GoogleCloudPlatform / kms-integrations

https://cloud.google.com/kms
Apache License 2.0

[kmsp11] Incomplete Certificate Chain for Signatures generated via Jarsigner (SunPKCS11) #34

Open bbamsch opened 4 months ago

bbamsch commented 4 months ago

When using kmsp11 for Java signing via SunPKCS11, the certificate chain is resolved by querying the PKCS#11 library implementation for each certificate up to and including the self-signed root certificate.

While it is possible to specify multiple certificates in the kmsp11 library configuration, the kmsp11 library implementation appears to refuse to serve certificates via the PKCS#11 interface for certificates that do not have a matching Cloud KMS Crypto Key in the key_ring identified in the config.

As a result, signatures generated by jarsigner with kmsp11 (via SunPKCS11) are created with an incomplete set of certificates included in the signature metadata, and it is not possible to verify the generated signature without manually importing the intermediate and root certificate into the Java Keystore at the time of verification.
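A quick way to confirm the symptom described above is to inspect the PKCS#7 signature block that jarsigner writes into the JAR (`META-INF/<SIGNER>.RSA`) and check whether the embedded certificate list terminates in a self-signed root. The script below is an added example and is not part of the kms-integrations project or of this issue; it assumes only that `openssl` is on `PATH`. It treats a certificate whose subject equals its issuer as the root (a heuristic, not a full path validation), and `make_samples` constructs a throwaway root and leaf plus two PKCS#7 blocks, one with the leaf alone (the incomplete chain this issue reports) and one with the full chain, so the check can be exercised without Cloud KMS or jarsigner.

```shell
#!/bin/sh
# Added example, not project code: report whether a DER PKCS#7 block
# (such as META-INF/SIGNER.RSA from a signed JAR) carries a complete chain.
set -e

# Prints "complete" if one of the embedded certificates is self-signed
# (subject == issuer, the root heuristic), otherwise "incomplete".
chain_status() {
  p7="$1"
  tmp=$(mktemp -d)
  # Dump every certificate in the SignedData as PEM.
  openssl pkcs7 -inform DER -in "$p7" -print_certs -out "$tmp/bundle.pem" >/dev/null
  # Split the bundle into one file per certificate, dropping the
  # subject=/issuer= text lines that -print_certs interleaves.
  awk -v dir="$tmp" '
    /BEGIN CERTIFICATE/ { n++; out = 1 }
    out                 { print > (dir "/cert" n ".pem") }
    /END CERTIFICATE/   { out = 0 }' "$tmp/bundle.pem"
  status="incomplete"
  for c in "$tmp"/cert*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    # Strip the "subject="/"issuer=" prefixes; the remaining DN text is
    # formatted identically, so equality means self-signed.
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      status="complete"
    fi
  done
  rm -rf "$tmp"
  echo "$status"
}

# Constructed test data (hypothetical names): a self-signed root, a leaf
# signed by it, and two PKCS#7 blocks written into the given directory.
make_samples() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.pem" -subj "/CN=Example Root" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
    -out "$dir/leaf.csr" -subj "/CN=Example Signer" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/leaf.pem" -days 1 2>/dev/null
  # Leaf only: what an incomplete chain in the signature block looks like.
  openssl crl2pkcs7 -nocrl -certfile "$dir/leaf.pem" -outform DER \
    -out "$dir/leaf-only.p7b"
  # Leaf plus root: the complete chain a verifier can validate offline.
  cat "$dir/leaf.pem" "$dir/root.pem" > "$dir/chain.pem"
  openssl crl2pkcs7 -nocrl -certfile "$dir/chain.pem" -outform DER \
    -out "$dir/full-chain.p7b"
}

# Usage: sh check_chain.sh META-INF/SIGNER.RSA
if [ -n "${1:-}" ]; then
  chain_status "$1"
fi
```

Run it against the `.RSA` (or `.EC`/`.DSA`) block extracted from a JAR signed through kmsp11; an "incomplete" result is the condition this issue describes, and the verifying side will then need the intermediate and root supplied out of band.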