Azure Key Vault authentication fails with S2S12005 error while using valid credentials

[TDYMueller]

Issue Description

When attempting to use Jsign with Azure Key Vault, authentication fails with error S2S12005, even though the same credentials work correctly with AzureSignTool.

Steps to Reproduce

1. Install Jsign 7.1
2. Run the following command:

jsign \
  --storetype AZUREKEYVAULT \
  --keystore https://[vault-name].vault.azure.net \
  --alias "[certificate-name]" \
  --storepass "tenantId=[tenant-id],clientId=[client-id],clientSecret=[client-secret]" \
  --debug \
  test.js

Current Behavior

• Jsign attempts to access Key Vault directly without first obtaining an Azure AD token
• Returns 401 Unauthorized with error code S2S12005
• Debug output shows:

GET https://[vault-name].vault.azure.net/certificates/[cert-name]?api-version=7.2
Response Code: 401
Error: {"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}

Expected Behavior

• Jsign should first obtain an OAuth token from login.microsoftonline.com
• Then use that token to authenticate with Azure Key Vault
• Successfully access the certificate (as AzureSignTool does with the same credentials)

Evidence

1. The same credentials work perfectly with AzureSignTool:

azuresigntool sign --kvu https://[vault-name].vault.azure.net/ --kvc [cert-name] \
  --azure-key-vault-client-id [client-id] \
  --azure-key-vault-tenant-id [tenant-id] \
  --kvs [client-secret] \
  --timestamp-rfc3161 http://timestamp.digicert.com ./test.js

2. Azure Key Vault logs show:

• Authentication attempt results in 401
• No prior token acquisition attempt
• Operation logs confirm missing OAuth token

Environment

• OS: Linux
• Jsign version: 7.1

Additional Notes

The issue appears to be in Jsign's Azure authentication implementation. AzureSignTool uses the official Azure Identity libraries which handle the complete OAuth flow, while Jsign seems to be attempting direct access without proper token acquisition.

[ebourg]

The command used isn't the one documented, the access token should be passed to the --storepass parameter, Jsign doesn't support the "tenantId=[tenant-id],clientId=[client-id],clientSecret=[client-secret]" syntax. That may be a nice improvement though.

[TDYMueller]

jsign --storetype AZUREKEYVAULT --keystore "Keystore URL" --storepass [REDACTED] --alias "Cert Name" test.js --debug

I still get the same error: Caused by: java.io.IOException: Unauthorized: [BearerReadAccessTokenFailed] Error validating token: 'S2S12005'.

[TDYMueller]

I found the solution. The key is to obtain a proper OAuth2 token first, rather than using the client secret directly as the storepass.

Here's the working approach:

```bash
# First, obtain an Azure OAuth token
TOKEN=$(curl -X POST "https://login.microsoftonline.com/<TENANT_ID>/oauth2/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&resource=https://vault.azure.net" \
    | jq -r '.access_token')

# Then use the token with jsign
jsign --storetype AZUREKEYVAULT \
    --keystore "https://<YOUR_KEYVAULT>.vault.azure.net" \
    --storepass "$TOKEN" \
    --alias "<YOUR_CERT_NAME>" \
    your_file.js
```

Required Azure configuration:
* Valid Azure tenant ID
* Application (client) ID with permissions to access the Key Vault
* Client secret for authentication
* Key Vault with proper access policies configured

[TDYMueller]

Closed, this is complete, I hope this might help someone in the future.