OpenAM / OPENAM-16096

AMKeyProvider.mapPk2Cert error when using AWS CloudHSM

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.5.2.3, 7.0.0
    • Fix Version/s: 7.0.0, 6.5.3
    • Component/s: None
    • Labels: (none)
    • Sprint: AM Sustaining Sprint 73
    • Story Points: 2
    • Support Ticket IDs: (none)

      Description

      Bug description

      AMKeyProvider loops through all entries in the keystore on startup and builds a map from public key to certificate. The code currently assumes that any entry that is not a SecretKeyEntry has a certificate associated with it. That does not hold for the AWS CloudHSM JCE provider, whose keystore can list other entries of unknown type for which getCertificate returns null, so the mapping dereferences a null certificate.

      How to reproduce the issue

      Set up AWS CloudHSM and use their JCE provider. Set the HSM as the keystore for AMKeyProvider by setting the various system properties. Restart AM.

      Expected behaviour

      AM starts correctly.

      Current behaviour

      AM fails to start due to NPE in AMKeyProvider.mapPk2Cert
      Truncated stack trace

      javax.servlet.ServletException: Failed to load the Http Application class: null
      javax.servlet.ServletException: Failed to load the Http Application class: null
          org.forgerock.http.servlet.HttpApplicationLoader$LazilyLinkGuice.load(HttpApplicationLoader.java:201)
          ....
          org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          java.lang.Thread.run(Thread.java:748)

      Root Cause

      com.google.inject.ProvisionException: Unable to provision, see the following errors:

      1) Error injecting constructor, java.lang.NullPointerException
        at org.forgerock.openam.utils.AMKeyProvider.<init>(Unknown Source)
        at org.forgerock.openam.forgerockrest.guice.ForgerockRestGuiceModule.configure(ForgerockRestGuiceModule.java:43)
        while locating org.forgerock.openam.utils.AMKeyProvider
          for the 1st parameter of org.forgerock.openam.selfservice.JwtSnapshotTokenHandlerFactory.<init>(Unknown Source)
        while locating org.forgerock.openam.selfservice.JwtSnapshotTokenHandlerFactory
        while locating org.forgerock.selfservice.core.snapshot.SnapshotTokenHandlerFactory
          for the 2nd parameter of org.forgerock.openam.selfservice.SelfServiceFactoryImpl.<init>(Unknown Source)
        while locating org.forgerock.openam.selfservice.SelfServiceFactoryImpl
        while locating org.forgerock.openam.selfservice.SelfServiceFactory
          for the 1st parameter of org.forgerock.openam.selfservice.SelfServiceGuiceModule.getUserRegistrationService(Unknown Source)
        at org.forgerock.openam.selfservice.SelfServiceGuiceModule.getUserRegistrationService(Unknown Source)
        while locating org.forgerock.openam.selfservice.SelfServiceRequestHandler<org.forgerock.openam.selfservice.config.beans.UserRegistrationConsoleConfig>
        while locating org.forgerock.openam.http.HttpRouterProvider
        at org.forgerock.openam.http.HttpGuiceModule.configure(HttpGuiceModule.java:34)
        while locating org.forgerock.http.Handler annotated with @com.google.inject.name.Named(value=HttpHandler)
          for the 1st parameter of org.forgerock.openam.http.OpenAMHttpApplication.<init>(Unknown Source)
        at org.forgerock.openam.http.OpenAMHttpApplication.class(Unknown Source)
        while locating org.forgerock.openam.http.OpenAMHttpApplication
        while locating org.forgerock.http.HttpApplication

      1 error
          com.google.inject.internal.InternalProvisionException.toProvisionException(InternalProvisionException.java:226)
          com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1053)
          com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1086)
          org.forgerock.guice.core.InjectorHolder.getInstance(InjectorHolder.java:72)
          org.forgerock.http.servlet.HttpApplicationLoader$LazilyLinkGuice.load(HttpApplicationLoader.java:193)
          org.forgerock.http.servlet.HttpApplicationLoader$LazilyLinkGuice.access$100(HttpApplicationLoader.java:188)
          org.forgerock.http.servlet.HttpApplicationLoader$3.load(HttpApplicationLoader.java:183)
          org.forgerock.http.servlet.HttpFrameworkServlet.getApplication(HttpFrameworkServlet.java:219)
          org.forgerock.http.servlet.HttpFrameworkServlet.init(HttpFrameworkServlet.java:161)
          ........
          org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          java.lang.Thread.run(Thread.java:748)

      Root Cause

      java.lang.NullPointerException
          org.forgerock.openam.utils.AMKeyProvider.mapPk2Cert(AMKeyProvider.java:231)
          org.forgerock.openam.utils.AMKeyProvider.<init>(AMKeyProvider.java:125)
          org.forgerock.openam.utils.AMKeyProvider.<init>(AMKeyProvider.java:91)
          sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
          sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
          .....
          org.forgerock.guice.core.InjectorHolder.getInstance(InjectorHolder.java:85)
          org.forgerock.openam.rest.Routers$VersionedResourceRoute.toRequestHandler(Routers.java:1027)
          org.forgerock.openam.rest.Routers$ResourceRoute.toRequestHandler(Routers.java:612)
          org.forgerock.openam.selfservice.SelfServiceRestRouteProvider.addResourceRoutes(SelfServiceRestRouteProvider.java:48)
          org.forgerock.openam.rest.AbstractRestRouteProvider.addRoutes(AbstractRestRouteProvider.java:32)
          org.forgerock.openam.rest.RestHttpRouteProvider.get(RestHttpRouteProvider.java:49)
          org.forgerock.openam.http.HttpRouterProvider.get(HttpRouterProvider.java:41)
          org.forgerock.openam.http.HttpRouterProvider.get(HttpRouterProvider.java:25)
          .......
          com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1086)
          org.forgerock.guice.core.InjectorHolder.getInstance(InjectorHolder.java:72)
          org.forgerock.http.servlet.HttpApplicationLoader$LazilyLinkGuice.load(HttpApplicationLoader.java:193)
          org.forgerock.http.servlet.HttpApplicationLoader$LazilyLinkGuice.access$100(HttpApplicationLoader.java:188)
          org.forgerock.http.servlet.HttpApplicationLoader$3.load(HttpApplicationLoader.java:183)
          org.forgerock.http.servlet.HttpFrameworkServlet.getApplication(HttpFrameworkServlet.java:219)
          org.forgerock.http.servlet.HttpFrameworkServlet.init(HttpFrameworkServlet.java:161)
          ....
          java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          java.lang.Thread.run(Thread.java:748)


      Workaround

      It may be possible to delete the HSM objects that cause the issue, i.e. the keystore entries that are neither SecretKeyEntry instances nor have a certificate associated with them.

      Code analysis

      org.forgerock.openam.utils.AMKeyProvider#mapPk2Cert:

          Certificate cert = getCertificate(alias);
          // Add the following check
          if (cert == null) {
              logger.warning("Unknown keystore entry without certificate: {}", alias);
              continue;
          }
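      The loop from the description and the check suggested above, side by side, as an added example that is not OpenAM code. The KeyStoreSpi, Provider and Certificate classes below are stubs written for this example, the aliases ("saml-signing", "aes-wrapping-key", "hsm-object-42") are invented, and the orphan entry models what the description says the CloudHSM provider exposes: an alias that is neither a SecretKeyEntry nor has a certificate. The pre-fix loop throws the NullPointerException seen in the trace; the post-fix loop records the alias and carries on.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import javax.crypto.KeyGenerator;

/** Added example, not OpenAM code: mapPk2Cert before and after the null-certificate check,
 *  run against a stub keystore that behaves like the HSM described in OPENAM-16096. */
public class Pk2CertMapper {

    /** Pre-fix shape: every entry that is not a SecretKeyEntry is assumed to carry a certificate. */
    static Map<PublicKey, Certificate> mapPk2CertNaive(KeyStore ks) throws KeyStoreException {
        Map<PublicKey, Certificate> map = new HashMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                continue;
            }
            Certificate cert = ks.getCertificate(alias); // null for an entry of unknown type
            map.put(cert.getPublicKey(), cert);           // NullPointerException, as in the trace
        }
        return map;
    }

    /** Post-fix shape: entries without a certificate are reported via 'skipped' instead of aborting startup. */
    static Map<PublicKey, Certificate> mapPk2Cert(KeyStore ks, List<String> skipped) throws KeyStoreException {
        Map<PublicKey, Certificate> map = new HashMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) {
                skipped.add(alias); // the suggested fix logs a warning here
                continue;
            }
            map.put(cert.getPublicKey(), cert);
        }
        return map;
    }

    /** Certificate stub (assumption: only the public key matters for the mapping). */
    static final class StubCert extends Certificate {
        private final PublicKey pk;
        StubCert(PublicKey pk) { super("STUB"); this.pk = pk; }
        @Override public byte[] getEncoded() { return pk.getEncoded(); }
        @Override public void verify(PublicKey key) { }
        @Override public void verify(PublicKey key, String sigProvider) { }
        @Override public String toString() { return "StubCert(" + pk.getAlgorithm() + ")"; }
        @Override public PublicKey getPublicKey() { return pk; }
    }

    /** Read-only KeyStoreSpi standing in for the HSM provider. An alias mapped to null is an object the
     *  provider lists but that is neither a key nor a certificate (hypothetical, modelled on the bug text). */
    static final class FakeHsmSpi extends KeyStoreSpi {
        private final Map<String, Object> entries;
        FakeHsmSpi(Map<String, Object> entries) { this.entries = entries; }
        @Override public Enumeration<String> engineAliases() { return Collections.enumeration(entries.keySet()); }
        @Override public boolean engineContainsAlias(String a) { return entries.containsKey(a); }
        @Override public int engineSize() { return entries.size(); }
        @Override public boolean engineIsKeyEntry(String a) { return entries.get(a) instanceof Key; }
        @Override public boolean engineIsCertificateEntry(String a) { return entries.get(a) instanceof Certificate; }
        @Override public Certificate engineGetCertificate(String a) {
            return entries.get(a) instanceof Certificate ? (Certificate) entries.get(a) : null;
        }
        @Override public Certificate[] engineGetCertificateChain(String a) {
            Certificate c = engineGetCertificate(a);
            return c == null ? null : new Certificate[] { c };
        }
        @Override public Key engineGetKey(String a, char[] pw) { return entries.get(a) instanceof Key ? (Key) entries.get(a) : null; }
        @Override public String engineGetCertificateAlias(Certificate c) { return null; }
        @Override public Date engineGetCreationDate(String a) { return new Date(); }
        @Override public void engineLoad(InputStream in, char[] pw) { }
        @Override public void engineStore(OutputStream out, char[] pw) { throw new UnsupportedOperationException(); }
        @Override public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] c) { throw new UnsupportedOperationException(); }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) { throw new UnsupportedOperationException(); }
        @Override public void engineSetCertificateEntry(String a, Certificate c) { throw new UnsupportedOperationException(); }
        @Override public void engineDeleteEntry(String a) { throw new UnsupportedOperationException(); }
    }

    /** Constructed keystore content: one certificate, one AES secret key, one orphan object (aliases invented). */
    static KeyStore fakeCloudHsm() throws Exception {
        Map<String, Object> entries = new LinkedHashMap<>();
        entries.put("saml-signing", new StubCert(KeyPairGenerator.getInstance("EC").generateKeyPair().getPublic()));
        entries.put("aes-wrapping-key", KeyGenerator.getInstance("AES").generateKey()); // seen as a SecretKeyEntry
        entries.put("hsm-object-42", null); // unknown-type entry with no certificate
        Provider p = new Provider("FakeCloudHSM", "0", "stub provider for this example") { }; // JDK 9+ constructor
        KeyStore ks = new KeyStore(new FakeHsmSpi(entries), p, "FakeCloudHSM") { };
        ks.load(null, null); // marks the KeyStore initialised; engineLoad above does nothing
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = fakeCloudHsm();
        try {
            mapPk2CertNaive(ks);
        } catch (NullPointerException npe) {
            System.out.println("pre-fix loop: NullPointerException, AM would fail to start");
        }
        List<String> skipped = new ArrayList<>();
        Map<PublicKey, Certificate> map = mapPk2Cert(ks, skipped);
        System.out.println("post-fix loop: mapped " + map.size() + " certificate(s), skipped " + skipped);
    }
}
```

      The aliases collected in 'skipped' are the ones the workaround above would have you delete from the HSM; running the hardened loop against the real provider (the same system properties AM uses for its keystore) is a quicker way to identify them than deleting objects by trial and error.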

            People

            • Assignee: Jonathan Thomas (jonthomas)
            • Reporter: Neil Madden (neil.madden)
            • Votes: 0
            • Watchers: 1
