Comments (15)

gillg avatar gillg commented on August 27, 2024

Could anyone confirm if this approach is possible?

from jsign.

ebourg avatar ebourg commented on August 27, 2024

If there is a java.security.KeyStore implementation wrapping the Azure KeyVault service (or a PKCS#11 interface) that would be trivial to integrate it with Jsign.

ebourg avatar ebourg commented on August 27, 2024

The Azure SDK has a JCA provider:
https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-jca

gillg avatar gillg commented on August 27, 2024

The Azure SDK has a JCA provider:
https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-jca

Good to know! Their example only uses it to fetch the certificate and key. In the signing scenario (with an EV cert for example), your key is defined as not exportable, so you can never know it. Maybe they also support virtually signing using the JCA API.

Could anyone try to implement something? I can help with tests and the approach, but my Java knowledge doesn't allow me to do it myself.

ebourg avatar ebourg commented on August 27, 2024

The Azure JCA provider is missing a Signature service, it looks like it is insufficient for signing files.

gillg avatar gillg commented on August 27, 2024

Great!! 🎉

ebourg avatar ebourg commented on August 27, 2024

@gillg Could you give it a try? I hope I got it right.

gillg avatar gillg commented on August 27, 2024

Yes, definitely! Maybe not today, but I'll keep you posted.
Could you just give me a valid jar release ?

ebourg avatar ebourg commented on August 27, 2024

You can generate one with "mvn package -DskipTests", the jar to use is in jsign/target/jsign/jsign-4.0-SNAPSHOT.jar

gillg avatar gillg commented on August 27, 2024

Hello @ebourg!

I can test it and it seems to be almost working 👍

Calls to Azure seem OK

java -jar .\jsign-4.0-SNAPSHOT.jar `
  --storetype AZUREKEYVAULT `
  --keystore "$Vault" `
  --alias "$Certif" `
  --tsaurl "http://rfc3161timestamp.globalsign.com/advanced" `
  --tsmode RFC3161 `
  --alg SHA-256 `
  --storepass "$(az account get-access-token --resource "https://vault.azure.net" --tenant $Tenant | ConvertFrom-Json | Select-Object -ExpandProperty accessToken)" `
  --name "xxxxxxxxx" `
  --url "https://www.xxxxxxxx.com" `
  '.\Downloads\xxxxxxxxxxxxxxxxxx-v1.3.exe'

Adding Authenticode signature to .\Downloads\xxxxxxxxxxxxxxxx-v1.3.exe
jsign: Couldn't sign .\Downloads\xxxxxxxxxxxxxxxxxxxxxx-v1.3.exe
java.lang.IllegalArgumentException: Unknown signature type requested: SHA256WITHRSA-HSM
        at net.jsign.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder.generate(Unknown Source)
        at net.jsign.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder.find(Unknown Source)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder.<init>(Unknown Source)
        at net.jsign.AuthenticodeSigner.createSignedDataGenerator(AuthenticodeSigner.java:403)
        at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:366)
        at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:338)
        at net.jsign.SignerHelper.sign(SignerHelper.java:474)
        at net.jsign.JsignCLI.execute(JsignCLI.java:113)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)

I don't know how, but maybe just mapping "SHA256WITHRSA-HSM" to "SHA256WITHRSA" should work. In fact it's just the same thing hosted in HSM hardware... 🤞

One other remark: I'm not sure it's a good idea to hardcode .vault.azure.net in --keystore. I'm not sure it can change, but in official tools you have to provide it, and Microsoft is a big fan of "on-premise" solutions with custom tenants and URLs.

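
An added example (not Jsign's code, nor the Azure SDK's) of the mapping gillg proposes: Key Vault reports an HSM-backed key's type as "RSA-HSM", but the suffix only describes where the key lives, so the JCA/Bouncy Castle signature algorithm name must be built from the bare key type. The class and method names are assumptions, and the EC-HSM handling and the rejection of symmetric "oct" keys go beyond what the thread discusses.

```java
import java.util.Map;
import java.util.Set;

/** Maps an Azure Key Vault key type ("kty") plus a digest to a JCA signature algorithm name. */
public final class KeyVaultSignatureAlgorithm {

    // Key types Key Vault reports for asymmetric keys. The "-HSM" suffix marks HSM-backed
    // storage only; the signature algorithm is the same as for the software-backed variant.
    private static final Map<String, String> KEY_TYPES = Map.of(
            "RSA", "RSA", "RSA-HSM", "RSA",
            "EC", "ECDSA", "EC-HSM", "ECDSA");

    // Digests accepted on the command line (Jsign's --alg form, e.g. SHA-256).
    private static final Set<String> DIGESTS = Set.of("SHA-256", "SHA-384", "SHA-512");

    private KeyVaultSignatureAlgorithm() {}

    /** Returns e.g. "SHA256withRSA" for kty "RSA-HSM" and digest "SHA-256". */
    public static String forKey(String kty, String digest) {
        if (kty == null) {
            // A missing kty must fail with a clear message rather than a NullPointerException.
            throw new IllegalArgumentException("Key Vault response has no key type (kty)");
        }
        String base = KEY_TYPES.get(kty);
        if (base == null) {
            // "oct" / "oct-HSM" are symmetric keys and cannot produce an Authenticode signature.
            throw new IllegalArgumentException("Unsupported Key Vault key type: " + kty);
        }
        if (digest == null || !DIGESTS.contains(digest)) {
            throw new IllegalArgumentException("Unsupported digest algorithm: " + digest);
        }
        // JCA names drop the hyphen in the digest: "SHA-256" + "RSA" -> "SHA256withRSA".
        // Bouncy Castle's DefaultSignatureAlgorithmIdentifierFinder upper-cases the name,
        // so "SHA256withRSA" and "SHA256WITHRSA" resolve to the same identifier.
        return digest.replace("-", "") + "with" + base;
    }

    public static void main(String[] args) {
        System.out.println(forKey("RSA-HSM", "SHA-256"));
        System.out.println(forKey("EC-HSM", "SHA-384"));
        try {
            forKey("oct-HSM", "SHA-256");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```
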
ebourg avatar ebourg commented on August 27, 2024

Could you try again with this change please?

--- a/jsign-core/src/main/java/net/jsign/jca/AzureKeyVaultSigningService.java
+++ b/jsign-core/src/main/java/net/jsign/jca/AzureKeyVaultSigningService.java
@@ -126,7 +126,7 @@ public class AzureKeyVaultSigningService implements SigningService {
             String kid = (String) response.get("kid");
             Map policy = (Map) response.get("policy");
             Map keyprops = (Map) policy.get("key_props");
-            String algorithm = (String) keyprops.get("kty");
+            String algorithm = ((String) keyprops.get("kty")).replace("-HSM", "");

             return new SigningServicePrivateKey(kid, algorithm);
         } catch (AzureException | IOException e) {
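
Review bot: the new line `String algorithm = ((String) keyprops.get("kty")).replace("-HSM", "");` throws a NullPointerException when the response carries no `kty`, and that is not caught by the `catch (AzureException | IOException e)` that follows, so a malformed Key Vault response would surface as an unhandled error instead of a signing failure; suggest a null check that raises a descriptive exception before the `replace`. A one-line comment explaining why the suffix is stripped (Key Vault reports HSM-backed keys as "RSA-HSM", while the signature algorithm name handed to Bouncy Castle must be built from the bare key type) would also save the next reader a trip through this issue.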

Regarding the vault name, you are probably right. I think I'll add support for a URL in addition to the short form.

gillg avatar gillg commented on August 27, 2024

Could you push it to one of your branches 🙏?
It's pretty complex to test; I don't have a Java dev env locally, so I build it on a build server and I can't change code online...

ebourg avatar ebourg commented on August 27, 2024

You can try with the azure branch

gillg avatar gillg commented on August 27, 2024

Perfect! No errors during the process.
You can merge it if you want :)

But I have another issue now... I will create another issue to avoid mixing problems.

ebourg avatar ebourg commented on August 27, 2024

Great! That's merged now. Many thanks for your help.
