RFR: 8309667: TLS handshake fails because of ConcurrentModificationException in PKCS12KeyStore.engineGetEntry

Daniel Fuchs dfuchs at openjdk.org
Tue Sep 26 16:01:16 UTC 2023


On Tue, 26 Sep 2023 15:04:44 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1270:
>> 
>>> 1268:         }
>>> 1269:         Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
>>> 1270:         return Collections.unmodifiableSet(new HashSet<>(entry.attributes));
>> 
>> I do not think this fix is correct. A call to `engineGetAttribute()` could observe an empty `HashSet` set by `populateAttributes`, but before the entry is populated. If we want to prevent that I believe we need a lock of some kind shared between `engineGetAttribute` and `populateAttributes`. 
>> Also the constructor of `HashSet` that takes a collection calls `HashSet.addAll()`, which loops over the provided collection. In a multi threaded context, if `populateAttributes` can run concurrently with `engineGetAttribute`, it is not impossible that this loop will get a `ConcurrentModificationException`, like before. Or am I missing something?
>
> Entries is a synchronized map, and populateAttributes is only called on freshly created entries before they are added to the map. I don't see how this could fail.

Oh - I see - I did miss that. LGTM then.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15909#discussion_r1337447708


More information about the security-dev mailing list