OpenAM / OPENAM-15049

wrong JWT while obtaining CIBA auth request id will result in HTTP 500 NPE


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2, 7.0.0
    • Fix Version/s: 7.0.0, 6.5.3
    • Component/s: oauth2
    • Sprint: AM 2019.15 - Gears
    • Yes

      Description

      Bug description

      When I remove the last character from the JWT used for the CIBA Auth Request Id, the server returns an HTTP 500 error and there is an NPE in the debug log:

      ERROR: Unhandled exception: 
      java.lang.NullPointerException: null
      	at org.forgerock.json.jose.jws.SupportedEllipticCurve.forSignature(SupportedEllipticCurve.java:181)
      	at org.forgerock.json.jose.utils.DerUtils.encodeEcdsaSignature(DerUtils.java:168)
      	at org.forgerock.json.jose.jws.handlers.SecretECDSASigningHandler.verify(SecretECDSASigningHandler.java:79)
      	at org.forgerock.json.jose.jws.SignedJwt.verify(SignedJwt.java:194)
      	at org.forgerock.openam.jwt.JwtSignatureVerificationHandler$$Lambda$863/1272821841.test(Unknown Source)
      	at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
      	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
      	at java.util.stream.StreamSpliterators$WrappingSpliterator.tryAdvance(StreamSpliterators.java:302)
      	at java.util.stream.Streams$ConcatSpliterator.tryAdvance(Streams.java:727)
      	at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
      	at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:529)
      	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:516)
      	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:502)
      	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
      	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
      	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
      	at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:449)
      	at org.forgerock.openam.jwt.JwtSignatureVerificationHandler.verifyJwsSignature(JwtSignatureVerificationHandler.java:107)
      	at org.forgerock.openam.jwt.JwtSignatureVerificationHandler.verifyJwsSignature(JwtSignatureVerificationHandler.java:71)
      	at org.forgerock.openam.oauth2.OpenAMClientRegistration.verifyBackChannelAuthRequestJwt(OpenAMClientRegistration.java:815)
      	at org.forgerock.oauth2.restlet.BackChannelResource.backChannelAuthorize(BackChannelResource.java:137)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:483)
      	at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
      	at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:77)
      	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
      	at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:88)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.routing.Router.handle(Router.java:100)
      	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:85)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.routing.Router.handle(Router.java:100)
      	at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)
      	at org.forgerock.http.routing.Router.handle(Router.java:100)
      	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:88)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:63)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:139)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.openam.http.ResponseContext$ResponseContextFilter.filter(ResponseContext.java:53)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.openam.http.OpenAMHttpApplication.lambda$static$1(OpenAMHttpApplication.java:60)
      	at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$621/1127517004.filter(Unknown Source)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.openam.http.OpenAMHttpApplication.lambda$cacheHeaderFilter$3(OpenAMHttpApplication.java:88)
      	at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$738/30937237.filter(Unknown Source)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:265)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      

      How to reproduce the issue

      A. Configuration

      1. Generate signing keys at https://mkjwk.org - Elliptic Curve tab, Curve = P-256, Key Use = Signing, Algorithm = ES256, Key ID = myKID - and save the output.
      2. Add an OAuth2 client - Client ID = myCID, password = password, scopes = "openid profile"; add "grant type" = "Back Channel Request" in the Advanced tab; add the "Keypair set" from step 1 to "Json Web Key" in the "Signing and Encryption" tab, and also change "Public key selector" to JWKs.

      B. Generate a JWT at http://jwt.io with the ES256 algorithm

      Verify signature

      • enter the public key from step 1 into the upper box
      • enter the keypair from step 1 into the lower box

      Change payload to:

      {  
         "login_hint":"demo",
         "scope":"openid profile",
         "acr_values":"push",
         "iss":"myCID",
         "aud":"http://am.localtest.me:8080/openam/oauth2",
         "exp":1559753575,
         "binding_message":"Allow ExampleBank to transfer £50 from your 'Main' account to your 'Savings' account? Reference: 0246326"
      }
      

      and modify:

      • exp (expiration time) to the current time plus 10 minutes - in bash: expr `date +%s` + 600
      • aud to your AM URL

      C. Request an Auth request ID

      Copy the JWT to the file /tmp/JWT.txt and run:

      http -v -f -a ${OAUTH2_CLIENT_ID}:${OAUTH2_CLIENT_PASS} POST ${AM_URL}/oauth2/bc-authorize request=`cat ${JWT_FILE}`
      

      This should return "acr_values invalid or missing", as this was not configured.

      D. Remove the last character from the file and run the command again

      Expected behaviour
      HTTP 400 JWT signature verification failed
      
      Current behaviour
      HTTP 500 Null pointer exception
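
The failure mode above, as an added example that is not part of the ticket or of OpenAM's code: a Python model of the structural checks a bc-authorize handler should run on the request JWT before handing the signature to an ECDSA verifier. The function names (`parse_jws`, `raw_ecdsa_to_der`, `handle_bc_authorize`) and the sample token (the ticket's claims with a placeholder 64-byte signature, not a real ES256 signature) are constructed for illustration; the actual ECDSA check against the client's JWKS is assumed to run after these checks and is omitted. It shows why removing one character must end as an HTTP 400: the base64url signature segment either fails to decode or yields a byte length that matches no curve, and both cases are rejected before anything looks up a curve by signature length.

```python
import base64
import json

# Raw JWS ECDSA signature is R||S with fixed-width coordinates (RFC 7518 section 3.4):
# 32+32 bytes for ES256, 48+48 for ES384, 66+66 for ES512.
ALG_SIG_LEN = {"ES256": 64, "ES384": 96, "ES512": 132}


class JwtRejected(Exception):
    """Any malformed or unsupported token; the endpoint maps this to HTTP 400, never 500."""


def b64url_decode(segment: str) -> bytes:
    # JWS segments carry no '=' padding; restore it. A truncated segment may decode to
    # too few bytes or fail outright (binascii.Error is a ValueError); both must surface
    # as a rejection rather than as an unhandled exception.
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError as exc:
        raise JwtRejected(f"segment is not valid base64url: {exc}") from exc


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _der_len(n: int) -> bytes:
    # Short form up to 127; the one-byte long form covers every EC signature size here.
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])


def _der_int(n: int) -> bytes:
    # Minimal positive INTEGER: the extra byte in the length prepends 0x00 when the
    # high bit is set, and encodes 0 as a single zero byte.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def raw_ecdsa_to_der(alg: str, sig: bytes) -> bytes:
    """Convert the JWS R||S signature to DER SEQUENCE { INTEGER r, INTEGER s }.

    The length is checked against the algorithm first: a signature matching no known
    curve is a client error, not a reason to look a curve up and dereference null.
    """
    expected = ALG_SIG_LEN.get(alg)
    if expected is None:
        raise JwtRejected(f"unsupported alg {alg!r}")
    if len(sig) != expected:
        raise JwtRejected(f"{alg} signature must be {expected} bytes, got {len(sig)}")
    half = expected // 2
    r = int.from_bytes(sig[:half], "big")
    s = int.from_bytes(sig[half:], "big")
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


def parse_jws(token: str) -> tuple:
    """Structural validation of a compact JWS: returns (header, payload, der_signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtRejected(f"compact JWS needs 3 segments, got {len(parts)}")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError are ValueErrors
        raise JwtRejected(f"header/payload is not JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise JwtRejected("header must be a JSON object with a string 'alg'")
    der_sig = raw_ecdsa_to_der(header["alg"], b64url_decode(parts[2]))
    return header, payload, der_sig


def handle_bc_authorize(token: str) -> tuple:
    """HTTP-style outcome (status, message) for the 'request' parameter.

    The real ECDSA verification (key chosen by header['kid'] from the client's JWKS)
    is assumed to follow; it is omitted here because no crypto library is used.
    """
    try:
        header, _payload, der_sig = parse_jws(token)
    except JwtRejected as exc:
        return 400, f"JWT signature verification failed: {exc}"
    return 200, f"{header['alg']} token parsed; {len(der_sig)}-byte DER signature ready to verify"


# Constructed sample: the ticket's CIBA claims with a placeholder 64-byte signature
# (not a real ES256 signature; it only exercises the structural checks).
SAMPLE_CLAIMS = {
    "login_hint": "demo", "scope": "openid profile", "acr_values": "push",
    "iss": "myCID", "aud": "http://am.localtest.me:8080/openam/oauth2", "exp": 1559753575,
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT", "kid": "myKID"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url_encode(bytes(range(64))),
])

if __name__ == "__main__":
    print(handle_bc_authorize(SAMPLE_TOKEN))       # 200: intact token
    print(handle_bc_authorize(SAMPLE_TOKEN[:-1]))  # 400: last character removed, as in the ticket
    print(handle_bc_authorize(SAMPLE_TOKEN[:-2]))  # 400: decodes to 63 bytes, matches no curve
```

Dropping one character from an 86-character ES256 signature segment leaves a base64url string that cannot decode at all; dropping two decodes cleanly to 63 bytes. A handler that only guards the first case still reaches the curve lookup with an impossible length, which is the path the stack trace above shows, so the length check in `raw_ecdsa_to_der` is the one that matters.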

            People

            michael.carter Michael Carter [X] (Inactive)
            lubomir.mlich Ľubomír Mlích