From owner-svn-src-stable-12@freebsd.org Fri Jan 24 15:29:36 2020 Return-Path: Delivered-To: svn-src-stable-12@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B055B1F36D7; Fri, 24 Jan 2020 15:29:36 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48433N3z4qz49p6; Fri, 24 Jan 2020 15:29:36 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 837342949F; Fri, 24 Jan 2020 15:29:36 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 00OFTasJ095060; Fri, 24 Jan 2020 15:29:36 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 00OFTZ80095053; Fri, 24 Jan 2020 15:29:35 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <202001241529.00OFTZ80095053@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Fri, 24 Jan 2020 15:29:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r357082 - in stable: 11/etc/mtree 11/secure 11/secure/caroot 11/share/mk 11/usr.sbin 11/usr.sbin/certctl 11/usr.sbin/etcupdate 11/usr.sbin/mergemaster 12/etc/mtree 12/secure 12/secure/c... X-SVN-Group: stable-12 X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: in stable: 11/etc/mtree 11/secure 11/secure/caroot 11/share/mk 11/usr.sbin 11/usr.sbin/certctl 11/usr.sbin/etcupdate 11/usr.sbin/mergemaster 12/etc/mtree 12/secure 12/secure/caroot 12/share/mk 12/usr.... X-SVN-Commit-Revision: 357082 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-12@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 12-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jan 2020 15:29:36 -0000 Author: kevans Date: Fri Jan 24 15:29:33 2020 New Revision: 357082 URL: https://svnweb.freebsd.org/changeset/base/357082 Log: MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure Infrastructure only -- no plans in place currently to commit any certs to these branches. r352948: [1/3] Initial infrastructure for SSL root bundle in base This setup will add the trusted certificates from the Mozilla NSS bundle to base. This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts. This work was done primarily by allanjude@, with minor contributions by myself. r352949: [2/3] Add certctl(8) This is a simple utility to hash all trusted on the system into /etc/ssl/certs. It also allows the user to blacklist certificates they do not trust. This work was done primarily by allanjude@, with minor contributions by myself. r352950: [3/3] etcupdate and mergemaster support for certctl This commit add support for certctl in mergemaster and etcupdate. Both will either rehash or prompt for rehash as new certificates are trusted/blacklisted. This work was done primarily by allanjude@, with minor contributions by myself. r352951: caroot: add @generated tags to extracted .pem As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them. r353002: Unbreak etcupdate(8) and mergemaster(8) after r352950 r352950 introduced improper case fall-through for shell scripts. Fix it with a pipe. r353066: certctl(8): realpath the file before creating the symlink Otherwise we end up creating broken relative symlinks in /etc/ssl/blacklisted. r353070: certctl(8): let one blacklist based on hashed filenames It seems reasonable to allow, for instance: $ certctl list # reviews output -- ah, yeah, I don't trust that one $ certctl blacklist ce5e74ef.0 $ certctl rehash We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've described it to them in `certctl list` output -- I see little sense in forcing another level of filesystem inspection to determien what cert file this physically corresponds to. Relnotes: yes Added: stable/12/secure/caroot/ - copied from r352951, head/secure/caroot/ stable/12/usr.sbin/certctl/ - copied from r352951, head/usr.sbin/certctl/ Modified: stable/12/etc/mtree/BSD.usr.dist stable/12/secure/Makefile stable/12/share/mk/src.opts.mk stable/12/usr.sbin/Makefile stable/12/usr.sbin/certctl/certctl.sh stable/12/usr.sbin/etcupdate/etcupdate.sh stable/12/usr.sbin/mergemaster/mergemaster.sh Directory Properties: stable/12/ (props changed) Changes in other areas also in this revision: Added: stable/11/secure/caroot/ - copied from r352951, head/secure/caroot/ stable/11/usr.sbin/certctl/ - copied from r352951, head/usr.sbin/certctl/ Modified: stable/11/etc/mtree/BSD.usr.dist stable/11/secure/Makefile stable/11/share/mk/src.opts.mk stable/11/usr.sbin/Makefile stable/11/usr.sbin/certctl/certctl.sh stable/11/usr.sbin/etcupdate/etcupdate.sh stable/11/usr.sbin/mergemaster/mergemaster.sh Directory Properties: stable/11/ (props changed) Modified: stable/12/etc/mtree/BSD.usr.dist ============================================================================== --- stable/12/etc/mtree/BSD.usr.dist Fri Jan 24 14:58:02 2020 (r357081) +++ stable/12/etc/mtree/BSD.usr.dist Fri Jan 24 15:29:33 2020 (r357082) @@ -200,6 +200,12 @@ uk_UA.KOI8-U .. .. + certs + blacklisted + .. + trusted + .. + .. dict .. doc Modified: stable/12/secure/Makefile ============================================================================== --- stable/12/secure/Makefile Fri Jan 24 14:58:02 2020 (r357081) +++ stable/12/secure/Makefile Fri Jan 24 15:29:33 2020 (r357082) @@ -8,6 +8,8 @@ SUBDIR_PARALLEL= SUBDIR.${MK_TESTS}+= tests +SUBDIR.${MK_CAROOT}+= caroot + # These are the programs which depend on crypto, but not Kerberos. SPROGS= lib/libfetch lib/libpam lib/libradius lib/libtelnet \ bin/ed libexec/telnetd usr.bin/fetch usr.bin/telnet \ Modified: stable/12/share/mk/src.opts.mk ============================================================================== --- stable/12/share/mk/src.opts.mk Fri Jan 24 14:58:02 2020 (r357081) +++ stable/12/share/mk/src.opts.mk Fri Jan 24 15:29:33 2020 (r357082) @@ -76,6 +76,7 @@ __DEFAULT_YES_OPTIONS = \ BZIP2 \ CALENDAR \ CAPSICUM \ + CAROOT \ CASPER \ CCD \ CDDL \ Modified: stable/12/usr.sbin/Makefile ============================================================================== --- stable/12/usr.sbin/Makefile Fri Jan 24 14:58:02 2020 (r357081) +++ stable/12/usr.sbin/Makefile Fri Jan 24 15:29:33 2020 (r357082) @@ -125,6 +125,9 @@ SUBDIR.${MK_BLUETOOTH}+= bluetooth SUBDIR.${MK_BOOTPARAMD}+= bootparamd SUBDIR.${MK_BSDINSTALL}+= bsdinstall SUBDIR.${MK_BSNMP}+= bsnmpd +.if ${MK_CAROOT} != "no" +SUBDIR.${MK_OPENSSL}+= certctl +.endif SUBDIR.${MK_CTM}+= ctm SUBDIR.${MK_CXGBETOOL}+= cxgbetool SUBDIR.${MK_DIALOG}+= bsdconfig Modified: stable/12/usr.sbin/certctl/certctl.sh ============================================================================== --- head/usr.sbin/certctl/certctl.sh Wed Oct 2 01:27:50 2019 (r352951) +++ stable/12/usr.sbin/certctl/certctl.sh Fri Jan 24 15:29:33 2020 (r357082) @@ -69,16 +69,26 @@ create_trusted_link() return 1 fi [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" - [ $NOOP -eq 0 ] && ln -fs "$1" "$CERTDESTDIR/$hash.0" + [ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$CERTDESTDIR/$hash.0" } create_blacklisted() { - local hash + local hash srcfile filename - hash=$( do_hash "$1" ) || return - [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to blacklist" - [ $NOOP -eq 0 ] && ln -fs "$1" "$BLACKLISTDESTDIR/$hash.0" + # If it exists as a file, we'll try that; otherwise, we'll scan + if [ -e "$1" ]; then + hash=$( do_hash "$1" ) || return + srcfile=$(realpath "$1") + filename="$hash.0" + elif [ -e "${CERTDESTDIR}/$1" ]; then + srcfile=$(realpath "${CERTDESTDIR}/$1") + filename="$1" + else + return + fi + [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" + [ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename" } do_scan() Modified: stable/12/usr.sbin/etcupdate/etcupdate.sh ============================================================================== --- stable/12/usr.sbin/etcupdate/etcupdate.sh Fri Jan 24 14:58:02 2020 (r357081) +++ stable/12/usr.sbin/etcupdate/etcupdate.sh Fri Jan 24 15:29:33 2020 (r357082) @@ -595,6 +595,12 @@ post_install_file() NEWALIAS_WARN=yes fi ;; + /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + log "certctl rehash" + if [ -z "$dryrun" ]; then + env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1 + fi + ;; /etc/login.conf) log "cap_mkdb ${DESTDIR}$1" if [ -z "$dryrun" ]; then Modified: stable/12/usr.sbin/mergemaster/mergemaster.sh ============================================================================== --- stable/12/usr.sbin/mergemaster/mergemaster.sh Fri Jan 24 14:58:02 2020 (r357081) +++ stable/12/usr.sbin/mergemaster/mergemaster.sh Fri Jan 24 15:29:33 2020 (r357082) @@ -884,6 +884,9 @@ mm_install () { /etc/mail/aliases) NEED_NEWALIASES=yes ;; + /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + NEED_CERTCTL=yes + ;; /etc/login.conf) NEED_CAP_MKDB=yes ;; @@ -1352,6 +1355,23 @@ case "${NEED_PWD_MKDB}" in echo " '/usr/sbin/pwd_mkdb -p /etc/master.passwd'" echo " to rebuild your password files" run_it_now '/usr/sbin/pwd_mkdb -p /etc/master.passwd' + fi + ;; +esac + +case "${NEED_CERTCTL}" in +'') ;; +*) + echo '' + echo "*** You installed files in /etc/ssl/certs, so make sure that you run" + if [ -n "${DESTDIR}" ]; then + echo " 'env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash" + else + echo " '/usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "/usr/sbin/certctl rehash" fi ;; esac