From: bugzilla@apache.org
To: security-dev@xml.apache.org
Subject: DO NOT REPLY [Bug 44991] New: Concurrent invocation of KeyInfo.getX509Certificate() occasionally fails
Date: Tue, 13 May 2008 11:25:49 -0700 (PDT)

https://issues.apache.org/bugzilla/show_bug.cgi?id=44991

           Summary: Concurrent invocation of KeyInfo.getX509Certificate()
                    occasionally fails
           Product: Security
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: giedrius.noreikis@gmail.com

When executed concurrently in several threads,
org.apache.xml.security.keys.KeyInfo.getX509Certificate() occasionally returns
null.

The log entries made from the failing thread are:

--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.KeyInfo getX509CertificateFromInternalResolvers
Start getX509CertificateFromInternalResolvers() with 0 resolvers
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.KeyInfo getX509Certificate
I couldn't find a X509Certificate using the per-KeyInfo key resolvers
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.KeyInfo getX509CertificateFromStaticResolvers
Start getX509CertificateFromStaticResolvers() with 7 resolvers
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.keyresolver.implementations.X509SKIResolver engineLookupResolveX509Certificate
Can I resolve X509Data?
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.keyresolver.implementations.X509SKIResolver engineLookupResolveX509Certificate
I can't
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.keyresolver.implementations.X509SubjectNameResolver engineLookupResolveX509Certificate
Can I resolve X509Data?
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.keyresolver.implementations.X509SubjectNameResolver engineLookupResolveX509Certificate
I can't
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.keyresolver.implementations.X509IssuerSerialResolver engineLookupResolveX509Certificate
Can I resolve X509Data?
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.utils.ElementProxy
setElement("X509Data", "http://www.w3.org/2000/09/xmldsig#")
--------------------------------------------------
2008-05-13T20:21:50 org.apache.xml.security.keys.KeyInfo getX509Certificate
I couldn't find a X509Certificate using the system-wide key resolvers
--------------------------------------------------

Possible cause:
KeyInfo.getX509CertificateFromStaticResolvers() operates on the
org.apache.xml.security.keys.keyresolver.KeyResolver class: it iterates through
all KeyResolver items, trying to applyCurrentResolver(), and, in case of
success, calls KeyResolver.hit().
When getX509CertificateFromStaticResolvers() in Thread-1 finds a "good"
resolver at iteration, say, i=5, and calls hit(), that resolver is moved to the
beginning of the static KeyResolver._resolverVector list. If Thread-2 at the
same time executes getX509CertificateFromStaticResolvers() at iteration, say,
i=3, it will never see that resolver.

Possible fix:
With the present design, it seems, KeyResolver cannot support item() and hit()
methods together, since hit() changes the order of the _resolverVector items.
Either hit() should be removed or a copy of _resolverVector should be made
before accessing its elements.
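
The interleaving described in the report, replayed deterministically on a single thread, followed by the copy-before-iterating fix it suggests. This is an added example, not code from the bug report or from the library: the class ResolverOrderRace, its methods and the placeholder resolver names R0..R6 are hypothetical stand-ins for KeyResolver's static list, item() and hit().

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration; all names here are hypothetical, not the library's.
public class ResolverOrderRace {
    // Stand-in for the shared static resolver list from the report.
    static final List<String> resolvers = new ArrayList<>();

    static void reset() {
        resolvers.clear();
        for (int i = 0; i < 7; i++) {
            resolvers.add("R" + i);
        }
    }

    // Move-to-front on success, which is what the report says hit() does.
    static void hit(int index) {
        resolvers.add(0, resolvers.remove(index));
    }

    // Index-based scan over `view`, standing in for "Thread-2".
    // At iteration `injectAt` a simulated "Thread-1" succeeds with `wanted`
    // and calls hit() on the shared list, reordering it mid-scan.
    static String scan(List<String> view, String wanted, int injectAt) {
        for (int i = 0; i < view.size(); i++) {
            if (i == injectAt) {
                hit(resolvers.indexOf(wanted));
            }
            if (view.get(i).equals(wanted)) {
                return view.get(i);
            }
        }
        return null; // no resolver matched from this scan's point of view
    }

    public static void main(String[] args) {
        reset();
        // Scanning the shared list: at i=3 the wanted resolver (index 5) is
        // moved to index 0, behind the scan cursor, so the scan never reaches it.
        System.out.println("shared list scan: " + scan(resolvers, "R5", 3));

        reset();
        // Scanning a copy taken before the loop: the concurrent hit() still
        // reorders the shared list, but the order this scan sees is stable.
        System.out.println("snapshot scan:    "
                + scan(new ArrayList<>(resolvers), "R5", 3));
    }
}
```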