Uploaded image for project: 'SignServer'
  1. SignServer
  2. DSS-2064

Initial support for Azure Key Vault


    • Epic Link:
    • Sprint:
      SignServer-Sprint-117-Azure1, SignServer-Sprint-118-Azure2


      Migrate the EJBCA CryptoToken for Azure Key Vault from EJBCA (added in ECA-7278 and later updated).



      • Step 1: ML, () MS, MK: Check review of the EJBCA code (in ECA-7278 and/or later)
      • Step 2: Make a first attempt to integrate it to SignServer code base and make it compile
        • MK: Add the required JSON library
        • ML: Maybe create our own AzureKeyVaultCryptoToken class delegating to the EJBCA/CESeCore AzureCryptoToken class like we do for PKCS11CryptoToken?
      • Step 3: () ML: Test that it runs (using our test account DSSINTER-484)
        • Add support for AlgorithmParameterSpec for key-pair generation. Update: Not needed
        • Generate CSR
        • ML: Sign with signer
        • ML: CryptoWorker activation + auto-activation
        • MK: Test key operation: Need to change KeyStoreDelegator as there is no dummy cert
        • MK: NPE in org.signserver.server.signers.BaseSigner.containsCertificate(BaseSigner.java:388) when viewing status of workers that has not yet got a certificate
        • PGP Signing is not supported as the implementation uses the dates from the dummy certificate and the AzureCryptoToken currently does not provide such: DSS-2127
        • Implement key removal
        • ML: Fill in key type and key spec when searching for token entries and additional information
        • Test with all algorithms: DSS-2132
          • Key gen
          • Test key
          • Generate CSR
          • Sign with signer
        • ML: Key generation failure on missing key vault type: Give error message in init on missing key_vault_type
      Caused by: java.lang.NullPointerException
      	at org.cesecore.keys.token.AzureCryptoToken.generateKeyPair(AzureCryptoToken.java:482)
      	at org.signserver.server.cryptotokens.AzureKeyVaultCryptoToken.generateKeyPair(AzureKeyVaultCryptoToken.java:259)
      	at org.signserver.server.cryptotokens.AzureKeyVaultCryptoToken.generateKey(AzureKeyVaultCryptoToken.java:362)
      	at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:655)
      	at org.signserver.ejb.WorkerSessionBean.generateSignerKey(WorkerSessionBean.java:476)
        • ...
      • Step 4: Make real implementation (based on step 2 code or rewritten in better way)
        • ML: Add info about the JSON library to jars/projects-list (see EJBCA lib/readme.txt etc.)
        • Add a azurekeyvault-crypto.properties sample configuration template file
        •   Add checks for required and optional properties in our AzureKeyVaultCryptoToken.init() as the names are different in our case
      • Step 5: Implement tests and documentation
      • Additional:
        • Register ticket to upgrade to the CESeCore version (TBD) which has the AzureCryptoToken implementation and then to remove our forked version of it
          • MK: Check so we have not made any changes to the branched CESeCore classes: Only differences is that we have removed one method implementation that is for a method introduced in a later version of CESeCore's BaseCryptoToken. After upgrading CESeCore this change is not needed and instead the stock AzureCryptoToken can be used.
          • DSS-2129


      • Migrate EJBCA crypto token to a SignServer crypto token
      • Manual Testing
        • Get access to KeyVault: DSSINTER-484
        • Setup crypto token
        • Generate keys
        • Perform signing with various signers
      • Documentation
        • Reference page for the new crypto token
        • Some KeyVault how-to in operations guide?
      • Automatic tests
        • We already have SunPKCS11 and P11NG flavor of the P11 tests, see if we can add KeyVault as an other flavor and run our tests
        • test-config.properties for azure credentials


          Issue Links



              marcus.lundblad@primekey.se Marcus Lundblad
              markus Markus Kilås
              Verified by:
              Markus Kilås
              1 Vote for this issue
              3 Start watching this issue



                  Time Tracking

                  Original Estimate - 1 week, 4 hours
                  1w 4h
                  Remaining Estimate - 0 minutes
                  Time Spent - 4 days, 38 minutes Time Not Required
                  4d 38m