Comments (15)
Could anyone confirm whether this approach is possible?
from jsign.
If there is a java.security.KeyStore implementation wrapping the Azure KeyVault service (or a PKCS#11 interface), it would be trivial to integrate it with Jsign.
from jsign.
The Azure SDK has a JCA provider:
https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-jca
from jsign.
Good to know! Their example only uses it to fetch the certificate and key. In the signing scenario (with an EV cert, for example), your key is defined as not exportable, so you can never know it. Maybe they also support signing remotely through the JCA API.
Could anyone try to implement something? I can help with tests and the approach, but my Java knowledge doesn't allow me to do it by myself.
from jsign.
The Azure JCA provider is missing a Signature service, it looks like it is insufficient for signing files.
from jsign.
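The remote-signing shape the comments above describe (a key that is not exportable, so the file is hashed locally and only the digest is handed to a JCA Signature service that talks to the vault), as an added example in Java. This is not code from jsign or from the Azure SDK: the class names, the SigningService interface and the in-memory stand-in for the vault are all invented here, and the key id URL is a placeholder.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

/*
 * Added example (not jsign or Azure SDK code). A JCA Signature engine for a
 * non-exportable key: data is digested locally, the digest goes to a signing
 * service, and the private key never leaves that service.
 */
public class RemoteSignatureExample {

    /** What a vault or HSM exposes: sign a SHA-256 digest with the key named by keyId. */
    public interface SigningService {
        byte[] signDigest(String keyId, byte[] sha256Digest) throws GeneralSecurityException;
    }

    /** A PrivateKey handle carrying a key id only; getEncoded() returns null on purpose. */
    public static final class RemotePrivateKey implements PrivateKey {
        private final String keyId;
        public RemotePrivateKey(String keyId) { this.keyId = keyId; }
        public String getKeyId() { return keyId; }
        @Override public String getAlgorithm() { return "RSA"; }
        @Override public String getFormat() { return null; }
        @Override public byte[] getEncoded() { return null; }
    }

    /** Engine for "SHA256withRSA": buffers the data, hashes it, delegates the RSA step. */
    public static final class RemoteSignatureSpi extends SignatureSpi {
        private final SigningService service;
        private final ByteArrayOutputStream data = new ByteArrayOutputStream();
        private RemotePrivateKey key;

        public RemoteSignatureSpi(SigningService service) { this.service = service; }

        @Override protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
            if (!(privateKey instanceof RemotePrivateKey)) {
                throw new InvalidKeyException("expected a RemotePrivateKey handle");
            }
            key = (RemotePrivateKey) privateKey;
            data.reset();
        }
        @Override protected void engineUpdate(byte b) { data.write(b); }
        @Override protected void engineUpdate(byte[] b, int off, int len) { data.write(b, off, len); }
        @Override protected byte[] engineSign() throws SignatureException {
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(data.toByteArray());
                return service.signDigest(key.getKeyId(), digest);
            } catch (GeneralSecurityException e) {
                throw new SignatureException("remote signing failed", e);
            }
        }
        // Verification needs only the public key; leave it to the default provider.
        @Override protected void engineInitVerify(PublicKey k) throws InvalidKeyException {
            throw new InvalidKeyException("verify with the default provider");
        }
        @Override protected boolean engineVerify(byte[] sig) throws SignatureException {
            throw new SignatureException("verify with the default provider");
        }
        @Override protected void engineSetParameter(String p, Object v) { throw new InvalidParameterException(); }
        @Override protected Object engineGetParameter(String p) { throw new InvalidParameterException(); }
    }

    /** Provider registering the engine above under the JCA name "SHA256withRSA". */
    public static final class RemoteProvider extends Provider {
        public RemoteProvider(final SigningService service) {
            super("RemoteExample", 1.0, "SHA256withRSA backed by a remote signing service");
            putService(new Service(this, "Signature", "SHA256withRSA",
                    RemoteSignatureSpi.class.getName(), null, null) {
                @Override public Object newInstance(Object param) { return new RemoteSignatureSpi(service); }
            });
        }
    }

    /* Stand-in for the vault: an in-memory RSA key doing PKCS#1 v1.5 over the digest. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        final KeyPair vaultKey = kpg.generateKeyPair();
        SigningService fakeVault = (keyId, digest) -> {
            // DER DigestInfo prefix for SHA-256, required inside a PKCS#1 v1.5 signature.
            byte[] prefix = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
                              0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
            byte[] digestInfo = Arrays.copyOf(prefix, prefix.length + digest.length);
            System.arraycopy(digest, 0, digestInfo, prefix.length, digest.length);
            Signature raw = Signature.getInstance("NONEwithRSA");
            raw.initSign(vaultKey.getPrivate());
            raw.update(digestInfo);
            return raw.sign();
        };

        byte[] file = "constructed sample payload".getBytes(StandardCharsets.UTF_8);   // constructed input
        Signature signer = Signature.getInstance("SHA256withRSA", new RemoteProvider(fakeVault));
        signer.initSign(new RemotePrivateKey("https://myvault.vault.azure.net/keys/codesign/1"));   // placeholder id
        signer.update(file);
        byte[] signature = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");   // default provider, public key only
        verifier.initVerify(vaultKey.getPublic());
        verifier.update(file);
        System.out.println("signature valid: " + verifier.verify(signature));
    }
}
```

Against a real vault the SigningService implementation would send the digest to the service's sign endpoint with an access token and return the signature bytes it gets back; everything the signing library (here, whatever calls Signature.sign()) sees is the same. The point of the split is that a compromise of the build machine yields, at worst, signatures over what it submits, never the key.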
Great!! 🎉
from jsign.
@gillg Could you give it a try? I hope I got it right.
from jsign.
Yes, definitely! Maybe not today, but I'll keep you posted.
Could you just give me a valid jar release?
from jsign.
You can generate one with "mvn package -DskipTests"; the jar to use is jsign/target/jsign/jsign-4.0-SNAPSHOT.jar
from jsign.
Hello @ebourg!
I can test it and it seems to be almost working 👍
Calls to Azure seem OK
java -jar .\jsign-4.0-SNAPSHOT.jar `
--storetype AZUREKEYVAULT `
--keystore "$Vault" `
--alias "$Certif" `
--tsaurl "http://rfc3161timestamp.globalsign.com/advanced" `
--tsmode RFC3161 `
--alg SHA-256 `
--storepass "$(az account get-access-token --resource "https://vault.azure.net" --tenant $Tenant | ConvertFrom-Json | Select-Object -ExpandProperty accessToken)" `
--name "xxxxxxxxx" `
--url "https://www.xxxxxxxx.com" `
'.\Downloads\xxxxxxxxxxxxxxxxxx-v1.3.exe'
Adding Authenticode signature to .\Downloads\xxxxxxxxxxxxxxxx-v1.3.exe
jsign: Couldn't sign .\Downloads\xxxxxxxxxxxxxxxxxxxxxx-v1.3.exe
java.lang.IllegalArgumentException: Unknown signature type requested: SHA256WITHRSA-HSM
at net.jsign.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder.generate(Unknown Source)
at net.jsign.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder.find(Unknown Source)
at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder.<init>(Unknown Source)
at net.jsign.AuthenticodeSigner.createSignedDataGenerator(AuthenticodeSigner.java:403)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:366)
at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:338)
at net.jsign.SignerHelper.sign(SignerHelper.java:474)
at net.jsign.JsignCLI.execute(JsignCLI.java:113)
at net.jsign.JsignCLI.main(JsignCLI.java:40)
I don't know how, but maybe just mapping "SHA256WITHRSA-HSM" to "SHA256WITHRSA" should work. In fact it's just the same thing hosted in HSM hardware... 🤞
One other remark: I'm not sure it's a good idea to hardcode .vault.azure.net in --keystore. I'm not sure it can change, but in the official tools you have to provide it, and Microsoft is pretty fond of "on-premise" solutions with custom tenants and URLs.
from jsign.
Could you try again with this change please?
--- a/jsign-core/src/main/java/net/jsign/jca/AzureKeyVaultSigningService.java
+++ b/jsign-core/src/main/java/net/jsign/jca/AzureKeyVaultSigningService.java
@@ -126,7 +126,7 @@ public class AzureKeyVaultSigningService implements SigningService {
String kid = (String) response.get("kid");
Map policy = (Map) response.get("policy");
Map keyprops = (Map) policy.get("key_props");
- String algorithm = (String) keyprops.get("kty");
+ String algorithm = ((String) keyprops.get("kty")).replace("-HSM", "");
return new SigningServicePrivateKey(kid, algorithm);
} catch (AzureException | IOException e) {
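Review bot: the new line `String algorithm = ((String) keyprops.get("kty")).replace("-HSM", "");` throws a NullPointerException instead of a readable error when the key bundle carries no "kty", and it passes through any value that merely lacks the suffix, so an unsupported type only fails later as the "Unknown signature type requested" error shown in the trace above. Suggest reading the field into a local, rejecting null with an explicit message, and checking the stripped value against the types the service can sign with (RSA and EC) before constructing SigningServicePrivateKey; the unchecked casts of "policy" and "key_props" just above deserve the same treatment, since a ClassCastException there also surfaces with no hint about which vault response was malformed.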
Regarding the vault name, you are probably right. I think I'll add support for a URL in addition to the short form.
from jsign.
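The two points raised in the comments above, normalizing the key type reported by Key Vault ("RSA-HSM" is signed exactly like "RSA") and accepting a full vault URL as well as a short name, as an added example in Java. This is not jsign's code: the class and method names are invented, and the assumption that a bare vault name lives under the public-cloud suffix vault.azure.net is made for the example only.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/*
 * Added example, not jsign's code: derive the JCA signature algorithm and the
 * Key Vault "alg" parameter from the "kty" field of a key bundle, and accept
 * either a short vault name or a full vault URL. Names are invented; the default
 * DNS suffix for a bare vault name (public Azure cloud) is an assumption.
 */
public class KeyVaultSigningParams {

    public enum KeyType { RSA, EC }

    /** "RSA" / "RSA-HSM" -> RSA, "EC" / "EC-HSM" -> EC; anything else is rejected up front. */
    public static KeyType keyType(String kty) {
        if (kty == null || kty.isEmpty()) {
            throw new IllegalArgumentException("key bundle has no 'kty' field");
        }
        String base = kty.toUpperCase(Locale.ROOT);
        if (base.endsWith("-HSM")) {               // software- and HSM-backed keys sign the same way
            base = base.substring(0, base.length() - 4);
        }
        switch (base) {
            case "RSA": return KeyType.RSA;
            case "EC":  return KeyType.EC;
            default: throw new IllegalArgumentException("key type not usable for signing: " + kty);
        }
    }

    /** JCA name such as "SHA256withRSA" or "SHA384withECDSA", the form the algorithm finder expects. */
    public static String jcaSignatureAlgorithm(String digest, KeyType type) {
        return "SHA" + digestBits(digest) + "with" + (type == KeyType.RSA ? "RSA" : "ECDSA");
    }

    /** Key Vault sign-operation "alg": RS256/RS384/RS512 (PKCS#1 v1.5) or ES256/ES384/ES512. */
    public static String keyVaultAlg(String digest, KeyType type) {
        return (type == KeyType.RSA ? "RS" : "ES") + digestBits(digest);
    }

    private static String digestBits(String digest) {
        String d = digest.toUpperCase(Locale.ROOT).replace("-", "");   // "SHA-256" and "SHA256" both accepted
        if (!d.equals("SHA256") && !d.equals("SHA384") && !d.equals("SHA512")) {
            throw new IllegalArgumentException("unsupported digest: " + digest);
        }
        return d.substring(3);
    }

    /**
     * "myvault" -> https://myvault.vault.azure.net (assumed public-cloud suffix);
     * "myvault.vault.azure.net" or "https://myvault.vault.usgovcloudapi.net/" are kept as
     * given (host only, https enforced), so sovereign clouds and Managed HSM can be passed in full.
     */
    public static String vaultUrl(String keystore) {
        String s = keystore == null ? "" : keystore.trim();
        if (s.isEmpty()) {
            throw new IllegalArgumentException("vault name or URL is required");
        }
        if (!s.contains("://")) {
            s = "https://" + (s.contains(".") ? s : s + ".vault.azure.net");
        }
        try {
            URI uri = new URI(s);
            if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
                throw new IllegalArgumentException("vault must be an https URL: " + keystore);
            }
            return "https://" + uri.getHost() + (uri.getPort() == -1 ? "" : ":" + uri.getPort());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("invalid vault URL: " + keystore, e);
        }
    }

    public static void main(String[] args) {
        for (String kty : new String[] { "RSA", "RSA-HSM", "EC-HSM" }) {
            KeyType t = keyType(kty);
            System.out.println(kty + " -> " + jcaSignatureAlgorithm("SHA-256", t)
                    + " / alg " + keyVaultAlg("SHA-256", t));
        }
        System.out.println(vaultUrl("myvault"));
        System.out.println(vaultUrl("https://myvault.vault.usgovcloudapi.net/keys/ignored"));
    }
}
```

Two caveats for anyone adapting this: for EC keys the "alg" must match the key's curve (ES256 with P-256, and so on) or the vault refuses the operation, and refusing plain http and unknown key types early gives a clear error at configuration time instead of the "Unknown signature type requested" failure seen further up this thread.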
Could you push it to one of your branches 🙏?
It's pretty complex to test: I don't have a Java dev environment locally, so I build it on a build server and I can't change the code online...
from jsign.
You can try with the azure branch
from jsign.
Perfect! No errors during the process.
You can merge it if you want :)
But I have another issue now... I will create a separate issue to avoid mixing problems.
from jsign.
Great! That's merged now. Many thanks for your help.
from jsign.