use of cleared weak reference in provider OcspCache #1541

Closed
dghgit opened this issue Dec 2, 2023 · 9 comments
dghgit commented Dec 2, 2023


Hi, 

I hit the NPE below with OCSP validation using these BC libs:

```
+--- org.bouncycastle:bcpkix-jdk15on:1.70
|    |    +--- org.bouncycastle:bcprov-jdk15on:1.70
|    |    \--- org.bouncycastle:bcutil-jdk15on:1.70
|    |         \--- org.bouncycastle:bcprov-jdk15on:1.70
|    +--- org.bouncycastle:bcprov-jdk15on:1.70
```

The exception does not happen reproducibly, it's rather intermittent:

```
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.NullPointerException: Cannot invoke "java.util.Map.put(Object, Object)" because "<local6>" is null
at org.bouncycastle.jce.provider.OcspCache.getOcspResponse(Unknown Source)
at org.bouncycastle.jce.provider.ProvOcspRevocationChecker.check(Unknown Source)
at org.bouncycastle.jce.provider.ProvRevocationChecker.check(Unknown Source)
at java.base/java.security.cert.PKIXCertPathChecker.check(PKIXCertPathChecker.java:176)
at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi_8.engineValidate(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi_8.build(Unknown Source)
... 86 common frames omitted
```

I will replace the dependency with the debug artefacts to get info about line numbers, but maybe someone on this list has seen this before and can advise.

From: Eckenfels. Bernd B.Eckenfels@seeburger.de

I bet it’s the weak reference here:

https://github.com/bcgit/bc-java/blob/5c35c9a5e79648d7fdf85d7cbaffe8169f249443/prov/src/main/java/org/bouncycastle/jce/provider/OcspCache.java#L199C32-L199C32

```java
responseMap = markerRef.get();
responseMap.put(certID, response);
```
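
The failure mode discussed above, reduced to a self-contained sketch (an added example, not Bouncy Castle's code or its fix): a `WeakReference` can be cleared by the garbage collector at any time, so the result of `get()` must be null-checked and held in a strong local. The class, the method names and the `String`/`byte[]` types are hypothetical stand-ins, and `clear()` simulates the collector so the behaviour is deterministic.

```java
import java.lang.ref.WeakReference;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class WeakCacheDemo {
    // Hypothetical stand-in for a per-responder cache:
    // responder URI -> weakly held map of certificate ID -> response bytes.
    static final Map<String, WeakReference<Map<String, byte[]>>> cache = new ConcurrentHashMap<>();

    // Pattern quoted in the issue: the referent is used without a null check.
    // The surrounding lookup is assumed for the sake of a runnable example.
    static synchronized void storeUnsafe(String responder, String certId, byte[] resp) {
        WeakReference<Map<String, byte[]>> markerRef = cache.get(responder);
        Map<String, byte[]> responseMap = markerRef.get(); // null once the reference is cleared
        responseMap.put(certId, resp);                     // NullPointerException in that case
    }

    // Defensive form: take a strong local reference and treat null as a cache miss.
    static synchronized Map<String, byte[]> storeSafe(String responder, String certId, byte[] resp) {
        WeakReference<Map<String, byte[]>> markerRef = cache.get(responder);
        Map<String, byte[]> responseMap = (markerRef != null) ? markerRef.get() : null;
        if (responseMap == null) {
            responseMap = new HashMap<>();
            cache.put(responder, new WeakReference<>(responseMap));
        }
        responseMap.put(certId, resp);
        return responseMap; // the caller's strong reference keeps the map alive while in use
    }

    public static void main(String[] args) {
        String responder = "http://ocsp.example.test"; // constructed value
        byte[] resp = {0x30, 0x03};                    // constructed placeholder bytes
        storeSafe(responder, "cert-1", resp);

        cache.get(responder).clear(); // simulate the GC clearing the weak reference

        try {
            storeUnsafe(responder, "cert-2", resp);
            System.out.println("unsafe store: no exception");
        } catch (NullPointerException e) {
            System.out.println("unsafe store: NPE on cleared reference");
        }
        Map<String, byte[]> m = storeSafe(responder, "cert-2", resp);
        System.out.println("safe store rebuilt the map: " + m.keySet());
    }
}
```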


dghgit commented Dec 4, 2023

There's a new beta up which should fix this one at https://www.bouncycastle.org/betas


felixdo commented Dec 6, 2023

> There's a new beta up which should fix this one at https://www.bouncycastle.org/betas

The url worked a few days ago but now gives 404


dghgit commented Dec 6, 2023

More excitement than I've had in a while, but I'm pleased to say the site is back. Let me know how you go.


felixdo commented Dec 27, 2023

#1548 is blocking me from upgrading.


dghgit commented Dec 28, 2023

@felixdo have you confirmed the latest beta fixes the issue?


felixdo commented Jan 5, 2024

@dghgit as commented above I can't even try because of #1548


dghgit commented Jan 5, 2024

@felixdo #1548 has been fixed as part of this. Apologies for the confusion.


felixdo commented Feb 1, 2024

@dghgit It's on my list to test this, but can't say when.

@dghgit dghgit self-assigned this Feb 12, 2024

dghgit commented Apr 22, 2024

Fixed in 1.78.

@dghgit dghgit closed this as completed Apr 22, 2024