svn commit: r361310 - in stable: 11/usr.sbin/certctl 12/usr.sbin/certctl

[Kyle Evans]

Author: kevans
Date: Thu May 21 01:23:59 2020
New Revision: 361310
URL: https://svnweb.freebsd.org/changeset/base/361310

Log:
  MFC r361022-r361023, r361148: certctl(8) fixes
  
  r361022: certctl(8): don't completely nuke $CERTDESTDIR
  
  It's been reported/noted that a well-timed `certctl rehash` will completely
  obliterate $CERTDESTDIR, which may get used by ports or system
  administrators. While we can't guarantee the certctl semantics when other
  non-certctl-controlled bits live here, we should make some amount of effort
  to play nice.
  
  Pruning all existing links, which we'll subsequently rebuild as needed, is
  sufficient for our needs. This can still be destructive, but it's perhaps
  less likely to cause issues.
  
  I also note that we should probably be pruning /etc/ssl/blacklisted upon
  rehash as well.
  
  r361023: certctl: follow-up to r361022, prune blacklist as well
  
  Otherwise, removals from the blacklist may not get processed as they should.
  
  While we're here, restructure these to not bother with mkdir(1) if we've
  already tested them to exist.
  
  r361148: certctl: don't fall over flat with relative DESTDIR
  
  Up until now, all of our DESTDIR use has been with absolute paths. It turned
  out that the cd in/out dance we do here breaks us down later on, as the
  relative path no longer resolves.
  
  Convert EXTENSIONS to an ERE that we'll use to grep ls -1 of the dir we're
  inspecting, rather than cd'ing into it and globbing it up.

Modified:
  stable/11/usr.sbin/certctl/certctl.sh
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/usr.sbin/certctl/certctl.sh
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/usr.sbin/certctl/certctl.sh
==============================================================================
--- stable/11/usr.sbin/certctl/certctl.sh	Wed May 20 23:27:01 2020	(r361309)
+++ stable/11/usr.sbin/certctl/certctl.sh	Thu May 21 01:23:59 2020	(r361310)
@@ -34,7 +34,7 @@
 : ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
 : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
 : ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
-: ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"}
+: ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"}
 : ${VERBOSE:=0}
 
 ############################################################ GLOBALS
@@ -104,13 +104,11 @@ do_scan()
 	for CPATH in "$@"; do
 		[ -d "$CPATH" ] || continue
 		echo "Scanning $CPATH for certificates..."
-		cd "$CPATH"
-		for CFILE in $EXTENSIONS; do
-			[ -e "$CFILE" ] || continue
+		for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}"); do
+			[ -e "$CPATH/$CFILE" ] || continue
 			[ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
 			"$CFUNC" "$CPATH/$CFILE"
 		done
-		cd -
 	done
 }
 
@@ -142,9 +140,18 @@ do_list()
 cmd_rehash()
 {
 
-	[ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR"
-	[ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR"
-	[ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
+	if [ $NOOP -eq 0 ]; then
+		if [ -e "$CERTDESTDIR" ]; then
+			find "$CERTDESTDIR" -type link -delete
+		else
+			mkdir -p "$CERTDESTDIR"
+		fi
+		if [ -e "$BLACKLISTDESTDIR" ]; then
+			find "$BLACKLISTDESTDIR" -type link -delete
+		else
+			mkdir -p "$BLACKLISTDESTDIR"
+		fi
+	fi
 
 	do_scan create_blacklisted "$BLACKLISTPATH"
 	do_scan create_trusted_link "$TRUSTPATH"