crypto/x509: update iOS bundled roots to version 55161.140.3

FiloSottile · FiloSottile · commit 3fad58f12efa · 2020-11-09T15:09:58.000Z
Extended the sorting logic to be stable even when there are two roots with the same name and notBefore timestamp, like the GlobalSign ones. Updates #38843 Change-Id: Ie4db0bb8b6a8b5ffbb7390b6bd527fc0c3badaca Reviewed-on: https://go-review.googlesource.com/c/go/+/266677 Reviewed-by: Katie Hockman <katie@golang.org> Trust: Filippo Valsorda <filippo@golang.org>
diff --git a/src/crypto/x509/root.go b/src/crypto/x509/root.go
@@ -4,7 +4,7 @@
 
 package x509
 
-//go:generate go run root_ios_gen.go -version 55161.80.1
+//go:generate go run root_ios_gen.go -version 55161.140.3
 
 import "sync"
 
diff --git a/src/crypto/x509/root_ios.go b/src/crypto/x509/root_ios.go
diff --git a/src/crypto/x509/root_ios_gen.go b/src/crypto/x509/root_ios_gen.go
@@ -124,7 +124,11 @@ func main() {
 		if strings.ToLower(certName(certs[i])) != strings.ToLower(certName(certs[j])) {
 			return strings.ToLower(certName(certs[i])) < strings.ToLower(certName(certs[j]))
 		}
-		return certs[i].NotBefore.Before(certs[j].NotBefore)
+		if !certs[i].NotBefore.Equal(certs[j].NotBefore) {
+			return certs[i].NotBefore.Before(certs[j].NotBefore)
+		}
+		fi, fj := sha256.Sum256(certs[i].Raw), sha256.Sum256(certs[j].Raw)
+		return bytes.Compare(fi[:], fj[:]) < 0
 	})
 
 	out := new(bytes.Buffer)
