From 0049e698311069328f03bb986eaa5f46b68daab4 Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Sat, 12 Oct 2024 18:11:38 +0200
Subject: [PATCH] fix: make PKCS#12 truststores deterministic

Signed-off-by: Erik Godding Boye
---
 pkg/bundle/internal/truststore/types.go | 11 ++++++++---
 pkg/bundle/internal/truststore/types_test.go | 11 ++---------
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/pkg/bundle/internal/truststore/types.go b/pkg/bundle/internal/truststore/types.go
index b5eae670..839bc627 100644
--- a/pkg/bundle/internal/truststore/types.go
+++ b/pkg/bundle/internal/truststore/types.go
@@ -21,6 +21,7 @@ import (
 "crypto/sha256"
 "encoding/hex"
 "fmt"
+ "math/rand"
 
 "github.com/pavlo-v-chernykh/keystore-go/v4"
 "software.sslmate.com/src/go-pkcs12"
@@ -98,10 +99,14 @@ func (e pkcs12Encoder) Encode(trustBundle *util.CertPool) ([]byte, error) {
 })
 }
 
- encoder := pkcs12.LegacyRC2
+ encoder := pkcs12.Passwordless
 
- if e.password == "" {
- encoder = pkcs12.Passwordless
+ if e.password != "" {
+ encoder = pkcs12.LegacyRC2.
+ // Short-circuiting the rand generator to make our PKCS#12 truststores deterministic.
+ // This should allow use of unconditional SSA requests from controller.
+ // See: https://cert-manager.io/docs/faq/#why-are-passwords-on-jks-or-pkcs12-files-not-helpful
+ WithRand(rand.New(rand.NewSource(1))) //#nosec G404
 }
 
 return encoder.EncodeTrustStoreEntries(entries, e.password)
diff --git a/pkg/bundle/internal/truststore/types_test.go b/pkg/bundle/internal/truststore/types_test.go
index a3f3a9dd..31084e44 100644
--- a/pkg/bundle/internal/truststore/types_test.go
+++ b/pkg/bundle/internal/truststore/types_test.go
@@ -32,8 +32,7 @@ import (
 
 func Test_Encoder_Deterministic(t *testing.T) {
 tests := map[string]struct {
- encoder Encoder
- expNonDeterministic bool
+ encoder Encoder
 }{
 "JKS default password": {
 encoder: NewJKSEncoder(v1alpha1.DefaultJKSPassword),
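Review bot: The comment on the `WithRand` line in `Encode` says why determinism is wanted but not what the fixed seed `rand.NewSource(1)` gives up: every call now feeds the encoder the same byte stream, so whatever go-pkcs12 draws from that reader (presumably the salts for the legacy RC2 key derivation and the MAC) is identical for every store, and the password then adds no confidentiality at all. That is acceptable for a truststore, which carries only public certificates, but the pattern must not be copied to a store that holds private keys, and the `//#nosec G404` suppression rests on the same reasoning. Consider extending the comment with `// NOTE: the fixed seed makes the derived salts identical across stores, so the password provides no confidentiality; acceptable only because trust bundles contain public certificates - never reuse this for private-key stores.` The body of `Encode` begins before this hunk.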
@@ -46,8 +45,6 @@ func Test_Encoder_Deterministic(t *testing.T) {
 },
 "PKCS#12 custom password": {
 encoder: NewPKCS12Encoder("my-password"),
- // FIXME: We should try to make all encoders deterministic
- expNonDeterministic: true,
 },
 }
 
@@ -72,11 +69,7 @@ func Test_Encoder_Deterministic(t *testing.T) {
 t.Fatalf("didn't expect an error but got: %s", err)
 }
 
- if test.expNonDeterministic {
- assert.NotEqual(t, store, store2, "expected encoder to be non-deterministic")
- } else {
- assert.Equal(t, store, store2, "expected encoder to be deterministic")
- }
+ assert.Equal(t, store, store2, "expected encoder to be deterministic")
 })
 }
 }