are still getting the error jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: AZUREKEYVAULT not found

For reference, this is the commit: f403bdf

I think it'll be included in the 2.10.0 release? Any idea when we can expect this to show up in Maven? https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md

Hi, @eponerine
Our current plan is to release 2.9.1 around the end of this month, which will include the bug fix.

And of course, the bug fix will be included in 2.10.0. But now there is no plan about when to release 2.10.0.

eponerine · 2024-11-19T01:50:50Z

OK thank you very much. We'll keep our eyes open for the new release. Feel free to close this again.

rujche · 2024-11-30T06:46:49Z

Hi, @eponerine
FYI: Now 2.10.0 has been releases.
Refs: https://mvnrepository.com/artifact/com.azure/azure-security-keyvault-jca/2.10.0

rujche added 3 commits July 26, 2024 17:33

Construct the whole cert chain for the certs stored in Key Vault.

d111396

Update test: SpecificPathCertificatesTest

b683db5

Support intermediate certificate for other 3 types of source: JRE, Cl…

6ef5a80

…assPath, SpecificPath.

rujche requested review from Netyyyy, saragluna and moarychan as code owners July 26, 2024 13:57

github-actions bot added the azure-spring All azure-spring related issues label Jul 26, 2024

Delete useless java doc.

fb771e6

Add test files retrieve from Azure Key Vault.

e8e850b

rujche requested review from vcolin7, g2vinay and a team as code owners July 28, 2024 11:34

rujche added 2 commits July 29, 2024 22:51

Resolve problem: loadCertificatesFromSecretBundleValuePKCS12 failed w…

88dbeaf

…hen cert has un-exportable key.

Fix version error reported by .\pom_file_version_scanner.ps1.

90a94b1

rujche added 2 commits July 30, 2024 15:54

Make com.azure.security.keyvault.jca.KeyVaultJcaProvider can be searc…

f1b8f1c

…hed by java.util.ServiceLoader.

Fix Azure#39590

2a5621e

rujche mentioned this pull request Jul 30, 2024

[BUG] jarsigner sign failed when using certs with non-exportable key #39590

Closed

3 tasks

saragluna self-assigned this Jul 31, 2024

saragluna added this to the 2024-09 milestone Jul 31, 2024

saragluna reviewed Jul 31, 2024

View reviewed changes

...-jca/src/main/java/com/azure/security/keyvault/jca/implementation/utils/CertificateUtil.java Outdated Show resolved Hide resolved

saragluna reviewed Jul 31, 2024

View reviewed changes

...ault/azure-security-keyvault-jca/src/main/resources/META-INF/services/java.security.Provider Show resolved Hide resolved

rujche changed the title ~~Fix bug: Intermediate certs not loaded in keyvault jca~~ Support intermediate certs in keyvault jca Jul 31, 2024

rujche mentioned this pull request Aug 1, 2024

[FEATURE REQ] Azure Keyvault JAR Signer missing Intermediate Cert Chain #39715

Closed

Change some methods from "public" to privater".

f70396c

Merge branch 'main' into intermediate-cert-in-jca

e6def01

saragluna mentioned this pull request Aug 20, 2024

Migrated Key Vault JCA library to use azure-json serialization/deserialization #41508

Merged

saragluna approved these changes Sep 6, 2024

View reviewed changes

rujche commented Sep 6, 2024

View reviewed changes

sdk/keyvault/.gitignore Outdated Show resolved Hide resolved

rujche added 4 commits September 10, 2024 09:40

Move test pfx files related git ignore configuration from sdk/keyvaul…

62122d7

…t/.gitignore to sdk/keyvault/azure-security-keyvault-jca/.gitignore.

Fix error about "module com.azure.security.keyvault.jca does not read…

f403bdf

… module java.xml" by adding "requires java.xml" in module-info.java.

Throw NullPointerException if secrets response is null.

c7b4229

Merge branch 'main' into intermediate-cert-in-jca

1214809

saragluna reviewed Sep 10, 2024

View reviewed changes

...eyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java Show resolved Hide resolved

saragluna approved these changes Sep 10, 2024

View reviewed changes

rujche merged commit ba6a04f into Azure:main Sep 10, 2024
19 checks passed

rujche deleted the intermediate-cert-in-jca branch September 10, 2024 06:44

This was referenced Sep 11, 2024

Rename test cert file suffix to avoid alert #41784

Closed

[BUG] jarsigner + jca reports that entries in certificate chain are invalid #41832

Closed

mssfang pushed a commit that referenced this pull request Sep 13, 2024

Support intermediate certs in keyvault jca (#41303)

22dfa90

rujche mentioned this pull request Sep 19, 2024

Intermediate certificate not loaded from the keyvault using JCA in tomcat #41906

Closed

jairmyree pushed a commit to jairmyree/azure-sdk-for-java that referenced this pull request Sep 23, 2024

Support intermediate certs in keyvault jca (Azure#41303)

906d510

backwind1233 mentioned this pull request Nov 21, 2024

jarsigner: Certificate chain not found for: <certificate>. <certificate> must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain. backwind1233/AzureDocs#4

Open

rujche added the azure-spring-jca label Nov 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support intermediate certs in keyvault jca #41303

Support intermediate certs in keyvault jca #41303

rujche commented Jul 26, 2024 •

edited by saragluna

Loading

rujche commented Jul 26, 2024

azure-pipelines bot commented Jul 26, 2024

azure-sdk commented Jul 26, 2024 •

edited

Loading

rujche commented Jul 27, 2024

rujche commented Jul 30, 2024

rujche commented Jul 30, 2024

rujche commented Aug 4, 2024

3millionminds commented Sep 5, 2024

3millionminds commented Sep 9, 2024

rujche commented Sep 10, 2024

eponerine commented Nov 18, 2024

rujche commented Nov 19, 2024

eponerine commented Nov 19, 2024

rujche commented Nov 30, 2024

Support intermediate certs in keyvault jca #41303

Support intermediate certs in keyvault jca #41303

Conversation

rujche commented Jul 26, 2024 • edited by saragluna Loading

Description

Reproduce the issue

Confirm issue fixed

About Key Vault endpoint

Why add dependency bcpkix-lts8on?

Why add java.security.Provider

Why exports com.azure.security.keyvault.jca.implementation.signature to java.base;?

About test files

All SDK Contribution checklist:

General Guidelines and Best Practices

Testing Guidelines

rujche commented Jul 26, 2024

azure-pipelines bot commented Jul 26, 2024

azure-sdk commented Jul 26, 2024 • edited Loading

rujche commented Jul 27, 2024

rujche commented Jul 30, 2024

rujche commented Jul 30, 2024

rujche commented Aug 4, 2024

3millionminds commented Sep 5, 2024

3millionminds commented Sep 9, 2024

rujche commented Sep 10, 2024

eponerine commented Nov 18, 2024

rujche commented Nov 19, 2024

eponerine commented Nov 19, 2024

rujche commented Nov 30, 2024

rujche commented Jul 26, 2024 •

edited by saragluna

Loading

Why `exports com.azure.security.keyvault.jca.implementation.signature to java.base;`?

azure-sdk commented Jul 26, 2024 •

edited

Loading