From 40baf73dffb6c0392113ee6bf3f5579e8628de49 Mon Sep 17 00:00:00 2001
From: Raal Goff
Date: Thu, 15 Sep 2022 15:03:42 +0800
Subject: [PATCH] remove incorrect check on revoked certificate dates, add mutex lock for generating CRLs,
---
 authority/authority.go | 1 +
 authority/tls.go | 3 +++
 db/db.go | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/authority/authority.go b/authority/authority.go
index 619482bd..1b2faf4b 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -71,6 +71,7 @@ type Authority struct {
 // CRL vars
 crlTicker *time.Ticker
+ crlMutex sync.Mutex
 // Do not re-initialize
 initOnce bool
diff --git a/authority/tls.go b/authority/tls.go
index 5cde341c..4652735a 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -637,6 +637,9 @@ func (a *Authority) GenerateCertificateRevocationList() error {
 return errors.Errorf("CA does not support CRL Generation")
 }
+ a.crlMutex.Lock() // use a mutex to ensure only one CRL is generated at a time to avoid concurrency issues
+ defer a.crlMutex.Unlock()
+
 crlInfo, err := crlDB.GetCRL()
 if err != nil {
 return errors.Wrap(err, "could not retrieve CRL from database")
diff --git a/db/db.go b/db/db.go
index ee8007c1..a8ae23ee 100644
--- a/db/db.go
+++ b/db/db.go
@@ -255,7 +255,7 @@ func (db *DB) GetRevokedCertificates() (*[]RevokedCertificateInfo, error) {
 return nil, err
 }
- if !data.RevokedAt.IsZero() && data.RevokedAt.After(now) {
+ if !data.RevokedAt.IsZero() {
 revokedCerts = append(revokedCerts, data)
 } else if data.RevokedAt.IsZero() {
 cert, err := db.GetCertificate(data.Serial)
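Review bot: The new `crlMutex` field in `Authority` has no comment saying what it guards, while the only caller visible in this patch is `GenerateCertificateRevocationList`; a reader of the struct cannot tell whether the ticker-driven path and any on-demand path are both expected to take it. I would document the invariant on the field itself: `// crlMutex serializes CRL generation; every path that reads the stored CRL and writes a new one must hold it.` Since the struct now embeds a `sync.Mutex`, it must only ever be handled through a pointer, which the method set (`func (a *Authority)`) already suggests but which is worth stating next to the field. The `Authority` struct definition starts and ends outside this hunk.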
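Review bot: The lock added at the top of `GenerateCertificateRevocationList` only serializes generation within this process; if the CRL store behind `crlDB.GetCRL()` is shared by more than one CA instance (the hunk does not show the backend, so this is an inference), two instances can still read the same CRL number and both publish, and the last writer wins. If that deployment shape is supported, the guard needs to live at the store (a conditional update on the CRL number or a lease), and the comment should say the mutex covers the single-process case only. The inline comment on the `Lock()` line is long for Go style; I would move it to its own line above the call, e.g. `// Serialize CRL generation within this process: GetCRL/StoreCRL are a read-modify-write on the CRL number.` The function's signature is in the hunk header and its body continues past the hunk.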
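Review bot: After dropping the `After(now)` term, the branch `} else if data.RevokedAt.IsZero() {` is the exact negation of the new `if` condition, so it should read `} else {`; keeping the redundant test suggests a third case exists when none does. The removal itself is the right fix: a revocation whose timestamp is not in the future was previously omitted from the CRL, which fails open, and a future-dated `RevokedAt` now makes the CRL include the entry rather than silently defer it. If `now` was only consumed by the removed comparison it would no longer compile, so it is presumably still used in the `else` branch below; worth confirming that branch's expiry check is the intended remaining use. `GetRevokedCertificates` starts in the hunk header and continues past the hunk.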