From 3706389913714b1a2bffe5da56f80152e68c2c0b Mon Sep 17 00:00:00 2001
From: Jesse Peterson
Date: Thu, 30 Nov 2023 22:20:04 -0800
Subject: [PATCH] make file depot consistent with bolt db: lock during new serial number req. also undo locking done in micromdm/scep#185 in lieu of this fix
---
 depot/file/depot.go | 21 ++++++++++++---------
 depot/signer.go | 5 -----
 2 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/depot/file/depot.go b/depot/file/depot.go
index b843b95..ab8d336 100644
--- a/depot/file/depot.go
+++ b/depot/file/depot.go
@@ -16,6 +16,7 @@ import (
 "path/filepath"
 "strconv"
 "strings"
+ "sync"
 "time"
 )
 
@@ -31,7 +32,9 @@ func NewFileDepot(path string) (*fileDepot, error) {
 }
 
 type fileDepot struct {
- dirPath string
+ dirPath string
+ serialMu sync.Mutex
+ dbMu sync.Mutex
 }
 
 func (d *fileDepot) CA(pass []byte) ([]*x509.Certificate, *rsa.PrivateKey, error) {
@@ -75,10 +78,7 @@ func (d *fileDepot) Put(cn string, crt *x509.Certificate) error {
 return err
 }
 
- serial, err := d.Serial()
- if err != nil {
- return err
- }
+ serial := crt.SerialNumber
 
 if crt.Subject.CommonName == "" {
 // this means our cn was replaced by the certificate Signature
@@ -103,14 +103,12 @@ func (d *fileDepot) Put(cn string, crt *x509.Certificate) error {
 return err
 }
 
- if err := d.incrementSerial(serial); err != nil {
- return err
- }
-
 return nil
 }
 
 func (d *fileDepot) Serial() (*big.Int, error) {
+ d.serialMu.Lock()
+ defer d.serialMu.Unlock()
 name := d.path("serial")
 s := big.NewInt(2)
 if err := d.check("serial"); err != nil {
@@ -136,6 +134,9 @@ func (d *fileDepot) Serial() (*big.Int, error) {
 if !ok {
 return nil, errors.New("could not convert " + string(data) + " to serial number")
 }
+ if err := d.incrementSerial(serial); err != nil {
+ return serial, err
+ }
 return serial, nil
 }
 
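Review bot: The two mutex fields added to fileDepot carry no comment saying what each one guards, which matters now that serial allocation and index writes are synchronized by separate locks. Add field comments such as `serialMu sync.Mutex // serializes read-and-increment of the serial file` and `dbMu sync.Mutex // serializes writes to the index database file`. With mutexes in the struct the value must never be copied; NewFileDepot returns *fileDepot and every method in the diff uses a pointer receiver, so that holds as long as no other code copies the struct by value.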
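Review bot: `serial := crt.SerialNumber` in Put trusts the caller-supplied certificate to carry a serial, whereas before the value always came from the depot; a nil SerialNumber would now flow into the index write instead of being rejected up front. Guard it where the old Serial() call was: `if crt.SerialNumber == nil { return errors.New("certificate has no serial number") }` (errors is already used in this file). Put's body continues outside the hunk, so I cannot see how writeDB formats the serial or whether it tolerates nil.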
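Review bot: Serial() now reserves a number — it reads the counter and advances it before returning — but has no doc comment saying so, and the removed call site in Put shows it used to be read-only. Add `// Serial returns the next unused serial number and advances the on-disk counter; the read and increment are atomic within this process.` The new mutex lives on the *fileDepot instance, so it does not protect two processes, or two NewFileDepot instances opened on the same directory, from handing out the same serial unless incrementSerial (outside the diff) takes an OS-level file lock; if that deployment shape is possible, say so in the comment or lock the serial file itself. Duplicate serials from one CA break the RFC 5280 uniqueness requirement and make revocation by serial ambiguous.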
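Review bot: When incrementSerial fails, `return serial, err` hands back a serial that was never reserved; a caller that logs the error but still uses the value could issue a certificate with a number the next call will return again. Return the zero value on error as Go convention expects: `return nil, err`. SignCSR in this same commit checks err and returns, so today's caller is safe, but the depot API should not rely on that.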
@@ -255,6 +256,8 @@ func (d *fileDepot) HasCN(_ string, allowTime int, cert *x509.Certificate, revok
 }
 
 func (d *fileDepot) writeDB(cn string, serial *big.Int, filename string, cert *x509.Certificate) error {
+ d.dbMu.Lock()
+ defer d.dbMu.Unlock()
 
 var dbEntry bytes.Buffer
 
diff --git a/depot/signer.go b/depot/signer.go
index 6fe0109..3e3bdb5 100644
--- a/depot/signer.go
+++ b/depot/signer.go
@@ -3,7 +3,6 @@ package depot
 import (
 "crypto/rand"
 "crypto/x509"
- "sync"
 "time"
 
 "github.com/micromdm/scep/v2/cryptoutil"
@@ -13,7 +12,6 @@ import (
 // Signer signs x509 certificates and stores them in a Depot
 type Signer struct {
 depot Depot
- mu sync.Mutex
 caPass string
 allowRenewalDays int
 validityDays int
@@ -81,9 +79,6 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
 return nil, err
 }
 
- s.mu.Lock()
- defer s.mu.Unlock()
-
 serial, err := s.depot.Serial()
 if err != nil {
 return nil, err
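Review bot: dbMu now serializes writers of the index database, but nothing in the diff shows a reader taking it; if HasCN (whose closing brace opens this hunk) reads the same index file, it can observe a partially written entry while writeDB is mid-write. If that is the case, take dbMu in the read path too, or document that reads are best-effort. Either way a comment on the lock call, `// dbMu guards the index database file; readers must hold it as well`, would make the intended scope explicit.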
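Review bot: Dropping the Signer mutex in SignCSR makes atomic serial allocation an obligation of every Depot implementation, but that contract is stated only in the commit message. Add to the doc comment of Depot.Serial, wherever the interface is declared (not in this diff): `// Serial returns a fresh, never-before-returned serial number; implementations must make the read-and-increment atomic across concurrent callers.` It is also worth a one-line comment above `serial, err := s.depot.Serial()` noting that the number is consumed before signing, so a later CreateCertificate or Put failure leaves a gap in the sequence rather than a reused value.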