azure-sdk-for-java: Jarsigner error with Azure Key Vault JCA
Query/Question Hi, We are trying to use jarsigner to sign a jar file using the certificate from Azure Key Vault Premium but getting the below error.
We have followed the instructions as it is but still doesn’t work. It is a self signed certificate generated using keytool. I was successful in signing locally using keystore.jks with jarsigner for the same certificate. But failing when trying to do via Azure Key Vault provider. Can you help me identify what am I missing? This will really help us build out a code signing workflow
Why is this not a Bug or a feature Request? There is a document on how to do this - https://github.com/backwind1233/AzureDocs/blob/main/AzureJavaSDK/JCA/integrate_keyvault_JCA_provider_with_jarsigner.md I want to understand what am I missing or doing incorrectly as I am getting an error when signing.
My command:
jarsigner -keystore NONE -storetype AzureKeyVault
-signedjar signerjar.jar <my_jar_file.jar>
-verbose -storepass ""
-providerName AzureKeyVault
-providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider
-J-Dazure.keyvault.uri=https://.vault.azure.net/
-J-Dazure.keyvault.tenant-id=***********
-J-Dazure.keyvault.client-id=************
-J-Dazure.keyvault.client-secret=*********************
Output and Error:
Picked up JAVA_TOOL_OPTIONS: -Djava.vendor="Sun Microsystems Inc."
Sep 20, 2023 1:28:38 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient
INFO: Using Azure Key Vault: https://.vault.azure.net/
Sep 20, 2023 1:28:38 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Sep 20, 2023 1:28:39 PM com.azure.security.keyvault.jca.implementation.utils.HttpUtil post
WARNING: Unable to finish the http post request.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165)
at com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140)
at com.azure.security.keyvault.jca.implementation.utils.HttpUtil.post(HttpUtil.java:95)
at com.azure.security.keyvault.jca.implementation.utils.HttpUtil.post(HttpUtil.java:70)
at com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil.getAccessToken(AccessTokenUtil.java:107)
at com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessTokenByHttpRequest(KeyVaultClient.java:213)
at com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:194)
at com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAliases(KeyVaultClient.java:233)
at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificates(KeyVaultCertificates.java:142)
at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificatesIfNeeded(KeyVaultCertificates.java:130)
at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.getAliases(KeyVaultCertificates.java:100)
at com.azure.security.keyvault.jca.KeyVaultKeyStore.(KeyVaultKeyStore.java:144)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.security.Provider$Service.newInstance(Provider.java:1595)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
at java.security.Security.getImpl(Security.java:698)
at java.security.KeyStore.getInstance(KeyStore.java:896)
at sun.security.tools.jarsigner.Main.loadKeyStore(Main.java:2038)
at sun.security.tools.jarsigner.Main.run(Main.java:273)
at sun.security.tools.jarsigner.Main.main(Main.java:128)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 43 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 49 more
jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: AZUREKEYVAULT not found
About this issue
- Original URL
- State: closed
- Created 9 months ago
- Comments: 23 (11 by maintainers)
Here are the steps that I followed leading up to the error:
Error:
Could you try with this repo https://github.com/saragluna/azure-security-kv-jca-fork/tree/main to see if the error still occurs? With the repo, you can either build the jar directly and use the jarsigner command, or try the code in one of the IDEs
I figured that the SSL handshake error that I was getting is due to my company TLS inspection and now I have imported the cert into JRE keystore and that error is resolved. Now I am getting a different error message as below:
Picked up JAVA_TOOL_OPTIONS: -Djava.vendor="Sun Microsystems Inc." Sep 22, 2023 11:59:56 AM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init> INFO: Using Azure Key Vault: https://appsecvault.vault.azure.net/ Sep 22, 2023 11:59:56 AM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken INFO: Getting access token using client ID / client secret jarsigner: Certificate chain not found for: codesigntest. codesigntest must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.