diff options
| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-31 22:20:06 +1000 |
|---|---|---|
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-03 15:37:52 +1000 |
| commit | 9062e0265e7cadfa05f64a7c5c0a718594283d06 (patch) | |
| tree | c79a530ecc9e89f4917fb5da1a2468598df288be /base/ca/src/com/netscape | |
| parent | b1bafc4935c088fe98373a7988f5e0518b950226 (diff) | |
| download | pki-9062e0265e7cadfa05f64a7c5c0a718594283d06.tar.gz pki-9062e0265e7cadfa05f64a7c5c0a718594283d06.tar.xz pki-9062e0265e7cadfa05f64a7c5c0a718594283d06.zip | |
Don't update obsolete CertificateAuthority after key retrieval
If additional LDAP events are processed for a lightweight CA while
key retrieval proceeds in another thread, when retrieval is
complete, the KeyRetrieverRunner reinitialises the signing unit of a
stale object.
Instead of holding onto a CertificateAuthority, hold onto the
AuthorityID and look it up afresh when ready to reinitialise its
SigningUnit.
Part of: https://fedorahosted.org/pki/ticket/2293
Diffstat (limited to 'base/ca/src/com/netscape')
| -rw-r--r-- | base/ca/src/com/netscape/ca/CertificateAuthority.java | 31 |
1 files changed, 24 insertions, 7 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 46859829e..6001d2b78 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -1496,7 +1496,7 @@ public class CertificateAuthority if (!keyRetrieverThreads.containsKey(authorityID)) { CMS.debug("Starting KeyRetrieverRunner thread"); Thread t = new Thread( - new KeyRetrieverRunner(this), + new KeyRetrieverRunner(authorityID, mNickname, authorityKeyHosts), "KeyRetrieverRunner-" + authorityID); t.start(); keyRetrieverThreads.put(authorityID, t); @@ -3187,10 +3187,15 @@ public class CertificateAuthority } private class KeyRetrieverRunner implements Runnable { - private CertificateAuthority ca; + private AuthorityID aid; + private String nickname; + private Collection<String> hosts; - public KeyRetrieverRunner(CertificateAuthority ca) { - this.ca = ca; + public KeyRetrieverRunner( + AuthorityID aid, String nickname, Collection<String> hosts) { + this.aid = aid; + this.nickname = nickname; + this.hosts = hosts; } public void run() { @@ -3198,7 +3203,7 @@ public class CertificateAuthority _run(); } finally { // remove self from tracker - keyRetrieverThreads.remove(ca.authorityID); + keyRetrieverThreads.remove(aid); } } @@ -3233,7 +3238,7 @@ public class CertificateAuthority KeyRetriever.Result krr = null; try { - krr = kr.retrieveKey(ca.mNickname, ca.authorityKeyHosts); + krr = kr.retrieveKey(nickname, hosts); } catch (Throwable e) { CMS.debug("Caught exception during execution of KeyRetriever.retrieveKey"); CMS.debug(e); @@ -3261,16 +3266,28 @@ public class CertificateAuthority CryptoUtil.importPKIArchiveOptions( token, unwrappingKey, pubkey, paoData); - cert = manager.importUserCACertPackage(certBytes, ca.mNickname); + cert = manager.importUserCACertPackage(certBytes, nickname); } catch (Throwable e) { CMS.debug("Caught exception during cert/key import"); CMS.debug(e); return; } + CertificateAuthority ca; boolean initSigUnitSucceeded = false; try { CMS.debug("Reinitialising SigningUnit"); + + /* While we were retrieving the key and cert, the + * CertificateAuthority instance in the caMap might + * have been replaced, so look it up afresh. + */ + ca = (CertificateAuthority) getCA(aid); + if (ca == null) { + CMS.debug("Authority is no longer in caMap; returning."); + return; + } + // re-init signing unit, but avoid triggering // key replication if initialisation fails again // for some reason |