Description
Describe the bug
When using a valid, DigiCert issued, non-exportable Azure Key Vault certificate to sign a .jar file with jarsigner + jca 2.10.0, jarsigner will produce a warning.
Issue seems to persist after bugfix, referencing #41832
Exception or Stack Trace
Warning: This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To Reproduce
Steps to reproduce the behavior are pretty much identical to #44085:
Create new version of a non-exportable code signing certificate from Azure Key Vault (RSA-HSM, 4096)
Sign the CSR through DigiCert
Merge the signing request with Azure Key Vault
Configure the app registration with secret, along with RBAC on Azure Key Vault for access
Open Windows Terminal and run the code snippet below (with the environment variables declared; disregard the line feeds):
jarsigner.exe
-keystore NONE
-storetype AzureKeyVault
-signedjar signed.jar original.jar xxx
-verbose
-storepass ""
-providerName AzureKeyVault
-providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider
-J--module-path="azure-security-keyvault-jca-2.10.0.jar"
-J--add-modules="com.azure.security.keyvault.jca"
-J-Dazure.keyvault.uri="https://xxx.vault.azure.net/"
-J-Dazure.keyvault.tenant-id="%TENANT%"
-J-Dazure.keyvault.client-id="%CLIENT_ID%"
-J-Dazure.keyvault.client-secret="%SECRET%"
-tsa http://timestamp.digicert.com
It will produce the following output:
Feb. 19, 2025 1:59:41 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFORMATION: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb. 19, 2025 1:59:41 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFORMATION: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb. 19, 2025 1:59:42 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFORMATION: Obtained login URI: https://login.microsoftonline.com/xxx
Feb. 19, 2025 1:59:42 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFORMATION: Getting access token using client ID / client secret
Feb. 19, 2025 1:59:43 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFORMATION: Getting key for alias: xxx
Feb. 19, 2025 1:59:43 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFORMATION: Getting certificate for alias: xxx
Feb. 19, 2025 1:59:43 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFORMATION: Getting certificate chain for alias: xxx
Feb. 19, 2025 1:59:43 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFORMATION: Getting key for alias: xxxov
Feb. 19, 2025 1:59:43 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFORMATION: Getting certificate for alias: xxxov
Feb. 19, 2025 1:59:44 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFORMATION: Getting certificate chain for alias: xxxov
Feb. 19, 2025 1:59:44 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFORMATION: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb. 19, 2025 1:59:44 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFORMATION: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb. 19, 2025 1:59:44 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFORMATION: Obtained login URI: https://login.microsoftonline.com/xxx
Feb. 19, 2025 1:59:44 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFORMATION: Getting access token using client ID / client secret
Feb. 19, 2025 1:59:44 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFORMATION: Getting key for alias: xxx
Feb. 19, 2025 1:59:44 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFORMATION: Getting certificate for alias: xxx
Feb. 19, 2025 1:59:45 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFORMATION: Getting certificate chain for alias: xxx
Feb. 19, 2025 1:59:45 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFORMATION: Getting key for alias: xxxov
Feb. 19, 2025 1:59:45 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFORMATION: Getting certificate for alias: xxxov
Feb. 19, 2025 1:59:45 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFORMATION: Getting certificate chain for alias: xxxov
Feb. 19, 2025 1:59:45 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFORMATION: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb. 19, 2025 1:59:45 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFORMATION: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb. 19, 2025 1:59:46 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFORMATION: Obtained login URI: https://login.microsoftonline.com/xxx
Feb. 19, 2025 1:59:46 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFORMATION: Getting access token using client ID / client secret
Feb. 19, 2025 1:59:46 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFORMATION: Getting key for alias: xxx
Feb. 19, 2025 1:59:46 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFORMATION: Getting certificate for alias: xxx
Feb. 19, 2025 1:59:46 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFORMATION: Getting certificate chain for alias: xxx
Feb. 19, 2025 1:59:46 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFORMATION: Getting key for alias: xxxov
Feb. 19, 2025 1:59:47 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFORMATION: Getting certificate for alias: xxxov
Feb. 19, 2025 1:59:47 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFORMATION: Getting certificate chain for alias: xxxov
requesting a signature timestamp
TSA location: http://timestamp.digicert.com
updating: META-INF/MANIFEST.MF
adding: META-INF/XXX.SF
adding: META-INF/XXX.RSA
...
>>> Signer
X.509, CN=XXX, XXX, L=XXX, C=AT, SERIALNUMBER=XXX, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=XXX, OID.1.3.6.1.4.1.311.60.2.1.2=Oberösterreich, OID.1.3.6.1.4.1.311.60.2.1.3=AT
Signature algorithm: SHA256withRSA, 4096-bit key
[trusted certificate]
>>> TSA
X.509, CN=DigiCert Timestamp 2024, O=DigiCert, C=US
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 26.09.24, 02:00 to 26.11.35, 00:59]
X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 23.03.22, 01:00 to 23.03.37, 00:59]
X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature algorithm: SHA384withRSA, 4096-bit key
[certificate is valid from 01.08.22, 02:00 to 10.11.31, 00:59]
jar signed.
The timestamp will expire on 2031-11-10.
Code Snippet
Verify command:
jarsigner -verify signed.jar -certs -verbose
Output excerpt from a single entry:
[entry was signed on 19.02.25, 13:35]
>>> Signer
X.509, CN=XXX, O=XXX, L=XXX, C=AT, SERIALNUMBER=XXX, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=XXX, OID.1.3.6.1.4.1.311.60.2.1.2=Oberösterreich, OID.1.3.6.1.4.1.311.60.2.1.3=AT
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 19.02.25, 01:00 to 19.02.28, 00:59]
[Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>> TSA
X.509, CN=DigiCert Timestamp 2024, O=DigiCert, C=US
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 26.09.24, 02:00 to 26.11.35, 00:59]
X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 23.03.22, 01:00 to 23.03.37, 00:59]
X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature algorithm: SHA384withRSA, 4096-bit key
[certificate is valid from 01.08.22, 02:00 to 10.11.31, 00:59]
Expected behavior
jarsigner verify should not print a warning about invalid certificate chain.
Uploading an older (still valid, OV) code signing certificate, including its private key, with alias xxxov into Key Vault and using it to sign the jar files results in a verify command without warnings:
[entry was signed on 19.02.25, 13:41]
>>> Signer
X.509, CN=XXX, O=XX, L=XXX, C=AT
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 18.05.23, 02:00 to 18.05.26, 01:59]
X.509, CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature algorithm: SHA384withRSA, 4096-bit key
[certificate is valid from 29.04.21, 02:00 to 29.04.36, 01:59]
X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature algorithm: SHA384withRSA, 4096-bit key
[trusted certificate]
>>> TSA
X.509, CN=DigiCert Timestamp 2024, O=DigiCert, C=US
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 26.09.24, 02:00 to 26.11.35, 00:59]
X.509, CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O="DigiCert, Inc.", C=US
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 23.03.22, 01:00 to 23.03.37, 00:59]
X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature algorithm: SHA384withRSA, 4096-bit key
[certificate is valid from 01.08.22, 02:00 to 10.11.31, 00:59]
Setup:
- OS: Windows 11 24H2
- IDE: -
- Library/Libraries: com.azure:azure-security-keystore-jca:2.10.0
- Java version: Eclipse Temurin 17.0.11, 21.0.3; Amazon Corretto 17.0.14
- App Server/Environment: -
- Frameworks: -
Additional context
I have two certificates in my keyvault:
- xxx
- xxxov
According to the output, both certificates, including their chains, are being downloaded by Key Vault JCA even though jarsigner clearly specifies only one alias. This is not the cause of this issue, however; the xxxov certificate was imported later on.
Also, as is visible in the output, the certificate information includes German umlauts. From my understanding this should be safe, as OIDs should be UTF-8 encoded.
Furthermore, to reduce the amount of work on the client, instead of creating a new certificate we created a new version of the original in Azure Key Vault, so currently there are two versions (old and current) visible in the overview.
From my understanding this should not have any impact on this issue, but I included it for transparency.
Information Checklist
Kindly make sure that you have added all the following information above and check off the required fields; otherwise we will treat the issue as an incomplete report.
- Bug Description Added
- Repro Steps Added
- Setup information Added
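To see which certificates the keystore provider actually handed to jarsigner, the following added example (not code from this issue or from the Azure SDK) reads the signer chain embedded in a signed JAR's META-INF/*.RSA block and repeats the PKIX path build that jarsigner -verify performs, so the warning above can be traced to a named missing certificate. It assumes a JDK 17 or newer and takes the path of the signed JAR as its only argument.

```java
import java.io.*; import java.util.*; import java.util.jar.*; import javax.net.ssl.*;
import java.security.CodeSigner; import java.security.KeyStore; import java.security.cert.*;
/** Lists the certificates each signer embedded in META-INF/*.RSA and repeats the PKIX
 *  path build that jarsigner -verify performs, so a missing intermediate shows up by name. */
public class SignerChainCheck {
    /** Trust anchors of the running JDK (lib/security/cacerts), the store jarsigner also consults. */
    static Set<TrustAnchor> defaultAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore selects the JDK default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager x)
                for (X509Certificate root : x.getAcceptedIssuers()) anchors.add(new TrustAnchor(root, null));
        return anchors;
    }
    /** Build a path from the leaf to a trust anchor using only the embedded certificates; without
     *  the intermediate this fails with "unable to find valid certification path to requested target". */
    static void buildPath(List<X509Certificate> embedded, Set<TrustAnchor> anchors) throws Exception {
        X509CertSelector leaf = new X509CertSelector();
        leaf.setCertificate(embedded.get(0)); // getSignerCertPath() lists the end-entity certificate first
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, leaf);
        params.setRevocationEnabled(false); // chain completeness only; no CRL/OCSP lookups here
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(embedded)));
        CertPathBuilder.getInstance("PKIX").build(params); // throws CertPathBuilderException on failure
    }
    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = defaultAnchors();
        Set<List<X509Certificate>> chains = new LinkedHashSet<>(); // one entry per distinct signer chain
        try (JarFile jar = new JarFile(args[0], true)) { // verify = true so signature blocks are parsed
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                // getCodeSigners() is only populated once the entry has been read to the end
                try (InputStream in = jar.getInputStream(entry)) { in.transferTo(OutputStream.nullOutputStream()); }
                if (entry.getCodeSigners() == null) continue; // manifest, .SF/.RSA and unsigned entries
                for (CodeSigner s : entry.getCodeSigners()) {
                    List<X509Certificate> chain = new ArrayList<>();
                    for (Object c : s.getSignerCertPath().getCertificates()) chain.add((X509Certificate) c);
                    chains.add(chain);
                }
            }
        }
        for (List<X509Certificate> chain : chains) {
            System.out.println(chain.size() + " certificate(s) embedded for " + chain.get(0).getSubjectX500Principal());
            for (X509Certificate c : chain) System.out.println("  issued by " + c.getIssuerX500Principal());
            try { buildPath(chain, anchors); System.out.println("  PKIX path build: OK"); }
            catch (CertPathBuilderException ex) { System.out.println("  PKIX path build FAILED: " + ex.getMessage()); }
        }
    }
}
```

Running it against a jar signed with each of the two aliases shows directly how many certificates the keystore provider returned for the signer, which is what decides whether the verify step can reach the DigiCert root without a network lookup.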