avoid using cjose_jwk_retain because it is not thread safe

Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Jul 27, 2022 · e21c25b · e21c25b
1 parent adec235
commit e21c25b
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,8 @@
 - use main request for Apache request contexts
 - set refresh to true when getting jwsk_uri results from cache
 - print warning when cjose_jws_verify fails
+- avoid using cjose_jwk_retain because it is not thread safe
+- release 1.4.5
 
 06/24/2022
 - add cjose, curl and ssl to liboauth2.pc.in

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([liboauth2],[1.5.0dev],[[email protected]])
+AC_INIT([liboauth2],[1.4.5],[[email protected]])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIR([m4])

diff --git a/src/jose.c b/src/jose.c
@@ -641,6 +641,7 @@ oauth2_jose_jwk_list_clone(oauth2_log_t *log, oauth2_jose_jwk_list_t *src)
 {
 	oauth2_jose_jwk_list_t *dst = NULL, *ptr = NULL, *last = NULL,
 			       *elem = NULL;
+	char *str = NULL;
 	cjose_err err;
 
 	ptr = src;
@@ -651,9 +652,17 @@ oauth2_jose_jwk_list_clone(oauth2_log_t *log, oauth2_jose_jwk_list_t *src)
 		elem->jwk->kid = oauth2_strdup(ptr->jwk->kid);
 
 		err.code = CJOSE_ERR_NONE;
-		elem->jwk->jwk = cjose_jwk_retain(ptr->jwk->jwk, &err);
+
+		// cjose_jwk_retain is not thread safe
+		str = cjose_jwk_to_json(ptr->jwk->jwk, true, &err);
+		if (str) {
+			elem->jwk->jwk =
+			    cjose_jwk_import(str, strlen(str), &err);
+			cjose_get_dealloc()(str);
+		}
+
 		if ((elem->jwk->jwk == NULL) && (err.code != CJOSE_ERR_NONE)) {
-			oauth2_error(log, "cjose_jwk_retain failed: %s",
+			oauth2_error(log, "cjose_jwk_to_json/import failed: %s",
 				     err.message);
 			oauth2_jose_jwk_list_free(log, elem);
 			continue;