make sure X509Object list is synchronized properly

Sponsored by Lookout Inc.

Author: mkristian

src/main/java/org/jruby/ext/openssl/x509store/Lookup.java

@@ -596,7 +596,7 @@ else if ( type == X509_LU_CRL ) {
                 }
                 X509Object tmp = null;
                 synchronized ( CRYPTO_LOCK_X509_STORE ) {
-                    for ( X509Object obj : lookup.store.objects ) {
+                    for ( X509Object obj : lookup.store.getObjects() ) {
                         if ( obj.type() == type && obj.isName(name) ) {
                             tmp = obj; break;
                         }

src/main/java/org/jruby/ext/openssl/x509store/Store.java

@@ -114,7 +114,7 @@ public int call(StoreContext context) {
 
     @Deprecated int cache = 1; // not-used
 
-    final List<X509Object> objects;
+    private final List<X509Object> objects;
     private final List<Lookup> certificateMethods;
 
     public final VerifyParameter verifyParameter;
@@ -375,13 +375,15 @@ public void checkServerTrusted(X509Certificate[] chain, String authType) {
 
     @Override
     public X509Certificate[] getAcceptedIssuers() {
-        ArrayList<X509Certificate> issuers = new ArrayList<X509Certificate>(objects.size());
-        for ( X509Object object : objects ) {
-            if ( object instanceof Certificate ) {
-                issuers.add( ( (Certificate) object ).x509 );
+        synchronized(CRYPTO_LOCK_X509_STORE) {
+            ArrayList<X509Certificate> issuers = new ArrayList<X509Certificate>(objects.size());
+            for ( X509Object object : objects ) {
+                if ( object instanceof Certificate ) {
+                    issuers.add( ( (Certificate) object ).x509 );
+                }
             }
+            return issuers.toArray( new X509Certificate[ issuers.size() ] );
         }
-        return issuers.toArray( new X509Certificate[ issuers.size() ] );
     }
 
 }// X509_STORE

src/main/java/org/jruby/ext/openssl/x509store/StoreContext.java

@@ -150,22 +150,24 @@ else if ( ok != X509Utils.X509_LU_FAIL ) {
             return 1;
         }
 
-        int idx = X509Object.indexBySubject(store.objects, X509Utils.X509_LU_X509, xn);
-        if ( idx == -1 ) return 0;
-
-        /* Look through all matching certificates for a suitable issuer */
-        for ( int i = idx; i < store.objects.size(); i++ ) {
-            final X509Object pobj = store.objects.get(i);
-            if ( pobj.type() != X509Utils.X509_LU_X509 ) {
-                return 0;
-            }
-            final X509AuxCertificate x509 = ((Certificate) pobj).x509;
-            if ( ! xn.equalTo( x509.getSubjectX500Principal() ) ) {
-                return 0;
-            }
-            if ( checkIssued.call(this, x, x509) != 0 ) {
-                issuers[0] = x509;
-                return 1;
+        synchronized(X509Utils.CRYPTO_LOCK_X509_STORE) {
+            int idx = X509Object.indexBySubject(store.getObjects(), X509Utils.X509_LU_X509, xn);
+            if ( idx == -1 ) return 0;
+
+            /* Look through all matching certificates for a suitable issuer */
+            for ( int i = idx; i < store.getObjects().size(); i++ ) {
+                final X509Object pobj = store.getObjects().get(i);
+                if ( pobj.type() != X509Utils.X509_LU_X509 ) {
+                    return 0;
+                }
+                final X509AuxCertificate x509 = ((Certificate) pobj).x509;
+                if ( ! xn.equalTo( x509.getSubjectX500Principal() ) ) {
+                    return 0;
+                }
+                if ( checkIssued.call(this, x, x509) != 0 ) {
+                    issuers[0] = x509;
+                    return 1;
+                }
             }
         }
         return 0;
@@ -605,9 +607,9 @@ public int setDefault(String name) {
     public int getBySubject(int type,Name name,X509Object[] ret) throws Exception {
         Store c = store;
 
-        X509Object tmp = X509Object.retrieveBySubject(c.objects,type,name);
-        if ( tmp == null ) {
-            synchronized(X509Utils.CRYPTO_LOCK_X509_STORE) {
+        synchronized(X509Utils.CRYPTO_LOCK_X509_STORE) {
+            X509Object tmp = X509Object.retrieveBySubject(c.getObjects(),type,name);
+            if ( tmp == null ) {
                 for(int i=currentMethod; i<c.getCertificateMethods().size(); i++) {
                     Lookup lu = c.getCertificateMethods().get(i);
                     X509Object[] stmp = new X509Object[1];
@@ -625,8 +627,8 @@ else if( j > 0 ) {
             currentMethod = 0;
 
             if ( tmp == null ) return 0;
+            ret[0] = tmp;
         }
-        ret[0] = tmp;
         return 1;
     }