Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SubjectCertificateNotRevokedValidator is not thread safe #68

Open
heikih opened this issue Mar 4, 2025 · 3 comments · May be fixed by #69
Open

SubjectCertificateNotRevokedValidator is not thread safe #68

heikih opened this issue Mar 4, 2025 · 3 comments · May be fixed by #69

Comments

@heikih
Copy link

heikih commented Mar 4, 2025
edited
Loading

We experience stacktrace:

eu.webeid.security.validator.certvalidators.SubjectCertificateNotRevokedValidator.validateCertificateNotRevoked(SubjectCertificateNotRevokedValidator.java:93) ~[authtoken-validation-3.0.1.jar!/:?]

Caused by: java.lang.ArrayIndexOutOfBoundsException: Index 4 out of bounds for length 4","at 
org.bouncycastle.crypto.digests.GeneralDigest.update(Unknown Source) ~[bcprov-jdk18on-1.78.jar!/:?]","at 
org.bouncycastle.crypto.digests.GeneralDigest.finish(Unknown Source) ~[bcprov-jdk18on-1.78.jar!/:?]","at 
org.bouncycastle.crypto.digests.SHA1Digest.doFinal(Unknown Source) ~[bcprov-jdk18on-1.78.jar!/:?]","at 
org.bouncycastle.crypto.io.DigestOutputStream.getDigest(Unknown Source) ~[bcprov-jdk18on-1.78.jar!/:?]","at 
eu.webeid.security.validator.ocsp.Digester.getDigest(Digester.java:98) ~[authtoken-validation-3.0.1.jar!/:?]","at 
org.bouncycastle.cert.ocsp.CertificateID.createCertID(Unknown Source) ~[bcpkix-jdk18on-1.78.jar!/:?]","at 
org.bouncycastle.cert.ocsp.CertificateID.<init>(Unknown Source) ~[bcpkix-jdk18on-1.78.jar!/:?]","at 
eu.webeid.security.validator.certvalidators.SubjectCertificateNotRevokedValidator.getCertificateId(SubjectCertificateNotRevokedValidator.java:192) ~[authtoken-validation-3.0.1.jar!/:?]","at 
eu.webeid.security.validator.certvalidators.SubjectCertificateNotRevokedValidator.validateCertificateNotRevoked(SubjectCertificateNotRevokedValidator.java:93) ~[authtoken-validation-3.0.1.jar!/:?]

After first exception all new requests will fail with similar java.lang.ArrayIndexOutOfBoundsException.

Happens when two threads are trying to call getCertificateId method exactly same time.

Underlying reason seems to be usage of single DigestCalculator class:

private static final DigestCalculator DIGEST_CALCULATOR = Digester.sha1();

that ends up with single non threadsafe SHA1Digest class for all threads. If 2 threads are running on same time then internal buffer can be corrupted there.
@mrts
Copy link
Member

mrts commented Mar 4, 2025

Thanks for reporting this issue and apologies for the trouble!

Here's a fix where each thread gets its own DigestCalculator instance: #69

Please let us know if this helps and looks good to you.

@mrts mrts linked a pull request Mar 4, 2025 that will close this issue
Make SubjectCertificateNotRevokedValidator thread-safe #69
Open
@heikih
Copy link
Author

heikih commented Mar 5, 2025

Fix looks good to me. Do you plan to publish a new version with this fix soon?

@mrts
Copy link
Member

mrts commented Mar 6, 2025

Yes, either this or next week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make SubjectCertificateNotRevokedValidator thread-safe web-eid/web-eid-authtoken-validation-java
2 participants
@mrts @heikih