
Fix possible infinite loop when loading cert chains from Java P11KeyStore #216

Open
wants to merge 1 commit into main

Conversation


@amsalby amsalby commented Sep 4, 2024

When the HSM contains certificate chains, the JDK P11KeyStore tries to load the full chain within its loadChain() method.

This action is performed in a while(true) loop as:

  while (true) {
    CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
      ATTR_TOKEN_TRUE,
      ATTR_CLASS_CERT,
      new CK_ATTRIBUTE(CKA_SUBJECT,
          next.getIssuerX500Principal().getEncoded()) };
    long[] ch = findObjects(session, attrs);
    if (ch == null || ch.length == 0) {
        // done
        break;
    } else {
        // Just take the first
        next = loadCert(session, ch[0]);
        lChain.add(next);
        if (next.getSubjectX500Principal().equals
              (next.getIssuerX500Principal())) {
            // self signed
            break;
        }
    }
  }

Here, supporting the filtering of certificates by CKA_SUBJECT is crucial; otherwise the while(true) loop would continue forever (until findObjects returns some certificates and the first one is not self-signed).
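To make the failure mode above concrete, here is an added example (not code from the PR, the JDK or the PKCS#11 backend) that models the quoted loadChain() walk against an in-memory token. Cert, Token, FindTemplate, load_chain and the CN=... byte strings are constructed for the demonstration, and max_steps is a guard the JDK loop does not have. With a token that honours the CKA_SUBJECT filter the walk returns leaf, intermediate, root; with one that ignores the filter the first hit is always the leaf itself, so the loop never reaches a self-signed certificate and only the added guard stops it.

```rust
// Added example, not code from the PR, the JDK or the backend: an in-memory model
// of the P11KeyStore.loadChain() walk, showing why a token that ignores the
// CKA_SUBJECT filter never lets the loop terminate. Certificates are stand-ins
// (subject/issuer as plain bytes, not real DER).

#[derive(Clone, Debug, PartialEq)]
struct Cert {
    subject: Vec<u8>, // constructed stand-in for the DER-encoded subject
    issuer: Vec<u8>,  // constructed stand-in for the DER-encoded issuer
}

impl Cert {
    fn is_self_signed(&self) -> bool {
        self.subject == self.issuer
    }
}

/// The template the keystore passes to C_FindObjectsInit:
/// CKA_CLASS = certificate plus an optional CKA_SUBJECT value.
struct FindTemplate<'a> {
    want_cert: bool,
    subject: Option<&'a [u8]>,
}

/// A token holding certificate objects. `honours_subject_filter` models whether the
/// backend matches CKA_SUBJECT (the behaviour this PR adds) or silently ignores it.
struct Token {
    certs: Vec<Cert>,
    honours_subject_filter: bool,
}

impl Token {
    /// Object handles (indices here) matching the template, in store order.
    fn find_objects(&self, tmpl: &FindTemplate) -> Vec<usize> {
        self.certs
            .iter()
            .enumerate()
            .filter(|(_, c)| {
                if !tmpl.want_cert {
                    return false;
                }
                match (self.honours_subject_filter, tmpl.subject) {
                    (true, Some(s)) => c.subject.as_slice() == s,
                    _ => true, // no subject requested, or the filter is ignored
                }
            })
            .map(|(i, _)| i)
            .collect()
    }

    fn load_cert(&self, handle: usize) -> Cert {
        self.certs[handle].clone()
    }
}

#[derive(Debug, PartialEq)]
enum ChainResult {
    Complete(Vec<Cert>),
    GaveUp(usize), // lookups performed before the added guard fired
}

/// Mirrors the quoted loop: look up the issuer of the last certificate by CKA_SUBJECT,
/// take the first hit, stop on an empty result or a self-signed certificate.
/// `max_steps` is an added guard so the non-terminating case returns instead of hanging.
fn load_chain(token: &Token, leaf: &Cert, max_steps: usize) -> ChainResult {
    let mut chain = vec![leaf.clone()];
    let mut next = leaf.clone();
    if next.is_self_signed() {
        return ChainResult::Complete(chain);
    }
    let mut steps = 0;
    loop {
        if steps >= max_steps {
            return ChainResult::GaveUp(steps);
        }
        steps += 1;
        let tmpl = FindTemplate { want_cert: true, subject: Some(next.issuer.as_slice()) };
        let hits = token.find_objects(&tmpl);
        if hits.is_empty() {
            break; // issuer not on the token: the chain ends here
        }
        next = token.load_cert(hits[0]); // "Just take the first"
        chain.push(next.clone());
        if next.is_self_signed() {
            break;
        }
    }
    ChainResult::Complete(chain)
}

/// Constructed three-certificate chain: leaf <- intermediate <- self-signed root.
fn sample_chain() -> (Cert, Cert, Cert) {
    let root = Cert { subject: b"CN=Root".to_vec(), issuer: b"CN=Root".to_vec() };
    let inter = Cert { subject: b"CN=Intermediate".to_vec(), issuer: b"CN=Root".to_vec() };
    let leaf = Cert { subject: b"CN=Leaf".to_vec(), issuer: b"CN=Intermediate".to_vec() };
    (leaf, inter, root)
}

fn main() {
    let (leaf, inter, root) = sample_chain();
    for &honours in &[true, false] {
        let token = Token { certs: vec![leaf.clone(), inter.clone(), root.clone()], honours_subject_filter: honours };
        println!("filter honoured = {}: {:?}", honours, load_chain(&token, &leaf, 10));
    }
}
```

Store order matters in the ignoring case: if the root happened to be the first object on the token the loop would stop after one step, but with a wrong chain, so "it terminates on my HSM" is not evidence that the filter is honoured.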

@sosthene-nitrokey
Contributor

Hi,

Thank you for the pull request. Would you be willing to add a test that exercises the use of this feature?

Comment on lines 481 to 495
if let Some(kind) = requirements.kind {
kind == obj.kind
if (matches!(requirements.kind, Some(ObjectKind::Certificate))
&& kind == obj.kind
&& requirements.subject.is_some()) {
requirements.subject == obj.subject
} else {
kind == obj.kind
}
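Review bot: the parenthesised condition `if (matches!(requirements.kind, Some(ObjectKind::Certificate)) && kind == obj.kind && requirements.subject.is_some()) {` on lines 481 to 495 is not idiomatic Rust and triggers the `unused_parens` lint; drop the outer parentheses. The comparison `requirements.subject == obj.subject` also relies on a `subject` field duplicated onto `Object`; matching the template against the object's existing CKA_SUBJECT attribute avoids storing a second copy of the same value.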
Contributor
With this you don't need to copy the subject in Object

Suggested change
if let Some(kind) = requirements.kind {
kind == obj.kind
if (matches!(requirements.kind, Some(ObjectKind::Certificate))
&& kind == obj.kind
&& requirements.subject.is_some()) {
requirements.subject == obj.subject
} else {
kind == obj.kind
}
if let Some(kind) = requirements.kind {
kind == obj.kind
&& matches!(kind, ObjectKind::Certificate)
&& obj.attr(CKA_SUBJECT).map(|attr| attr.as_bytes())
== requirements.subject.as_deref()
} else {
true
}
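Review bot: the suggested replacement returns `false` for every non-certificate object, because `matches!(kind, ObjectKind::Certificate)` is AND-ed unconditionally with `kind == obj.kind`, and it also returns `false` for a certificate when no subject was requested, since `obj.attr(CKA_SUBJECT).map(|attr| attr.as_bytes())` is `Some(..)` while `requirements.subject.as_deref()` is `None`. Apply the subject comparison only when a subject is required, for example `kind == obj.kind && requirements.subject.as_deref().map_or(true, |s| obj.attr(CKA_SUBJECT).map(|attr| attr.as_bytes()) == Some(s))`, so other kinds keep `kind == obj.kind` as their only check.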

Author
@amsalby amsalby Sep 20, 2024

I will do the following, so you can extend easily on further requirements support:

if let Some(kind) = requirements.kind {
    // kind must match
    if kind != obj.kind {
        false
    // extra checks if kind is Certificate
    } else if kind == ObjectKind::Certificate {
        // When Subject is provided as requirement, it must match
        requirements.cka_subject.is_none() ||
            obj.attr(CKA_SUBJECT)
                .map(|attr| attr.as_bytes())
                    == requirements.cka_subject.as_deref()
    // On other kinds, no need for extra checks
    } else {
        true
    }
} else {
    true
}
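The predicate discussed in this review, as a stand-alone added example (not the project's own code) exercised on the cases that decide whether C_FindObjects honours a CKA_SUBJECT filter: no kind requested, kind mismatch, certificate with no subject requested, matching subject, mismatched subject, certificate lacking the attribute, and a non-certificate kind with a subject in the template. ObjectKind, Object, Object::attr, Requirements and find_objects are assumed names; the CKA_SUBJECT value is the one from the PKCS#11 specification.

```rust
// Added example, not the project's own code: a stand-alone object-matching
// predicate with the edge cases discussed in this thread. ObjectKind, Object,
// Requirements and find_objects are assumed names, not the backend's.

/// PKCS#11 attribute type CKA_SUBJECT (value from the PKCS#11 specification).
const CKA_SUBJECT: u64 = 0x101;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum ObjectKind {
    Certificate,
    PrivateKey,
    PublicKey,
}

/// A token object: its kind plus raw attribute values (constructed bytes, not DER).
struct Object {
    kind: ObjectKind,
    attrs: Vec<(u64, Vec<u8>)>,
}

impl Object {
    fn attr(&self, ty: u64) -> Option<&[u8]> {
        self.attrs.iter().find(|(t, _)| *t == ty).map(|(_, v)| v.as_slice())
    }
}

/// What a C_FindObjects template asks for, once parsed.
#[derive(Default)]
struct Requirements {
    kind: Option<ObjectKind>,
    cka_subject: Option<Vec<u8>>,
}

/// True when `obj` satisfies every requirement in `req`.
fn matches(obj: &Object, req: &Requirements) -> bool {
    match req.kind {
        None => true,
        Some(kind) if kind != obj.kind => false,
        Some(ObjectKind::Certificate) => match &req.cka_subject {
            None => true,
            // The requested subject must equal the object's CKA_SUBJECT bytes;
            // an object without that attribute cannot satisfy the requirement.
            Some(want) => obj.attr(CKA_SUBJECT) == Some(want.as_slice()),
        },
        // Other kinds carry no subject check in this example (assumption).
        Some(_) => true,
    }
}

/// Handles (indices) of the objects matching `req`, as C_FindObjects would return them.
fn find_objects(store: &[Object], req: &Requirements) -> Vec<usize> {
    store.iter().enumerate().filter(|(_, o)| matches(o, req)).map(|(i, _)| i).collect()
}

/// Constructed store: two certificates, a private key and a public key.
fn sample_store() -> Vec<Object> {
    vec![
        Object { kind: ObjectKind::Certificate, attrs: vec![(CKA_SUBJECT, b"CN=Intermediate".to_vec())] },
        Object { kind: ObjectKind::Certificate, attrs: vec![(CKA_SUBJECT, b"CN=Root".to_vec())] },
        Object { kind: ObjectKind::PrivateKey, attrs: vec![] },
        Object { kind: ObjectKind::PublicKey, attrs: vec![] },
    ]
}

fn main() {
    let store = sample_store();
    let by_subject = Requirements {
        kind: Some(ObjectKind::Certificate),
        cka_subject: Some(b"CN=Intermediate".to_vec()),
    };
    println!("certificates with CN=Intermediate: {:?}", find_objects(&store, &by_subject));
    println!("all objects: {:?}", find_objects(&store, &Requirements::default()));
}
```

The case that matters for the JDK loop is the last one in `matches`: a subject requirement on a certificate template narrows the result to the issuer, so the loop advances instead of re-reading the first object on the token.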

Contributor

No, please make it as simple as possible. Avoid extra complexity for future checks that may never exist.

…tore

Signed-off-by: Alberto Panizzo <alberto@amarulasolutions.com>
@amsalby amsalby force-pushed the fix_java_p11keystore_infinite_loop branch from 8b1ecd8 to 3269137 Compare September 20, 2024 14:54