Fixed an issue where a disabled certificate in Azure Key Vault caused keystore initialization to fail with an HTTP 403 error#49730
Conversation
… keystore initialization to fail with an HTTP 403 error
There was a problem hiding this comment.
Pull request overview
This PR fixes Azure Key Vault JCA keystore initialization failures caused by disabled certificates in a vault by filtering out explicitly disabled certificates during alias discovery, preventing downstream 403s from aborting initialization.
Changes:
- Add certificate “attributes.enabled” parsing support and an
isEnabled()helper onCertificateItem. - Skip explicitly disabled certificates in
KeyVaultClient#getAliases()and log a warning when skipping. - Add unit tests covering enabled/disabled/attributeless certificate-list responses, and record the fix in the changelog.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/implementation/KeyVaultClientTest.java | Adds tests ensuring disabled certificates are filtered out of aliases (including raw REST-shaped JSON). |
| sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/model/CertificateItemAttributes.java | Introduces a REST-model for certificate list attributes (currently parses enabled). |
| sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/model/CertificateItem.java | Adds attributes support and a helper to treat absent attributes as enabled for compatibility. |
| sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java | Filters aliases to skip disabled certificates to avoid later 403s breaking initialization. |
| sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md | Documents the bug fix in the unreleased section. |
|
Hi @g2vinay, this pr is pending for code owner approval, please help help review it. Thanks! |
prithwishlaha1996
left a comment
There was a problem hiding this comment.
Does this skip the cert load whose alias is not specified in the configuration ?
As I understand it, it should load only the certificate whose alias is specified in the configuration. However, if there are 10 enabled certificates in Key Vault, it appears to load all of them even when a specific alias is configured. Is it an expected behavior ?
spring:
ssl:
bundle:
keyvault:
apptls:
key:
alias: cert-name
|
@prithwishlaha1996 It will still load all certificates. Loading only specified certificates is a new requirement, and we need to further confirm whether to add it now. |
|
@prithwishlaha1996 let's merge this bug first, I re-opened the feature request #39487 |
Fixes #49692
Description
Please add an informative description that covers that changes made by the pull request and link all relevant issues.
If an SDK is being regenerated based on a new swagger spec, a link to the pull request containing these swagger spec changes has been included above.
All SDK Contribution checklist:
General Guidelines and Best Practices
Testing Guidelines