
[BUG] Static way of using Azure key vault #23591

Closed
michaelqi793 opened this issue Aug 16, 2021 · 1 comment · Fixed by #23923
Labels: azure-spring, azure-spring-jca, bug, KeyVault, Service

Comments

@michaelqi793 (Contributor) commented Aug 16, 2021

Is your feature request related to a problem? Please describe.
Every time I need to use the Azure Key Vault key store, for example when I want to program an HTTPS web client, I have to write code like this:

```java
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import com.azure.security.keyvault.jca.KeyVaultLoadStoreParameter;
import org.apache.http.ssl.SSLContexts;

// Instantiate the Key Vault-backed KeyStore explicitly, with credentials taken from system properties,
// and hand it to the HTTP client's SSLContext as trust material.
KeyStore azureKeyVaultKeyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
        System.getProperty("azure.keyvault.uri"),
        System.getProperty("azure.keyvault.tenant-id"),
        System.getProperty("azure.keyvault.client-id"),
        System.getProperty("azure.keyvault.client-secret"));
azureKeyVaultKeyStore.load(parameter);
SSLContext sslContext = SSLContexts.custom()
        .loadTrustMaterial(azureKeyVaultKeyStore, null)  // trust the certificates held in Key Vault
        .build();
```

This means:
1. My code can only work with the Azure Key Vault key store at runtime.
2. I have to write code specific to Azure Key Vault.
Both are frustrating!

Describe the solution you'd like
In development, my code has nothing to do with the Azure Key Vault key store. For example, the above code is reduced to this:

```java
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.SSLContexts;

// No Key Vault-specific code: null trust material means "use the JVM default trust store".
// The (KeyStore) cast is needed because loadTrustMaterial(null, null) is otherwise ambiguous
// between the KeyStore, File and URL overloads.
SSLContext sslContext = SSLContexts.custom()
        .loadTrustMaterial((KeyStore) null, null)
        .build();
```

This code can work with the Azure Key Vault key store at runtime if I run my code from the command line and add the proper system properties via -D. So please support the static way of using the Azure Key Vault key store. Please refer to https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderInstalling

Describe alternatives you've considered
I tried running my code from the command line to connect to an HTTPS web server that uses the Key Vault key store:

```shell
java --module-path ./azure-security-keyvault-jca-2.0.0-beta.1.jar \
  --add-modules com.azure.security.keyvault.jca \
  -Dsecurity.overridePropertiesFile=true \
  -Djava.security.properties==./java.security \
  -Djavax.net.ssl.trustStoreType=AzureKeyVault \
  -Dazure.keyvault.uri=<mykeyvaultURI> \
  -Dazure.keyvault.tenant-id=<myTenantID> \
  -Dazure.keyvault.client-id=<myClientID> \
  -Dazure.keyvault.client-secret=<mySecretValue> \
  MyCodeMainClass
```

But I got the following dead loop:

```
    ...
    at java.base/sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:88)
    at java.base/javax.net.ssl.SSLContext.init(SSLContext.java:297)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.ssl.SSLContexts.createDefault(SSLContexts.java:52)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.client.HttpClientBuilder.build(HttpClientBuilder.java:977)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.shaded.org.apache.http.impl.client.HttpClients.createDefault(HttpClients.java:56)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.utils.HttpUtil.post(HttpUtil.java:70)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.utils.HttpUtil.post(HttpUtil.java:53)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil.getAccessToken(AccessTokenUtil.java:107)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:195)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAliases(KeyVaultClient.java:215)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificates(KeyVaultCertificates.java:142)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificatesIfNeeded(KeyVaultCertificates.java:130)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.getAliases(KeyVaultCertificates.java:100)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.KeyVaultKeyStore.getAllAliases(KeyVaultKeyStore.java:283)
    at com.azure.security.keyvault.jca@2.0.0-beta.1/com.azure.security.keyvault.jca.KeyVaultKeyStore.engineAliases(KeyVaultKeyStore.java:168)
    at java.base/java.security.KeyStore.aliases(KeyStore.java:1269)
    at java.base/sun.security.validator.TrustStoreUtil.getTrustedCerts(TrustStoreUtil.java:56)
    at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadTrustedCerts(TrustStoreManager.java:390)
    at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:321)
    at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:55)
    at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
    at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:278)
    at java.base/sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:88)
    at java.base/javax.net.ssl.SSLContext.init(SSLContext.java:297)
    ...
```

@michaelqi793 michaelqi793 added KeyVault feature-request This issue requires a new behavior in the product in order be resolved. Service This issue points to a problem in the service. azure-spring All azure-spring related issues azure-spring-jca labels Aug 16, 2021
@michaelqi793 michaelqi793 added this to the [2021] October milestone Aug 16, 2021
@chenrujun chenrujun removed their assignment Aug 20, 2021
@michaelqi793 michaelqi793 added bug This issue requires a change to an existing behavior in the product in order to be resolved. and removed feature-request This issue requires a new behavior in the product in order be resolved. labels Aug 20, 2021
@michaelqi793 michaelqi793 changed the title [FEATURE REQ] Static way of using Azure key vault [BUG] Static way of using Azure key vault Aug 20, 2021
@michaelqi793 (Contributor, Author) commented:

Root cause found: the first SSLContext needs to instantiate a trust manager, which then instantiates AzureKeyVault and invokes AzureKeyVault's getAliases; AzureKeyVault's getAliases then also needs an SSL connection and instantiates an SSLContext, hence a dead loop.
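The cycle described in the root-cause comment, reproduced and then broken, as an added example that is not code from this issue or from azure-security-keyvault-jca. It registers a hypothetical JCA provider and KeyStore type named DemoRemote (an assumed name standing in for AzureKeyVault) whose engineAliases needs an SSLContext, exactly as KeyVaultKeyStore does for its HTTPS call to the vault; with -Djavax.net.ssl.trustStoreType pointing at that type, building a default-trusted SSLContext re-enters the provider until the stack overflows. The fix shown, giving the provider's own client an SSLContext built from an explicitly loaded copy of the JDK's cacerts instead of the JVM default trust store, is one way to break the cycle and is not a description of what the referenced fix PR does. Requires JDK 11 or later.

```java
// Added example, not code from this issue or from azure-security-keyvault-jca: reproduces the
// SSLContext <-> KeyStore re-entrancy in the stack trace with a hypothetical "DemoRemote" key store
// standing in for AzureKeyVault, then breaks the cycle. JDK 11+: java ReentrantTrustStoreDemo.java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import javax.net.ssl.*;

public class ReentrantTrustStoreDemo {

    /** Hypothetical provider registering the assumed "DemoRemote" KeyStore type. */
    public static final class RemoteProvider extends Provider {
        RemoteProvider() {
            super("DemoRemote", "1.0", "remote key store demo");
            putService(new Service(this, "KeyStore", "DemoRemote", RemoteKeyStoreSpi.class.getName(), null, null));
        }
    }

    /** Stand-in for KeyVaultKeyStore: listing aliases needs an HTTPS client, hence an SSLContext. */
    public static final class RemoteKeyStoreSpi extends KeyStoreSpi {
        static boolean useDedicatedTrustStore = false;  // false reproduces the bug
        static int aliasCalls = 0;

        @Override public Enumeration<String> engineAliases() {
            aliasCalls++;
            try {
                SSLContext ctx = SSLContext.getInstance("TLS");
                if (useDedicatedTrustStore) {
                    // Fix: trust material loaded explicitly, so the JVM default trust store is never consulted.
                    ctx.init(null, jdkRootTrustManagers(), null);
                } else {
                    // Bug: null trust managers => JVM default trust store => javax.net.ssl.trustStoreType
                    // => a fresh instance of this class => engineAliases() again, without end.
                    ctx.init(null, null, null);
                }
                return Collections.emptyEnumeration();  // a real provider would now query the vault with ctx
            } catch (GeneralSecurityException | IOException e) {
                throw new IllegalStateException("cannot build client SSLContext", e);
            }
        }
        // Credentials would be read from azure.keyvault.*-style properties here; nothing to do in the demo.
        @Override public void engineLoad(InputStream in, char[] pw) { }
        @Override public Key engineGetKey(String a, char[] pw) { return null; }
        @Override public Certificate[] engineGetCertificateChain(String a) { return null; }
        @Override public Certificate engineGetCertificate(String a) { return null; }
        @Override public Date engineGetCreationDate(String a) { return null; }
        @Override public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] c) { throw new UnsupportedOperationException(); }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) { throw new UnsupportedOperationException(); }
        @Override public void engineSetCertificateEntry(String a, Certificate c) { throw new UnsupportedOperationException(); }
        @Override public void engineDeleteEntry(String a) { throw new UnsupportedOperationException(); }
        @Override public boolean engineContainsAlias(String a) { return false; }
        @Override public int engineSize() { return 0; }
        @Override public boolean engineIsKeyEntry(String a) { return false; }
        @Override public boolean engineIsCertificateEntry(String a) { return false; }
        @Override public String engineGetCertificateAlias(Certificate c) { return null; }
        @Override public void engineStore(OutputStream out, char[] pw) { throw new UnsupportedOperationException(); }
    }

    /** Trust managers from the JDK's own cacerts, independent of the javax.net.ssl.trustStore* properties. */
    static TrustManager[] jdkRootTrustManagers() throws GeneralSecurityException, IOException {
        KeyStore roots = KeyStore.getInstance("PKCS12");  // with keystore.type.compat=true (default) this also reads JKS cacerts
        try (InputStream in = Files.newInputStream(Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts"))) {
            roots.load(in, null);  // null password: no integrity check, acceptable for a store of public root certificates
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(roots);
        return tmf.getTrustManagers();
    }

    /** What the client code in the issue does: default trust material, as in loadTrustMaterial(null, null). */
    static SSLContext defaultTrustedContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new RemoteProvider());
        // Same effect as the -D flags in the issue; NONE tells the JDK there is no store file to open.
        System.setProperty("javax.net.ssl.trustStoreType", "DemoRemote");
        System.setProperty("javax.net.ssl.trustStore", "NONE");
        try {
            defaultTrustedContext();
        } catch (StackOverflowError e) {
            System.out.println("StackOverflowError, as in the issue's trace");
        }
        System.out.println("buggy: engineAliases was entered " + RemoteKeyStoreSpi.aliasCalls + " times for one SSLContext");
        RemoteKeyStoreSpi.aliasCalls = 0;
        RemoteKeyStoreSpi.useDedicatedTrustStore = true;
        defaultTrustedContext();
        System.out.println("fixed: engineAliases called " + RemoteKeyStoreSpi.aliasCalls + " time(s), SSLContext initialised");
    }
}
```

The fix does for the provider's internal client what the issue's first snippet does for the application: it names its trust store explicitly instead of inheriting the JVM default, so the trustStoreType property can point at the provider without the provider depending on itself. A re-entrancy guard in engineAliases alone would only turn the endless recursion into a vault call made with an empty trust store, which fails; removing the dependency on the default trust store is what breaks the cycle.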
