
Possible thread-safety issue in OIDC pairwise subject identifiers


    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.2, 14.0.0, 5.5.1, 7.0.0
    • Fix Version/s: None
    • Component/s: OpenID Connect
    • Labels:
    • Target Version/s:


      Bug description

      The implementation of OIDC pairwise subject identifiers uses a singleton MessageDigest object to implement the salted SHA-256 hashing suggested in the spec. MessageDigest objects are stateful and not thread-safe so this could potentially cause incorrect results if called from multiple threads simultaneously.

      It looks like it is currently only called from a single thread at the moment, as OpenAMClientRegistrationStore always constructs a new instance, but I don't know if the client registration instance is itself always used from a single thread. If we ever introduce any caching of client registrations then it may become multi-threaded.

      How to reproduce the issue

      Found by code inspection. Hard to reproduce externally.

      Code analysis

      org.forgerock.openam.oauth2.OpenAMClientRegistration (constructor)
                  this.digest = MessageDigest.getInstance("SHA-256");

      Given that this message digest is only ever used if pairwise subject identifiers are enabled, it would be safer and more efficient to only get a MessageDigest instance when we actually need one as they are not particularly expensive to construct.
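The race the description warns about, as an added example that is not code from this ticket or from OpenAM: a stand-alone Java program that computes pairwise subject identifiers with the salted SHA-256 construction OpenID Connect Core 1.0 section 8.1 gives (SHA-256 over sector identifier, local account id and salt), once through a single shared MessageDigest and once with a fresh instance per call as the ticket proposes, and counts how many results come out wrong when several threads hash at the same time. The class name, the salt value and the sector/account inputs are constructed for the demonstration. With the shared instance the count is non-deterministic but normally non-zero, and a torn internal buffer can also surface as an ArrayIndexOutOfBoundsException; with a per-call instance it is zero. A wrong sub is not a cosmetic error: the relying party keys the user's identity on it, so a corrupted value can fail to match an existing account or match the wrong one.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class PairwiseSubjectRace {

    // The pattern the ticket reports: one stateful MessageDigest shared by every caller, unsynchronized.
    // (Hypothetical reproduction, not OpenAM's code.)
    private static final MessageDigest SHARED_DIGEST;
    static {
        try {
            SHARED_DIGEST = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Constructed salt; a real deployment keeps this value secret and stable.
    private static final String SALT = "constructed-salt-value";

    /** sub = SHA-256(sector_identifier || local_account_id || salt), base64url without padding. */
    static String pairwiseSub(MessageDigest md, String sectorIdentifier, String localAccountId) {
        md.reset();
        md.update(sectorIdentifier.getBytes(StandardCharsets.UTF_8));
        md.update(localAccountId.getBytes(StandardCharsets.UTF_8));
        md.update(SALT.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(md.digest());
    }

    /** Unsafe: every caller mutates the same digest's internal buffer. */
    static String unsafeSub(String sector, String account) {
        return pairwiseSub(SHARED_DIGEST, sector, account);
    }

    /** Safe: a fresh instance per call, which is what the ticket proposes. */
    static String safeSub(String sector, String account) throws NoSuchAlgorithmException {
        return pairwiseSub(MessageDigest.getInstance("SHA-256"), sector, account);
    }

    /**
     * Starts `threads` workers, each computing its own sub `iterations` times, and returns how many
     * results were wrong or threw. Each worker's expected value is computed single-threaded first.
     */
    static int countMismatches(boolean useShared, int threads, int iterations) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        AtomicInteger mismatches = new AtomicInteger();
        for (int t = 0; t < threads; t++) {
            final String sector = "https://rp" + t + ".example";   // constructed sector identifier
            final String account = "user" + t;                     // constructed local account id
            final String expected = safeSub(sector, account);
            pool.submit(() -> {
                start.await();                                     // release all workers together
                for (int i = 0; i < iterations; i++) {
                    try {
                        String actual = useShared ? unsafeSub(sector, account) : safeSub(sector, account);
                        if (!expected.equals(actual)) {
                            mismatches.incrementAndGet();
                        }
                    } catch (RuntimeException e) {
                        // A shared digest whose buffer was torn by another thread can throw
                        // (e.g. ArrayIndexOutOfBoundsException); count that as a wrong result too.
                        mismatches.incrementAndGet();
                    }
                }
                return null;
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return mismatches.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared digest, wrong results:   " + countMismatches(true, 8, 20_000));
        System.out.println("per-call digest, wrong results: " + countMismatches(false, 8, 20_000));
    }
}
```

Run it with `javac PairwiseSubjectRace.java && java PairwiseSubjectRace`. The per-call variant is also the cheaper choice in the common case the ticket describes: when pairwise identifiers are disabled no digest is ever constructed, and when they are enabled `MessageDigest.getInstance` is inexpensive relative to the rest of an OIDC token request, so a `ThreadLocal<MessageDigest>` is an optimisation to reach for only if profiling shows the allocation matters.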




            • Assignee:
              neil.madden Neil Madden
            • Votes: 0
            • Watchers: 0


              • Created: