Ever since certctl was rewritten in C, the rehash command has reingested
TRUSTDESTDIR / UNTRUSTDESTDIR in addition to TRUSTPATH / UNTRUSTPATH.
This seemed like a good idea at the time but was, in retrospect, a
mistake, as it means a (un)trusted certificate remains (un)trusted
forever (or at least until it expires) even if it is removed from
(UN)TRUSTPATH. Among other issues, it causes ports QA to fail for any
port that either installs certificates or depends on a port that does.
Although this behavior was undocumented, the change may surprise users
who have added certificates manually, so update the manual page to point
it out and add prominent warnings to the trust and untrust commands.
PR: 290078
MFC after: 1 week
Reviewed by: kevans, bcr
Differential Revision: https://reviews.freebsd.org/D56617

With the reimplementation in C of certctl, the environment variable
previously known as CERTDESTDIR was renamed to TRUSTDESTDIR for
consistency.
Although the previous variable is still valid, prefer the new one, as it
is described in the manual page, while the old one is not.
Reviewed by: des
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D54044

- Fix a typo.
- Provide the default path.
Reviewed by: des
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53001

This is needed to fix bootstrapping on FreeBSD versions before commit
56ee5c551f89 ("sysctl: make sys/sysctl.h self contained"). Moreover,
certctl should really be including sys/types.h directly since it uses
size_t.
MFC after: 1 week

In a pkgbase world, we cannot assume that these directories exist; we
must create them ourselves.
Fixes: c340ef28fd38 ("certctl: Reimplement in C")
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52121

Notable changes include:
* We no longer forget manually untrusted certificates when rehashing.
* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.
* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.
* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.
This allows e.g. Unbound to preload the bundle before chrooting.
* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.
* We now also have tests.
Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896

The reimplementation of certctl, while much needed, broke the release
build and 72 hours later corrections are still under review (D51896).
This revert should be reverted once that is ready to land; I just need
this out of the tree temporarily because breakage is interfering with
release engineering for the upcoming 15.0-RELEASE.
Unsquashed reversions:
Revert "etc: add missing mtree entry for certctl tests"
This reverts commit f751757259158a8d3b81d4fb7576b3ebe226dece.
Revert "certctl: Fix bootstrap build"
This reverts commit c989e3cc3da1bfd8ac3ec5a05d1e86ab8ff719f7.
Revert "certctl: Reimplement in C"
This reverts commit 81d8827ad8752e35411204541f1f09df1481e417.
With hat: re@

Fixes: 81d8827ad875 ("certctl: Reimplement in C")

This reverts commit 42ac41983ee184e818f6e8da791a5c6c7530f87e.

Fixes: 81d8827ad875 ("certctl: Reimplement in C")

Notable changes include:
* We no longer forget manually untrusted certificates when rehashing.
* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.
* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.
* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.
* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.
* The DISTBASE concept has been dropped; the same effect can be achieved
by adjusting DESTDIR.
* We now also have rudimentary tests.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42320

This is slower than linking but is the only method that works for all
cases, including running certctl from outside a jail that does not
contain the raw certificate data.
While here, fix a bug that occurs in unprivileged mode if DESTDIR
is unset or the root directory.
MFC after: 1 week
Reviewed by: dfr
Differential Revision: https://reviews.freebsd.org/D51373

This sets the correct ownership values when building base.txz
This is an updated version of commit 10fa3f2518d4, omitting the
`-N ${DESTDIR}${DISTBASE}/etc` from the original commit.
install(1) does not validate the arguments passed to -o or -g
(see PR283355) so there's no need to have the passwd db available
for now. Future work includes plumbing the appropriate passwd db
path through certctl, and validating uid and gid in install(1).
PR: 283340
Reviewed by: jrtc27
Differential Revision: https://reviews.freebsd.org/D48506

This introduces a circular dependency because it requires an existing
dbdir for install -N, which might not yet exist.
I imagine we can use install -o 0 -g -0, avoiding the need for the
dbdir, but install emits uname=0 gname=0 rather than uid=0 gid=0.
So just revert for now pending a full fix.
This reverts commit 10fa3f2518d4582c98d74527f79af9f30b1eceab.
PR: 283340
Event: January 2025 Bug-busting session
Sponsored by: The FreeBSD Foundation

This sets the correct ownership values when building base.txz
PR: 283340
Reviewed by: allanjude
Pull request: https://github.com/freebsd/freebsd-src/pull/1550
Signed-off-by: Pat Maddox <pat@patmaddox.com>

After building packages we have a number of new
and updated Makefile.depend files
Reviewed by: stevek

This is a residual of the $FreeBSD$ removal.
MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix

Unfortunately tar will not be able to extract base.txz to a system where
/etc and /usr are not on the same filesystem if the certificates are
hard links.
PR: 277828
Reviewed by: mp
Differential Revision: https://reviews.freebsd.org/D44496

This ensures that certificate files or bundles with DOS or Mac line
endings are recognized as such and handled identically to those with
Unix line endings.
PR: 274952
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D42490

Document the LOCALBASE variable and that it's set to user.localbase by
default. Update path defaults that depend on it.
Reviewed by: bcr
Differential Revision: https://reviews.freebsd.org/D40529

- If an untrusted certificate is also found in the list of trusted
certificate, issue a warning and skip it, but don't fail.
- Split on -+BEGIN CERTIFICATE-+ instead of "Certificate:" since
that's what we're really looking for.
Also fix a long-standing bug: .crl files are not certificates, so we
should not include them when searching for certificates.
Reported by: madpilot, netchild, tijl
Reviewed by: netchild, allanjude
Differential Revision: https://reviews.freebsd.org/D42276

This allows 'certctl rehash' to do the right thing when ca_root_nss is
installed, instead of linking the entire bundle to the hash of the
first certificate it contains.
MFC after: 3 days
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D42087

MFC after: 3 days
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D42086

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

This splits out the certctl utility into a new certctl package and the
openssl libs into an openssl-lib package.
PR: 272816
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D41321

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

Solves duplicate slashes in paths
Scanning //usr/share/certs/trusted for certificates...
Scanning //usr/local/share/certs for certificates...
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/595

This will be used by Makefile.inc1 to fix -DNO_ROOT distributeworld,
which needs to split out DESTDIR from DISTBASE so the METALOG file
includes the base/ prefix.
Reviewed by: kevans
Obtained from: CheriBSD
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35808

There is no reason that this shouldn't be there.
Change the dependency of caroot from utilities to openssl as it's
the only command that it uses not in runtime.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33458

Old certctl commands still work for compatibility, but are deprecated.
Approved by: secteam (gordon)
Differential Revision: https://reviews.freebsd.org/D30807

create_blacklisted() will identify a cert whether it's provided a path to
a cert or the hash.serial format that is shown by `certctl list`.
Factor this logic out into a resolve_certname() so that it may be reused
elsewhere.

Use the new user.localbase sysctl here as well, to reduce the number of
hardcoded localbase by one (1).
MFC after: 3 days (note: just use a literal /usr/local default)

MFC after: 3 days

The first issue was lack of quoting around INSTALLFLAGS, which set it
incorrectly and produced an error on -M.
The second issue was that we weren't actually doing the install in
unprivileged mode, making it effectively useless. This was designed to pass
through the proper metalog/unpriv flags to install(1), so just let it
happen.
MFC after: 3 days
Notes:
svn path=/head/; revision=365756

Currently, certctl rehash will just keep clobbering .0 rather than
incrementing the suffix upon encountering a duplicate. Do this, and do it
for blacklisted certs as well.
This also improves the situation with the blacklist to be a little less
flakey, comparing cert fingerprints for all certs with a matching subject
hash in the blacklist to determine if the cert we're looking at can be
installed.
Future work needs to completely revamp the blacklist to align more with how
it's described in PR 246614. In particular, /etc/ssl/blacklisted should go
away to avoid potential confusion -- OpenSSL will not read it, it's
basically certctl internal.
PR: 246614
Reviewed by: Michael Osipov <michael.osipov siemens com>
Tested by: Michael Osipov
With suggestions from: Michael Osipov
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D26167
Notes:
svn path=/head/; revision=365500

test doesn't understand &&, but it does understand -a.
MFC after: 1 week
Notes:
svn path=/head/; revision=361683

certctl was merged to stable/12 after 12.1 was branched.
PR: 246190
Reported by: Michael Osipov <michael.osipov@siemens.com>
MFC after: 3 days
Notes:
svn path=/head/; revision=361655

flags. For ease of integration, use the same flags as install:
-U unprivileged mode
-D <destdir> Specify DESTDIR (overrides the environment)
-M <metalog> Full path to METALOG file
Reviewed by: kevans
Obtained from: CheriBSD
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D24932
Notes:
svn path=/head/; revision=361397

Up until now, all of our DESTDIR use has been with absolute paths. It turned
out that the cd in/out dance we do here breaks us down later on, as the
relative path no longer resolves.
Convert EXTENSIONS to an ERE that we'll use to grep ls -1 of the dir we're
inspecting, rather than cd'ing into it and globbing it up.
MFC after: 3 days
Notes:
svn path=/head/; revision=361148

Otherwise, removals from the blacklist may not get processed as they should.
While we're here, restructure these to not bother with mkdir(1) if we've
already tested them to exist.
MFC after: 3 days
Notes:
svn path=/head/; revision=361023

It's been reported/noted that a well-timed `certctl rehash` will completely
obliterate $CERTDESTDIR, which may get used by ports or system
administrators. While we can't guarantee the certctl semantics when other
non-certctl-controlled bits live here, we should make some amount of effort
to play nice.
Pruning all existing links, which we'll subsequently rebuild as needed, is
sufficient for our needs. This can still be destructive, but it's perhaps
less likely to cause issues.
I also note that we should probably be pruning /etc/ssl/blacklisted upon
rehash as well.
Reported by: cem's dovecot server
MFC after: 3 days
Notes:
svn path=/head/; revision=361022

"Oops" - ln(1) is fine and dandy, but when you're using DESTDIR...it's not-
the path will almost certainly be invalid once the root you've just
installed to is relocated, perhaps to /.
Switch to install(1) using `-l rs` to calculate the relative symlink between
the two, which should work just fine in all cases.
MFC after: 1 week
Notes:
svn path=/head/; revision=358091

It seems reasonable to allow, for instance:
$ certctl list
# reviews output -- ah, yeah, I don't trust that one
$ certctl blacklist ce5e74ef.0
$ certctl rehash
We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've
described it to them in `certctl list` output -- I see little sense in
forcing another level of filesystem inspection to determine what cert file
this physically corresponds to.
Notes:
svn path=/head/; revision=353070

Otherwise we end up creating broken relative symlinks in
/etc/ssl/blacklisted.
Notes:
svn path=/head/; revision=353066

This is a simple utility to hash all trusted on the system into
/etc/ssl/certs. It also allows the user to blacklist certificates they do
not trust.
This work was done primarily by allanjude@, with minor contributions by
myself.
No objection from: secteam
Differential Revision: https://reviews.freebsd.org/D16857
Notes:
svn path=/head/; revision=352949