  1. EJBCA
  2. ECA-8516

Ocsp Signing cache NPE using p11ng for CA keys

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EJBCA 7.3.0
    • Fix Version/s: EJBCA 7.3.0
    • Component/s: None
    • Labels:
      None
    • Issue discovered during:
      Ad Hoc
    • Sprint:
      EJBCA Team Alice - 2019 w37

      Description

      If a CA exists with keys living in a p11-ng Crypto Token and the token device is unavailable during cache reload (e.g. during appserver start-up), an NPE is thrown while trying to fetch the private key reference, causing the application server to eventually crash and burn.

       public PrivateKey getPrivateKey(final String alias) throws CryptoTokenOfflineException {
           final PrivateKey privateKey = slot.getReleasableSessionPrivateKey(alias);
           if (privateKey == null) {
               final String msg = intres.getLocalizedMessage("token.errornosuchkey", alias);
               log.error(msg);
               throw new CryptoTokenOfflineException(msg);
           }
           return privateKey;
       }
      

      See code above. Should check if the slot is available before retrieving the private key ref.
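
      An added sketch of the guard described above, not EJBCA's actual fix or code: the token reports an unavailable slot through the checked exception, so a cache reload can skip that CA and continue. `Token`, `Slot`, `reload` and the `signKey` alias are hypothetical stand-ins, keys are modelled as plain `Object` references, and a `null` slot modelling the unreachable device is an assumption.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class GuardedKeyLookup {
    // Hypothetical stand-ins for the types in the snippet above, not EJBCA classes.
    static class CryptoTokenOfflineException extends Exception {
        CryptoTokenOfflineException(String msg) { super(msg); }
    }
    interface Slot { Object getReleasableSessionPrivateKey(String alias); }

    static class Token {
        private final Slot slot; // null models a device unreachable at start-up (assumption)
        Token(Slot slot) { this.slot = slot; }

        Object getPrivateKey(String alias) throws CryptoTokenOfflineException {
            // Guard first: report an offline token through the checked exception
            // callers already handle, instead of dereferencing a missing slot.
            if (slot == null) {
                throw new CryptoTokenOfflineException("slot unavailable for alias " + alias);
            }
            Object key = slot.getReleasableSessionPrivateKey(alias);
            if (key == null) {
                throw new CryptoTokenOfflineException("no such key: " + alias);
            }
            return key;
        }
    }

    // Cache reload: an offline token skips that CA only; the reload still completes.
    static Map<String, Object> reload(Map<String, Token> tokensByCa) {
        Map<String, Object> cache = new LinkedHashMap<>();
        for (Map.Entry<String, Token> e : tokensByCa.entrySet()) {
            try {
                cache.put(e.getKey(), e.getValue().getPrivateKey("signKey"));
            } catch (CryptoTokenOfflineException ex) {
                System.err.println("skipping " + e.getKey() + ": " + ex.getMessage());
            }
        }
        return cache;
    }

    public static void main(String[] args) {
        Map<String, Token> tokens = new LinkedHashMap<>(); // constructed sample data
        tokens.put("OnlineCA", new Token(alias -> "key-ref:" + alias));
        tokens.put("OfflineCA", new Token(null));
        System.out.println(reload(tokens).keySet());
    }
}
```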

            People

            Assignee:
            hsunmark Henrik Sunmark
            Reporter:
            hsunmark Henrik Sunmark
            Verified by:
            Amin Khorsandi

                Time Tracking

                Estimated:
                Original Estimate - 30 minutes
                Remaining:
                Remaining Estimate - 0 minutes
                Logged:
                Time Spent - 30 minutes