search

wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0
746 stars 724 forks source link

Concurrency issues with CRL Validation on retrieving CRL from web #19569

Open Tiffany-silva opened 7 months ago

Tiffany-silva commented 7 months ago

Describe the issue: When multiple requests attempt to simultaneously fetch the Certificate Revocation List (CRL) from the web during the x509 certificate authentication's CRL validation [1], problematic issues arise. This results in a delay in the process, leading to the necessity of a server startup. As multiple calls come in, the following error is thrown during the initial request processing,

{org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationUtil} - Error when getting the X509 CRL for certificate: 85078622056932698594984361040489148362 org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: CRL Url is malformed
        at org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationUtil.downloadCRLFromWeb(CertificateValidationUtil.java:681)
        at org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationUtil.getRevocationStatus(CertificateValidationUtil.java:598)
        at org.wso2.carbon.identity.x509Certificate.validation.validator.CRLValidator.checkRevocationStatus(CRLValidator.java:56)
        at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:85)
        at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
        at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:392)
        at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:195)
        at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateAuthenticator.addOrValidateCertificate(X509CertificateAuthenticator.java:665)
        at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateAuthenticator.processAuthenticationResponse(X509CertificateAuthenticator.java:560)

Hence, it is crucial to prevent the submission of multiple requests and avoid adding them to the cache multiple times during the initial request processing.

How to reproduce:

  1. Set up x509 Certificate with CRL validation [2].
  2. Send multiple requests concurrently when the cached value is not available.

Expected behaviour: Multiple requests must not be sent when the cache is unavailable while the initial request is processing.

Environment information (Please complete the following information; remove any unnecessary fields) :

jcgarciaa commented 7 months ago

Reopening the case as proposed solution is leading to stuck threads during authentication.