[BUG] jarsigner + jca does not report 403 returned during sign with RSA-HSM key

[d-richter-qdt]

Describe the bug

• If service provider is missing permission for signing (Key Vault Crypto User role) but have permission to read certificate (Key Vault Certificate User role) signing finishes successfully but signature is not valid.

To Reproduce

• certificate with advanced policy config in Key vault:

  Extended Key Usages: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3
  X.509 Key Usage flags: Digital Signature, Key Encipherment
  Reuse key on renewal: NO
  Exportable Private Key: NO
  Key Type: RSA-HSM
  Key Size: 3072
  Enable Cert Transparency: NO

• sign jar with jarsigner and jca provider:

  jarsigner \
  -J-Djava.security.debug=jar \
  -keystore NONE \
  -storetype AzureKeyVault \
  -signedjar signed.jar $1 "REDACTED" \
  -verbose \
  -storepass "" \
  -providerName AzureKeyVault \
  -providerPath azure-security-keyvault-jca-2.9.0.jar \
  -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
  -J-Dazure.keyvault.uri=https://REDACTED.vault.azure.net/ \
  -J-Dazure.keyvault.tenant-id=REDACTED \
  -J-Dazure.keyvault.client-id=REDACTED \
  -J-Dazure.keyvault.client-secret=REDACTED

• verify signature

  jarsigner \
  -J-Djava.security.debug=jar \
  -verify \
  -verbose $1

  ...
  jar: beginEntry META-INF/<REDACTED>.RSA
  jar: processEntry: processing block
  jar: processEntry caught: java.security.SignatureException: Bad signature length: got 0 but was expecting 384
  jar: done with meta!
  ...
  WARNING: Signature is either not parsable or not verifiable, and the jar will be treated as unsigned. For more information, re-run jarsigner with debug enabled (-J-Djava.security.debug=jar).

Expected behavior

• ideally signing fails with hint about missing permission or at least logs error about receiving 403

Setup

• OS: Ubuntu 22.04
• IDE: bash
• Library/Libraries: com.azure:azure-security-keyvault-jca:2.9.0
• Java version: Zulu 21.0.5

Additional context

• it is caused by silently ignoring 403 response here:
  • https://github.com/Azure/azure-sdk-for-java/blob/ab2fdccc08946c9571424558700fce253118f4da/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/utils/HttpUtil.java#L144

Information Checklist Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

• [x] Bug Description Added
• [x] Repro Steps Added
• [x] Setup information Added

[github-actions[bot]]

Thank you for your feedback. Tagging and routing to the team member best able to assist.