Apply the proxy settings before accessing the cloud signing services (Fixes #324)

ebourg · ebourg · commit 3d339493f39c · 2025-10-02T16:50:30.000+02:00
diff --git a/README.md b/README.md
@@ -68,6 +68,7 @@ See https://ebourg.github.io/jsign for more information.
 
 * Multiple signatures are now supported for EFI files
 * Self-signed certificates are no longer removed from the certificate store embedded in the signature (contributed by Christian Renz)
+* The proxy settings are now applied to the connections to the cloud signing services
 * API changes:
   * New `Signable.setSignatures(List<CMSSignedData>)` method to set multiple signatures (nesting is handled automatically)
   * `SignatureUtils.getSignatures()` now removes the nested signatures from the first signature in the list
diff --git a/jsign-cli/pom.xml b/jsign-cli/pom.xml
@@ -40,6 +40,13 @@
       <version>2.0.22</version> <!-- last version supporting Java 8 -->
       <scope>test</scope>
     </dependency>
+
+    <dependency>
+      <groupId>net.jadler</groupId>
+      <artifactId>jadler-all</artifactId>
+      <version>1.3.1</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/jsign-cli/src/test/java/net/jsign/JsignCLITest.java b/jsign-cli/src/test/java/net/jsign/JsignCLITest.java
@@ -18,6 +18,7 @@
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.FileReader;
 import java.net.ProxySelector;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
@@ -28,6 +29,7 @@
 import java.util.concurrent.atomic.AtomicBoolean;
 
 import io.netty.handler.codec.http.HttpRequest;
+import net.jadler.Jadler;
 import org.apache.commons.cli.ParseException;
 import org.apache.commons.io.ByteOrderMark;
 import org.apache.commons.io.FileUtils;
@@ -481,6 +483,52 @@ public String getRealm() {
         }
     }
 
+    @Test
+    public void testSigningWithProxy() throws Exception {
+        Jadler.initJadler().withDefaultResponseStatus(404);
+        Jadler.onRequest()
+                .havingMethodEqualTo("GET")
+                .havingPathEqualTo("/certificates/test1")
+                .havingHeaderEqualTo("Via", "1.1 JsignProxy")
+                .respond()
+                .withStatus(200)
+                .withBody(IOUtils.toString(new FileReader("../jsign-crypto/src/test/resources/services/azure-certificate.json")).replaceAll("https://jsigntestkeyvault.vault.azure.net", "http://localhost:" + Jadler.port()));
+
+        Jadler.onRequest()
+                .havingMethodEqualTo("POST")
+                .havingPathEqualTo("/keys/test1/38ca3e3560b94086ac604c5dd21aa055/sign")
+                .havingHeaderEqualTo("Via", "1.1 JsignProxy")
+                .havingBodyEqualTo("{\"alg\":\"RS256\",\"value\":\"kSBZhCngz7tfmw+l3j1W5vHMMcGYvpijTm++fl8zANY=\"}")
+                .respond()
+                .withStatus(200)
+                .withBody("{\"kid\":\"https://jsigntestkeyvault.vault.azure.net/keys/test1/38ca3e3560b94086ac604c5dd21aa055\",\"value\":\"CzDTijE0vOEDJTzbzhaMuF5mN-yO59DI5DaA35U8Rldj1mwwmHvH2yyLn2UA_dn2U5KjjmI5CXjf_gWa_-WZDmTxr6w-yNRUlJ4TJZBUF7tdi5MI70maZgcY3MGkXzWeAxXiKf57ZLMfJWLNGxXMrMQRJDi6XlDfmwIApxK-0gsUlZhq2GjlBZWGf7IPBr1Mk6ZeOUfPzFTrPXgFs5CBS5FMYGuujePGjVDRY-ODbs2l9JpQW-wv6lRX0bFXgzn4LwVqHOM_P-_kxBLbIV37hfnBnV_uYF3aDEYkE3I-wni8JPRr3hFsqRY5wea_HzzropDD1zQ5TNLJXdbLro0S7A\"}");
+
+        HttpProxyServer proxy = DefaultHttpProxyServer.bootstrap()
+                .withPort(12543)
+                .withProxyAlias("JsignProxy")
+                .start();
+
+        try {
+            File targetFile2 = new File("target/test-classes/wineyes-signed-with-cli-proxy.exe");
+            FileUtils.copyFile(sourceFile, targetFile2);
+            cli.execute("--storetype=AZUREKEYVAULT",
+                    "--keystore=http://localhost:" + Jadler.port(),
+                    "--storepass=token",
+                    "--alias=test1",
+                    "--proxyUrl=localhost:" + proxy.getListenAddress().getPort(),
+                    "" + targetFile2);
+
+            assertTrue("The file " + targetFile2 + " wasn't changed", SOURCE_FILE_CRC32 != FileUtils.checksumCRC32(targetFile2));
+
+            try (PEFile peFile = new PEFile(targetFile2)) {
+                SignatureAssert.assertSigned(peFile, SHA256);
+            }
+        } finally {
+            proxy.stop();
+            Jadler.closeJadler();
+        }
+    }
+
     @Test
     public void testReplaceSignature() throws Exception {
         File targetFile2 = new File("target/test-classes/wineyes-re-signed.exe");
diff --git a/jsign-core/src/main/java/net/jsign/SignerHelper.java b/jsign-core/src/main/java/net/jsign/SignerHelper.java
@@ -342,6 +342,12 @@ public void execute(File file) throws SignerException {
     }
 
     private AuthenticodeSigner build() throws SignerException {
+        try {
+            initializeProxy(proxyUrl, proxyUser, proxyPass);
+        } catch (Exception e) {
+            throw new SignerException("Couldn't initialize proxy", e);
+        }
+
         KeyStore ks;
         try {
             ks = ksparams.build();
@@ -416,12 +422,6 @@ private AuthenticodeSigner build() throws SignerException {
             throw new SignerException("The digest algorithm " + alg + " is not supported");
         }
 
-        try {
-            initializeProxy(proxyUrl, proxyUser, proxyPass);
-        } catch (Exception e) {
-            throw new SignerException("Couldn't initialize proxy", e);
-        }
-
         // enable timestamping with Azure Trusted Signing
         if (tsaurl == null && storetype == KeyStoreType.TRUSTEDSIGNING) {
             tsaurl = "http://timestamp.acs.microsoft.com/";
diff --git a/jsign-crypto/src/test/java/net/jsign/jca/AzureKeyVaultSigningServiceTest.java b/jsign-crypto/src/test/java/net/jsign/jca/AzureKeyVaultSigningServiceTest.java
@@ -118,7 +118,7 @@ public void testGetCertificateChain() throws Exception {
         Certificate[] chain = service.getCertificateChain("test1");
         assertNotNull("chain", chain);
         assertEquals("number of certificates", 1, chain.length);
-        assertEquals("subject name", "CN=Jsign Test Certificate", ((X509Certificate) chain[0]).getSubjectDN().getName());
+        assertEquals("subject name", "CN=Jsign Code Signing Test Certificate 2024 (RSA)", ((X509Certificate) chain[0]).getSubjectDN().getName());
 
         // check if the certificate is cached
         Certificate[] chain2 = service.getCertificateChain("test1");
diff --git a/jsign-crypto/src/test/resources/services/azure-certificate.json b/jsign-crypto/src/test/resources/services/azure-certificate.json
@@ -3,7 +3,7 @@
   "kid": "https://jsigntestkeyvault.vault.azure.net/keys/test1/38ca3e3560b94086ac604c5dd21aa055",
   "sid": "https://jsigntestkeyvault.vault.azure.net/secrets/test1/38ca3e3560b94086ac604c5dd21aa055",
   "x5t": "v0sWC5lKV5G4k4UdqPWBo1PhBqs",
-  "cer": "MIIDSDCCAjCgAwIBAgIQI+1K7AuPQaOHuA2AcfOx1zANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDExZKc2lnbiBUZXN0IENlcnRpZmljYXRlMB4XDTIxMDYxMjA4MjcwOVoXDTIyMDYxMjA4MzcwOVowITEfMB0GA1UEAxMWSnNpZ24gVGVzdCBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+hb3oSz3Dmpsua/hdchodcxPVoC0Edc3yyYeXPyU15eZJggxmKFSbtuhhuMSCnyy/U5IdkwGL1Itb9Z0JkNbCuz0Qoj2US3lO1zG6BWLYATQzLI0P8gcC77MRFTolkCs8Db4zF/fm7887XjlnBIDKxxSaSFxXKMCRnnYkS71IxrmhcEI8UO9jaP6c5aux61nPEqn/eO64WEYp5FkjHrsmKz9T98MijLorMSCKnClniGBpJDOMy2koLNuWjYhjU5dwBcP0EaydZWm8ithVxQNgxFQTeaNf4q4kwZggULSlaIst9zLlXz1DDQSPrTJNIHs3TataFehpVpaezb+b4bPECAwEAAaN8MHowDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFPdrIYZz5JtpoVDDU9rGMSNHwjkEMB0GA1UdDgQWBBT3ayGGc+SbaaFQw1PaxjEjR8I5BDANBgkqhkiG9w0BAQsFAAOCAQEAHDS/9U5nYwnDDEZ5V0wSNnGSfO5MuOINeD/5qiQx7v4K+6mvx+tX9cKRaNsf7zHv6lEcuuwZgGS61dyl3RItKURrGQxpAk07oEEuNgj+8EcShfwZ7Flufk1DGaawYklBCY7JNvUctUqOGeZ56Vy94r42rleh2w9FPWcoA7ZypnYq1Z7aM6AWQwQ7AJuPxrp49ATBQFUTG17QrVh8EX8b3gG6D/IV3WhrFr9BX3DOcACdgKT82oLyTfFQOZRxM4hZzhLlBQWu5oBe1ZcGGhhz3GwIFSScuxxCJkA9FiiU31COaW/4Zmj86JM/sHzO9ntn9UKqpbB7bI964v8EKPo/Pg==",
+  "cer": "MIID9zCCAt+gAwIBAgIUIyrnR0Owrk2nS+rhU4dkSvbKegMwDQYJKoZIhvcNAQELBQAwJTEjMCEGA1UEAwwaSnNpZ24gQ29kZSBTaWduaW5nIENBIDIwMjQwHhcNMjQwNTEwMTMwODIwWhcNNDQwNTEwMTMwODIwWjA5MTcwNQYDVQQDDC5Kc2lnbiBDb2RlIFNpZ25pbmcgVGVzdCBDZXJ0aWZpY2F0ZSAyMDI0IChSU0EpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAppBS5ZCsecfKOR2HBZ2pP5bSD23q9OdCZTjL9emDnCwXU1EyHa6MuPs9DH76Xt9knHe8LUknX9EzoJUUFi5rMvB8OOXj82PieCWK36KM4m1ecHFIYikplNo5HD1phwwi8dGLFkWqlUh8DQjuCMQH9aQjoer54+7RkYA2iuCAnH9A/kiEE/MpKa/7zdxAD3ngk3wSN3K4zNWzZKo7KBRso1qLiOWaK0RTIoH/b2T2mj732kncpRB74EeWLd/IQU3NR0/2cHoVTD72Sjjz8LSruop6sqSdhbfKxnAPvRYx3jRr/hTVwAFIVtW/IhUBrh3FGhyjnYaS37HUaE4LO0u1DwIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFBLEig5vFkfxsh/Oey8w5icoMTSTMB8GA1UdIwQYMBaAFOJxSqNT6Vgqe5REPTuuigHU5QT9MIGVBggrBgEFBQcBAQSBiDCBhTCBggYIKwYBBQUHMAKGdmh0dHA6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL2Vib3VyZy9qc2lnbi9tYXN0ZXIvanNpZ24tY29yZS9zcmMvdGVzdC9yZXNvdXJjZXMva2V5c3RvcmVzL2pzaWduLWNvZGUtc2lnbmluZy1jYS5jZXIwDQYJKoZIhvcNAQELBQADggEBADX+jVZK5h+GrFNpM1LtjIxOaBSMTJpByreAGswx6sU0tMrdKRmSJwA48qahbKH2Xwl/dMBfOEbHIfqqW8tXJ6NTIqaAw2Tn0kUPH6bzy7vLXOhR1fIdrEsAVyR3dk19Du2IJa44rB0qrVWIXsVVPSWj3PeOj3MocPh1jFMnA83ZY2/lJSOJ6BByILtTPuiUckfB6K1y/f4KMAh67esxF9jYE2s0mqtxqNN9HSASfcf2Cw6hnTx5p5VwbOiP5Z3C42Fy9tjNt9ccb6PaP1yn72tQSfZC4XcRmbiQauhjph4Qop1t1urU1gdlF8gD2vDdNaIgKIX2Hnj1eZNP5R9VC08=",
   "attributes": {
     "enabled": true,
     "nbf": 1623486429,
