Loading of System-Certificates takes long or forever when USB-Token Software is installed. #467

Closed
cmei84 opened this issue Mar 15, 2024 · 8 comments
Labels
bug Something isn't working

cmei84 commented Mar 15, 2024

We have an issue starting the SonarLint Eclipse plugin after installing software to support code signing via USB token.
The problem can be reproduced by using your library in a main method.
(The SonarLint plugin uses your library internally.)

While reading system certificates, the application hangs forever.

Uninstalling this software solves the problem.
We use SafeNet Authentication Client (link)

To Reproduce

  1. Install the SafeNet Authentication Client
  2. Run the following code (in a project with your library as dependency)
	import nl.altindag.ssl.SSLFactory;

	// Class name is a placeholder; only the builder call matters for the reproduction.
	public class Reproducer {
		public static void main(String... args) {
			SSLFactory.builder()
				.withDefaultTrustMaterial()
				.withSystemTrustMaterial()
				.build();
		}
	}

Execution hangs forever.

Since I don't need to sign locally, I will remove this application for now.

Expected behavior
Execution of that code to take a second or so

Environmental Data:

  • Java Version 8 and 17
  • OS Windows 10

Stack-Trace

"main" #1 prio=5 os_prio=0 tid=0x000001b648bfc000 nid=0x46e4 runnable [0x0000007ce84fe000]
   java.lang.Thread.State: RUNNABLE
        at sun.security.mscapi.CKeyStore.loadKeysOrCertificateChains(Native Method)
        at sun.security.mscapi.CKeyStore.engineLoad(CKeyStore.java:711)
        at sun.security.mscapi.CKeyStore$MY.engineLoad(CKeyStore.java:57)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at nl.altindag.ssl.util.KeyStoreUtils.createKeyStore(KeyStoreUtils.java:150)
        at nl.altindag.ssl.util.KeyStoreUtils.createKeyStoreIfAvailable(KeyStoreUtils.java:260)
        at nl.altindag.ssl.util.KeyStoreUtils.lambda$loadSystemKeyStores$1(KeyStoreUtils.java:233)
        at nl.altindag.ssl.util.KeyStoreUtils$$Lambda$18/1638172114.apply(Unknown Source)
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
        at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)

Hakky54 (Owner) commented Mar 15, 2024

Thank you for reporting this issue. It is quite detailed.
I am investigating how to properly set up SafeNet Authentication Client. It might take some time, as it looks like I need a certificate and USB token etc.

I am linking the issues of sonarsource also here and the existing earlier issues related to this topic:

It might also be related to the following jdk bug reports:

cmei84 (Author) commented Mar 16, 2024

Maybe you want to hold this investigation for now.
This morning I tried to reproduce this issue on my PC at home and failed to do so.
It only occurs on my work PC.
Same Java versions + the SafeNet Authentication Client.
The certificate situation of course is very different on those two machines.

Hakky54 (Owner) commented Mar 18, 2024

By the way, I am having a hard time setting up the same setup as you have on your work PC. Would it be possible that I do code changes on this repo and create a jar so you can try it out on your side and share your results here? In that way I can at least make an attempt to resolve the issue. What do you think?

cmei84 (Author) commented Mar 19, 2024

Working for two days, one in the office and one from home (Remote Desktop).
I tried multiple things reinstalling the software using the token when I was in the office (USB code signing tokens cannot be used in an RDP session).
Restarted the work PC, installed some certificates that I had removed on Friday, restarted again.

The error did not present itself again and I am not sure what exactly fixed it.
Maybe the certificate store got messed up somehow and reinstalling fixed it.

I would report back if the error comes back within this week or so. If not, I think this could be closed.

Hakky54 (Owner) commented Mar 19, 2024

Interesting behaviour, not quite sure what to do with it actually... If I had a way to reproduce it locally I could attempt to fix it, but even you have difficulties reproducing it.

> I would report back if the error comes back within this week or so. If not, I think this could be closed.

It would be nice if you report back if it is occurring again. Let's keep the issue open for some time. Can you maybe also give an update within the SonarSource community? Not sure whether they are following your updates here.

@Hakky54 Hakky54 linked a pull request Mar 19, 2024 that will close this issue
cmei84 (Author) commented Mar 20, 2024

The developers of the SonarLint Eclipse plugin also know that I don't have this issue anymore.

@Hakky54 Hakky54 added the bug Something isn't working label Apr 10, 2024
Hakky54 (Owner) commented May 5, 2024

I am closing this bug report as it is not fixable within this library. This bug is related to the JDK itself. The correct way to resolve this bug is to wait for the maintainers of the JDK (Oracle), or hope that someone in the community can contribute to the OpenJDK, to fix it in Microsoft Crypto API (MSCAPI). For the time being, the call to fetch the system trust material on Windows should be tested on the end-user. If there are no issues it can be safely used, or else it needs to be avoided. I will also add a disclaimer on the main documentation page.

@Hakky54 Hakky54 closed this as completed May 5, 2024
Hakky54 (Owner) commented May 11, 2024

I am linking the OpenJDK bug report here to track the progress for the fix: https://bugs.openjdk.org/browse/JDK-8332076
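
One way to follow the maintainer's advice to test the system trust material call on Windows before relying on it, as an added example that is not code from this thread or from the library: probe the `Windows-MY` store seen in the stack trace on a daemon thread with a timeout, and fall back to the JDK default trust material if the probe does not return. The class name, the 5-second budget and the fallback policy are assumptions.

```java
import nl.altindag.ssl.SSLFactory;

import java.security.KeyStore;
import java.util.Locale;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class GuardedSystemTrust {
    // Assumed budget; the report expects the load "to take a second or so".
    private static final long PROBE_TIMEOUT_SECONDS = 5;

    // True only if the Windows-MY store (the one in the stack trace) loads in time.
    static boolean windowsStoreLoadsInTime(long timeoutSeconds) {
        // KeyStore.load blocks inside a native MSCAPI call and ignores interrupts,
        // so the probe runs on a daemon thread that cannot keep the JVM alive.
        ExecutorService probe = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "mscapi-probe");
            t.setDaemon(true);
            return t;
        });
        try {
            return probe.submit(() -> {
                KeyStore store = KeyStore.getInstance("Windows-MY");
                store.load(null, null);
                return true;
            }).get(timeoutSeconds, TimeUnit.SECONDS);
        } catch (Exception e) {
            // Timeout (hang), missing provider, or load failure: treat all as "do not use".
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return false;
        } finally {
            probe.shutdownNow(); // a stuck native call stays parked on the daemon thread
        }
    }

    public static void main(String... args) {
        boolean windows = System.getProperty("os.name", "").toLowerCase(Locale.ROOT).contains("windows");
        boolean useSystemStore = !windows || windowsStoreLoadsInTime(PROBE_TIMEOUT_SECONDS);

        SSLFactory.Builder builder = SSLFactory.builder().withDefaultTrustMaterial();
        if (useSystemStore) {
            builder = builder.withSystemTrustMaterial();
        } else {
            System.err.println("Windows-MY did not load in time; using JDK default trust material only");
        }
        SSLFactory sslFactory = builder.build();
        System.out.println("SSLFactory built, system trust material used: " + useSystemStore);
    }
}
```

When the fallback is taken, CAs that exist only in the Windows certificate store are not trusted, so connections to hosts signed by them fail the handshake rather than proceed unverified.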
