Certificate chain not found with jarsigner and Azure Key Vault #222
Comments
Does it work if you set the |
I've not tried this. What should I set it to? I was under the impression I could sign solely using the certificate from the key vault (which itself has been signed against my 3rd party certificate from an external provider) |
Set it to a file containing your signing certificate.
Yes, that's how it should work, but there is an issue somewhere. It doesn't help that jarsigner hides the details (the exception thrown by JsignJcaProvider is swallowed). Providing the certificate on the command line will allow you to check if the key can be used. You could also try signing a random .exe file with Jsign and see if a more explicit error message appears. Try this:
|
Well I tried this first, and it signs the exe perfectly, no warnings/errors. I then downloaded the certificate in
Adding the
I also have the option to download the cert from Azure as a PFX/PEM file (although if this one contains the private key, surely this defeats the point of keeping the private keys only on an HSM in the first place)? I get the same error as above from jarsigner when using the PFX file with
|
Good, at least it rules out wrong keystore/storepass/alias parameters.
Don't worry the certificate contains only the public key, the private key is locked in the HSM.
Could you send these certificate files to ebourg@apache.org please? I'd like to investigate why they fail to load. |
Unfortunately I'm unable to send you the certificates directly. What I can tell you is that if I open the I used the following settings on GlobalSign's website to create my certificate in the Key vault: https://support.globalsign.com/digital-certificates/digital-certificate-installation/Code-Signing-certificate-setup-in-Azure-Key-vault
|
I've made some progress. From my certificate provider, I've noticed they've given me the full chain in a p7b file. I can sign with jarsigner & jsign (with it talking to azure as required):
I don't get the previous warning I was getting with the prior PEM about: However when I then do |
I've figured out this error: a pfx file is a PKCS#12 keystore, but Jsign expects either a PEM file or a PKCS#7 file (p7b).
I guess you also have to set the |
I don't think so, that's well supported by current JDKs. You may get some useful details by verifying with the |
Thanks. This is the tail end of that log - does this shed any more info on it to you?
|
@ebourg I've got permission to email you the public key files now, so I'll send those across 🙂 |
I have this issue with the same certification chain, |
That's indeed a root certificate issue. "GlobalSign GCC R45 CodeSigning CA 2020" is an intermediate certificate, the root is "GlobalSign Code Signing Root R45" and it isn't included in the OpenJDK truststore (at least not in OpenJDK 17.0.11). GlobalSign provide a cross signed variant of this certificate which is signed by "GlobalSign Root CA - R3", and this one is included in the JDK. So I think adding this certificate to the chain will solve the issue. |
@ebourg do you know how I would do that? I'm not sure on the exact openssl command. Or do I have to go back to globalsign and get them to issue me with a new certificate signed by the correct root? |
@ebourg Actually, I've created my own chain now; however, from what I can see the cross-signed version is the one in my original p7b file from them. |
Ok, let's recap:
If you didn't regenerate the jar file between your attempts, I suggest doing so and trying again with |
Extract the |
Yes, the chain is identical. What was COVER.RSA is 4kb bigger than the original file though - but all 3 certificates seem to match when I view them in both Windows & Keystore explorer |
Yes COVER.RSA is larger because it contains the signature in addition to the certificate store. Looking at the JDK code, the exception is thrown here: The You can try to call this method directly in a test class and debug step by step to understand why it returns null. |
Debugger can be attached to jarsigner too. |
It returns false in RSASignature.verify for me. Btw, signersInfo in PKCS7.verify() contains only the GlobalSign R3 certificate. I was trying different certificate chains. When I try the full chain GlobalSign R3 -> GlobalSign Code Signing Root R45 -> GlobalSign GCC R45 CodeSigning CA 2020 -> my cert, jarsigner shows the warning "The signer certificate's KeyUsage extension doesn't allow code signing."
|
@ebourg @TheNormalnij Yes, I find it odd that both the non-cross-signing Code Signing R3 certificates, and the Cross-signed version apparently don't allow code signing :/ Anyway, I created a chain like so:
But in reverse order - with my certificate at the start of the file, and the root at the bottom of the file, and
Is reversing the order like this OK? I mean jarsigner & the keystore explorer certainly aren't complaining any more. If I open the jar in keystore explorer, it shows the chain in the correct order, with root at the top. |
I don't know if jarsigner expects a specific order, it doesn't seem to be documented. But if it works I guess that's fine. |
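Added example, not code from the thread or from Jsign: a small Java program that inspects a chain file before it is handed to jarsigner, assuming the file path (PEM or PKCS#7/.p7b) is passed as the first argument. It reports ordering problems (leaf first, each certificate issued by the next), whether the chain stops at an intermediate whose issuer must then come from the JDK truststore (the R45 situation above), and whether the leaf's KeyUsage/ExtendedKeyUsage would trip the "doesn't allow code signing" warning.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example (not Jsign code). Usage: java ChainCheck chain.pem   (path is an assumption)
public class ChainCheck {
    static final String CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String ANY_EKU = "2.5.29.37.0";                // anyExtendedKeyUsage

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates reads concatenated PEM or a PKCS#7 bundle, but not a PKCS#12 .pfx
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // Expected order is leaf first: each certificate must be issued and signed by the next one.
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate child = chain.get(i), parent = chain.get(i + 1);
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                System.out.println("ORDER: #" + i + " is not issued by #" + (i + 1));
            } else {
                child.verify(parent.getPublicKey()); // throws SignatureException on a broken link
            }
        }
        // If the last certificate is not self-signed, its issuer has to be in the JDK truststore.
        X509Certificate last = chain.get(chain.size() - 1);
        if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            System.out.println("Chain ends at an intermediate; cacerts must contain: "
                    + last.getIssuerX500Principal().getName());
        }
        // Leaf usage: KeyUsage needs digitalSignature (bit 0) or nonRepudiation (bit 1),
        // and ExtendedKeyUsage, if present, must allow code signing.
        X509Certificate leaf = chain.get(0);
        boolean[] ku = leaf.getKeyUsage();
        if (ku != null && !ku[0] && !ku[1]) {
            System.out.println("KeyUsage of the leaf does not allow signing");
        }
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku != null && !eku.contains(CODE_SIGNING_EKU) && !eku.contains(ANY_EKU)) {
            System.out.println("ExtendedKeyUsage of the leaf does not include codeSigning");
        }
    }
}
```

A chain that passes these checks but still fails in jarsigner points at the provider side (the swallowed JsignJcaProvider exception) rather than at the certificate file.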
Happy to close this now, and sorry for the wild goose chase! |
I'm using the following jarsigner command with 6.1-SNAPSHOT to work around #221.
jarsigner -J-cp "-Jjsign-6.1-SNAPSHOT.jar -J--add-modules -Jjava.sql -providerClass net.jsign.jca.JsignJcaProvider -providerArg [vault-name] -keystore NONE -storetype AZUREKEYVAULT -storepass [access-token] application.jar [cert]
I've confirmed my access token is valid.
And I get
jarsigner: Certificate chain not found for: [cert]. [cert] must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
I have a valid certificate named [cert] inside my keystore, so what am I doing wrong?