From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: update cert.pem
To: Theo Buehler <tb@theobuehler.org>
Cc: tech@openbsd.org
Date: Fri, 1 Nov 2024 10:59:43 +0000

On 2024/11/01 11:41, Theo Buehler wrote:
> Baltimore will expire shortly after 7.7 release (May 12, 2025)
> Apart from a warning on that, there was only the usual Unizeto error:
> 
> ERROR: '/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2' cannot be verified with libressl

The usual date format issue.

> Nothing particularly interesting this time. Comodo was hoisted over
> COMODO again.

This is because of lc() in the sort order; the order of the "equal
except for case" lines then depends on the perl hash order which is
random.

The diff below makes the output from format-pem repeatable (at the cost
of one-off churn). Do we want that? (I think so).

Index: format-pem.pl
===================================================================
RCS file: /cvs/src/lib/libcrypto/format-pem.pl,v
diff -u -p -r1.6 format-pem.pl
--- format-pem.pl	3 Jul 2022 15:02:04 -0000	1.6
+++ format-pem.pl	1 Nov 2024 10:48:58 -0000
@@ -115,9 +115,9 @@ while(<>) {
 close $tmp;
 chomp $rcsid;
 print $rcsid;
-foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
+foreach my $o (sort{$a cmp $b} keys %ca) {
 	print "\n### $o\n\n";
-	foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
+	foreach my $subj (sort{$a cmp $b} keys %{ $ca{$o} }) {
 		if ($ca{$o}{$subj}{'valid'} == 1) {
 			print "=== $subj\n";
 			print $ca{$o}{$subj}{'info'};
@@ -127,9 +127,9 @@ foreach my $o (sort{lc($a) cmp lc($b)} k
 }

 # print a visual summary at the end
-foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
+foreach my $o (sort{$a cmp $b} keys %ca) {
 	print STDERR "\n$o\n";
-	foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
+	foreach my $subj (sort{$a cmp $b} keys %{ $ca{$o} }) {
 		print STDERR "  $subj\n";
 	}
 }