From nobody Thu Oct 5 15:11:30 2023
Date: Thu, 5 Oct 2023 15:11:30 GMT
Message-Id: <202310051511.395FBUK8072791@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: 1525625c7c94 - main - certctl: Clean up. List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 1525625c7c945856d4814987fd65784fd62cba74 Auto-Submitted: auto-generated The branch main has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=1525625c7c945856d4814987fd65784fd62cba74 commit 1525625c7c945856d4814987fd65784fd62cba74 Author: Dag-Erling Smørgrav AuthorDate: 2023-10-05 14:49:53 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2023-10-05 15:11:22 +0000 certctl: Clean up. MFC after: 3 days Reviewed by: allanjude Differential Revision: https://reviews.freebsd.org/D42086 --- usr.sbin/certctl/certctl.sh | 173 +++++++++++++++++++++++++------------------- 1 file changed, 99 insertions(+), 74 deletions(-) diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh index c216734a6e9a..02d055102c33 100755 --- a/usr.sbin/certctl/certctl.sh +++ b/usr.sbin/certctl/certctl.sh 
@@ -26,32 +26,53 @@ # POSSIBILITY OF SUCH DAMAGE. # +set -u + ############################################################ CONFIGURATION : ${DESTDIR:=} : ${DISTBASE:=} : ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$"} -: ${VERBOSE:=0} ############################################################ GLOBALS SCRIPTNAME="${0##*/}" ERRORS=0 -NOOP=0 -UNPRIV=0 +NOOP=false +UNPRIV=false +VERBOSE=false ############################################################ FUNCTIONS +info() +{ + echo "${0##*/}: $@" >&2 +} + +verbose() +{ + if "${VERBOSE}" ; then + info "$@" + fi +} + +perform() +{ + if ! "${NOOP}" ; then + "$@" + fi +} + do_hash() { local hash - if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then + if hash=$(openssl x509 -noout -subject_hash -in "$1") ; then echo "$hash" return 0 else - echo "Error: $1" >&2 - ERRORS=$(( $ERRORS + 1 )) + info "Error: $1" + ERRORS=$((ERRORS + 1)) return 1 fi } @@ -64,7 +85,7 @@ get_decimal() hash=$2 decimal=0 - while [ -e "$checkdir/$hash.$decimal" ]; do + while [ -e "$checkdir/$hash.$decimal" ] ; do decimal=$((decimal + 1)) done 
@@ -74,22 +95,21 @@ get_decimal() create_trusted_link() { - local blisthash certhash hash + local hash certhash otherfile otherhash local suffix - hash=$( do_hash "$1" ) || return - certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint ) - for blistfile in $(find $UNTRUSTDESTDIR -name "$hash.*"); do - blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint ) - if [ "$certhash" = "$blisthash" ]; then - echo "Skipping untrusted certificate $1 ($blistfile)" + hash=$(do_hash "$1") || return + certhash=$(openssl x509 -sha1 -in "$1" -noout -fingerprint) + for otherfile in $(find $UNTRUSTDESTDIR -name "$hash.*") ; do + otherhash=$(openssl x509 -sha1 -in "$otherfile" -noout -fingerprint) + if [ "$certhash" = "$otherhash" ] ; then + info "Skipping untrusted certificate $1 ($otherfile)" return 1 fi done suffix=$(get_decimal "$CERTDESTDIR" "$hash") - [ $VERBOSE -gt 0 ] && echo "Adding $hash.$suffix to trust store" - [ $NOOP -eq 0 ] && \ - install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.$suffix" + verbose "Adding $hash.$suffix to trust store" + perform install ${INSTALLFLAGS} -lrs "$(realpath "$1")" "$CERTDESTDIR/$hash.$suffix" } # Accepts either dot-hash form from `certctl list` or a path to a valid cert. @@ -99,13 +119,13 @@ resolve_certname() local suffix # If it exists as a file, we'll try that; otherwise, we'll scan - if [ -e "$1" ]; then - hash=$( do_hash "$1" ) || return + if [ -e "$1" ] ; then + hash=$(do_hash "$1") || return srcfile=$(realpath "$1") suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash") filename="$hash.$suffix" echo "$srcfile" "$hash.$suffix" - elif [ -e "${CERTDESTDIR}/$1" ]; then + elif [ -e "${CERTDESTDIR}/$1" ] ; then srcfile=$(realpath "${CERTDESTDIR}/$1") hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//') suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash") 
@@ -122,12 +142,12 @@ create_untrusted() srcfile=$1 filename=$2 - if [ -z "$srcfile" -o -z "$filename" ]; then + if [ -z "$srcfile" -o -z "$filename" ] ; then return fi - [ $VERBOSE -gt 0 ] && echo "Adding $filename to untrusted list" - [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename" + verbose "Adding $filename to untrusted list" + perform install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename" } do_scan() @@ -142,10 +162,10 @@ do_scan() IFS="$oldIFS" for CPATH in "$@"; do [ -d "$CPATH" ] || continue - echo "Scanning $CPATH for certificates..." - for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}"); do + info "Scanning $CPATH for certificates..." + for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}") ; do [ -e "$CPATH/$CFILE" ] || continue - [ $VERBOSE -gt 0 ] && echo "Reading $CFILE" + verbose "Reading $CFILE" "$CFUNC" "$CPATH/$CFILE" done done @@ -155,21 +175,21 @@ do_list() { local CFILE subject - if [ -e "$1" ]; then + if [ -e "$1" ] ; then cd "$1" - for CFILE in *.[0-9]; do - if [ ! -s "$CFILE" ]; then - echo "Unable to read $CFILE" >&2 - ERRORS=$(( $ERRORS + 1 )) + for CFILE in *.[0-9] ; do + if [ ! -s "$CFILE" ] ; then + info "Unable to read $CFILE" + ERRORS=$((ERRORS + 1)) continue fi subject= - if [ $VERBOSE -eq 0 ]; then - subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | - sed -n '/commonName/s/.*= //p' ) + if [ $VERBOSE -eq 0 ] ; then + subject=$(openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | + sed -n '/commonName/s/.*= //p') fi [ "$subject" ] || - subject=$( openssl x509 -noout -subject -in "$CFILE" ) + subject=$(openssl x509 -noout -subject -in "$CFILE") printf "%s\t%s\n" "$CFILE" "$subject" done cd - 
@@ -179,17 +199,15 @@ do_list() cmd_rehash() { - if [ $NOOP -eq 0 ]; then - if [ -e "$CERTDESTDIR" ]; then - find "$CERTDESTDIR" -type link -delete - else - mkdir -p "$CERTDESTDIR" - fi - if [ -e "$UNTRUSTDESTDIR" ]; then - find "$UNTRUSTDESTDIR" -type link -delete - else - mkdir -p "$UNTRUSTDESTDIR" - fi + if [ -e "$CERTDESTDIR" ] ; then + perform find "$CERTDESTDIR" -type link -delete + else + perform install -d -m 0755 "$CERTDESTDIR" + fi + if [ -e "$UNTRUSTDESTDIR" ] ; then + perform find "$UNTRUSTDESTDIR" -type link -delete + else + perform install -d -m 0755 "$UNTRUSTDESTDIR" fi do_scan create_untrusted "$UNTRUSTPATH" 
@@ -198,51 +216,51 @@ cmd_rehash() cmd_list() { - echo "Listing Trusted Certificates:" + info "Listing Trusted Certificates:" do_list "$CERTDESTDIR" } cmd_untrust() { - local BPATH + local UTFILE shift # verb - [ $NOOP -eq 0 ] && mkdir -p "$UNTRUSTDESTDIR" - for BFILE in "$@"; do - echo "Adding $BFILE to untrusted list" - create_untrusted "$BFILE" + perform install -d -m 0755 "$UNTRUSTDESTDIR" + for UTFILE in "$@"; do + info "Adding $UTFILE to untrusted list" + create_untrusted "$UTFILE" done } cmd_trust() { - local BFILE blisthash certhash hash + local UTFILE untrustedhash certhash hash shift # verb - for BFILE in "$@"; do - if [ -s "$BFILE" ]; then - hash=$( do_hash "$BFILE" ) - certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint ) - for BLISTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*"); do - blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint ) - if [ "$certhash" = "$blisthash" ]; then - echo "Removing $(basename "$BLISTEDFILE") from untrusted list" - [ $NOOP -eq 0 ] && rm -f $BLISTEDFILE + for UTFILE in "$@"; do + if [ -s "$UTFILE" ] ; then + hash=$(do_hash "$UTFILE") + certhash=$(openssl x509 -sha1 -in "$UTFILE" -noout -fingerprint) + for UNTRUSTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*") ; do + untrustedhash=$(openssl x509 -sha1 -in "$UNTRUSTEDFILE" -noout -fingerprint) + if [ "$certhash" = "$untrustedhash" ] ; then + info "Removing $(basename "$UNTRUSTEDFILE") from untrusted list" + perform rm -f $UNTRUSTEDFILE fi done - elif [ -e "$UNTRUSTDESTDIR/$BFILE" ]; then - echo "Removing $BFILE from untrusted list" - [ $NOOP -eq 0 ] && rm -f "$UNTRUSTDESTDIR/$BFILE" + elif [ -e "$UNTRUSTDESTDIR/$UTFILE" ] ; then + info "Removing $UTFILE from untrusted list" + perform rm -f "$UNTRUSTDESTDIR/$UTFILE" else - echo "Cannot find $BFILE" >&2 - ERRORS=$(( $ERRORS + 1 )) + info "Cannot find $UTFILE" + ERRORS=$((ERRORS + 1)) fi done } cmd_untrusted() { - echo "Listing Untrusted Certificates:" + info "Listing Untrusted Certificates:" 
do_list "$UNTRUSTDESTDIR" } @@ -270,18 +288,23 @@ while getopts D:d:M:nUv flag; do D) DESTDIR=${OPTARG} ;; d) DISTBASE=${OPTARG} ;; M) METALOG=${OPTARG} ;; - n) NOOP=1 ;; - U) UNPRIV=1 ;; - v) VERBOSE=$(( $VERBOSE + 1 )) ;; + n) NOOP=true ;; + U) UNPRIV=true ;; + v) VERBOSE=true ;; esac done -shift $(( $OPTIND - 1 )) +shift $((OPTIND - 1)) DESTDIR=${DESTDIR%/} +if ! [ -z "${CERTCTL_VERBOSE:-}" ] ; then + VERBOSE=true +fi : ${METALOG:=${DESTDIR}/METALOG} INSTALLFLAGS= -[ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}" +if "$UNPRIV" ; then + INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}" +fi : ${LOCALBASE:=$(sysctl -n user.localbase)} : ${TRUSTPATH:=${DESTDIR}${DISTBASE}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs} : ${UNTRUSTPATH:=${DESTDIR}${DISTBASE}/usr/share/certs/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted} @@ -302,7 +325,9 @@ blacklisted) cmd_untrusted ;; esac retval=$? -[ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2 +if [ $ERRORS -gt 0 ] ; then + info "Encountered $ERRORS errors" +fi exit $retval ################################################################################
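Review bot: in the first hunk (@@ -26,32 +26,53 @@), `info()` recomputes `${0##*/}` even though `SCRIPTNAME="${0##*/}"` is defined a few lines above in the GLOBALS section; `echo "${SCRIPTNAME}: $@" >&2` keeps the two from drifting apart. In the same hunk, `ERRORS=$((ERRORS + 1))` inside `do_hash` only ever runs in a subshell, because every caller uses command substitution (`hash=$(do_hash "$1")` in create_trusted_link and resolve_certname, `hash=$(do_hash "$UTFILE")` in cmd_trust), so the increment is lost and the final "Encountered $ERRORS errors" message never counts these failures. This predates the change, but since the line is being rewritten anyway, counting at the caller (`hash=$(do_hash "$1") || { ERRORS=$((ERRORS + 1)); return; }`) would make the counter accurate.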
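Review bot: in the create_trusted_link hunk (@@ -74,22 +95,21 @@), `"$(realpath "$1")"` gains quotes, but the loop header `for otherfile in $(find $UNTRUSTDESTDIR -name "$hash.*") ; do` keeps `$UNTRUSTDESTDIR` unquoted and still word-splits find's output. DESTDIR comes from `-D` on the command line, so a destination path containing whitespace makes find fail, the untrusted-list comparison is skipped, and the function falls through to `perform install ... -lrs` and links the certificate into the trust store regardless. Quoting `"$UNTRUSTDESTDIR"` fixes the first half; the word splitting can be avoided with `find "$UNTRUSTDESTDIR" -name "$hash.*" -exec ...` or a `while read` loop.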
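Review bot: in the do_list hunk (@@ -155,21 +175,21 @@), `if [ $VERBOSE -eq 0 ] ; then` was not converted along with the rest of the VERBOSE handling. VERBOSE is now the string `true` or `false` (GLOBALS and getopts hunks), so test(1) rejects the non-numeric operand, the short commonName lookup is never taken, and `certctl list` always prints the full subject and an error on stderr. It should read `if ! "$VERBOSE" ; then`, matching the `verbose()` helper added in the first hunk.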
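Review bot: in the cmd_rehash hunk (@@ -179,17 +199,15 @@), the directories are now created with `perform install -d -m 0755 "$CERTDESTDIR"` but without `${INSTALLFLAGS}`, while the symlinks are installed with `install ${INSTALLFLAGS} -lrs ...`. In unprivileged mode (`-U`, where the getopts hunk sets INSTALLFLAGS to `-U -M ${METALOG} -D ${DESTDIR}`) the symlinks are recorded in the METALOG but the directories containing them are not. Either pass `${INSTALLFLAGS}` here (and to the matching `install -d` in cmd_untrust), or keep `mkdir -p` if the switch to install(1) was only about the mode bits.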
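Review bot: in the cmd_trust hunk (@@ -198,51 +216,51 @@), `perform rm -f $UNTRUSTEDFILE` is the one remaining unquoted path expansion in a function that otherwise quotes every path (`"$UNTRUSTDESTDIR/$UTFILE"` two lines below); quote it as `"$UNTRUSTEDFILE"`. In the same loop, `hash=$(do_hash "$UTFILE")` ignores the exit status, unlike `hash=$(do_hash "$1") || return` in create_trusted_link, so an unparsable certificate leaves `hash` empty and the following `find $UNTRUSTDESTDIR -name "$hash.*"` becomes a search for `.*`; append `|| continue`.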
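Review bot: the getopts hunk (@@ -270,18 +288,23 @@) adds a `CERTCTL_VERBOSE` environment variable, but the commit message does not mention it and the diffstat shows only certctl.sh changed, so certctl(8) will not document it; either document it or split it into its own change. The same hunk turns `-v` from a counter (`VERBOSE=$((VERBOSE + 1))`) into a boolean, so `-vv` no longer does anything more than `-v`, which is worth a line in the message as well. Style: `if ! [ -z "${CERTCTL_VERBOSE:-}" ]` reads more naturally as `if [ -n "${CERTCTL_VERBOSE:-}" ]`.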