JBoss Marshalling / JBMAR-159

Read past end of file while marshalling PrivateKey in SAMLAccessFilter

    Description

      After moving from GlassFish (3.1.2 and 4.0) to WildFly, I get the following stack trace when reading an object (EvoteSAMLCredentials) containing an instance of org.bouncycastle.jce.provider.JCERSAPrivateKey (found in bcprov-jdk14-1.38.jar or bcprov-jdk16-1.46.jar):

      2014-01-30 11:08:14,639 ERROR [io.undertow.request] (default task-7) UT005023: Exception handling request to /secure/index.xhtml: javax.ejb.EJBException: java.io.EOFException: Read past end of file
      at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:236) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at $Proxy277.getDIFICredential(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05]
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05]
      at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05]
      at no.evote.service.cache.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:84) [classes:]
      at no.evote.service.cache.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:115) [classes:]
      at $Proxy277.getDIFICredential(Unknown Source)
      at no.evote.service.security.saml.SAMLAccessFilter.doAuthenticationRedirect(SAMLAccessFilter.java:90) [classes:]
      at no.evote.service.security.saml.SAMLAccessFilter.doFilter(SAMLAccessFilter.java:69) [classes:]
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at no.evote.lifecycle.LifecycleFilter.doFilter(LifecycleFilter.java:50) [classes:]
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at no.evote.presentation.util.filters.IEModeFilter.doFilter(IEModeFilter.java:45) [classes:]
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at no.evote.presentation.util.filters.ForceLocaleFilter.doFilter(ForceLocaleFilter.java:56) [classes:]
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:70)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:67) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:70) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:164) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:654) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
      at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]
      Caused by: java.io.EOFException: Read past end of file
      at org.jboss.marshalling.SimpleDataInput.eofOnRead(SimpleDataInput.java:155)
      at org.jboss.marshalling.SimpleDataInput.readUnsignedByteDirect(SimpleDataInput.java:298)
      at org.jboss.marshalling.SimpleDataInput.readIntDirect(SimpleDataInput.java:347)
      at org.jboss.marshalling.SimpleDataInput.readInt(SimpleDataInput.java:320)
      at org.jboss.marshalling.river.RiverObjectInputStream.readFields(RiverObjectInputStream.java:120)
      at java.math.BigInteger.readObject(BigInteger.java:3096) [rt.jar:1.7.0_05]
      at sun.reflect.GeneratedMethodAccessor458.invoke(Unknown Source) [:1.7.0_05]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05]
      at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05]
      at org.jboss.marshalling.reflect.SerializableClass.callReadObject(SerializableClass.java:311)
      at org.jboss.marshalling.river.RiverUnmarshaller.doInitSerializable(RiverUnmarshaller.java:1612)
      at org.jboss.marshalling.river.RiverUnmarshaller.doReadNewObject(RiverUnmarshaller.java:1273)
      at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:276)
      at org.jboss.marshalling.river.BlockUnmarshaller.readObject(BlockUnmarshaller.java:153)
      at org.jboss.marshalling.river.BlockUnmarshaller.readObject(BlockUnmarshaller.java:139)
      at org.jboss.marshalling.MarshallerObjectInputStream.readObjectOverride(MarshallerObjectInputStream.java:57)
      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:363) [rt.jar:1.7.0_05]
      at org.bouncycastle.jce.provider.JCERSAPrivateKey.readObject(Unknown Source) [bcprov-jdk14-1.38.jar:1.38.0]
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05]
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05]
      at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05]
      at org.jboss.marshalling.reflect.SerializableClass.callReadObject(SerializableClass.java:311)
      at org.jboss.marshalling.river.RiverUnmarshaller.doInitSerializable(RiverUnmarshaller.java:1612)
      at org.jboss.marshalling.river.RiverUnmarshaller.doInitSerializable(RiverUnmarshaller.java:1595)
      at org.jboss.marshalling.river.RiverUnmarshaller.doReadNewObject(RiverUnmarshaller.java:1273)
      at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:276)
      at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:213)
      at org.jboss.marshalling.river.RiverUnmarshaller.readFields(RiverUnmarshaller.java:1715)
      at org.jboss.marshalling.river.RiverUnmarshaller.doInitSerializable(RiverUnmarshaller.java:1631)
      at org.jboss.marshalling.river.RiverUnmarshaller.doReadNewObject(RiverUnmarshaller.java:1273)
      at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:276)
      at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:213)
      at org.jboss.marshalling.AbstractObjectInput.readObject(AbstractObjectInput.java:45)
      at org.jboss.ejb.client.remoting.MethodInvocationResponseHandler$MethodInvocationResultProducer.getResult(MethodInvocationResponseHandler.java:103) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:272) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocationResult(EJBObjectInterceptor.java:64) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:274) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocationResult(EJBHomeInterceptor.java:88) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:274) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.TransactionInterceptor.handleInvocationResult(TransactionInterceptor.java:46) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:274) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.ReceiverInterceptor.handleInvocationResult(ReceiverInterceptor.java:129) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:262) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBClientInvocationContext.awaitResponse(EJBClientInvocationContext.java:437) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:202) [jboss-ejb-client-2.0.0.Beta5.jar:2.0.0.Beta5]
      ... 48 more
      Caused by: an exception which occurred:
      in field signum
      in object of type java.math.BigInteger
      in object of type org.bouncycastle.jce.provider.JCERSAPrivateCrtKey
      in field privateKey
      in object of type no.evote.util.EvoteSAMLCredentials
      

      I have tried to reproduce this in a unit test by adding

      	public static class MyKey extends JCERSAPrivateKey {
      
      		public MyKey() {
      			this.modulus = BigInteger.ONE;
      			this.privateExponent = BigInteger.TEN;
      		}
      	}
      
      	@Test
      	public void testMyKey() throws Throwable {
      		final Serializable serializable = new MyKey();
      		runReadWriteTest(new ReadWriteTest() {
      			public void runWrite(final Marshaller marshaller) throws Throwable {
      				marshaller.writeObject(serializable);
      			}
      
      			public void runRead(final Unmarshaller unmarshaller) throws Throwable {
      				assertEquals(serializable, unmarshaller.readObject());
      				assertEOF(unmarshaller);
      			}
      		});
      	}
      

      to org.jboss.test.marshalling.SimpleMarshallerTests with the following output:

      Read Configuration = org.jboss.marshalling.MarshallingConfiguration@7da5b607: instanceCount=256 classCount=64 bufferSize=512 version=3
      Marshaller = org.jboss.marshalling.river.RiverMarshaller@71aeef97 (version set to 3)
      java.io.NotActiveException: Fields were never written
      	at org.jboss.marshalling.river.RiverObjectOutputStream.finish(RiverObjectOutputStream.java:175)
      	at org.jboss.marshalling.river.RiverMarshaller.doWriteSerializableObject(RiverMarshaller.java:1012)
      	at org.jboss.marshalling.river.RiverMarshaller.doWriteSerializableObject(RiverMarshaller.java:1001)
      	at org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:888)
      	at org.jboss.marshalling.AbstractObjectOutput.writeObject(AbstractObjectOutput.java:62)
      	at org.jboss.marshalling.AbstractMarshaller.writeObject(AbstractMarshaller.java:115)
      	at org.jboss.test.marshalling.SimpleMarshallerTests$5.runWrite(SimpleMarshallerTests.java:248)
      	at org.jboss.test.marshalling.TestBase.runReadWriteTest(TestBase.java:109)
      	at org.jboss.test.marshalling.SimpleMarshallerTests.testMyKey(SimpleMarshallerTests.java:246)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:601)
      	at org.testng.internal.MethodHelper.invokeMethod(MethodHelper.java:643)
      	at org.testng.internal.Invoker.invokeMethod(Invoker.java:559)
      	at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:723)
      	at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1027)
      	at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:137)
      	at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:121)
      	at org.testng.TestRunner.runWorkers(TestRunner.java:1030)
      	at org.testng.TestRunner.privateRun(TestRunner.java:709)
      	at org.testng.TestRunner.run(TestRunner.java:579)
      	at org.testng.SuiteRunner.runTest(SuiteRunner.java:331)
      	at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:326)
      	at org.testng.SuiteRunner.privateRun(SuiteRunner.java:288)
      	at org.testng.SuiteRunner.run(SuiteRunner.java:193)
      	at org.testng.TestNG.createAndRunSuiteRunners(TestNG.java:910)
      	at org.testng.TestNG.runSuitesLocally(TestNG.java:879)
      	at org.testng.TestNG.run(TestNG.java:787)
      	at org.testng.remote.RemoteTestNG.run(RemoteTestNG.java:75)
      	at org.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:120)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:601)
      	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
      Caused by: an exception which occurred:
      	in object org.jboss.test.marshalling.SimpleMarshallerTests$MyKey@b
      

      The source code for EvoteSAMLCredentials is available here:
      https://sourcecode.valg.no/websvn/filedetails.php?repname=Admin&path=%2Fadmin-common%2Fsrc%2Fmain%2Fjava%2Fno%2Fevote%2Futil%2FEvoteSAMLCredentials.java

            People

              dlloyd@redhat.com David Lloyd
              runeks2 Rune Steinseth (Inactive)