User Scenario and Benefits
In today's cloud-driven world, securely managing and signing applications is crucial, particularly in the context of Software Supply Chain Security. The integration of the KeyVault JCA provider with Jarsigner helps ensure that your software supply chain remains secure by leveraging Azure KeyVault for key management.
Consider a development team responsible for a microservices-based application deployed on Azure Container Apps. They need to sign their Java archive (JAR) files to ensure the integrity and authenticity of their software artifacts before deployment. Integrating Azure KeyVault JCA provider with Jarsigner offers a streamlined approach to securely manage and use cryptographic keys stored in Azure KeyVault, mitigating the risks associated with key management and distribution in the software supply chain.
Prerequisites
Before beginning, ensure you have the following:
-
An Azure subscription - .
-
version 8, 9, 11 or 17.
-
-
- a lightweight and flexible command-line JSON processor.
-
Ensure you are using one of the following supported algorithms: DSA, RSA, or ECDSA.
Step 1: Download and Configure JCA Provider Jar
-
Download the Provider Jar.
-
If you are using Java8, you need to add the JCA provider jar to the class path.
-
Place the jar under the folder
${JAVA_HOME}/jre/lib/ext
-
- If you are using Java9 or higher, just place the jar in a folder that jarsigner can access.
Step 2: Prepare Azure Resources
Follow these steps carefully to achieve successful integration:
-
Prepare your parameters
DATE_STRING=$(date +%H%M%S) RESOURCE_GROUP_NAME=jarsigner-rg-$DATE_STRING KEYVAULT_NAME=jarsiner-kv-$DATE_STRING CERT_NAME=jarsiner-cert-$DATE_STRING SERVICE_PRINCIPAL_NAME=jarsiner-sp-$DATE_STRING SUBSCRIPTION_ID=$(az account show --query id -o tsv) - Create a resource group
az group create --name $RESOURCE_GROUP_NAME --location "EastUS" -
Create a key vault
az keyvault create --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --location "EastUS" - Assign role to create certificates in the Key Vault
# Get your user object ID (if you're using a user account) USER_OBJECTID=$(az ad signed-in-user show --query id -o tsv) # Or if you're using a service principal, get its object ID # SP_OBJECTID=$(az ad sp show --id <your-sp-id> --query id -o tsv) # Assign Key Vault Certificates Officer role az role assignment create \ --role "Key Vault Certificates Officer" \ --assignee $USER_OBJECTID \ --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.KeyVault/vaults/$KEYVAULT_NAME" -
Get the Key Vault URL
KEYVAULT_URL=$(az keyvault show --name $KEYVAULT_NAME --query "properties.vaultUri" --resource-group $RESOURCE_GROUP_NAME -o tsv| tr -d '\r\n') echo $KEYVAULT_URL -
Add a certificate to Key Vault
az keyvault certificate create --vault-name $KEYVAULT_NAME -n $CERT_NAME -p "$(az keyvault certificate get-default-policy)" -
Create a Service Principal
SP_JSON=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME) CLIENT_ID=$(echo $SP_JSON | jq -r '.appId') CLIENT_SECRET=$(echo $SP_JSON | jq -r '.password') TENANT=$(echo $SP_JSON | jq -r '.tenant') echo "CLIENT_ID:"$CLIENT_ID echo "CLIENT_SECRET:"$CLIENT_SECRET echo "TENANT:"$TENANT -
Get the objectId
OBJECTID=$(az ad sp show --id "$CLIENT_ID" --query id -o tsv | tr -d '\r\n') echo $OBJECTID -
Assign Roles to Service Principal:
# Assign Key Vault Secrets Officer role to Service Principal az role assignment create \ --role "Key Vault Secrets Officer" \ --assignee $OBJECTID \ --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.KeyVault/vaults/$KEYVAULT_NAME" # Assign Key Vault Certificates Officer role Service Principal az role assignment create \ --role "Key Vault Certificates Officer" \ --assignee $OBJECTID \ --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.KeyVault/vaults/$KEYVAULT_NAME"
Step 3: Sign with Jarsigner
-
Prepare Your Jar: Have the jar file you wish to sign ready.
-
Execute Jarsigner: Use the Jarsigner tool with the KeyVault JCA provider to sign your jar file. You need to update the parameters with the actuall values.
Parameter Description Example PARAM_YOUR_JAR_FILE_PATH The path to your jar file you wish to sign. /path/to/your/jarfile.jar PARAM_JCA_PROVIDER_JAR_PATH The path to the jca provider jar file. /path/to/your/azure-security-keyvault-jca-2.8.1.jar -
If you are using Java8, try to sign the jar using below command
jarsigner -keystore NONE -storetype AzureKeyVault \ -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \ -verbose -storepass "" \ -providerName AzureKeyVault \ -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \ -J-Dazure.keyvault.uri=${KEYVAULT_URL} \ -J-Dazure.keyvault.tenant-id=${TENANT} \ -J-Dazure.keyvault.client-id=${CLIENT_ID} \ -J-Dazure.keyvault.client-secret=${CLIENT_SECRET} -
If you are using Java9 or higher, try to sign the jar using below command
jarsigner -keystore NONE -storetype AzureKeyVault \ -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \ -verbose -storepass "" \ -providerName AzureKeyVault \ -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \ -J--module-path="${PARAM_JCA_PROVIDER_JAR_PATH}" \ -J--add-modules="com.azure.security.keyvault.jca" \ -J-Dazure.keyvault.uri=${KEYVAULT_URL} \ -J-Dazure.keyvault.tenant-id=${TENANT} \ -J-Dazure.keyvault.client-id=${CLIENT_ID} \ -J-Dazure.keyvault.client-secret=${CLIENT_SECRET}
-
-
Check your output, the output may look like this
Step 4: Verify with Jarsigner
You can verify the signed jar using the following Jarsigner command.
jarsigner -verify -verbose -certs signerjar.jar
The output may look like this
Conclusion
By following these steps, you can easily integrate KeyVault JCA provider with Jarsigner. This method ensures a secure and efficient signing process using Azure KeyVault.
Clean up resources
To avoid Azure charges, you should clean up unnecessary resources.
az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait az ad app delete --id $CLIENT_ID
Next step
- You can learn more Java experiences on Azure Container Apps on Azure Container Apps Overview.
Microsoft
