
[BUG] jarsigner + jca does not report 403 returned during sign with RSA-HSM key #42859

Open · 3 tasks done
d-richter-qdt opened this issue Nov 8, 2024 · 1 comment

Labels: Client (This issue points to a problem in the data-plane of the library.), customer-reported (Issues that are reported by GitHub users external to the Azure organization.), KeyVault, needs-team-attention (Workflow: This issue needs attention from Azure service team or SDK team), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that.)

Comments

@d-richter-qdt

Describe the bug

  • If the service provider is missing the permission for signing (Key Vault Crypto User role) but has permission to read the certificate (Key Vault Certificate User role), signing finishes successfully but the signature is not valid.

To Reproduce

  • certificate with advanced policy config in Key Vault:

      Extended Key Usages: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3
      X.509 Key Usage flags: Digital Signature, Key Encipherment
      Reuse key on renewal: NO
      Exportable Private Key: NO
      Key Type: RSA-HSM
      Key Size: 3072
      Enable Cert Transparency: NO

  • sign jar with jarsigner and jca provider:

      jarsigner \
        -J-Djava.security.debug=jar \
        -keystore NONE \
        -storetype AzureKeyVault \
        -signedjar signed.jar $1 "REDACTED" \
        -verbose \
        -storepass "" \
        -providerName AzureKeyVault \
        -providerPath azure-security-keyvault-jca-2.9.0.jar \
        -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
        -J-Dazure.keyvault.uri=https://REDACTED.vault.azure.net/ \
        -J-Dazure.keyvault.tenant-id=REDACTED \
        -J-Dazure.keyvault.client-id=REDACTED \
        -J-Dazure.keyvault.client-secret=REDACTED

  • verify signature:

      jarsigner \
        -J-Djava.security.debug=jar \
        -verify \
        -verbose $1

    Output:

      ...
      jar: beginEntry META-INF/<REDACTED>.RSA
      jar: processEntry: processing block
      jar: processEntry caught: java.security.SignatureException: Bad signature length: got 0 but was expecting 384
      jar: done with meta!
      ...
      WARNING: Signature is either not parsable or not verifiable, and the jar will be treated as unsigned. For more information, re-run jarsigner with debug enabled (-J-Djava.security.debug=jar).

Expected behavior

  • Ideally, signing fails with a hint about the missing permission, or at least logs an error about receiving a 403.

Setup

  • OS: Ubuntu 22.04
  • IDE: bash
  • Library/Libraries: com.azure:azure-security-keyvault-jca:2.9.0
  • Java version: Zulu 21.0.5

Additional context

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
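As an added check that is not part of this issue or of the azure-security-keyvault-jca project: the failure above is silent at signing time and only surfaces as "Bad signature length: got 0 but was expecting 384" when someone verifies the jar. A release pipeline can catch it right after signing by opening the jar, parsing the META-INF/*.RSA signature block and refusing to publish when any SignerInfo carries a signature whose length is not the key size in bytes (384 for an RSA-3072 key, since an RSA signature is exactly one modulus in length). The Python below does that with a small DER reader that follows the RFC 5652 SignedData layout; the sample jar, the SIGNER.RSA entry name, the placeholder issuer name and the all-zero signature bytes are constructed here for illustration only.

```python
"""Post-signing gate for JAR signature blocks (META-INF/*.RSA, *.DSA, *.EC).

Constructed example, not project code. A SignerInfo whose signature OCTET
STRING is empty (the symptom in the issue) or of the wrong size fails the gate
before the artifact leaves the build.
"""
import io
import zipfile

SEQUENCE, SET, OCTET_STRING, INTEGER, OID, NULL = 0x30, 0x31, 0x04, 0x02, 0x06, 0x05
CTX0 = 0xA0  # [0] EXPLICIT / constructed context tag


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into its child (tag, value) TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def signer_signature_lengths(block):
    """Byte length of the signature in every SignerInfo of a SignedData blob.

    ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
                               [certs], [crls], signerInfos SET OF SignerInfo }
    SignerInfo  ::= SEQUENCE { version, sid, digestAlgorithm, [0] signedAttrs,
                               signatureAlgorithm, signature OCTET STRING, [1] ... }
    The only direct OCTET STRING child of SignerInfo is `signature`.
    """
    tag, content_info, _ = der_read(block)
    assert tag == SEQUENCE, "signature block is not a SEQUENCE"
    (_, _oid), (wrapper_tag, wrapper) = der_children(content_info)
    assert wrapper_tag == CTX0, "missing [0] EXPLICIT SignedData"
    (_, signed_data), = der_children(wrapper)
    signer_infos_tag, signer_infos = der_children(signed_data)[-1]
    assert signer_infos_tag == SET, "signerInfos must be a SET"
    lengths = []
    for _, signer_info in der_children(signer_infos):
        octets = [val for t, val in der_children(signer_info) if t == OCTET_STRING]
        lengths.append(len(octets[0]) if octets else 0)
    return lengths


def check_jar_signature_blocks(jar_bytes, expected_sig_len):
    """Map each signature block file in the jar to True/False (gate result)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                lengths = signer_signature_lengths(zf.read(name))
                results[name] = bool(lengths) and all(n == expected_sig_len for n in lengths)
    return results


# --- constructed sample data below; only used to exercise the gate ---------

def der(tag, payload):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_block(signature):
    """Minimal SignedData with one SignerInfo wrapping `signature` (constructed)."""
    oid_signed_data = der(OID, bytes.fromhex("2a864886f70d010702"))  # 1.2.840.113549.1.7.2
    oid_data = der(OID, bytes.fromhex("2a864886f70d010701"))         # 1.2.840.113549.1.7.1
    sha256 = der(SEQUENCE, der(OID, bytes.fromhex("608648016503040201")) + der(NULL, b""))
    rsa = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
    issuer_and_serial = der(SEQUENCE, der(SEQUENCE, b"") + der(INTEGER, b"\x01"))  # placeholder
    signer_info = der(SEQUENCE, der(INTEGER, b"\x01") + issuer_and_serial + sha256 + rsa
                      + der(OCTET_STRING, signature))
    signed_data = der(SEQUENCE, der(INTEGER, b"\x01") + der(SET, sha256)
                      + der(SEQUENCE, oid_data) + der(SET, signer_info))
    return der(SEQUENCE, oid_signed_data + der(CTX0, signed_data))


def build_sample_jar(signature):
    """Constructed signed-jar layout: manifest, .SF file and a .RSA block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.RSA", build_sample_block(signature))
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_jar_signature_blocks(build_sample_jar(b"\x00" * 384), 384))  # {'META-INF/SIGNER.RSA': True}
    print(check_jar_signature_blocks(build_sample_jar(b""), 384))            # {'META-INF/SIGNER.RSA': False}
```

The gate only checks structure, so it complements rather than replaces `jarsigner -verify`; its value is that it turns the silent 403 into a hard failure at the point where the signing credentials are still in scope and the cause is obvious.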
github-actions bot added the Client, customer-reported, KeyVault, needs-team-attention and question labels Nov 8, 2024

github-actions bot commented Nov 8, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

Projects: Status: Untriaged
Development: No branches or pull requests
2 participants