Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
09c2470
Initial plan
Copilot Feb 11, 2026
e350f9c
Add test to verify certificate chain ordering
Copilot Feb 11, 2026
abd4b84
Implement certificate chain ordering fix for jarsigner compatibility
Copilot Feb 11, 2026
20d4789
Address code review feedback - improve test assertions
Copilot Feb 11, 2026
10558b6
Fix SpotBugs warning - remove redundant null check
Copilot Feb 11, 2026
8a27801
Merge branch 'main' into copilot/fix-jarsigner-certificate-chain-issue
rujche Jul 8, 2026
ced0c80
Complete certificate chain via AIA extension for non-exportable certi…
rujche Jul 8, 2026
b617925
Update CHANGELOG for AIA certificate chain fix
rujche Jul 8, 2026
48a456b
Add INFO/WARNING logs for AIA chain completion cases
rujche Jul 8, 2026
9c41b3a
Address code review feedback
rujche Jul 8, 2026
8d600da
fix: Apply code review feedback on certificate chain completion
rujche Jul 8, 2026
b20362f
fix: Rename test methods to follow camelCase naming convention
rujche Jul 8, 2026
a21661b
refactor: Change AIA chain completion logs to DEBUG level
rujche Jul 8, 2026
b36c3b3
feat: Add debug logging for certificate chains
rujche Jul 8, 2026
89369d8
fix: Address security and accuracy issues in certificate chain comple…
rujche Jul 8, 2026
b329fec
fix: Handle cross-signed certificates and improve exception handling
rujche Jul 8, 2026
a450155
fix: Address remaining Checkstyle and design issues in certificate ch…
rujche Jul 8, 2026
7bf6cd2
fix: Properly handle extra certificates in AIA chain completion
rujche Jul 8, 2026
1ba3cc7
fix: Correct duplicate certificate detection in AIA chain completion
rujche Jul 8, 2026
f259b3e
fix: Improve leaf certificate selection to avoid order-dependency
rujche Jul 8, 2026
422793c
fix: Add system property to disable AIA chain completion for security
rujche Jul 8, 2026
ec732c8
docs: Update CHANGELOG and README with AIA disable option
rujche Jul 8, 2026
69b3afc
style: Rename system property to use hyphens for consistency
rujche Jul 8, 2026
a8d0ee2
test: Add unit test for disable-aia-download system property
rujche Jul 8, 2026
e32635b
fix: Address review comments - heading hierarchy and improved JavaDoc
rujche Jul 8, 2026
40c913a
fix: Wrap long JavaDoc line to comply with 120-char line limit
rujche Jul 8, 2026
cc0b5da
fix: Improve error handling and eliminate property name duplication
rujche Jul 8, 2026
dfb602c
fix: Improve duplicate detection and DN comparison in logging
rujche Jul 8, 2026
c8e8ac4
fix: Use signature-based issuer check instead of subject-DN-only dupl…
rujche Jul 8, 2026
9431d0b
fix: Add GoodLoggingCheck suppression for CertificateUtil.java
rujche Jul 8, 2026
012218b
fix: Remove string concatenation from LOGGER.log calls; restore suppr…
rujche Jul 8, 2026
f783342
fix: Log caught exception in getBytes() to aid AIA failure diagnosis
rujche Jul 8, 2026
afa848c
fix: Improve orderCertificateChain to handle incomplete [root, leaf] …
rujche Jul 8, 2026
f854c12
fix: Add @AfterEach cleanup for system property in AiaCertificateChai…
rujche Jul 8, 2026
6e692c4
fix: Improve leaf selection and chain ordering with signature-based v…
rujche Jul 8, 2026
192126b
fix: Address Copilot review comments on maxDownloads logic and logging
rujche Jul 8, 2026
5029434
fix: Force sequential execution in AiaCertificateChainTest to prevent…
rujche Jul 8, 2026
23dd9a3
fix: Address Copilot review comments - remove unused variables, log e…
rujche Jul 8, 2026
f7ec169
fix: Address Copilot review comments - remove unused variables, log e…
rujche Jul 8, 2026
f63c3f2
fix: validate issuer key usage and select matching cert from AIA bundles
rujche Jul 9, 2026
180037f
fix: align certificate chain self-signed diagnostics with verification
rujche Jul 9, 2026
1af60d6
fix: narrow issuer validation catch for spotbugs
rujche Jul 9, 2026
13b16b1
fix: split long AIA log messages for checkstyle line length
rujche Jul 9, 2026
4e6727f
fix: align chain-end docs and strengthen single-cert edge-case test
rujche Jul 9, 2026
85af4f9
Merge branch 'main' into copilot/fix-jarsigner-certificate-chain-issue
rujche Jul 14, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,14 @@
### Breaking Changes

### Bugs Fixed
- Fixed bug: `jarsigner` reports invalid certificate chain (`PKIX path building failed: unable to find valid certification path to requested target`) when using a non-exportable Azure Key Vault certificate. The fix downloads missing intermediate CA certificates at runtime using the CA Issuers URL in the AIA (Authority Information Access) extension of each certificate. ([#44267](https://github.com/Azure/azure-sdk-for-java/issues/44267))
- Fixed an issue where a disabled certificate in Azure Key Vault caused keystore initialization to fail with an HTTP 403 error. Disabled certificates are now skipped when loading aliases and a warning is logged for each skipped certificate. [#49730](https://github.com/Azure/azure-sdk-for-java/pull/49730)

### Other Changes
- Added system property `azure.keyvault.jca.disable-aia-download` to disable automatic AIA chain completion. This allows locked-down environments to prevent outbound HTTP(S) requests triggered by embedded certificate AIA extensions, mitigating potential SSRF-like attack vectors when loading untrusted certificates. Set to `true` to disable (defaults to `false` for backward compatibility).

### Security Advisory
- **AIA Chain Completion**: The AIA chain completion feature downloads certificates from URLs embedded in certificate extensions. In locked-down environments or when processing untrusted certificates, set `azure.keyvault.jca.disable-aia-download=true` to disable this feature and prevent unexpected network requests.

## 2.11.0 (2026-02-28)

Expand Down
1 change: 1 addition & 0 deletions sdk/keyvault/azure-security-keyvault-jca/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ The JCA library supports configuring the following options:
* `azure.keyvault.jca.certificates-refresh-interval`: The refresh interval time.
* `azure.keyvault.jca.certificates-refresh-interval-in-ms`: The refresh interval time.
* `azure.keyvault.disable-challenge-resource-verification`: Indicates whether to disable verification that the authentication challenge resource matches the Key Vault or Managed HSM domain.
* `azure.keyvault.jca.disable-aia-download`: Set to `true` to disable automatic AIA (Authority Information Access) certificate chain completion. When disabled, the provider will return certificate chains as provided by Azure Key Vault without downloading missing intermediate CA certificates. Use this in locked-down environments or when processing untrusted certificates to prevent outbound HTTP(S) requests to URLs embedded in certificate extensions. Defaults to `false` for backward compatibility.

You can configure these properties using:
```java
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
<suppress files="com.azure.security.keyvault.jca.implementation.certificates.JreCertificates.java" checks="io.clientcore.linting.extensions.checkstyle.checks.GoodLoggingCheck" />
<suppress files="com.azure.security.keyvault.jca.implementation.certificates.SpecificPathCertificates.java" checks="io.clientcore.linting.extensions.checkstyle.checks.GoodLoggingCheck" />
<suppress files="com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil.java" checks="io.clientcore.linting.extensions.checkstyle.checks.GoodLoggingCheck" />
<suppress files="com.azure.security.keyvault.jca.implementation.utils.CertificateUtil.java" checks="io.clientcore.linting.extensions.checkstyle.checks.GoodLoggingCheck" />
Comment thread
rujche marked this conversation as resolved.
Comment thread
rujche marked this conversation as resolved.
Comment thread
rujche marked this conversation as resolved.
<suppress files="com.azure.security.keyvault.jca.implementation.utils.HttpUtil.java" checks="io.clientcore.linting.extensions.checkstyle.checks.GoodLoggingCheck" />
<suppress files="com.azure.security.keyvault.jca.implementation.utils.JsonConverterUtil.java" checks="io.clientcore.linting.extensions.checkstyle.checks.GoodLoggingCheck" />
<suppress files="com.azure.security.keyvault.jca.KeyVaultTrustManager.java" checks="io.clientcore.linting.extensions.checkstyle.checks.ThrowFromClientLoggerCheck" />
Expand Down
Loading
Loading