Possible NullPointerException #22375

Closed
2 tasks done
arthurscchan opened this issue Aug 10, 2023 · 0 comments · Fixed by #22376
Labels
area/core kind/bug Categorizes a PR related to a bug
Before reporting an issue

Area

core

Describe the bug

In https://github.com/keycloak/keycloak/blob/main/core/src/main/java/org/keycloak/jose/jwk/JWKParser.java#L83-L84, the logic depends on the x and y fields in the otherclaim map stored within the JWK object to generate 2 big integers for base EC points. But according to the ec method in https://github.com/keycloak/keycloak/blob/main/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java#L118, it does not explicitly put any value into the otherclaim map, and thus the map will remain the default empty map in some cases. This causes the retrieval of the x and y fields to return a null value and subsequently makes Base64.decode throw a NullPointerException when the null value is parsed.

Version

latest

Expected behavior

Either detect that the map is empty and throw a wrapped error, or set a default value if the retrieval of the x and y fields returns null.

Actual behavior

The exception stacktrace

```
== Java Exception: java.lang.NullPointerException: Cannot invoke "String.replace(char, char)" because "base64Url" is null
    at org.keycloak.common.util.Base64Url.encodeBase64UrlToBase64(Base64Url.java:58)
    at org.keycloak.common.util.Base64Url.decode(Base64Url.java:32)
    at org.keycloak.jose.jwk.JWKParser.createECPublicKey(JWKParser.java:83)
    at org.keycloak.jose.jwk.JWKParser.toPublicKey(JWKParser.java:74)
    at TestFuzzer.main(TestFuzzer.java:15)
```

How to Reproduce?

The following code snippet could reproduce the NullPointerException easily.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import org.keycloak.crypto.KeyUse;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKBuilder;
import org.keycloak.jose.jwk.JWKParser;

public class TestFuzzer {
  public static void main(String[] args) throws Throwable {
    // Build an EC JWK from a freshly generated key pair.
    JWKBuilder builder = JWKBuilder.create();
    KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
    KeyPair keyPair = generator.generateKeyPair();
    JWK jwk = builder.ec(keyPair.getPublic(), KeyUse.ENC);

    // Parse the same JWK back into a public key.
    JWKParser parser = new JWKParser(jwk);
    // Throws NullPointerException: x and y are looked up in the empty map.
    parser.toPublicKey();
  }
}
```

Anything else?

This bug was found by a fuzzer using oss-fuzz, and the bug report link is https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61287.

@arthurscchan arthurscchan added kind/bug Categorizes a PR related to a bug status/triage labels Aug 10, 2023
@ghost ghost added the area/core label Aug 10, 2023
@ghost ghost added the team/core label Aug 10, 2023
@mposolda mposolda added this to the 23.0.0 milestone Aug 14, 2023
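
The first option under "Expected behavior" (detect the missing coordinates and raise a descriptive error), as an added stand-alone example using only the JDK; it is not Keycloak's code and not the change merged in #22376. The class and method names are hypothetical, the claims are modelled as a plain `Map`, and the curve is assumed to be P-256.

```java
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.util.Base64;
import java.util.Map;
// Hypothetical stand-alone class (JDK only); not Keycloak's JWKParser.
public class EcJwkCoordinateCheck {
  // Returns the decoded coordinate, or fails with a descriptive error instead of an NPE.
  static BigInteger coordinate(Map<String, Object> claims, String name) {
    Object value = claims.get(name);
    if (!(value instanceof String) || ((String) value).isEmpty()) {
      throw new IllegalArgumentException("EC JWK is missing the '" + name + "' coordinate");
    }
    // Base64.Decoder.decode throws IllegalArgumentException on malformed input.
    return new BigInteger(1, Base64.getUrlDecoder().decode((String) value));
  }

  static PublicKey toEcPublicKey(Map<String, Object> claims) throws Exception {
    BigInteger x = coordinate(claims, "x");
    BigInteger y = coordinate(claims, "y");
    AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
    params.init(new ECGenParameterSpec("secp256r1")); // assumption: P-256 only
    ECParameterSpec curve = params.getParameterSpec(ECParameterSpec.class);
    return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(new ECPoint(x, y), curve));
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample input: a fresh P-256 key exported as x/y claims.
    KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
    gen.initialize(new ECGenParameterSpec("secp256r1"));
    ECPoint w = ((ECPublicKey) gen.generateKeyPair().getPublic()).getW();
    Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
    Map<String, Object> claims = Map.of("x", enc.encodeToString(w.getAffineX().toByteArray()),
        "y", enc.encodeToString(w.getAffineY().toByteArray()));
    System.out.println("parsed: " + toEcPublicKey(claims).getAlgorithm());
    try {
      toEcPublicKey(Map.of()); // the empty-map case from the report
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Failing with a typed, descriptive exception lets callers that parse untrusted JWKs reject the key cleanly rather than surface an unchecked NullPointerException from deep inside the decoder.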