x509roots: generate a stable sort, for real this time

Sort based on the stringified subject, then break ties based on the raw
DER (which will, actually, be unique this time).

Change-Id: I3dd912fb19b103e92fabfb4562e31c6dcec40614
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/505695
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>

1 files changed, 10 insertions, 1 deletions

diff --git a/x509roots/gen_fallback_bundle.go b/x509roots/gen_fallback_bundle.go
index 761dfb9..c22d1b0 100644
--- a/x509roots/gen_fallback_bundle.go
+++ b/x509roots/gen_fallback_bundle.go
@@ -96,7 +96,16 @@ func main() {
 	}
 
 	sort.Slice(certs, func(i, j int) bool {
-		return string(certs[i].X509.RawSubjectPublicKeyInfo) < string(certs[j].X509.RawSubjectPublicKeyInfo)
+		// Sort based on the stringified subject (which may not be unique), and
+		// break any ties by just sorting on the raw DER (which will be unique,
+		// but is expensive). This should produce a stable sorting, which should
+		// be mostly readable by a human looking for a specific root or set of
+		// roots.
+		subjI, subjJ := certs[i].X509.Subject.String(), certs[j].X509.Subject.String()
+		if subjI == subjJ {
+			return string(certs[i].X509.Raw) < string(certs[j].X509.Raw)
+		}
+		return subjI < subjJ
 	})
 
 	b := new(bytes.Buffer)