-rw-r--r-- | ObsoleteFiles.inc | 38 | ||||
-rw-r--r-- | UPDATING | 4 | ||||
-rw-r--r-- | etc/mtree/BSD.usr.dist | 4 | ||||
-rw-r--r-- | secure/caroot/Makefile | 2 | ||||
-rw-r--r-- | secure/caroot/README | 4 | ||||
-rw-r--r-- | secure/caroot/blacklisted/Makefile | 9 | ||||
-rw-r--r-- | secure/caroot/untrusted/AddTrust_External_Root.pem (renamed from secure/caroot/blacklisted/AddTrust_External_Root.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem (renamed from secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem (renamed from secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem (renamed from secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Certum_Root_CA.pem (renamed from secure/caroot/blacklisted/Certum_Root_CA.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem (renamed from secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem (renamed from secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/EC-ACC.pem (renamed from secure/caroot/blacklisted/EC-ACC.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem (renamed from secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/GeoTrust_Global_CA.pem (renamed from secure/caroot/blacklisted/GeoTrust_Global_CA.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem (renamed from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem (renamed from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem (renamed from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/GeoTrust_Universal_CA.pem (renamed from secure/caroot/blacklisted/GeoTrust_Universal_CA.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem (renamed from secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem (renamed from secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/LuxTrust_Global_Root_2.pem (renamed from secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Makefile | 9 | ||||
-rw-r--r-- | secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem (renamed from secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (renamed from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem (renamed from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem (renamed from secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (renamed from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem (renamed from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (renamed from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem (renamed from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Taiwan_GRCA.pem (renamed from secure/caroot/blacklisted/Taiwan_GRCA.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Trustis_FPS_Root_CA.pem (renamed from secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem (renamed from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (renamed from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem (renamed from secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem (renamed from secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem (renamed from secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (renamed from secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/thawte_Primary_Root_CA.pem (renamed from secure/caroot/blacklisted/thawte_Primary_Root_CA.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem (renamed from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem) | 0 | ||||
-rw-r--r-- | secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem (renamed from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem) | 0 | ||||
-rw-r--r-- | usr.sbin/certctl/certctl.8 | 47 | ||||
-rwxr-xr-x | usr.sbin/certctl/certctl.sh | 73 | ||||
-rwxr-xr-x | usr.sbin/etcupdate/etcupdate.sh | 2 | ||||
-rwxr-xr-x | usr.sbin/mergemaster/mergemaster.sh | 2 |
47 files changed, 120 insertions, 74 deletions
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 3802307d7761..468d967efdcc 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc 
@@ -44,6 +44,44 @@ OLD_FILES+=usr/share/man/man9/crypto_cursor_segbase.9.gz OLD_FILES+=usr/share/man/man9/crypto_cursor_seglen.9.gz +# 20210618: rename of usr/share/certs/blacklisted +OLD_FILES+=usr/share/certs/blacklisted/AddTrust_External_Root.pem +OLD_FILES+=usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem +OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem +OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Global_Chambersign_Root.pem +OLD_FILES+=usr/share/certs/blacklisted/Certum_Root_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Chambers_of_Commerce_Root_-_2008.pem +OLD_FILES+=usr/share/certs/blacklisted/D-TRUST_Root_CA_3_2013.pem +OLD_FILES+=usr/share/certs/blacklisted/EC-ACC.pem +OLD_FILES+=usr/share/certs/blacklisted/EE_Certification_Centre_Root_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Global_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA_2.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Global_Chambersign_Root_-_2008.pem +OLD_FILES+=usr/share/certs/blacklisted/LuxTrust_Global_Root_2.pem +OLD_FILES+=usr/share/certs/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem +OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/SwissSign_Platinum_CA_-_G2.pem +OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem +OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem 
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem +OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem +OLD_FILES+=usr/share/certs/blacklisted/Taiwan_GRCA.pem +OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G2.pem +OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem +OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem +OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem +OLD_DIRS+=usr/share/certs/blacklisted # 20210613: new clang import which bumps version from 11.0.1 to 12.0.0. OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/algorithm OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/complex @@ -27,6 +27,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +202106xx: + The directory "blacklisted" under /usr/share/certs/ has been + renamed to "untrusted". + 20210611: svnlite has been removed from base. Should you need svn for any reason please install the svn package or port. diff --git a/etc/mtree/BSD.usr.dist b/etc/mtree/BSD.usr.dist index a4a247b7eefd..2bdb65f7b2ab 100644 --- a/etc/mtree/BSD.usr.dist +++ b/etc/mtree/BSD.usr.dist 
@@ -205,10 +205,10 @@ .. .. certs - blacklisted tags=package=caroot - .. trusted tags=package=caroot .. + untrusted tags=package=caroot + .. .. dict .. diff --git a/secure/caroot/Makefile b/secure/caroot/Makefile index 50f92ecc6542..c685c5f6cc7a 100644 --- a/secure/caroot/Makefile +++ b/secure/caroot/Makefile @@ -3,7 +3,7 @@ CLEANFILES+= certdata.txt SUBDIR+= trusted -SUBDIR+= blacklisted +SUBDIR+= untrusted .include <bsd.obj.mk> diff --git a/secure/caroot/README b/secure/caroot/README index 9a4fc0320e2a..1e123080559e 100644 --- a/secure/caroot/README +++ b/secure/caroot/README @@ -14,8 +14,8 @@ It will: Then the results should manually be inspected (svn status) 1) Any no-longer-trusted certificates should be moved to the - blacklisted directory (svn mv) - 2) any newly added certificates will need to be added (svn add) + untrusted directory (git mv) + 2) any newly added certificates will need to be added (git add) The following make targets exist: diff --git a/secure/caroot/blacklisted/Makefile b/secure/caroot/blacklisted/Makefile deleted file mode 100644 index b7ccfbe88c03..000000000000 --- a/secure/caroot/blacklisted/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -# $FreeBSD$ - -BINDIR= /usr/share/certs/blacklisted - -BLACKLISTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true - -FILES+= ${BLACKLISTED_CERTS} - -.include <bsd.prog.mk> diff --git a/secure/caroot/blacklisted/AddTrust_External_Root.pem b/secure/caroot/untrusted/AddTrust_External_Root.pem index 701bc7bce072..701bc7bce072 100644 --- a/secure/caroot/blacklisted/AddTrust_External_Root.pem +++ b/secure/caroot/untrusted/AddTrust_External_Root.pem diff --git a/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem b/secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem index 0595db909a49..0595db909a49 100644 --- a/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem +++ b/secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem 
diff --git a/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
index cf7de6cc122b..cf7de6cc122b 100644
--- a/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
+++ b/secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
diff --git a/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
index b1fa96bc405e..b1fa96bc405e 100644
--- a/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
+++ b/secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
diff --git a/secure/caroot/blacklisted/Certum_Root_CA.pem b/secure/caroot/untrusted/Certum_Root_CA.pem
index f815c49ddae0..f815c49ddae0 100644
--- a/secure/caroot/blacklisted/Certum_Root_CA.pem
+++ b/secure/caroot/untrusted/Certum_Root_CA.pem
diff --git a/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
index 1e3864180a66..1e3864180a66 100644
--- a/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
+++ b/secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
index debf7b30c2ef..debf7b30c2ef 100644
--- a/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
+++ b/secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
diff --git a/secure/caroot/blacklisted/EC-ACC.pem b/secure/caroot/untrusted/EC-ACC.pem
index a4b43b39414b..a4b43b39414b 100644
--- a/secure/caroot/blacklisted/EC-ACC.pem
+++ b/secure/caroot/untrusted/EC-ACC.pem
diff --git a/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem b/secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
index 2fa258f19ee8..2fa258f19ee8 100644
--- a/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem
+++ b/secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Global_CA.pem b/secure/caroot/untrusted/GeoTrust_Global_CA.pem
index 49934ff8c673..49934ff8c673 100644
--- a/secure/caroot/blacklisted/GeoTrust_Global_CA.pem
+++ b/secure/caroot/untrusted/GeoTrust_Global_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
index 91907ba216f0..91907ba216f0 100644
--- a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem
+++ b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
index b03758a63c98..b03758a63c98 100644
--- a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
+++ b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
index 2d127e574a0e..2d127e574a0e 100644
--- a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA.pem
index 021d3dd07b38..021d3dd07b38 100644
--- a/secure/caroot/blacklisted/GeoTrust_Universal_CA.pem
+++ b/secure/caroot/untrusted/GeoTrust_Universal_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
index 3ad5dfa8a1ac..3ad5dfa8a1ac 100644
--- a/secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem
+++ b/secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
diff --git a/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
index cd9bebaf8c0f..cd9bebaf8c0f 100644
--- a/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
+++ b/secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem b/secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
index 9b1aa35e7037..9b1aa35e7037 100644
--- a/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
+++ b/secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
diff --git a/secure/caroot/untrusted/Makefile b/secure/caroot/untrusted/Makefile
new file mode 100644
index 000000000000..e988841071d2
--- /dev/null
+++ b/secure/caroot/untrusted/Makefile
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+BINDIR= /usr/share/certs/untrusted
+
+UNTRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true
+
+FILES+= ${UNTRUSTED_CERTS}
+
+.include <bsd.prog.mk>
diff --git a/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem b/secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
index 08ea553a9e80..08ea553a9e80 100644
--- a/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
+++ b/secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
index 2f36eaed33af..2f36eaed33af 100644
--- a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
+++ b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
index 14a79c4c3e24..14a79c4c3e24 100644
--- a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
+++ b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
diff --git a/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem b/secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
index f4678f629684..f4678f629684 100644
--- a/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
+++ b/secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
index ffac924e93ac..ffac924e93ac 100644
--- a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
+++ b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
index 019c97a13d34..019c97a13d34 100644
--- a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
+++ b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
index 97c6caf2b862..97c6caf2b862 100644
--- a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
+++ b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
index df9468c1249e..df9468c1249e 100644
--- a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
+++ b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Taiwan_GRCA.pem b/secure/caroot/untrusted/Taiwan_GRCA.pem
index 1d7bf6ad8ce9..1d7bf6ad8ce9 100644
--- a/secure/caroot/blacklisted/Taiwan_GRCA.pem
+++ b/secure/caroot/untrusted/Taiwan_GRCA.pem
diff --git a/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem b/secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
index 476ba64dfd63..476ba64dfd63 100644
--- a/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
+++ b/secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
index cd10cc02f295..cd10cc02f295 100644
--- a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
+++ b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
index 75bf34ee90f2..75bf34ee90f2 100644
--- a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
+++ b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem b/secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
index 353f709ad531..353f709ad531 100644
--- a/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
+++ b/secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
index d060de75b329..d060de75b329 100644
--- a/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
index 89400caf7eb6..89400caf7eb6 100644
--- a/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
index 823fcd0b4e9d..823fcd0b4e9d 100644
--- a/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA.pem
index 087274ba4c19..087274ba4c19 100644
--- a/secure/caroot/blacklisted/thawte_Primary_Root_CA.pem
+++ b/secure/caroot/untrusted/thawte_Primary_Root_CA.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
index 0abe25c5f88c..0abe25c5f88c 100644
--- a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem
+++ b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
index c877ca070321..c877ca070321 100644
--- a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem
+++ b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8 index 8ca2cd37dee5..9af2adaba757 100644 --- a/usr.sbin/certctl/certctl.8 +++ b/usr.sbin/certctl/certctl.8 @@ -26,19 +26,19 @@ .\" .\" $FreeBSD$ .\" -.Dd January 7, 2021 +.Dd June 18, 2021 .Dt CERTCTL 8 .Os .Sh NAME .Nm certctl -.Nd "tool for managing trusted and blacklist TLS certificates" +.Nd "tool for managing trusted and untrusted TLS certificates" .Sh SYNOPSIS .Nm .Op Fl v .Ic list .Nm .Op Fl v -.Ic blacklisted +.Ic untrusted .Nm .Op Fl nUv .Op Fl D Ar destdir @@ -46,10 +46,10 @@ .Ic rehash .Nm .Op Fl nv -.Ic blacklist Ar file +.Ic untrust Ar file .Nm .Op Fl nv -.Ic unblacklist Ar file +.Ic trust Ar file .Sh DESCRIPTION The .Nm @@ -72,28 +72,28 @@ Do record the ownership in the METALOG file. .El .Pp Primary command functions: -.Bl -tag -width blacklisted +.Bl -tag -width untrusted .It Ic list List all currently trusted certificate authorities. -.It Ic blacklisted -List all currently blacklisted certificates. +.It Ic untrusted +List all currently untrusted certificates. .It Ic rehash Rebuild the list of trusted certificate authorities by scanning all directories in .Ev TRUSTPATH -and all blacklisted certificates in -.Ev BLACKLISTPATH . +and all untrusted certificates in +.Ev UNTRUSTPATH . A symbolic link to each trusted certificate is placed in .Ev CERTDESTDIR -and each blacklisted certificate in -.Ev BLACKLISTDESTDIR . -.It Ic blacklist -Add the specified file to the blacklist. -.It Ic unblacklist -Remove the specified file from the blacklist. +and each untrusted certificate in +.Ev UNTRUSTDESTDIR . +.It Ic untrust +Add the specified file to the untrusted list. +.It Ic trust +Remove the specified file from the untrusted list. .El .Sh ENVIRONMENT -.Bl -tag -width BLACKLISTDESTDIR +.Bl -tag -width UNTRUSTDESTDIR .It Ev DESTDIR Alternate destination directory to operate on. .It Ev TRUSTPATH 
@@ -101,19 +101,20 @@ List of paths to search for trusted certificates. Default: .Pa <DESTDIR>/usr/share/certs/trusted .Pa <DESTDIR>/usr/local/share/certs <DESTDIR>/usr/local/etc/ssl/certs -.It Ev BLACKLISTPATH -List of paths to search for blacklisted certificates. +.It Ev UNTRUSTPATH +List of paths to search for untrusted certificates. Default: -.Pa <DESTDIR>/usr/share/certs/blacklisted +.Pa <DESTDIR>/usr/share/certs/untrusted +.Pa <DESTDIR>/usr/local/etc/ssl/untrusted .Pa <DESTDIR>/usr/local/etc/ssl/blacklisted .It Ev CERTDESTDIR Destination directory for symbolic links to trusted certificates. Default: .Pa <DESTDIR>/etc/ssl/certs -.It Ev BLACKLISTDESTDIR -Destination directory for symbolic links to blacklisted certificates. +.It Ev UNTRUSTDESTDIR +Destination directory for symbolic links to untrusted certificates. Default: -.Pa <DESTDIR>/etc/ssl/blacklisted +.Pa <DESTDIR>/etc/ssl/untrusted .It Ev EXTENSIONS List of file extensions to read as certificate files. Default: *.pem *.crt *.cer *.crl *.0 diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh index 1a491cf3a047..327eaa6381a6 100755 --- a/usr.sbin/certctl/certctl.sh +++ b/usr.sbin/certctl/certctl.sh @@ -79,10 +79,10 @@ create_trusted_link() hash=$( do_hash "$1" ) || return certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint ) - for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do + for blistfile in $(find $UNTRUSTDESTDIR -name "$hash.*"); do blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint ) if [ "$certhash" = "$blisthash" ]; then - echo "Skipping blacklisted certificate $1 ($blistfile)" + echo "Skipping untrusted certificate $1 ($blistfile)" return 1 fi done 
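Review bot: `$UNTRUSTDESTDIR` is expanded unquoted inside `$(find $UNTRUSTDESTDIR -name "$hash.*")` in create_trusted_link, so a DESTDIR containing whitespace or glob characters makes find search the wrong paths; the untrusted check then matches nothing and the certificate is linked as trusted. The line is rewritten by this change anyway, so quote it: `for blistfile in $(find "$UNTRUSTDESTDIR" -name "$hash.*"); do`. The cmd_trust hunk further down carries the same unquoted `find $UNTRUSTDESTDIR`, next to an unquoted `rm -f $BLISTEDFILE` in its context lines. create_trusted_link begins and ends outside this hunk.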
@@ -102,19 +102,19 @@ resolve_certname() if [ -e "$1" ]; then hash=$( do_hash "$1" ) || return srcfile=$(realpath "$1") - suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") + suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash") filename="$hash.$suffix" echo "$srcfile" "$hash.$suffix" elif [ -e "${CERTDESTDIR}/$1" ]; then srcfile=$(realpath "${CERTDESTDIR}/$1") hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//') - suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") + suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash") filename="$hash.$suffix" echo "$srcfile" "$hash.$suffix" fi } -create_blacklisted() +create_untrusted() { local srcfile filename @@ -126,8 +126,8 @@ create_blacklisted() return fi - [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" - [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" + [ $VERBOSE -gt 0 ] && echo "Adding $filename to untrusted list" + [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename" } do_scan() @@ -185,14 +185,14 @@ cmd_rehash() else mkdir -p "$CERTDESTDIR" fi - if [ -e "$BLACKLISTDESTDIR" ]; then - find "$BLACKLISTDESTDIR" -type link -delete + if [ -e "$UNTRUSTDESTDIR" ]; then + find "$UNTRUSTDESTDIR" -type link -delete else - mkdir -p "$BLACKLISTDESTDIR" + mkdir -p "$UNTRUSTDESTDIR" fi fi - do_scan create_blacklisted "$BLACKLISTPATH" + do_scan create_untrusted "$UNTRUSTPATH" do_scan create_trusted_link "$TRUSTPATH" } @@ -202,19 +202,19 @@ cmd_list() do_list "$CERTDESTDIR" } -cmd_blacklist() +cmd_untrust() { local BPATH shift # verb - [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + [ $NOOP -eq 0 ] && mkdir -p "$UNTRUSTDESTDIR" for BFILE in "$@"; do - echo "Adding $BFILE to blacklist" - create_blacklisted "$BFILE" + echo "Adding $BFILE to untrusted list" + create_untrusted "$BFILE" done } -cmd_unblacklist() +cmd_trust() { local BFILE blisthash certhash hash 
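Review bot: cmd_rehash clears and repopulates only `$UNTRUSTDESTDIR`, whose default becomes `${DESTDIR}/etc/ssl/untrusted` in the last hunk of this file, so links an earlier certctl left in `${DESTDIR}/etc/ssl/blacklisted` are never removed. Those links presumably point at files under usr/share/certs/blacklisted, which the ObsoleteFiles.inc hunk now deletes, leaving a directory of dangling symlinks that an administrator could mistake for the active distrust list. Nothing visible in this diff cleans it up; consider a one-time removal beside the existing cleanup, for example `[ -d "${DESTDIR}/etc/ssl/blacklisted" ] && find "${DESTDIR}/etc/ssl/blacklisted" -type link -delete`, or at least a comment naming the old directory. cmd_rehash begins and ends outside the hunk.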
@@ -223,16 +223,16 @@ cmd_unblacklist() if [ -s "$BFILE" ]; then hash=$( do_hash "$BFILE" ) certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint ) - for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do + for BLISTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*"); do blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint ) if [ "$certhash" = "$blisthash" ]; then - echo "Removing $(basename "$BLISTEDFILE") from blacklist" + echo "Removing $(basename "$BLISTEDFILE") from untrusted list" [ $NOOP -eq 0 ] && rm -f $BLISTEDFILE fi done - elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then - echo "Removing $BFILE from blacklist" - [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" + elif [ -e "$UNTRUSTDESTDIR/$BFILE" ]; then + echo "Removing $BFILE from untrusted list" + [ $NOOP -eq 0 ] && rm -f "$UNTRUSTDESTDIR/$BFILE" else echo "Cannot find $BFILE" >&2 ERRORS=$(( $ERRORS + 1 )) @@ -240,10 +240,10 @@ cmd_unblacklist() done } -cmd_blacklisted() +cmd_untrusted() { - echo "Listing Blacklisted Certificates:" - do_list "$BLACKLISTDESTDIR" + echo "Listing Untrusted Certificates:" + do_list "$UNTRUSTDESTDIR" } usage() 
@@ -252,14 +252,14 @@ usage() echo "Manage the TLS trusted certificates on the system" echo " $SCRIPTNAME [-v] list" echo " List trusted certificates" - echo " $SCRIPTNAME [-v] blacklisted" - echo " List blacklisted certificates" + echo " $SCRIPTNAME [-v] untrusted" + echo " List untrusted certificates" echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash" echo " Generate hash links for all certificates" - echo " $SCRIPTNAME [-nv] blacklist <file>" - echo " Add <file> to the list of blacklisted certificates" - echo " $SCRIPTNAME [-nv] unblacklist <file>" - echo " Remove <file> from the list of blacklisted certificates" + echo " $SCRIPTNAME [-nv] untrust <file>" + echo " Add <file> to the list of untrusted certificates" + echo " $SCRIPTNAME [-nv] trust <file>" + echo " Remove <file> from the list of untrusted certificates" exit 64 } @@ -281,17 +281,20 @@ INSTALLFLAGS= [ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}" : ${LOCALBASE:=$(sysctl -n user.localbase)} : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs} -: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted} +: ${UNTRUSTPATH:=${DESTDIR}/usr/share/certs/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted} : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} -: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} +: ${UNTRUSTDESTDIR:=${DESTDIR}/etc/ssl/untrusted} [ $# -gt 0 ] || usage case "$1" in list) cmd_list ;; rehash) cmd_rehash ;; -blacklist) cmd_blacklist "$@" ;; -unblacklist) cmd_unblacklist "$@" ;; -blacklisted) cmd_blacklisted ;; +blacklist) cmd_untrust "$@" ;; +untrust) cmd_untrust "$@" ;; +trust) cmd_trust "$@" ;; +unblacklist) cmd_trust "$@" ;; +untrusted) cmd_untrusted ;; +blacklisted) cmd_untrusted ;; *) usage # NOTREACHED esac 
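Review bot: The old verbs `blacklist`, `unblacklist` and `blacklisted` stay as aliases in the `case`, but the old environment variables do not: a site that exports `BLACKLISTPATH` or `BLACKLISTDESTDIR` is silently moved to the new defaults, so certificates it distrusts through a custom directory are no longer excluded at the next rehash. Fall back to the old names before the defaults are applied, `: ${UNTRUSTPATH:=${BLACKLISTPATH:-}}` and `: ${UNTRUSTDESTDIR:=${BLACKLISTDESTDIR:-}}`, placed ahead of the two `: ${UNTRUST...:=...}` lines. If the break is intended, certctl.8 and UPDATING should say so; the UPDATING entry in this diff mentions only the /usr/share/certs directory.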
diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh index acfc601b93af..162a44059e3e 100755 --- a/usr.sbin/etcupdate/etcupdate.sh +++ b/usr.sbin/etcupdate/etcupdate.sh @@ -600,7 +600,7 @@ post_install_file() NEWALIAS_WARN=yes fi ;; - /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*) log "certctl rehash" if [ -z "$dryrun" ]; then env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1 diff --git a/usr.sbin/mergemaster/mergemaster.sh b/usr.sbin/mergemaster/mergemaster.sh index 7703e2856111..5b7a656c1cd9 100755 --- a/usr.sbin/mergemaster/mergemaster.sh +++ b/usr.sbin/mergemaster/mergemaster.sh @@ -884,7 +884,7 @@ mm_install () { /etc/mail/aliases) NEED_NEWALIASES=yes ;; - /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*) NEED_CERTCTL=yes ;; /etc/login.conf) |