How does this tool work behind the scene.

[umarbaba]

I was debugging it and trying to find how it works. My understanding is it retrieves the public certificate from the key vault and stores it in the local certStore and uses SignerSignEX3 dll to perform the signing.
I just want to know how does it take the private key.

[vcsjones]

I just want to know how does it take the private key.

It doesn't. AST never sees the private key which is why this works with non-extractable in hardware private key.

It basically goes:

1. AST: "Hey, SignerSignEx3. I want to sign a file.
2. SSEX3: "Okay. I will sign this file. I need a two things at minimum. The certificate which contains the public key, and a callback where you do the actual signing"
3. AST: "Okay, here's the certificate. And you should use SignCallback as the callback."
4. SSEX3: "Okay. I have a digest (hash) that I need signed. I am going to call SignCallback with that hash. Please sign that hash."
   1. AST: "Okay. I got that hash. Hey, Azure Key Vault. I got a hash. Can you please sign it?"
   2. AKV: "Totally. I signed that digest you asked me to sign using my HSM"
5. AST: "Hey, SSEX3. Thanks for waiting. Here's that signature you asked for."
6. SSEX3: "Great. I am going to use that signature to build up a CMS signature an embed it in the file."

[umarbaba]

Thanks a lot Kevin Jones.

Actually i wanted to sign the .jar file using the certificate stored in AKV. I was exploring AST so that i could get understanding how it works, and then I could write my own wrapper to sign jar file using azure key vault.
Any suggestions would be highly appreciated. Thanks in advance.

[umarbaba]

Hi Kevin,
Any suggestions on how we can use AKV to sign jar file. Or any approach where we could make use of certificate stored in AKV to sign the .jar file.

Thanks.