esig · apisteme · Apr 10, 2026
diff --git a/dss-azure-key-vault/README.md b/dss-azure-key-vault/README.md
@@ -0,0 +1,155 @@
+# DSS Azure Key Vault Based Token
+
+This module provides Azure Key Vault based signing support for DSS signing, including two runnable shaded JARs:
+
+- `managed-identity-signer.jar` signing using managed identity authentication and signing 
+- `client-secret-signer.jar` for signing using client secret authentication
+
+## Maven dependency
+
+Add this module as a dependency in your Maven project:
+
+```xml
+<dependency>
+  <groupId>eu.europa.ec.joinup.sd-dss</groupId>
+  <artifactId>dss-azure-key-vault</artifactId>
+  <version>6.4</version>
+</dependency>
+```
+
+The `groupId` and `version` are inherited from the parent `sd-dss` project.
+
+## Build
+
+From the module folder:
+
+```bash
+mvn clean package
+```
+
+Or from the root of the multi-module repository:
+
+```bash
+mvn -pl dss-azure-key-vault -am clean package
+```
+
+After a successful build, the shaded executable JARs are available in `target/`.
+
+## Shaded JARs
+
+The module produces two shaded JARs:
+
+- `target/dss-azure-key-vault-6.4-managed-identity-signer.jar`
+- `target/dss-azure-key-vault-6.4-client-secret-signer.jar`
+
+Each JAR contains all required dependencies and a `Main-Class` entrypoint.
+
+## Run the shaded JARs
+
+### Managed Identity
+
+```bash
+java -jar target/dss-azure-key-vault-6.4-managed-identity-signer.jar \
+  https://<your-vault-name>.vault.azure.net/ \
+  <keyId> \
+  <certName> \
+  <inputFile> \
+  [<outputFile>] \
+  [<clientId>]
+```
+
+Example:
+
+```bash
+java -jar target/dss-azure-key-vault-6.4-managed-identity-signer.jar \
+  https://myvault.vault.azure.net/ \
+  myKeyId \
+  myCert \
+  trustedlist.xml \
+  signed.xml
+```
+
+If you need to target a specific user-assigned managed identity, pass `<clientId>` as the sixth argument.
+
+### Client Secret
+
+```bash
+java -jar target/dss-azure-key-vault-6.4-client-secret-signer.jar \
+  https://<your-vault-name>.vault.azure.net/ \
+  <keyId> \
+  <certName> \
+  <inputFile> \
+  <outputFile> \
+  <tenantId> \
+  <clientId> \
+  <clientSecret>
+```
+
+Example:
+
+```bash
+java -jar target/dss-azure-key-vault-6.4-client-secret-signer.jar\
+  https://myvault.vault.azure.net/ \
+  myKeyId \
+  myCert \
+  trustedlist.xml \
+  signed.xml \
+  myTenantId \
+  myClientId \
+  myClientSecret
+```
+
+## Library usage
+
+If you use this module as a dependency, the main signing entrypoints are:
+
+- `eu.europa.esig.dss.azure.kv.ManagedIdentityCredentialProvider`
+- `eu.europa.esig.dss.azure.kv.ClientSecretCredentialProvider`
+- `eu.europa.esig.dss.azure.kv.TlSigner`
+
+Example:
+
+```java
+Path inputPath = Paths.get("trustedlist.xml");
+Path outputPath = Paths.get("signed.xml");
+
+AzureCredentialProvider provider = new ManagedIdentityCredentialProvider();
+// or for client secret authentication:
+// AzureCredentialProvider provider = new ClientSecretCredentialProvider(tenantId, clientId, clientSecret);
+
+TlSigner signer = new TlSigner(vaultUrl, keyId, certName, provider);
+signer.signTrustedList(inputPath, outputPath);
+```
+
+## Azure Key Vault prerequisites
+
+- The Key Vault must contain the target key and certificate referenced by `keyId` and `certName`.
+- The identity used for signing must have Key Vault access to read keys and certificates.
+- For managed identity:
+  - assign the managed identity access to the Key Vault, either via an access policy or Azure RBAC role such as `Key Vault Crypto Service Encryption User` / `Key Vault Certificates Officer`.
+  - if using a user-assigned managed identity, obtain the client ID from Azure and pass it as the optional sixth argument to `dss-azure-key-vault-6.4-managed-identity-signer.jar`.
+
+    Example Azure CLI command:
+
+    ```bash
+    az identity show --name <user-assigned-identity-name> --resource-group <resource-group> --query clientId -o tsv
+    ```
+
+    Then run:
+
+    ```bash
+    java -jar target/dss-azure-key-vault-6.4-managed-identity-signer.jar \
+      https://<your-vault-name>.vault.azure.net/ \
+      <keyId> \
+      <certName> \
+      <inputFile> \
+      [<outputFile>] \
+      <clientId>
+    ```
+- For client secret authentication:
+  - create a service principal in Azure AD, grant it Key Vault key and certificate permissions, and pass `tenantId`, `clientId`, and `clientSecret` to `dss-azure-key-vault-6.4-client-secret-signer.jar`.
+
+## Notes
+
+- `managed-identity-signer.jar` is intended for Azure managed identity scenarios.(Recommended)
+- `client-secret-signer.jar` is intended for service principal authentication with a client secret.
diff --git a/dss-azure-key-vault/pom.xml b/dss-azure-key-vault/pom.xml
@@ -0,0 +1,213 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
+                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+      <groupId>eu.europa.ec.joinup.sd-dss</groupId>
+      <artifactId>sd-dss</artifactId>
+			<version>6.4</version>
+  </parent>
+  <artifactId>dss-azure-key-vault</artifactId>
+  <name>DSS Azure Key Vault Based Token</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>eu.europa.ec.joinup.sd-dss</groupId>
+      <artifactId>dss-service</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>eu.europa.ec.joinup.sd-dss</groupId>
+      <artifactId>dss-xml-common</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-security-keyvault-keys</artifactId>
+      <version>4.8.0</version>
+      <exclusions>
+        <exclusion>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-core-http-netty</artifactId>
+        </exclusion>
+        <exclusion>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-core</artifactId>
+        </exclusion>
+      </exclusions>
+
+    </dependency>
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-security-keyvault-certificates</artifactId>
+      <version>4.5.0</version>
+      <exclusions>
+        <exclusion>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-core-http-netty</artifactId>
+        </exclusion>
+          <exclusion>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-core</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-identity</artifactId>
+      <version>1.11.3</version>
+      <exclusions>
+        <exclusion>
+            <groupId>com.microsoft.azure</groupId>
+            <artifactId>msal4j</artifactId>
+        </exclusion>
+        <exclusion>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-core</artifactId>
+        </exclusion>
+        <exclusion>
+            <groupId>net.java.dev.jna</groupId>
+            <artifactId>jna-platform</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <!-- Azure dependencies -->
+    <dependency>
+        <groupId>com.azure</groupId>
+        <artifactId>azure-core</artifactId>
+        <version>1.47.0</version>
+        <exclusions>
+          <exclusion>
+              <groupId>com.fasterxml.jackson.core</groupId>
+              <artifactId>jackson-databind</artifactId>
+          </exclusion>
+        </exclusions>
+    </dependency>
+    <dependency>
+        <groupId>com.azure</groupId>
+        <artifactId>azure-core-http-netty</artifactId>
+        <version>1.14.1</version>
+    </dependency>
+    <dependency>
+        <groupId>com.microsoft.azure</groupId>
+        <artifactId>msal4j</artifactId>
+        <version>1.14.0</version>
+        <exclusions>
+          <exclusion>
+              <groupId>com.fasterxml.jackson.core</groupId>
+              <artifactId>jackson-databind</artifactId>
+          </exclusion>
+        </exclusions>
+    </dependency>
+    <dependency>
+        <groupId>net.java.dev.jna</groupId>
+        <artifactId>jna-platform</artifactId>
+        <version>5.13.0</version>
+    </dependency>
+    <dependency>
+        <groupId>com.fasterxml.jackson.core</groupId>
+        <artifactId>jackson-databind</artifactId>
+        <version>2.13.5</version>
+    </dependency>
+    <dependency>
+      <groupId>eu.europa.ec.joinup.sd-dss</groupId>
+      <artifactId>dss-token</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>eu.europa.ec.joinup.sd-dss</groupId>
+      <artifactId>dss-model</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>eu.europa.ec.joinup.sd-dss</groupId>
+      <artifactId>dss-xades</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>eu.europa.ec.joinup.sd-dss</groupId>
+      <artifactId>dss-utils-google-guava</artifactId>
+    </dependency>
+    <!-- JUnit for tests -->
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <version>5.10.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.mockito</groupId>
+        <artifactId>mockito-core</artifactId>
+        <version>5.11.0</version>
+        <scope>test</scope>
+    </dependency>
+
+    <!-- Optional: integration with JUnit 5 -->
+    <dependency>
+        <groupId>org.mockito</groupId>
+        <artifactId>mockito-junit-jupiter</artifactId>
+        <version>5.11.0</version>
+        <scope>test</scope>
+    </dependency>
+
+  </dependencies>
+  <build>
+  <plugins>
+    <plugin>
+      <groupId>org.apache.maven.plugins</groupId>
+      <artifactId>maven-shade-plugin</artifactId>
+      <version>3.2.4</version>
+      <executions>
+        <!-- Managed Identity JAR -->
+        <execution>
+          <id>shade-managed-identity</id>
+          <phase>package</phase>
+          <goals><goal>shade</goal></goals>
+          <configuration>
+            <finalName>dss-azure-key-vault-${project.version}-managed-identity-signer</finalName>
+            <filters>
+              <filter>
+                <artifact>*:*</artifact>
+                <excludes>
+                  <exclude>META-INF/*.SF</exclude>
+                  <exclude>META-INF/*.DSA</exclude>
+                  <exclude>META-INF/*.RSA</exclude>
+                </excludes>
+              </filter>
+            </filters>
+            <transformers>
+              <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                <mainClass>eu.europa.esig.dss.azure.kv.ManagedIdentityBasedSigner</mainClass>
+              </transformer>
+            </transformers>
+          </configuration>
+        </execution>
+        <!-- Client Secret JAR -->
+        <execution>
+          <id>shade-client-secret</id>
+          <phase>package</phase>
+          <goals><goal>shade</goal></goals>
+          <configuration>
+            <finalName>dss-azure-key-vault-${project.version}-client-secret-signer</finalName>
+              <filters>
+              <filter>
+                <artifact>*:*</artifact>
+                <excludes>
+                  <exclude>META-INF/*.SF</exclude>
+                  <exclude>META-INF/*.DSA</exclude>
+                  <exclude>META-INF/*.RSA</exclude>
+                </excludes>
+              </filter>
+            </filters>
+            <transformers>
+              <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                <mainClass>eu.europa.esig.dss.azure.kv.ClientSecretCredentialBasedSigner</mainClass>
+              </transformer>
+            </transformers>
+          </configuration>
+        </execution>
+      </executions>
+    </plugin>
+  </plugins>
+</build>
+
+</project>
diff --git a/dss-azure-key-vault/src/main/java/eu/europa/esig/dss/azure/kv/AzureCredentialProvider.java b/dss-azure-key-vault/src/main/java/eu/europa/esig/dss/azure/kv/AzureCredentialProvider.java
@@ -0,0 +1,7 @@
+package eu.europa.esig.dss.azure.kv;
+
+import com.azure.core.credential.TokenCredential;
+
+public interface AzureCredentialProvider {
+    TokenCredential getCredential();
+}