Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 24 Jan 2020 15:29:33 +0000 (UTC)
From:      Kyle Evans <kevans@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r357082 - in stable: 11/etc/mtree 11/secure 11/secure/caroot 11/share/mk 11/usr.sbin 11/usr.sbin/certctl 11/usr.sbin/etcupdate 11/usr.sbin/mergemaster 12/etc/mtree 12/secure 12/secure/c...
Message-ID:  <202001241529.00OFTXvc095041@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: kevans
Date: Fri Jan 24 15:29:33 2020
New Revision: 357082
URL: https://svnweb.freebsd.org/changeset/base/357082

Log:
  MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure
  
  Infrastructure only -- no plans in place currently to commit any certs to
  these branches.
  
  r352948:
  [1/3] Initial infrastructure for SSL root bundle in base
  
  This setup will add the trusted certificates from the Mozilla NSS bundle
  to base.
  
  This commit includes:
  - CAROOT option to opt out of installation of certs
  - mtree amendments for final destinations
  - infrastructure to fetch/update certs, along with instructions
  
  A follow-up commit will add a certctl(8) utility to give the user control
  over trust specifics. Another follow-up commit will actually commit the
  initial result of updatecerts.
  
  This work was done primarily by allanjude@, with minor contributions by
  myself.
  
  r352949:
  [2/3] Add certctl(8)
  
  This is a simple utility to hash all trusted on the system into
  /etc/ssl/certs. It also allows the user to blacklist certificates they do
  not trust.
  
  This work was done primarily by allanjude@, with minor contributions by
  myself.
  
  r352950:
  [3/3] etcupdate and mergemaster support for certctl
  
  This commit add support for certctl in mergemaster and etcupdate. Both will
  either rehash or prompt for rehash as new certificates are
  trusted/blacklisted.
  
  This work was done primarily by allanjude@, with minor contributions by
  myself.
  
  r352951:
  caroot: add @generated tags to extracted .pem
  
  As is the current trend; while these files are manually curated, they are
  still generated.  If they end up in a review, it would be helpful to also
  take the hint and hide them.
  
  r353002:
  Unbreak etcupdate(8) and mergemaster(8) after r352950
  
  r352950 introduced improper case fall-through for shell scripts. Fix it with
  a pipe.
  
  r353066:
  certctl(8): realpath the file before creating the symlink
  
  Otherwise we end up creating broken relative symlinks in
  /etc/ssl/blacklisted.
  
  r353070:
  certctl(8): let one blacklist based on hashed filenames
  
  It seems reasonable to allow, for instance:
  
  $ certctl list
  # reviews output -- ah, yeah, I don't trust that one
  $ certctl blacklist ce5e74ef.0
  $ certctl rehash
  
  We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've
  described it to them in `certctl list` output -- I see little sense in
  forcing another level of filesystem inspection to determien what cert file
  this physically corresponds to.
  
  Relnotes:	yes

Added:
  stable/11/secure/caroot/
     - copied from r352951, head/secure/caroot/
  stable/11/usr.sbin/certctl/
     - copied from r352951, head/usr.sbin/certctl/
Modified:
  stable/11/etc/mtree/BSD.usr.dist
  stable/11/secure/Makefile
  stable/11/share/mk/src.opts.mk
  stable/11/usr.sbin/Makefile
  stable/11/usr.sbin/certctl/certctl.sh
  stable/11/usr.sbin/etcupdate/etcupdate.sh
  stable/11/usr.sbin/mergemaster/mergemaster.sh
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Added:
  stable/12/secure/caroot/
     - copied from r352951, head/secure/caroot/
  stable/12/usr.sbin/certctl/
     - copied from r352951, head/usr.sbin/certctl/
Modified:
  stable/12/etc/mtree/BSD.usr.dist
  stable/12/secure/Makefile
  stable/12/share/mk/src.opts.mk
  stable/12/usr.sbin/Makefile
  stable/12/usr.sbin/certctl/certctl.sh
  stable/12/usr.sbin/etcupdate/etcupdate.sh
  stable/12/usr.sbin/mergemaster/mergemaster.sh
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/etc/mtree/BSD.usr.dist
==============================================================================
--- stable/11/etc/mtree/BSD.usr.dist	Fri Jan 24 14:58:02 2020	(r357081)
+++ stable/11/etc/mtree/BSD.usr.dist	Fri Jan 24 15:29:33 2020	(r357082)
@@ -178,6 +178,12 @@
             uk_UA.KOI8-U
             ..
         ..
+        certs
+            blacklisted
+            ..
+            trusted
+            ..
+        ..
         dict
         ..
         doc

Modified: stable/11/secure/Makefile
==============================================================================
--- stable/11/secure/Makefile	Fri Jan 24 14:58:02 2020	(r357081)
+++ stable/11/secure/Makefile	Fri Jan 24 15:29:33 2020	(r357082)
@@ -10,6 +10,8 @@ SUBDIR_PARALLEL=
 _tests=	tests
 .endif
 
+SUBDIR.${MK_CAROOT}+= caroot
+
 # These are the programs which depend on crypto, but not Kerberos.
 SPROGS=	lib/libfetch lib/libpam lib/libradius lib/libtelnet	\
 	bin/ed libexec/telnetd usr.bin/fetch usr.bin/telnet	\

Modified: stable/11/share/mk/src.opts.mk
==============================================================================
--- stable/11/share/mk/src.opts.mk	Fri Jan 24 14:58:02 2020	(r357081)
+++ stable/11/share/mk/src.opts.mk	Fri Jan 24 15:29:33 2020	(r357082)
@@ -68,6 +68,7 @@ __DEFAULT_YES_OPTIONS = \
     BZIP2 \
     CALENDAR \
     CAPSICUM \
+    CAROOT \
     CASPER \
     CCD \
     CDDL \

Modified: stable/11/usr.sbin/Makefile
==============================================================================
--- stable/11/usr.sbin/Makefile	Fri Jan 24 14:58:02 2020	(r357081)
+++ stable/11/usr.sbin/Makefile	Fri Jan 24 15:29:33 2020	(r357082)
@@ -124,6 +124,9 @@ SUBDIR.${MK_BLUETOOTH}+=	bluetooth
 SUBDIR.${MK_BOOTPARAMD}+=	bootparamd
 SUBDIR.${MK_BSDINSTALL}+=	bsdinstall
 SUBDIR.${MK_BSNMP}+=	bsnmpd
+.if ${MK_CAROOT} != "no"
+SUBDIR.${MK_OPENSSL}+=	certctl
+.endif
 SUBDIR.${MK_CTM}+=	ctm
 SUBDIR.${MK_CXGBETOOL}+=	cxgbetool
 SUBDIR.${MK_MLX5TOOL}+=	mlx5tool

Modified: stable/11/usr.sbin/certctl/certctl.sh
==============================================================================
--- head/usr.sbin/certctl/certctl.sh	Wed Oct  2 01:27:50 2019	(r352951)
+++ stable/11/usr.sbin/certctl/certctl.sh	Fri Jan 24 15:29:33 2020	(r357082)
@@ -69,16 +69,26 @@ create_trusted_link()
 		return 1
 	fi
 	[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
-	[ $NOOP -eq 0 ] && ln -fs "$1" "$CERTDESTDIR/$hash.0"
+	[ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$CERTDESTDIR/$hash.0"
 }
 
 create_blacklisted()
 {
-	local hash
+	local hash srcfile filename
 
-	hash=$( do_hash "$1" ) || return
-	[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to blacklist"
-	[ $NOOP -eq 0 ] && ln -fs "$1" "$BLACKLISTDESTDIR/$hash.0"
+	# If it exists as a file, we'll try that; otherwise, we'll scan
+	if [ -e "$1" ]; then
+		hash=$( do_hash "$1" ) || return
+		srcfile=$(realpath "$1")
+		filename="$hash.0"
+	elif [ -e "${CERTDESTDIR}/$1" ];  then
+		srcfile=$(realpath "${CERTDESTDIR}/$1")
+		filename="$1"
+	else
+		return
+	fi
+	[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
+	[ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename"
 }
 
 do_scan()

Modified: stable/11/usr.sbin/etcupdate/etcupdate.sh
==============================================================================
--- stable/11/usr.sbin/etcupdate/etcupdate.sh	Fri Jan 24 14:58:02 2020	(r357081)
+++ stable/11/usr.sbin/etcupdate/etcupdate.sh	Fri Jan 24 15:29:33 2020	(r357082)
@@ -595,6 +595,12 @@ post_install_file()
 				NEWALIAS_WARN=yes
 			fi
 			;;
+		/usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+			log "certctl rehash"
+			if [ -z "$dryrun" ]; then
+				env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1
+			fi
+			;;
 		/etc/login.conf)
 			log "cap_mkdb ${DESTDIR}$1"
 			if [ -z "$dryrun" ]; then

Modified: stable/11/usr.sbin/mergemaster/mergemaster.sh
==============================================================================
--- stable/11/usr.sbin/mergemaster/mergemaster.sh	Fri Jan 24 14:58:02 2020	(r357081)
+++ stable/11/usr.sbin/mergemaster/mergemaster.sh	Fri Jan 24 15:29:33 2020	(r357082)
@@ -863,6 +863,9 @@ mm_install () {
     /etc/mail/aliases)
       NEED_NEWALIASES=yes
       ;;
+    /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+      NEED_CERTCTL=yes
+      ;;
     /etc/login.conf)
       NEED_CAP_MKDB=yes
       ;;
@@ -1331,6 +1334,23 @@ case "${NEED_PWD_MKDB}" in
     echo "    '/usr/sbin/pwd_mkdb -p /etc/master.passwd'"
     echo "     to rebuild your password files"
     run_it_now '/usr/sbin/pwd_mkdb -p /etc/master.passwd'
+  fi
+  ;;
+esac
+
+case "${NEED_CERTCTL}" in
+'') ;;
+*)
+  echo ''
+  echo "*** You installed files in /etc/ssl/certs, so make sure that you run"
+  if [ -n "${DESTDIR}" ]; then
+    echo "    'env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash'"
+    echo "     to rebuild your certificate authority database"
+    run_it_now "env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash"
+  else
+    echo "    '/usr/sbin/certctl rehash'"
+    echo "     to rebuild your certificate authority database"
+    run_it_now "/usr/sbin/certctl rehash"
   fi
   ;;
 esac



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202001241529.00OFTXvc095041>