Merge pull request jglobus#65 from gbehrmann/bug/crl-race

ssl-proxies: Fix CRL check race condition
abinpaul · Mar 1, 2013 · 00a44ee · 00a44ee
2 parents c664a35 + 5f2968c
commit 00a44ee
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/trustmanager/CRLChecker.java b/ssl-proxies/src/main/java/org/globus/gsi/trustmanager/CRLChecker.java
@@ -125,10 +125,18 @@ public void invoke(X509Certificate cert, GSIConstants.CertificateType certType)
             // validate CRL
             verifyCRL(caCert, crl);
 
-            if (crl.isRevoked(cert)) {
-                throw new CertPathValidatorException(
+            /* One would have thought that a CRL is immutable and thus
+             * thread safe, however inside the ASN1 parse tree we find
+             * LazyDERSequence. LazyDERSequence is parsed lazily and
+             * does so in a non-thread safe manner. One may very well
+             * classify this as a bouncy castle bug, but as a
+             * workaround synchronizing on the CRL solves the problem.
+             */
+            synchronized (crl) {
+                if (crl.isRevoked(cert)) {
+                    throw new CertPathValidatorException(
                         "Certificate " + cert.getSubjectDN() + " has been revoked");
-
+                }
             }
         }
     }