From: Andrew Hewus Fresh Subject: Re: update cert.pem To: Theo Buehler , tech@openbsd.org Date: Fri, 1 Nov 2024 21:13:26 -0700 On Fri, Nov 01, 2024 at 10:59:43AM +0000, Stuart Henderson wrote: > On 2024/11/01 11:41, Theo Buehler wrote: > > Baltimore will expire shortly after 7.7 release (May 12, 2025) > > Apart from a warning on that, there was only the usual Unizeto error: > > > > ERROR: '/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2' cannot be verified with libressl > > The usual date format issue. > > > Nothing particularly interesting this time. Comodo was hoisted over > > COMODO again. > > This is because of lc() in the sort order; the order of the "equal > except for case" lines then depends on the perl hash order which is > random. > > The diff below makes the output from format-pem repeatable (at the cost > of one-off churn). Do we want that? (I think so). You could do something like this to avoid a little churn: (although I don't know quite where to get ca-bundle.crt to test it) (also, I don't like the name) Index: format-pem.pl =================================================================== RCS file: /cvs/src/lib/libcrypto/format-pem.pl,v diff -u -p -r1.6 format-pem.pl --- format-pem.pl 3 Jul 2022 15:02:04 -0000 1.6 +++ format-pem.pl 2 Nov 2024 04:11:24 -0000 @@ -33,6 +33,8 @@ if (! eval {require Date::Parse;1;}) { use Date::Parse; } +sub without_case_reliably { lc($a) cmp lc($b) || $a cmp $b } + my $tmp = File::Temp->new(TEMPLATE => '/tmp/splitcert.XXXXXXXX'); my $t = $tmp->filename; @@ -115,9 +117,9 @@ while(<>) { close $tmp; chomp $rcsid; print $rcsid; -foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) { +foreach my $o (sort without_case_reliably keys %ca) { print "\n### $o\n\n"; - foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) { + foreach my $subj (sort without_case_reliably keys %{ $ca{$o} }) { if ($ca{$o}{$subj}{'valid'} == 1) { print "=== $subj\n"; print $ca{$o}{$subj}{'info'}; 
@@ -127,9 +129,9 @@ foreach my $o (sort{lc($a) cmp lc($b)} k } # print a visual summary at the end -foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) { +foreach my $o (sort without_case_reliably keys %ca) { print STDERR "\n$o\n"; - foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) { + foreach my $subj (sort without_case_reliably keys %{ $ca{$o} }) { print STDERR " $subj\n"; } }
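Review bot: the new without_case_reliably sub in the first hunk (@@ -33,6 +33,8 @@) carries no comment explaining why the `|| $a cmp $b` fallback is there, and the name does not say it either. A one-line comment stating that the case-sensitive tiebreak fixes the relative order of keys that compare equal under lc(), so the output no longer depends on hash order, would make the intent clear to the next person running format-pem.pl. A name such as by_lc_then_exact (a suggestion only) might also read better at the four call sites.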
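Review bot: at the `sort without_case_reliably keys %ca` calls in the second hunk (@@ -115,9 +117,9 @@), and likewise in the summary loop of the third, the `$a cmp $b` tiebreak places an all-uppercase key ahead of its mixed-case twin (assuming no `use locale` is in effect), so COMODO will always sort before Comodo. It is worth checking that this matches the order currently committed in cert.pem; if it does not, the change still costs one round of churn, and reversing the fallback to `$b cmp $a` would keep the existing order while staying deterministic.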