authorFraser Tweedale <ftweedal@redhat.com>2016-05-31 21:38:37 +1000
committerFraser Tweedale <ftweedal@redhat.com>2016-06-03 15:37:52 +1000
commitb1bafc4935c088fe98373a7988f5e0518b950226 (patch)
tree367069df62a8f66a920595290470a740b364d994 /base/ca/src/com
parent9bcc0bba57003a26ee0488def88a57ca883d9134 (diff)
Limit key retrieval to a single thread per CA
Before implementing lightweight CA key retrieval retry with exponential backoff, ensure that only one key retriever thread can execute at a time, for each CA. Also make SigningUnit initialisation (initSigUnit) synchronised. Part of: https://fedorahosted.org/pki/ticket/2293
Diffstat (limited to 'base/ca/src/com')
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthority.java28
1 files changed, 22 insertions, 6 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index cf8378bc9..46859829e 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -204,6 +204,8 @@ public class CertificateAuthority
private static final Map<AuthorityID, ICertificateAuthority> caMap =
Collections.synchronizedSortedMap(new TreeMap<AuthorityID, ICertificateAuthority>());
+ private static final Map<AuthorityID, Thread> keyRetrieverThreads =
+ Collections.synchronizedSortedMap(new TreeMap<AuthorityID, Thread>());
protected CertificateAuthority hostCA = null;
protected AuthorityID authorityID = null;
protected AuthorityID authorityParentID = null;
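Review bot: `keyRetrieverThreads` is backed by a `TreeMap`, which rejects null keys under natural ordering, while `authorityID` is initialised to `null` two lines below the new field. If `initSigUnit(true)` can be reached before `authorityID` is assigned (not visible here), the `containsKey(authorityID)` call added in the third hunk would throw `NullPointerException`, whereas the old `"KeyRetrieverRunner-" + authorityID` concatenation tolerated null. Either guard that lookup with a null check or document the precondition on the field, e.g. `// keyed by non-null AuthorityID; each entry is removed by KeyRetrieverRunner.run()`.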
@@ -1460,7 +1462,7 @@ public class CertificateAuthority
/**
* init CA signing unit & cert chain.
*/
- private boolean initSigUnit(boolean retrieveKeys)
+ private synchronized boolean initSigUnit(boolean retrieveKeys)
throws EBaseException {
try {
// init signing unit
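Review bot: The Javadoc above `initSigUnit` still reads only "init CA signing unit & cert chain." and says nothing about the new locking or the `retrieveKeys` flag. Suggest extending it to state that the method holds this CA instance's monitor, presumably so that signing unit initialisation cannot run concurrently for the same CA, and adding `@param retrieveKeys whether to start a KeyRetrieverRunner when the signing key is not in the NSSDB`. The monitor is per instance while `keyRetrieverThreads` is static, so the comment should make clear that the method lock is not what protects the map. The method body continues past the end of this hunk.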
@@ -1491,11 +1493,16 @@ public class CertificateAuthority
CMS.debug("CA signing key and cert not (yet) present in NSSDB");
signingUnitException = e;
if (retrieveKeys == true) {
- CMS.debug("Starting KeyRetrieverRunner thread");
- new Thread(
- new KeyRetrieverRunner(this),
- "KeyRetrieverRunner-" + authorityID
- ).start();
+ if (!keyRetrieverThreads.containsKey(authorityID)) {
+ CMS.debug("Starting KeyRetrieverRunner thread");
+ Thread t = new Thread(
+ new KeyRetrieverRunner(this),
+ "KeyRetrieverRunner-" + authorityID);
+ t.start();
+ keyRetrieverThreads.put(authorityID, t);
+ } else {
+ CMS.debug("KeyRetriever thread already running for authority " + authorityID);
+ }
}
return false;
}
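Review bot: `t.start()` runs before `keyRetrieverThreads.put(authorityID, t)`, so a retriever that exits quickly can reach the `finally` in `run()` (last hunk) and remove its key before the entry has been stored. The late `put` then leaves a stale entry, and every later `containsKey` check would skip retrieval for that CA until the process restarts, leaving the lightweight CA without its signing key. Register first and start second: `keyRetrieverThreads.put(authorityID, t); t.start();`. On Java 8 or later the cleanup in `run()` could also use `keyRetrieverThreads.remove(ca.authorityID, Thread.currentThread())`, so that only the registered thread clears the entry. `initSigUnit` begins and ends outside this hunk.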
@@ -3187,6 +3194,15 @@ public class CertificateAuthority
}
public void run() {
+ try {
+ _run();
+ } finally {
+ // remove self from tracker
+ keyRetrieverThreads.remove(ca.authorityID);
+ }
+ }
+
+ private void _run() {
String KR_CLASS_KEY = "features.authority.keyRetrieverClass";
String className = null;
try {