Fix concurrent map access

pkg/crlcertdb/crlcertdb.go

@@ -24,6 +24,7 @@ import (
 	"io/ioutil"
 	"math/big"
 	"path/filepath"
+	"sync"
 
 	"code.cacert.org/cacert/goocsp/pkg/filewatcher"
 	"code.cacert.org/cacert/goocsp/pkg/ocsp"
@@ -35,6 +36,7 @@ import (
 type CRLCertDB struct {
 	crlPath string
 	content map[string]*ocsp.Response
+	lock    sync.Mutex
 }
 
 func NewCertDB(ctx context.Context, crlPath string) (*CRLCertDB, error) {
@@ -95,6 +97,9 @@ func (d *CRLCertDB) update() error {
 }
 
 func (d *CRLCertDB) UpdateCertificate(update *ocspsource.CertificateUpdate) {
+	d.lock.Lock()
+	defer d.lock.Unlock()
+
 	d.content[update.Serial.Text(16)] = &ocsp.Response{
 		Status:           update.Status,
 		SerialNumber:     update.Serial,
@@ -104,6 +109,9 @@ func (d *CRLCertDB) UpdateCertificate(update *ocspsource.CertificateUpdate) {
 }
 
 func (d *CRLCertDB) LookupResponseTemplate(number *big.Int) *ocsp.Response {
+	d.lock.Lock()
+	defer d.lock.Unlock()
+
 	serial := number.Text(16)
 	if response, ok := d.content[serial]; ok {
 		return response

pkg/opensslcertdb/opensslcertdb.go

@@ -27,6 +27,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 	"time"
 
 	"code.cacert.org/cacert/goocsp/pkg/filewatcher"
@@ -58,9 +59,13 @@ const (
 type OpenSSLCertDB struct {
 	fileName string
 	content  map[string]*ocsp.Response
+	lock     sync.Mutex
 }
 
 func (o *OpenSSLCertDB) UpdateCertificate(update *ocspsource.CertificateUpdate) {
+	o.lock.Lock()
+	defer o.lock.Unlock()
+
 	o.content[update.Serial.Text(hexBase)] = &ocsp.Response{
 		Status:           update.Status,
 		SerialNumber:     update.Serial,
@@ -138,6 +143,9 @@ func (o *OpenSSLCertDB) update() error {
 
 // LookupResponseTemplate retrieves an OCSP response template for the given certificate serial number.
 func (o *OpenSSLCertDB) LookupResponseTemplate(number *big.Int) *ocsp.Response {
+	o.lock.Lock()
+	defer o.lock.Unlock()
+
 	serial := number.Text(hexBase)
 	if response, ok := o.content[serial]; ok {
 		return response