Azure / azure-sdk-for-java


[FEATURE REQ] Azure Keyvault JAR Signer missing Intermediate Cert Chain #39715

Closed wpabon123 closed 1 month ago

wpabon123 commented 6 months ago

I'm using KeyVault jarsigner provider version 2.8.1. The signing works fine but when I verify the JAR file, I get the error that the chain trust cannot be verified. The code signing cert was created by DigiCert. That cert has the full chain of trust so no idea why the jarsigner is not capturing the whole chain of trust.

This is the error message I receive: "This jar contains entries whose certificate chain is not validated."

Sounds to me like this could be an issue associated with the Java versions used, but not sure.

ThatCheck commented 6 months ago

Same here

@wpabon123 Are you able to solve the problem?

wpabon123 commented 6 months ago

I was able to validate that the jarsigner has no record of the lower-level cert in the local keystore. The higher CA is fine, is present in the local keystore and it gets recognized by the -verify process. But because of new requirements that will not allow the lower-level cert from leaving the KeyVault, the -verify will not see it unless you verify against the KeyVault, and then the warning goes away. This is problematic since you will be required to provide the customer access to check that the code signing cert is valid.

Problem is, this defeats the purpose of protecting the code signing cert in KeyVault since the verify will try to find a trace in the local keystore. I'm researching an option to sync from Azure to the local keystore but I do not have definite results yet. I'll post more info once I complete my tests.

joshfree commented 5 months ago

@vcolin7 please follow up with @wpabon123 and @ThatCheck on this github issue; thank you

vcolin7 commented 5 months ago

Adding @saragluna from the team that owns this package (com.azure:azure-security-keyvault-jca:2.8.1). Xiaolu, is there any way customers could sync the chain to verify so all certs are in the local keystore?

@wpabon123 Are you not able to get the lower-level certificate out of the Key Vault or are you not allowed to by the new requirements you mentioned?

wpabon123 commented 5 months ago

No, per new requirements the lower stays secure in the FIPS Hardware. That is why the -verify fails with the warning for the lower level when checking the chain of trust.

saragluna commented 5 months ago

Yes, the cert chain validation is missing from the library; we could add that.

KJW812 commented 3 months ago

Did you find an answer for this? I am finding the same issue using a DigiCert code signing request that is stored in Azure Key Vault. I converted the p7b to base64 as per the Azure requirement, which should have preserved the cert chain. However, when I sign a JAR file using jarsigner it only has the code signing cert in the signer when I verify. This is causing Oracle EBS to treat JARs as unsigned, as the SignerCA is DigiCert on the users' desktops, not my OU.
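The symptom described in the comments above (only the leaf certificate in the signer block, so `-verify` cannot build the chain from the local keystore) can be confirmed without jarsigner. The following is an added example, not code from this issue or from the azure-security-keyvault-jca package: it opens a signed JAR, reports how many certificates each signer's signature block actually carries, and validates that chain against the JVM's default trust store. The class name and the command-line path argument are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

public class JarChainCheck {
    public static void main(String[] args) throws Exception {
        // Open with verify=true so entry digests/signatures are checked as entries are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            // Collect every distinct signer chain carried in the JAR's signature blocks.
            Map<String, CertPath> chains = new LinkedHashMap<>();
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // getCodeSigners() is only populated after the entry has been read in full.
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); }
                if (e.getCodeSigners() == null) { System.out.println("UNSIGNED " + e.getName()); continue; }
                for (CodeSigner s : e.getCodeSigners()) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    chains.putIfAbsent(leaf.getSubjectX500Principal().getName(), s.getSignerCertPath());
                }
            }
            // Trust anchors from the JVM's default trust store, i.e. the roots a local verifier has.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            Set<TrustAnchor> anchors = new HashSet<>();
            for (TrustManager tm : tmf.getTrustManagers())
                if (tm instanceof X509TrustManager)
                    for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) anchors.add(new TrustAnchor(c, null));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // offline check; enable revocation for real verification
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            for (Map.Entry<String, CertPath> c : chains.entrySet()) {
                List<? extends Certificate> certs = c.getValue().getCertificates();
                System.out.println("Signer: " + c.getKey() + " (" + certs.size() + " cert(s) in signature block)");
                if (certs.size() == 1)
                    System.out.println("  WARNING: only the leaf is present; intermediate CA certs were not embedded");
                try {
                    validator.validate(c.getValue(), params);
                    System.out.println("  chain validates against the default trust store");
                } catch (CertPathValidatorException ex) {
                    System.out.println("  chain does NOT validate: " + ex.getMessage());
                }
            }
        }
    }
}
```

A JAR signed with only the leaf embedded will show one certificate per signer and fail PKIX validation unless the intermediate happens to be in the local trust store, which matches the warning jarsigner prints.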

rujche commented 2 months ago

FYI: This issue will be solved by this PR: https://github.com/Azure/azure-sdk-for-java/pull/41303