From 83137e5917d5dc1f0e7552165bed3e351a7a3ea2 Mon Sep 17 00:00:00 2001 From: Morten Tokle Date: Mon, 9 Oct 2023 14:38:07 +0200 Subject: prevent race condition when refreshing role cert --- .../athenz/identityprovider/client/AthenzIdentityProviderImpl.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'vespa-athenz') diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java index e97409b40ef..fd297c291c2 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java @@ -278,17 +278,17 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen identity, role, athenzUniqueInstanceId, null, keyPair); try (ZtsClient client = createZtsClient()) { X509Certificate roleCertificate = client.getRoleCertificate(role, csr); - updateRoleKeyManager(role, roleCertificate); + updateRoleKeyManager(role, keyPair.getPrivate(), roleCertificate); log.info(String.format("Requester role certificate for role %s, expires: %s", role.toResourceNameString(), roleCertificate.getNotAfter().toInstant().toString())); return roleCertificate; } } - private void updateRoleKeyManager(AthenzRole role, X509Certificate certificate) { + private void updateRoleKeyManager(AthenzRole role, PrivateKey privateKey, X509Certificate certificate) { MutableX509KeyManager keyManager = roleKeyManagerCache.computeIfAbsent(role, r -> new MutableX509KeyManager()); keyManager.updateKeystore( KeyStoreBuilder.withType(PKCS12) - .withKeyEntry("default", autoReloadingX509KeyManager.getCurrentCertificateWithKey().privateKey(), certificate) + .withKeyEntry("default", privateKey, certificate) .build(), new char[0]); } -- cgit v1.2.3