Closed grant-arqit closed 3 weeks ago
@chenrujun @moarychan @netyyyy @saragluna
Thank you for your feedback. Tagging and routing to the team member best able to assist.
In addition, the keytype I am testing with in the vault is RSA-HSM. Have re-run CLI and code solution tests again with RSASSA-PSS
sign algorithm as per README.md, but am seeing the same outcome.
Hi, We ran into the same problem today. Will this be fixed in the near future? Thanks!
Sorry for the late response.
I use the following code and it signs successfully:
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.zip.ZipFile;
import jdk.security.jarsigner.JarSigner;
import com.azure.security.keyvault.jca.KeyVaultJcaProvider;

// Register the provider first; without it no installed provider accepts a KeyVaultPrivateKey.
KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
Security.addProvider(provider);
String alias = "signer240727";
// keyVaultClient is an already-initialised Key Vault client (its construction is not shown here).
PrivateKey privateKey = (PrivateKey) keyVaultClient.getKey(alias, null);
Certificate certificate = keyVaultClient.getCertificate(alias);
JarSigner jarSigner = new JarSigner.Builder(new KeyStore.PrivateKeyEntry(privateKey, new Certificate[]{certificate}))
        .digestAlgorithm("SHA-256")
        .signatureAlgorithm("SHA256withRSA")
        .build();
try (ZipFile inZip = new ZipFile("C:\\Users\\rujche\\Work\\problem-investigation\\jca\\unsigned.jar");
     OutputStream outputStream = new FileOutputStream("C:\\Users\\rujche\\Work\\problem-investigation\\jca\\signedJar.jar")) {
    jarSigner.sign(inZip, outputStream);
}
Without the following 2 lines, I faced this error: No installed provider supports this key: com.azure.security.keyvault.jca.implementation.KeyVaultPrivateKey.
KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
Security.addProvider(provider);
Hi @rujche,
I am still running into the same problem. We have an Azure Key Vault with an older certificate + key pair which works completely fine. A few weeks ago we got a new, keyless certificate. This one still works with the AzureSignTool but not anymore with the jarsigner.
I am using this command:
jarsigner -keystore NONE -storetype AzureKeyVault \
  -signedjar C:\Users\generic\Desktop\testjar_after.jar C:\Users\generic\Desktop\testjar.jar "REDACTED" \
  -verbose -J-Djava.security.debug=jar \
  -storepass "" -sigalg SHA256withRSA \
  -providerName AzureKeyVault \
  -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
  -tsa http://timestamp.globalsign.com/tsa/r6advanced1 \
  -J--module-path="C:\utl\java\azure-security-keyvault-jca-2.8.1.jar" \
  -J--add-modules="com.azure.security.keyvault.jca" \
  -J-Dazure.keyvault.uri=REDACTED \
  -J-Dazure.keyvault.tenant-id=REDACTED \
  -J-Dazure.keyvault.client-id=REDACTED \
  -J-Dazure.keyvault.client-secret=REDACTED
Which yields: jarsigner: unable to sign jar: java.security.InvalidKeyException: No installed provider supports this key: com.azure.security.keyvault.jca.implementation.KeyVaultPrivateKey
The Key Type is RSA-HSM, The Key Size is 4096.
Any advice would be greatly appreciated.
As shown above, this is a bug which will be fixed by this commit in https://github.com/Azure/azure-sdk-for-java/pull/41303
Hi, @rujche Thanks so much!
Describe the bug
I have an issue signing jars with the com.azure.security.keyvault.jca.KeyVaultJcaProvider provider using a certificate with a non-exportable key.

Exception or Stack Trace
Using the jarsigner CLI tool I get the following error
From the coded solution

To Reproduce
Following the steps documented in https://github.com/backwind1233/AzureDocs/blob/main/AzureJavaSDK/JCA/integrate_keyvault_JCA_provider_with_jarsigner.md
I'm using the SHA256withRSA signature algorithm. See the same issue in JDK 17 and 21.
I see the same error with the coded solution (snippet below).
Debugging this code, it would appear that the KeyVaultPrivateKey is not a supported key type. The method supportsKeyClass inside the java.security.Provider module of the JDK expects keys to implement one of the following interfaces:
interface java.security.interfaces.RSAPrivateKey
interface java.security.interfaces.RSAPublicKey

Code Snippet
Test code

Expected behavior
I would expect KeyVaultPrivateKey to be recognised as a valid key class and for signing inside the key vault to be actioned.
Additional context
N/A
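The mechanism behind both the reporter's supportsKeyClass observation and rujche's "without these two lines" remark can be reproduced without Key Vault at all. The following Java program is an added example and is not code from the azure-sdk-for-java project: HandleOnlyPrivateKey stands in for KeyVaultPrivateKey (a PrivateKey whose material never leaves the HSM, so it implements neither RSAPrivateKey nor any encoded format), RemoteSignatureSpi and DemoRemoteProvider are hypothetical stand-ins for the provider's engine and provider classes, and the alias and data are constructed values. It first asks the JCA for SHA256withRSA with no provider registered, which reproduces the "No installed provider supports this key" InvalidKeyException because every installed Signature service's SupportedKeyClasses attribute names only the standard RSA key interfaces; it then registers the provider with Security.addProvider and signs successfully, because that provider's service declares the handle-only key class as supported.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureSpi;
import java.util.List;
import java.util.Map;

public class ProviderKeyClassDemo {

    // Hypothetical stand-in for KeyVaultPrivateKey: a handle to a key that lives in an HSM.
    // It implements PrivateKey but NOT java.security.interfaces.RSAPrivateKey, and it has no
    // encoded form, so the standard providers' supportsParameter() checks reject it.
    public static final class HandleOnlyPrivateKey implements PrivateKey {
        private final String alias;
        public HandleOnlyPrivateKey(String alias) { this.alias = alias; }
        @Override public String getAlgorithm() { return "RSA"; }
        @Override public String getFormat() { return null; }   // nothing to export
        @Override public byte[] getEncoded() { return null; }
        String alias() { return alias; }
    }

    // Hypothetical signature engine for that key. A real provider would send the digest to the
    // key service here; this stand-in returns a marker so the routing can be observed offline.
    public static final class RemoteSignatureSpi extends SignatureSpi {
        private HandleOnlyPrivateKey key;
        @Override protected void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
            throw new InvalidKeyException("verification is not part of this demo");
        }
        @Override protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
            if (!(privateKey instanceof HandleOnlyPrivateKey)) {
                throw new InvalidKeyException("expected HandleOnlyPrivateKey, got " + privateKey.getClass().getName());
            }
            key = (HandleOnlyPrivateKey) privateKey;
        }
        @Override protected void engineUpdate(byte b) { }
        @Override protected void engineUpdate(byte[] b, int off, int len) { }
        @Override protected byte[] engineSign() {
            // stand-in for the remote sign call; the HSM would return the real RSA signature
            return ("signed-by:" + key.alias()).getBytes(StandardCharsets.UTF_8);
        }
        @Override protected boolean engineVerify(byte[] sigBytes) { return false; }
        @Override protected void engineSetParameter(String param, Object value) { throw new InvalidParameterException(param); }
        @Override protected Object engineGetParameter(String param) { throw new InvalidParameterException(param); }
    }

    // Hypothetical provider. The SupportedKeyClasses attribute is what Provider.Service
    // consults when the JCA looks for a service that accepts a given key object.
    public static final class DemoRemoteProvider extends Provider {
        public DemoRemoteProvider() {
            super("DemoRemote", "1.0", "Demo provider for handle-only keys (hypothetical)");
            putService(new Service(this, "Signature", "SHA256withRSA",
                    RemoteSignatureSpi.class.getName(), List.of(),
                    Map.of("SupportedKeyClasses", HandleOnlyPrivateKey.class.getName())));
        }
    }

    public static void main(String[] args) throws Exception {
        PrivateKey key = new HandleOnlyPrivateKey("signer240727");            // constructed alias
        byte[] data = "unsigned.jar contents".getBytes(StandardCharsets.UTF_8); // constructed input

        // 1. Provider not registered: the JCA walks every installed Signature/SHA256withRSA
        //    service, none accepts this key class, and initSign fails with the issue's message.
        try {
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(key);
            System.out.println("unexpected: a provider accepted the key before registration");
        } catch (InvalidKeyException e) {
            System.out.println("before Security.addProvider: " + e.getMessage());
        }

        // 2. Register the provider (the two lines the thread points at) and sign again.
        Security.addProvider(new DemoRemoteProvider());
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(data);
        byte[] out = sig.sign();
        System.out.println("after Security.addProvider: provider=" + sig.getProvider().getName()
                + ", result=" + new String(out, StandardCharsets.UTF_8));
    }
}
```

Run it with plain `java ProviderKeyClassDemo.java` on JDK 17 or 21. The first step prints "No installed provider supports this key: ProviderKeyClassDemo$HandleOnlyPrivateKey", the same shape as the jarsigner failure above; the second prints provider=DemoRemote. Because Signature.getInstance picks the provider lazily at initSign time, the order of Security.addProvider relative to getInstance does not matter, but the provider must be installed before the key is handed to the JCA, which is why the jarsigner -providerClass route only works once the provider's service declares the Key Vault key class.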