Fix possible infinite loop when loading cert chains from Java P11KeyStore #216
Commits on Sep 20, 2024
-
Fix possible infinite loop when loading cert chains from Java P11KeyS…
…tore When HSM contains certificate chains, the JDK P11KeyStore tries to load the full chain within loadChain() method. This action is performed in a while(true) loop as: while (true) { CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { ATTR_TOKEN_TRUE, ATTR_CLASS_CERT, new CK_ATTRIBUTE(CKA_SUBJECT, next.getIssuerX500Principal().getEncoded()) }; long[] ch = findObjects(session, attrs); if (ch == null || ch.length == 0) { // done break; } else { // Just take the first next = loadCert(session, ch[0]); lChain.add(next); if (next.getSubjectX500Principal().equals (next.getIssuerX500Principal())) { // self signed break; } } } Here, supporting filtering certificates by CKA_SUBJECT is crucial otherwise the while true loop would continue forever (until findObjects returns some certificates and first one is not self signed) Signed-off-by: Alberto Panizzo <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.