git: 87945a082980 - main - certctl: Fix recent regressions.

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Fri, 20 Oct 2023 10:29:42 UTC
The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=87945a082980260b52507ad5bfb3a0ce773a80da

commit 87945a082980260b52507ad5bfb3a0ce773a80da
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2023-10-20 10:29:06 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2023-10-20 10:29:40 +0000

    certctl: Fix recent regressions.
    
    - If an untrusted certificate is also found in the list of trusted
      certificates, issue a warning and skip it, but don't fail.
    - Split on -+BEGIN CERTIFICATE-+ instead of "Certificate:" since
      that's what we're really looking for.
    
    Also fix a long-standing bug: .crl files are not certificates, so we
    should not include them when searching for certificates.
    
    Reported by:    madpilot, netchild, tijl
    Reviewed by:    netchild, allanjude
    Differential Revision:  https://reviews.freebsd.org/D42276
---
 usr.sbin/certctl/certctl.sh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
index b7d3a95bc7d7..2ffa94bc7db7 100755
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -67,8 +67,7 @@ cert_files_in()
 	find -L "$@" -type f \( \
 	     -name '*.pem' -or \
 	     -name '*.crt' -or \
-	     -name '*.cer' -or \
-	     -name '*.crl' \
+	     -name '*.cer' \
 	\) 2>/dev/null
 }
 
@@ -114,7 +113,7 @@ create_trusted()
 		otherhash=$(openssl x509 -sha1 -in "$otherfile" -noout -fingerprint)
 		if [ "$certhash" = "$otherhash" ] ; then
 			info "Skipping untrusted certificate $hash ($otherfile)"
-			return 1
+			return 0
 		fi
 	done
 	for otherfile in $(find $CERTDESTDIR -name "$hash.*") ; do
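Review bot: The new `return 0` on the `Skipping untrusted certificate` branch turns the skip into an ordinary success for the caller, and the only diagnostic goes through `info`, which by its name is probably suppressed in quiet mode; the commit message calls this a warning, so it should reach stderr regardless, e.g. `echo "Skipping untrusted certificate $hash ($otherfile)" >&2`. This message is the only signal an operator gets that a certificate they put in the trusted directory is being overridden by the untrusted list, so it is worth keeping visible. The enclosing create_trusted function, including the loop header this `if` sits in, starts and ends outside the hunk.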
@@ -182,7 +181,7 @@ do_scan()
 	IFS="$oldIFS"
 	for CFILE in $(cert_files_in "$@") ; do
 		verbose "Reading $CFILE"
-		case $(grep -c '^Certificate:$' "$CFILE") in
+		case $(egrep -c '^-+BEGIN CERTIFICATE-+$' "$CFILE") in
 		0)
 			;;
 		1)
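Review bot: The BEGIN-line regex introduced in `egrep -c '^-+BEGIN CERTIFICATE-+$'` is repeated verbatim in the next hunk's `split -p` call, so the two can drift apart and the count would then disagree with how the file is split. Defining it once before the loop, e.g. `pem_begin='^-+BEGIN CERTIFICATE-+$'` and `case $(grep -E -c "$pem_begin" "$CFILE") in`, keeps them in step; `grep -E` is also preferable to `egrep`, which GNU grep now reports as obsolescent (FreeBSD's grep still accepts it). do_scan starts before and continues past this hunk.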
@@ -191,8 +190,8 @@ do_scan()
 		*)
 			verbose "Multiple certificates found, splitting..."
 			SPLITDIR=$(mktemp -d)
-			egrep '^[^#]' "$CFILE" | \
-				split -p '^Certificate:$' - "$SPLITDIR/x"
+			egrep '^(---|[0-9A-Za-z/+=]+$)' "$CFILE" | \
+				split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x"
 			for CERT in $(find "$SPLITDIR" -type f) ; do
 				"$CFUNC" "$CERT"
 			done
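Review bot: With `split -p`, everything before the first matching line becomes its own chunk, and the new `egrep '^(---|[0-9A-Za-z/+=]+$)'` filter still passes any leading line made only of base64-alphabet characters as well as the `---` armor of a non-certificate PEM block (a CRL or key kept in the same .pem, say), so `$SPLITDIR/xaa` can end up holding no certificate at all and is then handed to `"$CFUNC"`. The loop at `for CERT in $(find "$SPLITDIR" -type f)` should skip such chunks, e.g. `grep -Eq '^-+BEGIN CERTIFICATE-+$' "$CERT" || continue` just before the `"$CFUNC" "$CERT"` call. Whether `$SPLITDIR` is removed afterwards is not visible here; do_scan continues past the hunk.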