AdvancedTlsX509KeyManager does not atomically update key #12485

@ejona86

Description

This isn't about atomicity for the in-memory update. That's okay. This is about updating the cert chain+key together, atomically for in-progress handshakes.

The various methods of X509ExtendedKeyManager are called at various times during the handshake. So if keyInfo is modified, different methods may see a different state. The way to handle this is to use the String alias parameter passed into those APIs, as each of the methods will be called with the same alias. We'd need to keep the old state around for a while, and have methods like chooseClientAlias() change the alias they return.

This race would probably rarely cause user-visible errors, because it would just cause at most a few handshakes to fail. But handshakes to other hosts would succeed and be used instead, and after a second any reconnection attempt would succeed.
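The alias-pinning approach the issue describes, as an added sketch that is not grpc-java's AdvancedTlsX509KeyManager and not code from the issue's author. The class name VersionedAliasKeyManager, the alias format, and the explicit retireOldSnapshots() method are assumptions made for illustration. The idea: every credential update publishes an immutable chain+key snapshot under a fresh alias, chooseClientAlias()/chooseServerAlias() hand out the current alias, and getCertificateChain()/getPrivateKey() resolve whatever alias the handshake was given, so a handshake that started before an update keeps seeing one consistent pair.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Hypothetical key manager (not grpc-java code) that keeps chain+key consistent for the
 * duration of a handshake by versioning the alias instead of mutating a single keyInfo.
 */
public final class VersionedAliasKeyManager extends X509ExtendedKeyManager {
  private static final String ALIAS_PREFIX = "identity-v"; // assumed alias format

  /** Immutable chain+key pair. A handshake that resolves one alias sees exactly one of these. */
  private static final class KeyInfo {
    final PrivateKey key;
    final X509Certificate[] chain;
    KeyInfo(PrivateKey key, X509Certificate[] chain) {
      this.key = key;
      this.chain = chain.clone();
    }
  }

  private final AtomicLong version = new AtomicLong();
  private final AtomicReference<String> currentAlias = new AtomicReference<>();
  // alias -> snapshot. Old entries stay until retired so in-flight handshakes still resolve.
  private final Map<String, KeyInfo> snapshots = new ConcurrentHashMap<>();

  public VersionedAliasKeyManager(PrivateKey key, X509Certificate[] chain) {
    updateIdentityCredentials(key, chain);
  }

  /** Publish a new chain+key pair under a fresh alias; handshakes already holding an alias are unaffected. */
  public synchronized void updateIdentityCredentials(PrivateKey key, X509Certificate[] chain) {
    String alias = ALIAS_PREFIX + version.incrementAndGet();
    snapshots.put(alias, new KeyInfo(key, chain)); // snapshot is visible before the alias is handed out
    currentAlias.set(alias);
  }

  /**
   * Drop every snapshot except the current one. The caller decides when old handshakes have
   * had long enough to finish (an assumption here; a grace-period timer is one option).
   * Synchronized with updates so a just-published alias cannot be retired before it is current.
   */
  public synchronized void retireOldSnapshots() {
    String current = currentAlias.get();
    snapshots.keySet().removeIf(alias -> !alias.equals(current));
  }

  /** Number of snapshots currently retained, useful for monitoring that retirement actually runs. */
  public int retainedSnapshotCount() {
    return snapshots.size();
  }

  // --- alias selection: every method hands out the same current alias ---

  @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
    return currentAlias.get();
  }
  @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
    return currentAlias.get();
  }
  @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
    return currentAlias.get();
  }
  @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
    return currentAlias.get();
  }
  @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
    return new String[] {currentAlias.get()};
  }
  @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
    return new String[] {currentAlias.get()};
  }

  // --- credential lookup: resolved by the alias the handshake was given, not by "latest" ---

  @Override public X509Certificate[] getCertificateChain(String alias) {
    KeyInfo info = snapshots.get(alias);
    return info == null ? null : info.chain.clone();
  }
  @Override public PrivateKey getPrivateKey(String alias) {
    KeyInfo info = snapshots.get(alias);
    return info == null ? null : info.key;
  }
}
```

Because getCertificateChain() and getPrivateKey() never consult the "current" state, a handshake that was handed identity-v3 by chooseServerAlias() will get the v3 chain and the v3 key even if updateIdentityCredentials() publishes v4 in between, which is the cross-method consistency the issue asks for. The one remaining operational decision is when to call retireOldSnapshots(): too early and a slow handshake resolves a null key; never and the map grows by one entry per rotation.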
