Bug 38605 - X509CertificateResolver throws NullPointerException
Summary: X509CertificateResolver throws NullPointerException
Status: CLOSED FIXED
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature (show other bugs)
Version: unspecified
Hardware: PC Windows XP
: P2 major
Target Milestone: ---
Assignee: XML Security Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-10 11:10 UTC by Peter Bacik
Modified: 2006-08-06 10:52 UTC (History)
1 user (show)


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Bacik 2006-02-10 11:10:11 UTC 
XMLSec 1.3.0, Java 

Wehn I invoke method KeyInfo.getX509Certificate(), X509CertificateResolver 
throws NullPointerException. This problem occures if application runs 
multithreaded. X509CertificateResolver object is shared among all the threads 
and is not synchronized. This was not the case in XMLSec 1.2.1, because there 
was allways a new X509CertificateResolver object created for every KeyInfo.

OS: Windows XP Professional (32bit), SUSE Linux (64bit)
JVM: 1.5.0_06
Comment 1 Raul Benito 2006-02-15 09:32:17 UTC 
I cannot reproduce the error. Can you attach at testcase or even the Backtrace
of the exception.

Thanks.
Comment 2 Peter Bacik 2006-02-20 11:58:43 UTC 
This is the exception stack trace and a part of the code that runs on the 
exception. Note that the error occurs only if the web service is invoked from 
multiple threads. Please, let me know, whether this is sufficient.

java.lang.NullPointerException
	at 
org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolve
r.engineResolveX509Certificate(X509CertificateResolver.java:149)
	at 
org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate
(KeyResolver.java:239)
	at 
org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers
(KeyInfo.java:900)
	at org.apache.xml.security.keys.KeyInfo.getX509Certificate
(KeyInfo.java:859)
	at provgw.adapter.security.X509SecurityInterceptor.validateSignature
(X509SecurityInterceptor.java:190)
	at provgw.adapter.security.X509CallbackSimSecurityInterceptor.invoke
(X509CallbackSimSecurityInterceptor.java:89)
	at org.apache.axis.strategies.InvocationStrategy.visit
(InvocationStrategy.java:32)
	at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
	at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
	at org.apache.axis.server.AxisServer.invoke(AxisServer.java:239)
	at org.apache.axis.transport.http.AxisServlet.doPost
(AxisServlet.java:699)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
	at org.apache.axis.transport.http.AxisServletBase.service
(AxisServletBase.java:327)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:237)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter
(ApplicationFilterChain.java:157)
	at org.apache.catalina.core.StandardWrapperValve.invoke
(StandardWrapperValve.java:214)
	at org.apache.catalina.core.StandardValveContext.invokeNext
(StandardValveContext.java:104)
	at org.apache.catalina.core.StandardPipeline.invoke
(StandardPipeline.java:520)
	at org.apache.catalina.core.StandardContextValve.invokeInternal
(StandardContextValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke
(StandardContextValve.java:152)
	at org.apache.catalina.core.StandardValveContext.invokeNext
(StandardValveContext.java:104)
	at org.apache.catalina.core.StandardPipeline.invoke
(StandardPipeline.java:520)
	at org.apache.catalina.core.StandardHostValve.invoke
(StandardHostValve.java:137)
	at org.apache.catalina.core.StandardValveContext.invokeNext
(StandardValveContext.java:104)
	at org.apache.catalina.valves.ErrorReportValve.invoke
(ErrorReportValve.java:118)
	at org.apache.catalina.core.StandardValveContext.invokeNext
(StandardValveContext.java:102)
	at org.apache.catalina.core.StandardPipeline.invoke
(StandardPipeline.java:520)
	at org.apache.catalina.core.StandardEngineValve.invoke
(StandardEngineValve.java:109)
	at org.apache.catalina.core.StandardValveContext.invokeNext
(StandardValveContext.java:104)
	at org.apache.catalina.core.StandardPipeline.invoke
(StandardPipeline.java:520)
	at org.apache.catalina.core.ContainerBase.invoke
(ContainerBase.java:929)
	at org.apache.coyote.tomcat5.CoyoteAdapter.service
(CoyoteAdapter.java:160)
	at org.apache.coyote.http11.Http11Processor.process
(Http11Processor.java:799)
	at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnecti
on(Http11Protocol.java:705)
	at org.apache.tomcat.util.net.TcpWorkerThread.runIt
(PoolTcpEndpoint.java:577)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run
(ThreadPool.java:683)
	at java.lang.Thread.run(Unknown Source)

-----------

X509Certificate certificate;
KeyInfo keyInfo = signature.getKeyInfo();
if (keyInfo != null) {
  if (keyInfo.containsX509Data()) {
    try {
      certificate = keyInfo.getX509Certificate();
    }
    catch (KeyResolverException e) {
      return false;
    }
    if (certificate == null) {
      return false;
    }
  }
}
Comment 3 Raul Benito 2006-02-26 18:43:09 UTC 
Fixed in SVN head,
Thanks for pointing the problem. It was true that engineCanResolve set status for the latter engineResolveX methods, and after making Resolvers singleton-like for all threads a race condition can arraise. 
I have fixed it merging this two methods in one the engineResolveX.
Can you test the changes?
Also I think this bug is important enought to do a 1.3.1 release.
What do you think?
Comment 4 Peter Bacik 2006-02-27 10:10:19 UTC 
I have tested the bugfix and the code behaves correctly now.
Yes, this bug is surely worth of new release. The 1.3.0 code of the 
X509CertificateResolver is not thread safe and therefore it cannot be trusted 
in multithreaded applications.

Thanks for the fix.
Comment 5 Raul Benito 2006-08-06 17:52:54 UTC 
Closing old bugs.