Azure Trusted Signing support

README.md

@@ -32,6 +32,7 @@ Jsign is free to use and licensed under the [Apache License version 2.0](https:/
   * Cloud key management systems:
     * [AWS KMS](https://aws.amazon.com/kms/)
     * [Azure Key Vault](https://azure.microsoft.com/services/key-vault/)
+    * [Azure Trusted Signing](https://learn.microsoft.com/en-us/azure/trusted-signing/)
     * [DigiCert ONE](https://one.digicert.com)
     * [Google Cloud KMS](https://cloud.google.com/security-key-management)
     * [HashiCorp Vault](https://www.vaultproject.io/)
@@ -51,6 +52,7 @@ See https://ebourg.github.io/jsign for more information.
 
 #### Version 6.1 (in development)
 
+* The Azure Trusted Signing service has been integrated
 * The Oracle Cloud signing service has been integrated
 * Signing of NuGet packages has been implemented (contributed by Sebastian Stamm)
 * Jsign now checks if the certificate subject matches the app manifest publisher before signing APPX/MSIX packages

docs/index.html

@@ -70,6 +70,7 @@ <h3 id="features">Features</h3>
         <ul>
           <li><a href="https://aws.amazon.com/kms/">AWS KMS</a></li>
           <li><a href="https://azure.microsoft.com/services/key-vault/">Azure Key Vault</a></li>
+          <li><a href="https://learn.microsoft.com/en-us/azure/trusted-signing/">Azure Trusted Signing</a></li>
           <li><a href="https://one.digicert.com">DigiCert ONE</a></li>
           <li><a href="https://cloud.google.com/security-key-management">Google Cloud KMS</a></li>
           <li><a href="https://www.vaultproject.io">HashiCorp Vault</a></li>
@@ -198,6 +199,7 @@ <h4 id="attributes" class="mobile-only">Attributes</h4>
           <li><code>GOOGLECLOUD</code>: Google Cloud KMS</li>
           <li><code>HASHICORPVAULT</code>: Google Cloud KMS via HashiCorp Vault</li>
           <li><code>ORACLECLOUD</code>: Oracle Cloud Key Management Service</li>
+          <li><code>TRUSTEDSIGNING</code>: Azure Trusted Signing</li>
         </ul>
       </td>
       <td class="required">No, automatically detected for file based keystores.</td>
@@ -472,6 +474,7 @@ <h3 id="cli">Command Line Tool</h3>
                              - GOOGLECLOUD: Google Cloud KMS
                              - HASHICORPVAULT: Google Cloud KMS via HashiCorp Vault
                              - ORACLECLOUD: Oracle Cloud Key Management Service
+                             - TRUSTEDSIGNING: Azure Trusted Signing
   -a,--alias &lt;NAME>          The alias of the certificate used for signing in the keystore.
      --keypass &lt;PASSWORD>    The password of the private key. When using a keystore,
                              this parameter can be omitted if the keystore shares the
@@ -641,6 +644,35 @@ <h4 id="example-azurekeyvault">Signing with Azure Key Vault</h4>
 
 <p>The Azure account used must have the <em>"Key Vault Crypto User"</em> and <em>"Key Vault Certificate User"</em> roles.</p>
 
+<h4 id="example-trustedsigning">Signing with Azure Trusted Signing</h4>
+
+<p>With the Azure <a href="https://learn.microsoft.com/en-us/azure/trusted-signing/overview">Trusted Signing</a> service
+the <code>keystore</code> parameter specifies the endpoint URI, and the <code>alias</code> combines the account name and
+the certificate profile. The Azure API access token is used as the keystore password.</p>
+
+<pre>
+ jsign --storetype TRUSTEDSIGNING \
+       --keystore weu.codesigning.azure.net \
+       --storepass &lt;api-access-token&gt; \
+       --alias &lt;account&gt;/&lt;profile&gt; application.exe
+</pre>
+
+<p>The access token can be obtained with the <a href="https://learn.microsoft.com/en-us/cli/azure/">Azure CLI</a>:</p>
+
+<pre>
+ az account get-access-token --resource https://codesigning.azure.net
+</pre>
+
+<p>The Azure account used must have the <em>"Code Signing Certificate Profile Signer"</em> role.</p>
+
+<p>The certificates issued by Azure Trusted Signing have a lifetime of 3 days only, and timestamping is necessary to
+ensure the long term validity of the signature. For this reason timestamping is automatically enabled when signing
+with this service.</p>
+
+<p>Implementation note: Jsign performs an extra call to the signing API to retrieve the current certificate chain before
+signing. When signing multiple files it's recommended to invoke Jsign only once with the list of files to avoid doubling
+the quota usage.</p>
+
 <h4 id="example-digicertone">Signing with DigiCert ONE</h4>
 
 <p>Certificates and keys stored in the <a href="https://one.digicert.com">DigiCert ONE</a> Secure Software Manager

jsign-cli/src/main/java/net/jsign/JsignCLI.java

@@ -78,7 +78,8 @@ public static void main(String... args) {
                         + "- ESIGNER: SSL.com eSigner\n"
                         + "- GOOGLECLOUD: Google Cloud KMS\n"
                         + "- HASHICORPVAULT: Google Cloud KMS via HashiCorp Vault\n"
-                        + "- ORACLECLOUD: Oracle Cloud Key Management Service\n").build());
+                        + "- ORACLECLOUD: Oracle Cloud Key Management Service\n"
+                        + "- TRUSTEDSIGNING: Azure Trusted Signing\n").build());
         options.addOption(Option.builder("a").hasArg().longOpt(PARAM_ALIAS).argName("NAME").desc("The alias of the certificate used for signing in the keystore.").build());
         options.addOption(Option.builder().hasArg().longOpt(PARAM_KEYPASS).argName("PASSWORD").desc("The password of the private key. When using a keystore, this parameter can be omitted if the keystore shares the same password.").build());
         options.addOption(Option.builder().hasArg().longOpt(PARAM_KEYFILE).argName("FILE").desc("The file containing the private key. PEM and PVK files are supported. ").type(File.class).build());

jsign-core/src/main/java/net/jsign/KeyStoreType.java

@@ -37,6 +37,7 @@
 import net.jsign.jca.AmazonCredentials;
 import net.jsign.jca.AmazonSigningService;
 import net.jsign.jca.AzureKeyVaultSigningService;
+import net.jsign.jca.AzureTrustedSigningService;
 import net.jsign.jca.DigiCertOneSigningService;
 import net.jsign.jca.ESignerSigningService;
 import net.jsign.jca.GoogleCloudSigningService;
@@ -469,6 +470,30 @@ Provider getProvider(KeyStoreBuilder params) {
             }
             return new SigningServiceJcaProvider(new OracleCloudSigningService(credentials, getCertificateStore(params)));
         }
+    },
+
+    /**
+     * Azure Trusted Signing Service. The keystore parameter specifies the API endpoint (for example
+     * <code>weu.codesigning.azure.net</code>). The Azure API access token is used as the keystore password,
+     * it can be obtained using the Azure CLI with:
+     *
+     * <pre>  az account get-access-token --resource https://codesigning.azure.net</pre>
+     */
+    TRUSTEDSIGNING(false, false, false) {
+        @Override
+        void validate(KeyStoreBuilder params) {
+            if (params.keystore() == null) {
+                throw new IllegalArgumentException("keystore " + params.parameterName() + " must specify the Azure endpoint (<region>.codesigning.azure.net)");
+            }
+            if (params.storepass() == null) {
+                throw new IllegalArgumentException("storepass " + params.parameterName() + " must specify the Azure API access token");
+            }
+        }
+
+        @Override
+        Provider getProvider(KeyStoreBuilder params) {
+            return new SigningServiceJcaProvider(new AzureTrustedSigningService(params.keystore(), params.storepass()));
+        }
     };
 
 

jsign-core/src/main/java/net/jsign/SignerHelper.java

@@ -384,6 +384,13 @@ private AuthenticodeSigner build() throws SignerException {
         } catch (Exception e) {
             throw new SignerException("Couldn't initialize proxy", e);
         }
+
+        // enable timestamping with Azure Trusted Signing
+        if (tsaurl == null && storetype == KeyStoreType.TRUSTEDSIGNING) {
+            tsaurl = "http://timestamp.acs.microsoft.com/";
+            tsmode = TimestampingMode.RFC3161.name();
+            tsretries = 3;
+        }
 
         // configure the signer
         return new AuthenticodeSigner(chain, privateKey)

jsign-core/src/main/java/net/jsign/jca/AzureTrustedSigningService.java

@@ -0,0 +1,189 @@
+/**
+ * Copyright 2024 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign.jca;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStoreException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import com.cedarsoftware.util.io.JsonWriter;
+
+import net.jsign.DigestAlgorithm;
+
+/**
+ * Signing service using the Azure Trusted Signing API.
+ *
+ * @since 6.1
+ */
+public class AzureTrustedSigningService implements SigningService {
+
+    /** Cache of certificate chains indexed by alias */
+    private final Map<String, Certificate[]> certificates = new HashMap<>();
+
+    private final RESTClient client;
+
+    /** Timeout in seconds for the signing operation */
+    private long timeout = 60;
+
+    /**
+     * Mapping between Java and Azure signing algorithms.
+     * @see <a href="https://docs.microsoft.com/en-us/rest/api/keyvault/sign/sign#jsonwebkeysignaturealgorithm">Key Vault API - JonWebKeySignatureAlgorithm</a>
+     */
+    private final Map<String, String> algorithmMapping = new HashMap<>();
+    {
+        algorithmMapping.put("SHA256withRSA", "RS256");
+        algorithmMapping.put("SHA384withRSA", "RS384");
+        algorithmMapping.put("SHA512withRSA", "RS512");
+        algorithmMapping.put("SHA256withECDSA", "ES256");
+        algorithmMapping.put("SHA384withECDSA", "ES384");
+        algorithmMapping.put("SHA512withECDSA", "ES512");
+        algorithmMapping.put("SHA256withRSA/PSS", "PS256");
+        algorithmMapping.put("SHA384withRSA/PSS", "PS384");
+        algorithmMapping.put("SHA512withRSA/PSS", "PS512");
+    }
+
+    public AzureTrustedSigningService(String endpoint, String token) {
+        if (!endpoint.startsWith("http")) {
+            endpoint = "https://" + endpoint;
+        }
+        client = new RESTClient(endpoint, conn -> conn.setRequestProperty("Authorization", "Bearer " + token));
+    }
+
+    void setTimeout(int timeout) {
+        this.timeout = timeout;
+    }
+
+    @Override
+    public String getName() {
+        return "TrustedSigning";
+    }
+
+    @Override
+    public List<String> aliases() throws KeyStoreException {
+        return new ArrayList<>();
+    }
+
+    @Override
+    public Certificate[] getCertificateChain(String alias) throws KeyStoreException {
+        if (!certificates.containsKey(alias)) {
+            try {
+                String account = alias.substring(0, alias.indexOf('/'));
+                String profile = alias.substring(alias.indexOf('/') + 1);
+                SignStatus status = sign(account, profile, "RS256", new byte[32]);
+                certificates.put(alias, status.getCertificateChain().toArray(new Certificate[0]));
+            } catch (Exception e) {
+                throw new KeyStoreException("Unable to retrieve the certificate chain '" + alias + "'", e);
+            }
+        }
+
+        return certificates.get(alias);
+    }
+
+    @Override
+    public SigningServicePrivateKey getPrivateKey(String alias, char[] password) throws UnrecoverableKeyException {
+        return new SigningServicePrivateKey(alias, "RSA", this);
+    }
+
+    @Override
+    public byte[] sign(SigningServicePrivateKey privateKey, String algorithm, byte[] data) throws GeneralSecurityException {
+        String alg = algorithmMapping.get(algorithm);
+        if (alg == null) {
+            throw new InvalidAlgorithmParameterException("Unsupported signing algorithm: " + algorithm);
+        }
+
+        DigestAlgorithm digestAlgorithm = DigestAlgorithm.of(algorithm.substring(0, algorithm.toLowerCase().indexOf("with")));
+        data = digestAlgorithm.getMessageDigest().digest(data);
+
+        String alias = privateKey.getId();
+        String account = alias.substring(0, alias.indexOf('/'));
+        String profile = alias.substring(alias.indexOf('/') + 1);
+        try {
+            SignStatus status = sign(account, profile, alg, data);
+            return status.signature;
+        } catch (IOException e) {
+            throw new GeneralSecurityException(e);
+        }
+    }
+
+    private SignStatus sign(String account, String profile, String algorithm, byte[] data) throws IOException {
+        Map<String, Object> request = new HashMap<>();
+        request.put("signatureAlgorithm", algorithm);
+        request.put("digest", Base64.getEncoder().encodeToString(data));
+
+        Map<String, Object> args = new HashMap<>();
+        args.put(JsonWriter.TYPE, "false");
+
+        Map<String, ?> response = client.post("/codesigningaccounts/" + account + "/certificateprofiles/" + profile + "/sign?api-version=2022-06-15-preview", JsonWriter.objectToJson(request, args));
+
+        String operationId = (String) response.get("operationId");
+
+        // poll until the operation is completed
+        long startTime = System.currentTimeMillis();
+        int i = 0;
+        while (System.currentTimeMillis() - startTime < timeout * 1000) {
+            try {
+                Thread.sleep(Math.min(1000, 50 + 10 * i++));
+            } catch (InterruptedException e) {
+                break;
+            }
+            response = client.get("/codesigningaccounts/" + account + "/certificateprofiles/" + profile + "/sign/" + operationId + "?api-version=2022-06-15-preview");
+            String status = (String) response.get("status");
+            if ("InProgress".equals(status)) {
+                continue;
+            }
+            if ("Succeeded".equals(status)) {
+                break;
+            }
+
+            throw new IOException("Signing operation " + operationId + " failed: " + status);
+        }
+
+        if (!"Succeeded".equals(response.get("status"))) {
+            throw new IOException("Signing operation " + operationId + " timed out");
+        }
+
+        SignStatus status = new SignStatus();
+        status.signature = Base64.getDecoder().decode((String) response.get("signature"));
+        status.signingCertificate = new String(Base64.getDecoder().decode((String) response.get("signingCertificate")));
+
+        return status;
+    }
+
+    private static class SignStatus {
+        public byte[] signature;
+        public String signingCertificate;
+
+        public Collection<? extends Certificate> getCertificateChain() throws CertificateException {
+            byte[] cerbin = Base64.getMimeDecoder().decode(signingCertificate);
+
+            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+            return certificateFactory.generateCertificates(new ByteArrayInputStream(cerbin));
+        }
+    }
+}

jsign-core/src/main/java/net/jsign/jca/RESTClient.java

@@ -26,6 +26,7 @@
 import java.util.function.Consumer;
 
 import com.cedarsoftware.util.io.JsonReader;
+import com.cedarsoftware.util.io.JsonWriter;
 import org.apache.commons.io.IOUtils;
 
 class RESTClient {
@@ -136,6 +137,10 @@ private String getErrorMessage(Map<String, ?> response) {
             String error = (String) response.get("__type");
             String description = (String) response.get("message");
             message.append(error).append(": ").append(description);
+        } else if (response.containsKey("title") && response.containsKey("errors")) {
+            // error from Azure Code Signing API
+            String errors = JsonWriter.objectToJson(response.get("errors"));
+            message.append(response.get("status")).append(" - ").append(response.get("title")).append(": ").append(errors);
         } else if (response.containsKey("code") && response.containsKey("message")) {
             // error from OCI API
             message.append(response.get("code")).append(": ").append(response.get("message"));

jsign-core/src/test/java/net/jsign/KeyStoreBuilderTest.java

@@ -329,6 +329,32 @@ public void testBuildOracleCloud() throws Exception {
         assertNotNull("keystore", keystore);
     }
 
+    @Test
+    public void testBuildTrustedSigning() throws Exception {
+        KeyStoreBuilder builder = new KeyStoreBuilder().storetype(TRUSTEDSIGNING);
+
+        try {
+            builder.build();
+            fail("Exception not thrown");
+        } catch (IllegalArgumentException e) {
+            assertEquals("message", "keystore parameter must specify the Azure endpoint (<region>.codesigning.azure.net)", e.getMessage());
+        }
+
+        builder.keystore("https://weu.codesigning.azure.net");
+
+        try {
+            builder.build();
+            fail("Exception not thrown");
+        } catch (IllegalArgumentException e) {
+            assertEquals("message", "storepass parameter must specify the Azure API access token", e.getMessage());
+        }
+
+        builder.storepass("0123456789ABCDEF");
+
+        KeyStore keystore = builder.build();
+        assertNotNull("keystore", keystore);
+    }
+
     @Test
     public void testBuildJKS() throws Exception {
         KeyStoreBuilder builder = new KeyStoreBuilder().storetype(JKS);