make file depot consistent with bolt db: lock during new serial numbe…

…r req. also undo locking done in #185 in lieu of this fix
micromdm · Dec 1, 2023 · 3706389 · 3706389
1 parent 4f80856
commit 3706389
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 14 deletions.
diff --git a/depot/file/depot.go b/depot/file/depot.go
@@ -16,6 +16,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 )
 
@@ -31,7 +32,9 @@ func NewFileDepot(path string) (*fileDepot, error) {
 }
 
 type fileDepot struct {
-	dirPath string
+	dirPath  string
+	serialMu sync.Mutex
+	dbMu     sync.Mutex
 }
 
 func (d *fileDepot) CA(pass []byte) ([]*x509.Certificate, *rsa.PrivateKey, error) {
@@ -75,10 +78,7 @@ func (d *fileDepot) Put(cn string, crt *x509.Certificate) error {
 		return err
 	}
 
-	serial, err := d.Serial()
-	if err != nil {
-		return err
-	}
+	serial := crt.SerialNumber
 
 	if crt.Subject.CommonName == "" {
 		// this means our cn was replaced by the certificate Signature
@@ -103,14 +103,12 @@ func (d *fileDepot) Put(cn string, crt *x509.Certificate) error {
 		return err
 	}
 
-	if err := d.incrementSerial(serial); err != nil {
-		return err
-	}
-
 	return nil
 }
 
 func (d *fileDepot) Serial() (*big.Int, error) {
+	d.serialMu.Lock()
+	defer d.serialMu.Unlock()
 	name := d.path("serial")
 	s := big.NewInt(2)
 	if err := d.check("serial"); err != nil {
@@ -136,6 +134,9 @@ func (d *fileDepot) Serial() (*big.Int, error) {
 	if !ok {
 		return nil, errors.New("could not convert " + string(data) + " to serial number")
 	}
+	if err := d.incrementSerial(serial); err != nil {
+		return serial, err
+	}
 	return serial, nil
 }
 
@@ -255,6 +256,8 @@ func (d *fileDepot) HasCN(_ string, allowTime int, cert *x509.Certificate, revok
 }
 
 func (d *fileDepot) writeDB(cn string, serial *big.Int, filename string, cert *x509.Certificate) error {
+	d.dbMu.Lock()
+	defer d.dbMu.Unlock()
 
 	var dbEntry bytes.Buffer
 

diff --git a/depot/signer.go b/depot/signer.go
@@ -3,7 +3,6 @@ package depot
 import (
 	"crypto/rand"
 	"crypto/x509"
-	"sync"
 	"time"
 
 	"github.com/micromdm/scep/v2/cryptoutil"
@@ -13,7 +12,6 @@ import (
 // Signer signs x509 certificates and stores them in a Depot
 type Signer struct {
 	depot            Depot
-	mu               sync.Mutex
 	caPass           string
 	allowRenewalDays int
 	validityDays     int
@@ -81,9 +79,6 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
 		return nil, err
 	}
 
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
 	serial, err := s.depot.Serial()
 	if err != nil {
 		return nil, err