From cc19c2e76db61475981c9bf5e860bca9b998c338 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 29 Sep 2015 05:59:38 -0400
Subject: [PATCH 48/49] Lightweight CAs: fix caMap synchronization

Some access to caMap was not correctly synchronized, with authorities (of which there could be many) acquiring their own intrinsic lock rather than the shared caMap. Use 'Collections.synchronizedSortedMap' to fix this. As a bonus, locking is now more fine-grained.
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 42a0ec4d1d362c9b615cb9483530590e2b785a42..b3663ed1d497d03651ad1fa753b4e23ae4aea6b0 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -161,7 +161,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2");
- private static final Map caMap = new TreeMap<>();
+ private static final Map caMap =
+ Collections.synchronizedSortedMap(new TreeMap<>());
 protected CertificateAuthority hostCA = null;
 protected AuthorityID authorityID = null;
 protected AuthorityID authorityParentID = null;
@@ -1934,7 +1935,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 *
 * This method must only be called by the host CA.
 */
- private synchronized void loadLightweightCAs() throws EBaseException {
+ private void loadLightweightCAs() throws EBaseException {
 ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory("loadLightweightCAs");
 dbFactory.init(CMS.getConfigStore().getSubStore("internaldb"));
 LDAPConnection conn = dbFactory.getConn();
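Review bot: The new `caMap` declaration (hunk `@@ -161,7 +161,8`) has no comment stating its locking discipline, and the wrapper returned by `Collections.synchronizedSortedMap` only makes each individual call atomic; iterating its views or doing a check-then-act sequence still requires holding the map's own monitor. I would record that on the field, e.g. `// Single calls are atomic; iterate or check-then-put only inside synchronized (caMap).`, so later call sites follow what `getCAs()` does in this patch. Accesses to `caMap` outside the visible hunks (lookups, removals) are not shown here and are worth checking against the same rule. As far as this hunk shows the field is declared as a plain `Map`, so `Collections.synchronizedMap` would say the same thing without suggesting the sorted-map API is relied on.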
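Review bot: Dropping `synchronized` from `loadLightweightCAs()` (hunk `@@ -1934,7 +1935,7`) means nothing visible here serialises two invocations any more, since the synchronized map protects only each single call. The method body continues outside the hunk, so the following is inferred: if the loader fills `caMap` entry by entry, a concurrent reader such as `getCAs()` can see a partially loaded set of authorities, and a second overlapping load would interleave with the first. If the method really runs once during host CA start-up, the Javadoc should say so, e.g. `* Not safe for concurrent invocation; expected to run once while the host CA initialises.`; otherwise the population step should run under `synchronized (caMap)`.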
@@ -2321,10 +2322,12 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 /**
 * Enumerate all authorities (including host authority)
 */
- public synchronized List getCAs() {
+ public List getCAs() {
 List cas = new ArrayList<>();
- for (ICertificateAuthority ca : caMap.values()) {
- cas.add(ca);
+ synchronized (caMap) {
+ for (ICertificateAuthority ca : caMap.values()) {
+ cas.add(ca);
+ }
 }
 return cas;
 }
@@ -2379,9 +2382,7 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
 ICertificateAuthority ca = parentCA.createSubCA(
 subjectDN, description);
- synchronized (this) {
- caMap.put(ca.getAuthorityID(), ca);
- }
+ caMap.put(ca.getAuthorityID(), ca);
 return ca;
 }
--
2.4.3
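Review bot: The copy loop inside the new `synchronized (caMap)` block in `getCAs()` (hunk `@@ -2321,10 +2322,12`) can be a single expression, which keeps the critical section visibly minimal: `synchronized (caMap) { return new ArrayList<>(caMap.values()); }`. Holding the map's monitor while traversing `values()` is what the `Collections` synchronized wrappers require, so the explicit block itself should stay. The Javadoc could also state that the result is a snapshot, e.g. `* @return a new list; later changes to the set of authorities are not reflected`.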