Azure credentials with retry #341

@czulehner

When using jsign with AZUREKEYVAULT, we sometimes have unexpected timeouts, as shown in the following log output.
Running it again then works fine. The timeout happens after about 2 minutes.

jsign: Unable to retrieve Azure Key Vault certificate 'xxxxxxxxxxxxxxxxxxx'
java.security.KeyStoreException: Unable to retrieve Azure Key Vault certificate 'xxxxxxxxxxxxxxxxxxx'
	at net.jsign.jca.AzureKeyVaultSigningService.getCertificateChain(AzureKeyVaultSigningService.java:155)
	at net.jsign.jca.SigningServiceKeyStore.engineGetCertificateChain(SigningServiceKeyStore.java:43)
	at java.base/java.security.KeyStore.getCertificateChain(KeyStore.java:1075)
	at net.jsign.SignerHelper.build(SignerHelper.java:388)
	at net.jsign.SignerHelper.sign(SignerHelper.java:471)
	at net.jsign.SignerHelper.execute(SignerHelper.java:325)
	at net.jsign.JsignCLI.execute(JsignCLI.java:229)
	at net.jsign.JsignCLI.main(JsignCLI.java:58)
Caused by: java.net.ConnectException: Connection timed out
	at java.base/sun.nio.ch.Net.connect0(Native Method)
	at java.base/sun.nio.ch.Net.connect(Net.java:579)
	at java.base/sun.nio.ch.Net.connect(Net.java:568)
	at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:593)
	at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
	at java.base/java.net.Socket.connect(Socket.java:633)
	at java.base/sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:304)
	at java.base/sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:174)
	at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:183)
	at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:533)
	at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:638)
	at java.base/sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:266)
	at java.base/sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:380)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:193)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1262)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1148)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:179)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1717)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1641)
	at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:308)
	at net.jsign.jca.RESTClient.query(RESTClient.java:164)
	at net.jsign.jca.RESTClient.get(RESTClient.java:70)
	at net.jsign.jca.AzureKeyVaultSigningService.getCertificateInfo(AzureKeyVaultSigningService.java:102)
	at net.jsign.jca.AzureKeyVaultSigningService.getCertificateChain(AzureKeyVaultSigningService.java:146)
	... 7 more

I found a related (?) post: https://quinngil.com/2022/09/22/azure-keyvault-and-timeout/
and maybe a simple retry would work here too...

It is cumbersome to implement a retry method around jsign, so a retry option for Azure authentication with several timeouts would help.
Also (not sure if this is done already), different exit codes (depending on the underlying error) would help to write a retry-wrapper.

Note: I'm currently using jsign in a GitLab pipeline script with java -jar ...
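
A retry wrapper of the kind described above, as an added example that is not part of the original post and is not jsign code. Because the issue says exit codes may not distinguish error types, it matches the `java.net.ConnectException: Connection timed out` text from the log instead, so that only the transient timeout is retried. The function name, attempt count and delays are assumptions.

```shell
#!/bin/sh
# Added example, not jsign code. Retries a command only when its output
# contains the transient error from the stack trace in this issue.
TRANSIENT_PATTERN='java.net.ConnectException: Connection timed out'

# retry_on_timeout MAX_ATTEMPTS BASE_DELAY_SECONDS COMMAND [ARGS...]
# (hypothetical helper; name and parameters are assumptions)
retry_on_timeout() {
    max_attempts=$1
    delay=$2
    shift 2
    attempt=1
    log=$(mktemp) || return 1
    while :; do
        status=0
        # Capture stdout and stderr; "|| status=$?" keeps this safe under "set -e".
        "$@" >"$log" 2>&1 || status=$?
        cat "$log"   # replay the output into the job log
        if [ "$status" -eq 0 ]; then
            rm -f "$log"
            return 0
        fi
        # Anything other than the known timeout (bad credentials, wrong alias,
        # malformed input file) fails at once instead of repeating the request
        # against the vault.
        if ! grep -qF "$TRANSIENT_PATTERN" "$log"; then
            echo "retry: non-transient failure (exit $status), not retrying" >&2
            rm -f "$log"
            return "$status"
        fi
        if [ "$attempt" -ge "$max_attempts" ]; then
            echo "retry: still timing out after $attempt attempts" >&2
            rm -f "$log"
            return "$status"
        fi
        echo "retry: attempt $attempt timed out, waiting ${delay}s" >&2
        sleep "$delay"
        attempt=$((attempt + 1))
        delay=$((delay * 2))   # exponential backoff
    done
}

# Usage in a pipeline script (arguments are placeholders for your own):
#   retry_on_timeout 4 15 java -jar jsign.jar <existing jsign arguments>
```

Since each timeout reportedly takes about 2 minutes, the job's own time limit needs to allow for the number of attempts chosen.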
