improve deduplication process by using pem features

Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>
cert-manager · Feb 25, 2024 · 8e1a3ee · 8e1a3ee
1 parent 0dae48b
commit 8e1a3ee
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 16 deletions.
diff --git a/pkg/bundle/sync.go b/pkg/bundle/sync.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"strings"
@@ -307,6 +308,7 @@ type pkcs12Encoder struct {
 }
 
 func (e pkcs12Encoder) encode(trustBundle string) ([]byte, error) {
+	fmt.Printf("trusted bundle %s", trustBundle)
 	cas, err := util.DecodeX509CertificateChainBytes([]byte(trustBundle))
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode trust bundle: %w", err)
@@ -780,17 +782,34 @@ func (b *bundle) migrateConfigMapToApply(ctx context.Context, obj client.Object,
 
 // remove duplicate certificates from bundles
 func deduplicateBundles(bundles []string) []string {
+	var block *pem.Block
+
 	var certificatesHashes = make(map[[32]byte]struct{})
 	var dedupCerts []string
 
 	for _, cert := range bundles {
-		// calculate hash sum of the given certificate
-		hash := sha256.Sum256([]byte(cert))
-		// check existence of the hash
-		if _, ok := certificatesHashes[hash]; !ok {
-			dedupCerts = append(dedupCerts, cert)
-			certificatesHashes[hash] = struct{}{}
+		certBytes := []byte(cert)
+	LOOP:
+		for {
+			block, certBytes = pem.Decode([]byte(certBytes))
+			if block == nil {
+				break LOOP
+			}
+			if block.Type != "CERTIFICATE" {
+				fmt.Println("couldn't decode PEM block containing certificate")
+				continue
+			}
+
+			// calculate hash sum of the given certificate
+			hash := sha256.Sum256(block.Bytes)
+			// check existence of the hash
+			if _, ok := certificatesHashes[hash]; !ok {
+				// neew to trim a newline which is added by Encoder
+				dedupCerts = append(dedupCerts, string(bytes.Trim(pem.EncodeToMemory(block), "\n")))
+				certificatesHashes[hash] = struct{}{}
+			}
 		}
+
 	}
 
 	return dedupCerts

diff --git a/pkg/bundle/sync_test.go b/pkg/bundle/sync_test.go
@@ -1733,22 +1733,14 @@ func Test_certAlias(t *testing.T) {
 func TestBundlesDeduplication(t *testing.T) {
 	// list of certificates
 	bundle := []string{
-		dummy.TestCertificate3Duplicate,
 		dummy.TestCertificate1,
-		dummy.TestCertificate2,
-		dummy.TestCertificate3,
-		dummy.TestCertificate5Duplicate,
-		dummy.TestCertificate4,
-		dummy.TestCertificate5,
+		dummy.JoinCerts(dummy.TestCertificate1, dummy.TestCertificate3),
 	}
 
 	// test bundle
 	testBundle := []string{
-		dummy.TestCertificate3Duplicate,
 		dummy.TestCertificate1,
-		dummy.TestCertificate2,
-		dummy.TestCertificate5Duplicate,
-		dummy.TestCertificate4,
+		dummy.TestCertificate3,
 	}
 
 	resultBundle := deduplicateBundles(bundle)