From f6eed44501b6b65f1da1e32c9c6755db180b8776 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 31 May 2016 22:20:06 +1000 Subject: [PATCH 118/119] Don't update obsolete CertificateAuthority after key retrieval If additional LDAP events are processed for a lightweight CA while key retrieval proceeds in another thread, when retrieval is complete, the KeyRetrieverRunner reinitialises the signing unit of a stale object. Instead of holding onto a CertificateAuthority, hold onto the AuthorityID and look it up afresh when ready to reinitialise its SigningUnit. Part of: https://fedorahosted.org/pki/ticket/2293 --- .../src/com/netscape/ca/CertificateAuthority.java | 31 +++++++++++++++++----- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index c2a7d0c907b4dd5774b22cfbb404194da162a535..289ab7ac703fcd7e35b11b589f0dfb2b57488006 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -1496,7 +1496,7 @@ public class CertificateAuthority if (!keyRetrieverThreads.containsKey(authorityID)) { CMS.debug("Starting KeyRetrieverRunner thread"); Thread t = new Thread( - new KeyRetrieverRunner(this), + new KeyRetrieverRunner(authorityID, mNickname, authorityKeyHosts), "KeyRetrieverRunner-" + authorityID); t.start(); keyRetrieverThreads.put(authorityID, t); @@ -3180,10 +3180,15 @@ public class CertificateAuthority } private class KeyRetrieverRunner implements Runnable { - private CertificateAuthority ca; + private AuthorityID aid; + private String nickname; + private Collection hosts; - public KeyRetrieverRunner(CertificateAuthority ca) { - this.ca = ca; + public KeyRetrieverRunner( + AuthorityID aid, String nickname, Collection hosts) { + this.aid = aid; + this.nickname = nickname; + this.hosts = hosts; } public void run() { @@ -3191,7 +3196,7 @@ public class CertificateAuthority _run(); } finally { // remove self from tracker - keyRetrieverThreads.remove(ca.authorityID); + keyRetrieverThreads.remove(aid); } } @@ -3226,7 +3231,7 @@ public class CertificateAuthority KeyRetriever.Result krr = null; try { - krr = kr.retrieveKey(ca.mNickname, ca.authorityKeyHosts); + krr = kr.retrieveKey(nickname, hosts); } catch (Throwable e) { CMS.debug("Caught exception during execution of KeyRetriever.retrieveKey"); CMS.debug(e); @@ -3254,16 +3259,28 @@ public class CertificateAuthority CryptoUtil.importPKIArchiveOptions( token, unwrappingKey, pubkey, paoData); - cert = manager.importUserCACertPackage(certBytes, ca.mNickname); + cert = manager.importUserCACertPackage(certBytes, nickname); } catch (Throwable e) { CMS.debug("Caught exception during cert/key import"); CMS.debug(e); return; } + CertificateAuthority ca; boolean initSigUnitSucceeded = false; try { CMS.debug("Reinitialising SigningUnit"); + + /* While we were retrieving the key and cert, the + * CertificateAuthority instance in the caMap might + * have been replaced, so look it up afresh. + */ + ca = (CertificateAuthority) getCA(aid); + if (ca == null) { + CMS.debug("Authority is no longer in caMap; returning."); + return; + } + // re-init signing unit, but avoid triggering // key replication if initialisation fails again // for some reason -- 2.5.5