This guide provides a straightforward approach to integrating the KeyVault JCA provider with Jarsigner, ensuring a seamless process for users.
Before beginning, ensure you have the following:
- An Azure subscription - create one for free.
- Java Development Kit (JDK) version 8 or higher.
- Azure CLI
- jq - a lightweight and flexible command-line JSON processor.
- A certificate whose key uses one of the supported algorithms: DSA, RSA, or ECDSA.
- Download the JCA provider jar.
- If you are using Java 8, add the JCA provider jar to the class path.
- If you are using Java 9 or higher, place the jar in a folder that jarsigner can access.
Follow these steps carefully to achieve successful integration:
- Prepare your parameters:

```bash
DATE_STRING=$(date +%H%M%S)
RESOURCE_GROUP_NAME=jarsigner-rg-$DATE_STRING
KEYVAULT_NAME=jarsigner-kv-$DATE_STRING
CERT_NAME=jarsigner-cert-$DATE_STRING
SERVICE_PRINCIPAL_NAME=jarsigner-sp-$DATE_STRING
```

- Create a resource group:

```bash
az group create --name $RESOURCE_GROUP_NAME --location "EastUS"
```

- Create a key vault:

```bash
az keyvault create --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --location "EastUS"
```

- Get the key vault URI:

```bash
KEYVAULT_URL=$(az keyvault show --name $KEYVAULT_NAME --query "properties.vaultUri" --resource-group $RESOURCE_GROUP_NAME -o tsv | tr -d '\r\n')
echo $KEYVAULT_URL
```

Note the output (the key vault URI, kept in `KEYVAULT_URL`) for later use.
- Add a certificate to Key Vault:

```bash
az keyvault certificate create --vault-name $KEYVAULT_NAME -n $CERT_NAME -p "$(az keyvault certificate get-default-policy)"
```

- Create a service principal:

```bash
SP_JSON=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME)
CLIENT_ID=$(echo "$SP_JSON" | jq -r '.appId')
CLIENT_SECRET=$(echo "$SP_JSON" | jq -r '.password')
TENANT=$(echo "$SP_JSON" | jq -r '.tenant')
echo "CLIENT_ID: $CLIENT_ID"
echo "CLIENT_SECRET: $CLIENT_SECRET"
echo "TENANT: $TENANT"
```

Note the appId and password from the output; you'll need them later.
- Get the object ID of the service principal:

```bash
OBJECTID=$(az ad sp show --id "$CLIENT_ID" --query id -o tsv | tr -d '\r\n')
echo $OBJECTID
```

- Assign permissions to the service principal:

```bash
az keyvault set-policy --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --object-id $OBJECTID --secret-permissions get
az keyvault set-policy --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --object-id $OBJECTID --certificate-permissions get list
```
- Prepare your jar: have the jar file you wish to sign ready.
- Execute jarsigner: use the jarsigner tool with the Key Vault JCA provider to sign your jar file. Replace the following parameters with the actual values:

| Parameter | Description | Example |
| --- | --- | --- |
| PARAM_YOUR_JAR_FILE_PATH | The path to the jar file you wish to sign. | /path/to/your/jarfile.jar |
| PARAM_JCA_PROVIDER_JAR_PATH | The path to the JCA provider jar file. | /path/to/your/azure-security-keyvault-jca-2.8.1.jar |

- If you are using Java 8, sign the jar with the following command:

```bash
jarsigner -keystore NONE -storetype AzureKeyVault \
  -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \
  -verbose -storepass "" \
  -providerName AzureKeyVault \
  -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
  -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
  -J-Dazure.keyvault.tenant-id=${TENANT} \
  -J-Dazure.keyvault.client-id=${CLIENT_ID} \
  -J-Dazure.keyvault.client-secret=${CLIENT_SECRET}
```
- If you are using Java 9 or higher, sign the jar with the following command:

```bash
jarsigner -keystore NONE -storetype AzureKeyVault \
  -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \
  -verbose -storepass "" \
  -providerName AzureKeyVault \
  -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
  -J--module-path="${PARAM_JCA_PROVIDER_JAR_PATH}" \
  -J--add-modules="com.azure.security.keyvault.jca" \
  -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
  -J-Dazure.keyvault.tenant-id=${TENANT} \
  -J-Dazure.keyvault.client-id=${CLIENT_ID} \
  -J-Dazure.keyvault.client-secret=${CLIENT_SECRET}
```

Note that both commands pass the client secret on the command line as a JVM system property, so it is visible in the process list and in the shell history of the signing host.

- Check your output; it may look like this:
- Verify the signed jar using the following jarsigner command:

```bash
jarsigner -verify -verbose -certs signerjar.jar
```
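As an added check that is not part of the original guide, the following Java program (JDK APIs only) opens the signed jar with verification enabled, reads every entry so that its digest is checked against the signed manifest, prints which certificate signed each entry, and exits non-zero if any content entry is unsigned. It assumes the signed jar is the `signerjar.jar` produced above, or a path passed as the first argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedJar {
    /** Returns the number of unsigned content entries; a tampered entry raises SecurityException. */
    static int checkEntries(String jarPath) throws Exception {
        int unsigned = 0;
        // The second argument turns on signature verification while entries are read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                // The manifest and the signature files are not themselves signed entries.
                boolean signatureFile = name.equals("META-INF/MANIFEST.MF") || name.matches("(?i)META-INF/.*\\.(SF|RSA|DSA|EC)");
                if (entry.isDirectory() || signatureFile) {
                    continue;
                }
                // Signers are only available after the entry has been fully read;
                // a digest mismatch surfaces here as a SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* consume to trigger the digest check */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    System.out.println("UNSIGNED  " + name);
                    unsigned++;
                    continue;
                }
                for (CodeSigner signer : signers) {
                    X509Certificate leaf = (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    System.out.println("signed    " + name + "  by " + leaf.getSubjectX500Principal().getName());
                }
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the signed jar is the signerjar.jar written by the jarsigner step above.
        String jarPath = args.length > 0 ? args[0] : "signerjar.jar";
        int unsigned = checkEntries(jarPath);
        System.exit(unsigned == 0 ? 0 : 1);
    }
}
```

Because `az keyvault certificate get-default-policy` yields a self-signed certificate, `jarsigner -verify` reports the signature as valid but warns that the signer certificate is self-signed; the subject printed by this program lets you confirm it is the certificate from your key vault.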
By following these steps, you can integrate the Key Vault JCA provider with jarsigner. This method ensures a secure and efficient signing process using Azure Key Vault.

To avoid Azure charges, clean up the resources you no longer need:

```bash
az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
az ad app delete --id $CLIENT_ID
```