
Possible thread-safety issue in OIDC pairwise subject identifiers

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.2, 14.0.0, 5.5.1, 6.0.0.6, 6.5.0.1, 7.0.0
    • Fix Version/s: None
    • Component/s: OpenID Connect

      Description

      Bug description

      The implementation of OIDC pairwise subject identifiers uses a singleton MessageDigest object to implement the salted SHA-256 hashing suggested in the spec. MessageDigest objects are stateful and not thread-safe so this could potentially cause incorrect results if called from multiple threads simultaneously.

      It looks like it is currently only called from a single thread at the moment, as OpenAMClientRegistrationStore always constructs a new instance, but I don't know if the client registration instance is itself always used from a single thread. If we ever introduce any caching of client registrations then it may become multi-threaded.

      How to reproduce the issue

      Found by code inspection. Hard to reproduce externally.

      Code analysis

      org.forgerock.openam.oauth2.OpenAMClientRegistration (constructor)
                  this.digest = MessageDigest.getInstance("SHA-256");

      Given that this message digest is only ever used if pairwise subject identifiers are enabled, it would be safer and more efficient to only get a MessageDigest instance when we actually need one as they are not particularly expensive to construct.
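      An added example (not OpenAM's code) contrasting the shared-instance pattern quoted above with a per-call MessageDigest, using the salted SHA-256 layout from OIDC Core section 8.1 (sector_identifier || local_account_id || salt). The concatenation, base64url encoding, salt value and class names are assumptions, not OpenAM's exact format.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.IntStream;

// Hypothetical class; layout of the hashed input is an assumption.
public final class PairwiseSubject {

    private final MessageDigest sharedDigest;   // the pattern flagged in the bug
    private final byte[] salt;

    PairwiseSubject(byte[] salt) throws NoSuchAlgorithmException {
        this.sharedDigest = MessageDigest.getInstance("SHA-256");
        this.salt = salt;
    }

    // Risky: update()/digest() on one shared instance; threads that interleave
    // here mix each other's input into the buffered digest state.
    String subShared(String sector, String localId) {
        sharedDigest.update(sector.getBytes(StandardCharsets.UTF_8));
        sharedDigest.update(localId.getBytes(StandardCharsets.UTF_8));
        return encode(sharedDigest.digest(salt));   // digest() also resets the state
    }

    // Safe: a fresh MessageDigest per call (cheap); no state is shared across threads.
    String subPerCall(String sector, String localId) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(sector.getBytes(StandardCharsets.UTF_8));
        md.update(localId.getBytes(StandardCharsets.UTF_8));
        return encode(md.digest(salt));
    }

    private static String encode(byte[] hash) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(hash);
    }

    // Stress check: many threads hash distinct (constructed) users through the shared
    // digest and compare each result with the per-call reference; a mismatch is a
    // wrong, possibly cross-user, pairwise sub produced by the race.
    public static void main(String[] args) throws Exception {
        PairwiseSubject ps = new PairwiseSubject("constructed-salt".getBytes(StandardCharsets.UTF_8));
        AtomicInteger mismatches = new AtomicInteger();
        IntStream.range(0, 100_000).parallel().forEach(i -> {
            String user = "user" + (i % 50);
            try {
                if (!ps.subShared("https://rp.example", user).equals(ps.subPerCall("https://rp.example", user)))
                    mismatches.incrementAndGet();
            } catch (Exception e) { mismatches.incrementAndGet(); }  // corrupted state can also throw
        });
        System.out.println("mismatches from shared digest: " + mismatches.get());
    }
}
```

      Replacing the call to subShared with subPerCall in the loop is the fix the description proposes; the count then stays at zero regardless of thread count.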

      People

      Assignee: Unassigned
      Reporter: Neil Madden