RFR: 8327461: KeyStore getEntry is not thread-safe [v2]
Weijun Wang
weijun at openjdk.org
Thu Mar 7 21:27:53 UTC 2024
On Thu, 7 Mar 2024 17:20:08 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> Change was made to engineGetEntry() in PKCS12KeyStore to extract the key and certificate chain from Entry only once. This is because the entry may get updated between engineGetKey() and engineGetCertificateChain() which causes inconsistent result. A new test was added to assess and manipulate PKCS12KeyStore with read and write operations concurrently from multiple threads. Thanks!
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Update bug number in the test
src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1346:
> 1344: char[] password = pp.getPassword();
> 1345:
> 1346: Key key = internalGetKey(entry, password);
This is a very smart change to use the already retrieved `entry` object to avoid it being replaced. There are other places in this method that `alias` is used to retrieve other info -- like `engineIsCertificateEntry(alias)` and `engineIsKeyEntry(alias)`. They should be also modified to depend on `entry` only. Ideally, `entries.get(alias)` (or any method that calls it) should only appear once in every `alias`-related method.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18156#discussion_r1516849094
More information about the security-dev
mailing list