Align Key Vault JCA authentication with other KV libraries

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java

@@ -7,16 +7,15 @@
 import com.azure.security.keyvault.jca.implementation.certificates.JreCertificates;
 import com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates;
 import com.azure.security.keyvault.jca.implementation.certificates.SpecificPathCertificates;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.security.Key;
 import java.security.KeyStore;
-import java.security.KeyStoreException;
 import java.security.KeyStoreSpi;
 import java.security.NoSuchAlgorithmException;
+import java.security.KeyStoreException;
 import java.security.UnrecoverableEntryException;
+import java.security.Key;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
@@ -26,8 +25,8 @@
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 import java.util.Objects;
+import java.util.Map;
 import java.util.Optional;
 import java.util.logging.Logger;
 import java.util.stream.Stream;
@@ -124,11 +123,12 @@ public KeyVaultKeyStore() {
         LOGGER.log(FINE, "Constructing KeyVaultKeyStore.");
         creationDate = new Date();
         String keyVaultUri = System.getProperty("azure.keyvault.uri");
-        String loginUri = System.getProperty("azure.login.uri");
         String tenantId = System.getProperty("azure.keyvault.tenant-id");
         String clientId = System.getProperty("azure.keyvault.client-id");
         String clientSecret = System.getProperty("azure.keyvault.client-secret");
         String managedIdentity = System.getProperty("azure.keyvault.managed-identity");
+        boolean disableChallengeResourceVerification =
+            Boolean.parseBoolean(System.getProperty("azure.keyvault.disable-challenge-resource-verification"));
         long refreshInterval = getRefreshInterval();
         refreshCertificatesWhenHaveUnTrustCertificate =
             Optional.of("azure.keyvault.jca.refresh-certificates-when-have-un-trust-certificate")
@@ -142,7 +142,7 @@ public KeyVaultKeyStore() {
         customCertificates = SpecificPathCertificates.getSpecificPathCertificates(customPath);
         LOGGER.log(FINE, String.format("Loaded custom certificates: %s.", customCertificates.getAliases()));
         keyVaultCertificates = new KeyVaultCertificates(
-            refreshInterval, keyVaultUri, loginUri, tenantId, clientId, clientSecret, managedIdentity);
+            refreshInterval, keyVaultUri, tenantId, clientId, clientSecret, managedIdentity, disableChallengeResourceVerification);
         LOGGER.log(FINE, String.format("Loaded Key Vault certificates: %s.", keyVaultCertificates.getAliases()));
         classpathCertificates = new ClasspathCertificates();
         LOGGER.log(FINE, String.format("Loaded classpath certificates: %s.", classpathCertificates.getAliases()));
@@ -173,14 +173,12 @@ public static KeyStore getKeyVaultKeyStoreBySystemProperty() throws CertificateE
         KeyStore keyStore = KeyStore.getInstance(KeyVaultJcaProvider.PROVIDER_NAME);
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
-            System.getProperty("azure.login.uri"),
             System.getProperty("azure.keyvault.tenant-id"),
             System.getProperty("azure.keyvault.client-id"),
             System.getProperty("azure.keyvault.client-secret"),
-            System.getProperty("azure.keyvault.managed-identity"));
-
+            System.getProperty("azure.keyvault.managed-identity"),
+            Boolean.parseBoolean(System.getProperty("azure.keyvault.disable-challenge-resource-verification")));
         keyStore.load(parameter);
-
         return keyStore;
     }
 
@@ -368,17 +366,18 @@ public boolean engineIsKeyEntry(String alias) {
     /**
      * Loads the keystore using the given {@code KeyStore.LoadStoreParameter}.
      *
-     * @param param the {@code KeyStore.LoadStoreParameter} that specifies how to load the keystore, which may be
-     * {@code null}.
+     * @param param the {@code KeyStore.LoadStoreParameter}
+     *          that specifies how to load the keystore,
+     *          which may be {@code null}
      */
     @Override
     public void engineLoad(KeyStore.LoadStoreParameter param) {
         if (param instanceof KeyVaultLoadStoreParameter) {
             KeyVaultLoadStoreParameter parameter = (KeyVaultLoadStoreParameter) param;
 
-            keyVaultCertificates.updateKeyVaultClient(
-                parameter.getUri(), parameter.getLoginUri(), parameter.getTenantId(), parameter.getClientId(),
-                parameter.getClientSecret(), parameter.getManagedIdentity());
+            keyVaultCertificates.updateKeyVaultClient(parameter.getUri(), parameter.getTenantId(),
+                parameter.getClientId(), parameter.getClientSecret(), parameter.getManagedIdentity(),
+                parameter.isChallengeResourceVerificationDisabled());
         }
 
         classpathCertificates.loadCertificatesFromClasspath();

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java

@@ -11,24 +11,18 @@
  * @see KeyStore.LoadStoreParameter
  */
 public final class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {
-
     /**
-     * Stores the Key Vault URI.
+     * Stores the URI.
      */
-    private final String keyVaultUri;
-
-    /**
-     * Stores the Azure login URI.
-     */
-    private final String loginUri;
+    private final String uri;
 
     /**
      * Stores the tenant id.
      */
     private final String tenantId;
 
     /**
-     * Stores the client id.
+     * Stores the client ID.
      */
     private final String clientId;
 
@@ -38,77 +32,86 @@ public final class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParam
     private final String clientSecret;
 
     /**
-     * Stores the user-assigned Managed Identity.
+     * Stores the user-assigned identity.
      */
     private final String managedIdentity;
 
+    /**
+     * Stored a flag indicating id challenge resource verification should be disabled.
+     */
+    private boolean disableChallengeResourceVerification;
+
     /**
      * Constructor.
      *
-     * @param keyVaultUri The Azure Key Vault URI.
+     * @param uri The Azure Key Vault URI.
      */
-    public KeyVaultLoadStoreParameter(String keyVaultUri) {
-        this(keyVaultUri, null, null, null, null, null);
+    public KeyVaultLoadStoreParameter(String uri) {
+        this(uri, null, null, null, null);
     }
 
     /**
      * Constructor.
      *
-     * @param keyVaultUri the Azure Key Vault URI.
-     * @param managedIdentity The Managed Identity.
+     * @param uri The Azure Key Vault URI.
+     * @param managedIdentity The managed identity.
      */
-    public KeyVaultLoadStoreParameter(String keyVaultUri, String managedIdentity) {
-        this(keyVaultUri, null, null, null, null, managedIdentity);
+    public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
+        this(uri, null, null, null, managedIdentity);
     }
 
     /**
      * Constructor.
      *
-     * @param keyVaultUri the Azure Key Vault URI.
-     * @param tenantId The tenant id.
-     * @param clientId The client id.
+     * @param uri The Azure Key Vault URI.
+     * @param tenantId The tenant ID.
+     * @param clientId The client ID.
      * @param clientSecret The client secret.
      */
-    public KeyVaultLoadStoreParameter(String keyVaultUri, String tenantId, String clientId, String clientSecret) {
-        this(keyVaultUri, null, tenantId, clientId, clientSecret, null);
+    public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret) {
+        this(uri, tenantId, clientId, clientSecret, null);
     }
 
     /**
      * Constructor.
      *
-     * @param keyVaultUri the Azure Key Vault URI.
-     * @param tenantId The tenant id.
-     * @param clientId The client id.
+     * @param uri The Azure Key Vault URI.
+     * @param tenantId The tenant ID.
+     * @param clientId The client ID.
      * @param clientSecret The client secret.
-     * @param managedIdentity The Managed Identity.
+     * @param managedIdentity The managed identity.
      */
-    public KeyVaultLoadStoreParameter(String keyVaultUri, String tenantId, String clientId, String clientSecret, String managedIdentity) {
-        this(keyVaultUri, null, tenantId, clientId, clientSecret, managedIdentity);
+    public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret,
+        String managedIdentity) {
+
+        this(uri, tenantId, clientId, clientSecret, managedIdentity, false);
     }
 
     /**
      * Constructor.
      *
-     * @param keyVaultUri the Azure Key Vault URI.
-     * @param loginUri The Azure login URI.
-     * @param tenantId The tenant id.
-     * @param clientId The client id.
+     * @param uri The Azure Key Vault URI.
+     * @param tenantId The tenant ID.
+     * @param clientId The client ID.
      * @param clientSecret The client secret.
-     * @param managedIdentity The Managed Identity.
+     * @param managedIdentity The managed identity.
+     * @param disableChallengeResourceVerification Indicates if challenge resource verification should be disabled.
      */
-    public KeyVaultLoadStoreParameter(String keyVaultUri, String loginUri, String tenantId, String clientId, String clientSecret, String managedIdentity) {
-        this.keyVaultUri = keyVaultUri;
-        this.loginUri = loginUri;
+    public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret,
+        String managedIdentity, boolean disableChallengeResourceVerification) {
+
+        this.uri = uri;
         this.tenantId = tenantId;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
         this.managedIdentity = managedIdentity;
+        this.disableChallengeResourceVerification = disableChallengeResourceVerification;
     }
 
     /**
      * Get the protection parameter.
      *
-     * @return {@code null}.
+     * @return null
      */
     @Override
     public KeyStore.ProtectionParameter getProtectionParameter() {
@@ -118,7 +121,7 @@ public KeyStore.ProtectionParameter getProtectionParameter() {
     /**
      * Get the client id.
      *
-     * @return The client id.
+     * @return the client id.
      */
     public String getClientId() {
         return clientId;
@@ -127,7 +130,7 @@ public String getClientId() {
     /**
      * Get the client secret.
      *
-     * @return The client secret.
+     * @return the client secret.
      */
     public String getClientSecret() {
         return clientSecret;
@@ -136,7 +139,7 @@ public String getClientSecret() {
     /**
      * Get the managed identity.
      *
-     * @return The Managed Identity.
+     * @return the managed identity.
      */
     public String getManagedIdentity() {
         return managedIdentity;
@@ -145,27 +148,27 @@ public String getManagedIdentity() {
     /**
      * Get the tenant id.
      *
-     * @return The tenant id.
+     * @return the tenant id.
      */
     public String getTenantId() {
         return tenantId;
     }
 
     /**
-     * Get the Azure Key Vault URI.
+     * Get the uri.
      *
-     * @return The Azure Key Vault URI.
+     * @return the URI.
      */
     public String getUri() {
-        return keyVaultUri;
+        return uri;
     }
 
     /**
-     * Get the Azure login URI.
+     * Get a value indicating if challenge resource verification is disabled.
      *
-     * @return The Azure login URI.
+     * @return A value indicating if challenge resource verification is disabled.
      */
-    public String getLoginUri() {
-        return loginUri;
+    public boolean isChallengeResourceVerificationDisabled() {
+        return disableChallengeResourceVerification;
     }
 }