Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-919

Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 1.1.0.Beta23
    • 1.1.0.Beta21
    • HTTP
    • None

      Coverity static-analysis scan found a String to byte conversion (4xoccurences of getBytes()) with default platform encoding in the DefaultSingleSignOnSessionFactory method.

      Following code

      DefaultSingleSignOnSessionFactory.java
          @Override
          public String createLogoutParameter(String sessionId) {
              try {
                  Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
      
                  signature.initSign(this.privateKey);
      
                  Base64.Encoder urlEncoder = Base64.getUrlEncoder();
      
                  return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
              } catch (NoSuchAlgorithmException | InvalidKeyException e) {
                  throw new IllegalStateException(e);
              }
          }
          
          @Override
          public String verifyLogoutParameter(String parameter) {
              String[] parts = parameter.split("\\.");
              if (parts.length != 2) {
                  throw new IllegalArgumentException(parameter);
              }
              try {
                  String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
                  Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
      
                  signature.initVerify(this.certificate);
                  signature.update(localSessionId.getBytes());
      
                  Base64.Decoder urlDecoder = Base64.getUrlDecoder();
      
                  if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
                      throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
                  }
      
                  return localSessionId;
              } catch (NoSuchAlgorithmException | InvalidKeyException e) {
                  throw new IllegalStateException(e);
              } catch (SignatureException e) {
                  throw new IllegalArgumentException(parameter, e);
              }
          }
      

      The encoding should be specified as argument.

      Setting with high priority, because once default platform encoding UTF-16 will be set, funcionality do not need to work as intended. Especially when combined with asUtf8String(), which implies specifying default encoding UTF-8.

      https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8675870&defectInstanceId=2164160&mergedDefectId=1396938
      https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8675870&defectInstanceId=2164161&mergedDefectId=1396939

              rhn-support-ivassile Ilia Vassilev
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: