From b93c8bf6f5bb9560e9ba219eb6be1ea9bb12f3be Mon Sep 17 00:00:00 2001
From: Fabio Pistolesi <fabio.pistolesi@forgerock.com>
Date: Thu, 26 May 2016 11:15:14 +0000
Subject: [PATCH] OPENDJ-3027 Delete all references to old keys when importing new ones via replication

---
 opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java b/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java
index 958f159..3e546dc 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java
@@ -1640,7 +1640,12 @@
       }
       getCipher(keyEntry, Cipher.DECRYPT_MODE, iv);
 
-      // Cache new entry.
+      // Cache new entry, make sure it is the only one using the given transformation / key length.
+      CipherKeyEntry oldKeyEntry = getKeyEntry(cryptoManager, transformation, secretKeyLengthBits);
+      if (oldKeyEntry != null)
+      {
+        cryptoManager.cipherKeyEntryCache.remove(oldKeyEntry.getKeyID());
+      }
       cryptoManager.cipherKeyEntryCache.put(keyEntry.getKeyID(), keyEntry);
 
       return keyEntry;
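Review bot: The lookup-remove-put sequence added in front of the existing `put` is a check-then-act with no synchronization visible in the hunk, so two concurrent imports for the same transformation / key length can each evict the other's entry or leave both cached, and a reader can hit a window with no entry at all between `remove` and `put`; whether the enclosing method is synchronized or `cipherKeyEntryCache` is a concurrent map lies outside this hunk, so please confirm. `getKeyEntry` appears to return a single entry, so only one stale entry is evicted per import; if a cache populated before this fix can already hold several entries for the same transformation and length, the "delete all references" goal of the commit needs a pass over the cache rather than one lookup. Evicting the old entry also means that, if decryption resolves keys by the key ID stored with the ciphertext, data still encrypted under the evicted key ID can no longer be decrypted from this cache, which is the expected behaviour for rotation but should be stated in the comment, e.g. `// Evict any cached entry for this transformation / key length so it is superseded by the imported key; data still encrypted under the evicted key ID must be reloaded or re-encrypted.` The same points apply to the macKeyEntryCache hunk (`@@ -2097`). The enclosing method starts and ends outside the hunk.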
@@ -2097,7 +2102,12 @@
       // Validate new entry.
       getMacEngine(keyEntry);
 
-      // Cache new entry.
+      // Cache new entry, make sure it is the only one using the given transformation / key length.
+      MacKeyEntry oldKeyEntry = getKeyEntry(cryptoManager, algorithm, secretKeyLengthBits);
+      if (oldKeyEntry != null)
+      {
+        cryptoManager.macKeyEntryCache.remove(oldKeyEntry.getKeyID());
+      }
       cryptoManager.macKeyEntryCache.put(keyEntry.getKeyID(),
               keyEntry);
 

--
Gitblit v1.10.0