
Bug Report: Invalid No X509Certificate found WARNING spam from CertificateRealm #7197

Open
bdrx312 opened this issue Feb 18, 2025 · 0 comments
Labels: Status: Open (Issue has been triaged by the front-line engineers and is being worked on verification); Type: Bug (Label issue as a bug defect)

Comments


bdrx312 commented Feb 18, 2025

Brief Summary

Pull request #5398 added a warning "No X509Certificate found" to the CertificateRealm which is spamming our logs every time a request is made.

The warning comes from this line:
https://github.com/payara/Payara/blame/97cfdaff4278107579041b228351f48bafba8b61/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java#L194

It appears the code is trying to find the subject for the certificate with this getCertificateFromSubject method https://github.com/payara/Payara/blob/7e73ca597af46ed99827371d1c9def64aea826c6/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java#L234C4-L251C6

private X509Certificate getCertificateFromSubject(Subject subject, X500Principal principal) {
    X509Certificate result = null;
    Set<Object> publicCredentials = subject.getPublicCredentials();
    for (Object publicCredential : publicCredentials) {
        if (publicCredential instanceof List) {
            List<Object> data = (List<Object>) publicCredential;
            for (Object item : data) {
                if (item instanceof X509Certificate) {
                    X509Certificate certificate = (X509Certificate) item;
                    // Compares the principal with the certificate's ISSUER, not its subject
                    if (principal.equals(certificate.getIssuerX500Principal())) {
                        result = (X509Certificate) item;
                    }
                }
            }
        }
    }
    return result;
}

but the logic appears to be looking for a certificate where the principal equals the issuer (if (principal.equals(certificate.getIssuerX500Principal())) {), which I believe will only occur for self-signed certificates.

Also, even if the code were correct, the warning gives no context for the problem: where in the code the warning is coming from (none of filename, class, function, or line number is logged with the warning with the default Payara configuration), nor how to fix it, so it is not a useful warning.

We are using payara 6.2025.1

Expected Outcome

No warning in the server.log about "No X509Certificate found"

Current Outcome

Warning "No X509Certificate found" in the server.log

Reproducer

Set up a CertificateRealm as the login module (login.conf) and receive a request from a certificate that is not self-signed.

Operating System

RHEL 8.10

JDK Version

openjdk JDK 21.04.

Payara Distribution

Payara Server Full Profile

@bdrx312 added the Status: Open and Type: Bug labels on Feb 18, 2025
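The following is an added example, not Payara's code and not part of the report above. It reproduces the lookup from the quoted getCertificateFromSubject method in Go so the issuer-versus-subject point can be checked against real certificates: a self-signed root and a root-issued client certificate are generated in memory (constructed test data), the Subject's public credentials are modelled as a slice of opaque values containing lists, and the same walk is run once with the reported issuer comparison and once comparing the certificate's subject. The names findByIssuer, findBySubject, lookup and RunScenario are the example's own; sameName stands in for X500Principal.equals by comparing the RFC 2253 string form, which is an approximation that is exact for the simple names built here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serialCounter int64

// newCert issues a certificate for subject. With parent == nil the certificate is
// self-signed (issuer == subject); otherwise it is signed by parent with parentKey.
func newCert(subject pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// sameName stands in for X500Principal.equals (assumption: string comparison of the
// RFC 2253 form is sufficient for the names constructed in this example).
func sameName(a, b pkix.Name) bool { return a.String() == b.String() }

// credentials models Subject.getPublicCredentials(): a set of opaque objects, some
// of which are lists that may hold certificates.
type credentials []interface{}

// lookup walks the credentials the way the quoted getCertificateFromSubject does and
// returns the last certificate for which match is true, or nil.
func lookup(creds credentials, match func(*x509.Certificate) bool) *x509.Certificate {
	var result *x509.Certificate
	for _, c := range creds {
		list, ok := c.([]interface{})
		if !ok {
			continue
		}
		for _, item := range list {
			if cert, ok := item.(*x509.Certificate); ok && match(cert) {
				result = cert
			}
		}
	}
	return result
}

// findByIssuer is the comparison in the reported code: principal vs. certificate issuer.
func findByIssuer(creds credentials, principal pkix.Name) *x509.Certificate {
	return lookup(creds, func(c *x509.Certificate) bool { return sameName(principal, c.Issuer) })
}

// findBySubject compares the principal with the certificate's subject instead.
func findBySubject(creds credentials, principal pkix.Name) *x509.Certificate {
	return lookup(creds, func(c *x509.Certificate) bool { return sameName(principal, c.Subject) })
}

// Outcome records whether each lookup finds the certificate a subject authenticated with.
type Outcome struct {
	SelfSignedByIssuer, SelfSignedBySubject bool
	LeafByIssuer, LeafBySubject             bool
}

// RunScenario builds a self-signed root and a root-issued client certificate
// (constructed test data) and runs both lookups against each of them.
func RunScenario() Outcome {
	rootName := pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example"}}
	clientName := pkix.Name{CommonName: "alice", Organization: []string{"Example"}}
	root, rootKey := newCert(rootName, nil, nil, true)
	client, _ := newCert(clientName, root, rootKey, false)

	// Each subject is looked up by the principal taken from its own certificate's subject.
	selfSigned := credentials{[]interface{}{root}}
	leaf := credentials{[]interface{}{client}}
	return Outcome{
		SelfSignedByIssuer:  findByIssuer(selfSigned, rootName) != nil,
		SelfSignedBySubject: findBySubject(selfSigned, rootName) != nil,
		LeafByIssuer:        findByIssuer(leaf, clientName) != nil,
		LeafBySubject:       findBySubject(leaf, clientName) != nil,
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("self-signed cert: byIssuer=%v bySubject=%v\n", o.SelfSignedByIssuer, o.SelfSignedBySubject)
	fmt.Printf("CA-issued cert:   byIssuer=%v bySubject=%v\n", o.LeafByIssuer, o.LeafBySubject)
}
```

Running it shows the issuer comparison succeeding only for the self-signed certificate, while the CA-issued client certificate is found only when the subject is compared; that is the case in which the realm would log the warning for every request.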