crypto/x509: update iOS bundled roots to version 55161.140.3

Extended the sorting logic to be stable even when there are two roots with the same name and notBefore timestamp, like the GlobalSign ones. Updates #38843 Change-Id: Ie4db0bb8b6a8b5ffbb7390b6bd527fc0c3badaca Reviewed-on: https://go-review.googlesource.com/c/go/+/266677 Reviewed-by: Katie Hockman <katie@golang.org> Trust: Filippo Valsorda <filippo@golang.org>
golang · Nov 9, 2020 · 3fad58f · 3fad58f
1 parent 564ec48
commit 3fad58f
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 180 deletions.
diff --git a/src/crypto/x509/root.go b/src/crypto/x509/root.go
@@ -4,7 +4,7 @@
 
 package x509
 
-//go:generate go run root_ios_gen.go -version 55161.80.1
+//go:generate go run root_ios_gen.go -version 55161.140.3
 
 import "sync"
 

diff --git a/src/crypto/x509/root_ios.go b/src/crypto/x509/root_ios.go
diff --git a/src/crypto/x509/root_ios_gen.go b/src/crypto/x509/root_ios_gen.go
@@ -124,7 +124,11 @@ func main() {
 		if strings.ToLower(certName(certs[i])) != strings.ToLower(certName(certs[j])) {
 			return strings.ToLower(certName(certs[i])) < strings.ToLower(certName(certs[j]))
 		}
-		return certs[i].NotBefore.Before(certs[j].NotBefore)
+		if !certs[i].NotBefore.Equal(certs[j].NotBefore) {
+			return certs[i].NotBefore.Before(certs[j].NotBefore)
+		}
+		fi, fj := sha256.Sum256(certs[i].Raw), sha256.Sum256(certs[j].Raw)
+		return bytes.Compare(fi[:], fj[:]) < 0
 	})
 
 	out := new(bytes.Buffer)