Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1278

Coverity static analysis: Dereference null return value in ServerAuthenticationContext (Elytron)

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 1.1.0.CR3
    • None
    • None
    • None

      Coverity found possible NPE occurense, as according to javadoc for SSLSession().getLocalCertificates() may return null [1], but X500.asX509CertificateArray can't consume null parameter and NPE will be thrown in that case.

      ServerAuthenticationContext.java
       
                } else if (callback instanceof SSLCallback) {
                    SSLCallback sslCallback = (SSLCallback) callback;

                    try {
                        peerCerts = X500.asX509CertificateArray(sslCallback.getSslSession().getPeerCertificates());
                    } catch (SSLPeerUnverifiedException e) {
                        log.trace("Peer unverified", e);
                        peerCerts = null;
                    }
                    serverCerts = X500.asX509CertificateArray(sslCallback.getSslSession().getLocalCertificates());
                    handleOne(callbacks, idx + 1);
                }

      https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=26379676&defectInstanceId=5932898&mergedDefectId=1449008

      [1] https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSession.html#getLocalCertificates--

            rhn-support-ivassile Ilia Vassilev
            mchoma@redhat.com Martin Choma
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: