From 8e1a3eee623cec962c1f4bc39f570a0d742457b9 Mon Sep 17 00:00:00 2001
From: Oleksandr Krutko
Date: Sun, 25 Feb 2024 20:43:08 +0200
Subject: [PATCH] improve deduplication process by using pem features

Signed-off-by: Oleksandr Krutko
---
 pkg/bundle/sync.go      | 31 +++++++++++++++++++++++++------
 pkg/bundle/sync_test.go | 12 ++----------
 2 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/pkg/bundle/sync.go b/pkg/bundle/sync.go
index bd02385c..c9321857 100644
--- a/pkg/bundle/sync.go
+++ b/pkg/bundle/sync.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"strings"
@@ -307,6 +308,7 @@ type pkcs12Encoder struct {
 }
 func (e pkcs12Encoder) encode(trustBundle string) ([]byte, error) {
+	fmt.Printf("trusted bundle %s", trustBundle)
 	cas, err := util.DecodeX509CertificateChainBytes([]byte(trustBundle))
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode trust bundle: %w", err)
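Review bot: The `fmt.Printf("trusted bundle %s", trustBundle)` added at the top of `pkcs12Encoder.encode` looks like leftover debugging: it writes the whole PEM bundle to stdout on every encode, bypasses whatever logger the package uses, and has no trailing newline, so the next stdout write is glued onto the bundle text. It is also unrelated to the deduplication change named in the commit subject. I would drop the line; if an operator-visible trace of the input is wanted, log `len(trustBundle)` or a digest through the package logger rather than the bundle body. The rest of `encode` continues beyond the hunk.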
@@ -780,17 +782,34 @@ func (b *bundle) migrateConfigMapToApply(ctx context.Context, obj client.Object,
 // remove duplicate certificates from bundles
 func deduplicateBundles(bundles []string) []string {
+	var block *pem.Block
+
 	var certificatesHashes = make(map[[32]byte]struct{})
 	var dedupCerts []string
 	for _, cert := range bundles {
-		// calculate hash sum of the given certificate
-		hash := sha256.Sum256([]byte(cert))
-		// check existence of the hash
-		if _, ok := certificatesHashes[hash]; !ok {
-			dedupCerts = append(dedupCerts, cert)
-			certificatesHashes[hash] = struct{}{}
+		certBytes := []byte(cert)
+	LOOP:
+		for {
+			block, certBytes = pem.Decode([]byte(certBytes))
+			if block == nil {
+				break LOOP
+			}
+			if block.Type != "CERTIFICATE" {
+				fmt.Println("couldn't decode PEM block containing certificate")
+				continue
+			}
+
+			// calculate hash sum of the given certificate
+			hash := sha256.Sum256(block.Bytes)
+			// check existence of the hash
+			if _, ok := certificatesHashes[hash]; !ok {
+				// neew to trim a newline which is added by Encoder
+				dedupCerts = append(dedupCerts, string(bytes.Trim(pem.EncodeToMemory(block), "\n")))
+				certificatesHashes[hash] = struct{}{}
+			}
 		}
+
 	}
 	return dedupCerts
diff --git a/pkg/bundle/sync_test.go b/pkg/bundle/sync_test.go
index 5734da22..3c5e1b81 100644
--- a/pkg/bundle/sync_test.go
+++ b/pkg/bundle/sync_test.go
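Review bot: In the `block.Type != "CERTIFICATE"` branch of `deduplicateBundles`, the message `couldn't decode PEM block containing certificate` is inaccurate — `pem.Decode` succeeded, the block merely has another type — and it goes to stdout through `fmt.Println`, so an operator cannot tell what was discarded; the block is then silently dropped, a behaviour change from the old pass-through that also applies to any trailing non-PEM bytes once `pem.Decode` returns nil. I would at least make the message truthful and include the type, e.g. `fmt.Printf("skipping PEM block of type %q while deduplicating bundle\n", block.Type)`, and route it through the package logger if one is reachable from this free function (not visible here). Smaller points: the `LOOP` label is unnecessary since no `switch`/`select` encloses the `break`, `pem.Decode([]byte(certBytes))` copies an already-`[]byte` slice on every iteration (pass `certBytes` directly), `block` can be declared inside the loop, and "neew" in the comment is a typo. `bytes.Trim` needs the `bytes` package, yet the import hunk adds only `encoding/pem`, so confirm `bytes` is already imported above line 21 of the import block. The function's closing brace lies outside the hunk.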
@@ -1733,22 +1733,14 @@ func Test_certAlias(t *testing.T) {
 func TestBundlesDeduplication(t *testing.T) {
 	// list of certificates
 	bundle := []string{
-		dummy.TestCertificate3Duplicate,
 		dummy.TestCertificate1,
-		dummy.TestCertificate2,
-		dummy.TestCertificate3,
-		dummy.TestCertificate5Duplicate,
-		dummy.TestCertificate4,
-		dummy.TestCertificate5,
+		dummy.JoinCerts(dummy.TestCertificate1, dummy.TestCertificate3),
 	}
 	// test bundle
 	testBundle := []string{
-		dummy.TestCertificate3Duplicate,
 		dummy.TestCertificate1,
-		dummy.TestCertificate2,
-		dummy.TestCertificate5Duplicate,
-		dummy.TestCertificate4,
+		dummy.TestCertificate3,
 	}
 	resultBundle := deduplicateBundles(bundle)
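Review bot: The rewritten `TestBundlesDeduplication` exercises only the new split-and-merge path (one joined entry plus a repeated `TestCertificate1`) and drops the `TestCertificate3Duplicate`/`TestCertificate5Duplicate` inputs, so the case that motivates hashing over `block.Bytes` — the same certificate appearing with different PEM formatting, which is presumably what those fixtures are, judging by their names — is no longer covered, nor is a non-`CERTIFICATE` block or trailing garbage that the new loop discards. I would keep the previous mixed list alongside the joined entry and add an input with a non-certificate PEM block, asserting it is absent from the result. Note that the expected `dummy.TestCertificate3` now has to equal the output of `pem.EncodeToMemory` after trimming newlines, which only holds if the fixture is already canonically wrapped with no PEM headers; a comment on the `testBundle` literal saying the expected strings are compared against re-encoded output would save the next reader from guessing. The assertions at the end of the test lie outside the hunk.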