svn commit: r357082 - in stable: 11/etc/mtree 11/secure 11/secure/caroot 11/share/mk 11/usr.sbin 11/usr.sbin/certctl 11/usr.sbin/etcupdate 11/usr.sbin/mergemaster 12/etc/mtree 12/secure 12/secure/c...
Kyle Evans
kevans at FreeBSD.org
Fri Jan 24 15:29:36 UTC 2020
Author: kevans
Date: Fri Jan 24 15:29:33 2020
New Revision: 357082
URL: https://svnweb.freebsd.org/changeset/base/357082
Log:
MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure
Infrastructure only -- no plans in place currently to commit any certs to
these branches.
r352948:
[1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle
to base.
This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions
A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.
This work was done primarily by allanjude@, with minor contributions by
myself.
r352949:
[2/3] Add certctl(8)
This is a simple utility to hash all trusted on the system into
/etc/ssl/certs. It also allows the user to blacklist certificates they do
not trust.
This work was done primarily by allanjude@, with minor contributions by
myself.
r352950:
[3/3] etcupdate and mergemaster support for certctl
This commit add support for certctl in mergemaster and etcupdate. Both will
either rehash or prompt for rehash as new certificates are
trusted/blacklisted.
This work was done primarily by allanjude@, with minor contributions by
myself.
r352951:
caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are
still generated. If they end up in a review, it would be helpful to also
take the hint and hide them.
r353002:
Unbreak etcupdate(8) and mergemaster(8) after r352950
r352950 introduced improper case fall-through for shell scripts. Fix it with
a pipe.
r353066:
certctl(8): realpath the file before creating the symlink
Otherwise we end up creating broken relative symlinks in
/etc/ssl/blacklisted.
r353070:
certctl(8): let one blacklist based on hashed filenames
It seems reasonable to allow, for instance:
$ certctl list
# reviews output -- ah, yeah, I don't trust that one
$ certctl blacklist ce5e74ef.0
$ certctl rehash
We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've
described it to them in `certctl list` output -- I see little sense in
forcing another level of filesystem inspection to determien what cert file
this physically corresponds to.
Relnotes: yes
Added:
stable/12/secure/caroot/
- copied from r352951, head/secure/caroot/
stable/12/usr.sbin/certctl/
- copied from r352951, head/usr.sbin/certctl/
Modified:
stable/12/etc/mtree/BSD.usr.dist
stable/12/secure/Makefile
stable/12/share/mk/src.opts.mk
stable/12/usr.sbin/Makefile
stable/12/usr.sbin/certctl/certctl.sh
stable/12/usr.sbin/etcupdate/etcupdate.sh
stable/12/usr.sbin/mergemaster/mergemaster.sh
Directory Properties:
stable/12/ (props changed)
Changes in other areas also in this revision:
Added:
stable/11/secure/caroot/
- copied from r352951, head/secure/caroot/
stable/11/usr.sbin/certctl/
- copied from r352951, head/usr.sbin/certctl/
Modified:
stable/11/etc/mtree/BSD.usr.dist
stable/11/secure/Makefile
stable/11/share/mk/src.opts.mk
stable/11/usr.sbin/Makefile
stable/11/usr.sbin/certctl/certctl.sh
stable/11/usr.sbin/etcupdate/etcupdate.sh
stable/11/usr.sbin/mergemaster/mergemaster.sh
Directory Properties:
stable/11/ (props changed)
Modified: stable/12/etc/mtree/BSD.usr.dist
==============================================================================
--- stable/12/etc/mtree/BSD.usr.dist Fri Jan 24 14:58:02 2020 (r357081)
+++ stable/12/etc/mtree/BSD.usr.dist Fri Jan 24 15:29:33 2020 (r357082)
@@ -200,6 +200,12 @@
uk_UA.KOI8-U
..
..
+ certs
+ blacklisted
+ ..
+ trusted
+ ..
+ ..
dict
..
doc
Modified: stable/12/secure/Makefile
==============================================================================
--- stable/12/secure/Makefile Fri Jan 24 14:58:02 2020 (r357081)
+++ stable/12/secure/Makefile Fri Jan 24 15:29:33 2020 (r357082)
@@ -8,6 +8,8 @@ SUBDIR_PARALLEL=
SUBDIR.${MK_TESTS}+= tests
+SUBDIR.${MK_CAROOT}+= caroot
+
# These are the programs which depend on crypto, but not Kerberos.
SPROGS= lib/libfetch lib/libpam lib/libradius lib/libtelnet \
bin/ed libexec/telnetd usr.bin/fetch usr.bin/telnet \
Modified: stable/12/share/mk/src.opts.mk
==============================================================================
--- stable/12/share/mk/src.opts.mk Fri Jan 24 14:58:02 2020 (r357081)
+++ stable/12/share/mk/src.opts.mk Fri Jan 24 15:29:33 2020 (r357082)
@@ -76,6 +76,7 @@ __DEFAULT_YES_OPTIONS = \
BZIP2 \
CALENDAR \
CAPSICUM \
+ CAROOT \
CASPER \
CCD \
CDDL \
Modified: stable/12/usr.sbin/Makefile
==============================================================================
--- stable/12/usr.sbin/Makefile Fri Jan 24 14:58:02 2020 (r357081)
+++ stable/12/usr.sbin/Makefile Fri Jan 24 15:29:33 2020 (r357082)
@@ -125,6 +125,9 @@ SUBDIR.${MK_BLUETOOTH}+= bluetooth
SUBDIR.${MK_BOOTPARAMD}+= bootparamd
SUBDIR.${MK_BSDINSTALL}+= bsdinstall
SUBDIR.${MK_BSNMP}+= bsnmpd
+.if ${MK_CAROOT} != "no"
+SUBDIR.${MK_OPENSSL}+= certctl
+.endif
SUBDIR.${MK_CTM}+= ctm
SUBDIR.${MK_CXGBETOOL}+= cxgbetool
SUBDIR.${MK_DIALOG}+= bsdconfig
Modified: stable/12/usr.sbin/certctl/certctl.sh
==============================================================================
--- head/usr.sbin/certctl/certctl.sh Wed Oct 2 01:27:50 2019 (r352951)
+++ stable/12/usr.sbin/certctl/certctl.sh Fri Jan 24 15:29:33 2020 (r357082)
@@ -69,16 +69,26 @@ create_trusted_link()
return 1
fi
[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
- [ $NOOP -eq 0 ] && ln -fs "$1" "$CERTDESTDIR/$hash.0"
+ [ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$CERTDESTDIR/$hash.0"
}
create_blacklisted()
{
- local hash
+ local hash srcfile filename
- hash=$( do_hash "$1" ) || return
- [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to blacklist"
- [ $NOOP -eq 0 ] && ln -fs "$1" "$BLACKLISTDESTDIR/$hash.0"
+ # If it exists as a file, we'll try that; otherwise, we'll scan
+ if [ -e "$1" ]; then
+ hash=$( do_hash "$1" ) || return
+ srcfile=$(realpath "$1")
+ filename="$hash.0"
+ elif [ -e "${CERTDESTDIR}/$1" ]; then
+ srcfile=$(realpath "${CERTDESTDIR}/$1")
+ filename="$1"
+ else
+ return
+ fi
+ [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
+ [ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename"
}
do_scan()
Modified: stable/12/usr.sbin/etcupdate/etcupdate.sh
==============================================================================
--- stable/12/usr.sbin/etcupdate/etcupdate.sh Fri Jan 24 14:58:02 2020 (r357081)
+++ stable/12/usr.sbin/etcupdate/etcupdate.sh Fri Jan 24 15:29:33 2020 (r357082)
@@ -595,6 +595,12 @@ post_install_file()
NEWALIAS_WARN=yes
fi
;;
+ /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+ log "certctl rehash"
+ if [ -z "$dryrun" ]; then
+ env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1
+ fi
+ ;;
/etc/login.conf)
log "cap_mkdb ${DESTDIR}$1"
if [ -z "$dryrun" ]; then
Modified: stable/12/usr.sbin/mergemaster/mergemaster.sh
==============================================================================
--- stable/12/usr.sbin/mergemaster/mergemaster.sh Fri Jan 24 14:58:02 2020 (r357081)
+++ stable/12/usr.sbin/mergemaster/mergemaster.sh Fri Jan 24 15:29:33 2020 (r357082)
@@ -884,6 +884,9 @@ mm_install () {
/etc/mail/aliases)
NEED_NEWALIASES=yes
;;
+ /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+ NEED_CERTCTL=yes
+ ;;
/etc/login.conf)
NEED_CAP_MKDB=yes
;;
@@ -1352,6 +1355,23 @@ case "${NEED_PWD_MKDB}" in
echo " '/usr/sbin/pwd_mkdb -p /etc/master.passwd'"
echo " to rebuild your password files"
run_it_now '/usr/sbin/pwd_mkdb -p /etc/master.passwd'
+ fi
+ ;;
+esac
+
+case "${NEED_CERTCTL}" in
+'') ;;
+*)
+ echo ''
+ echo "*** You installed files in /etc/ssl/certs, so make sure that you run"
+ if [ -n "${DESTDIR}" ]; then
+ echo " 'env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash'"
+ echo " to rebuild your certificate authority database"
+ run_it_now "env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash"
+ else
+ echo " '/usr/sbin/certctl rehash'"
+ echo " to rebuild your certificate authority database"
+ run_it_now "/usr/sbin/certctl rehash"
fi
;;
esac
More information about the svn-src-stable
mailing list