From owner-svn-src-all@freebsd.org Thu May 21 01:24:00 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id DC7022FAD22; Thu, 21 May 2020 01:24:00 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49SBjD5YRfz45h5; Thu, 21 May 2020 01:24:00 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BA08425690; Thu, 21 May 2020 01:24:00 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 04L1O0wR042791; Thu, 21 May 2020 01:24:00 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 04L1O0HZ042790; Thu, 21 May 2020 01:24:00 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <202005210124.04L1O0HZ042790@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Thu, 21 May 2020 01:24:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r361310 - in stable: 11/usr.sbin/certctl 12/usr.sbin/certctl X-SVN-Group: stable-12 X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: in stable: 11/usr.sbin/certctl 12/usr.sbin/certctl X-SVN-Commit-Revision: 361310 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 May 2020 01:24:00 -0000 Author: kevans Date: Thu May 21 01:23:59 2020 New Revision: 361310 URL: https://svnweb.freebsd.org/changeset/base/361310 Log: MFC r361022-r361023, r361148: certctl(8) fixes r361022: certctl(8): don't completely nuke $CERTDESTDIR It's been reported/noted that a well-timed `certctl rehash` will completely obliterate $CERTDESTDIR, which may get used by ports or system administrators. While we can't guarantee the certctl semantics when other non-certctl-controlled bits live here, we should make some amount of effort to play nice. Pruning all existing links, which we'll subsequently rebuild as needed, is sufficient for our needs. This can still be destructive, but it's perhaps less likely to cause issues. I also note that we should probably be pruning /etc/ssl/blacklisted upon rehash as well. r361023: certctl: follow-up to r361022, prune blacklist as well Otherwise, removals from the blacklist may not get processed as they should. While we're here, restructure these to not bother with mkdir(1) if we've already tested them to exist. r361148: certctl: don't fall over flat with relative DESTDIR Up until now, all of our DESTDIR use has been with absolute paths. It turned out that the cd in/out dance we do here breaks us down later on, as the relative path no longer resolves. Convert EXTENSIONS to an ERE that we'll use to grep ls -1 of the dir we're inspecting, rather than cd'ing into it and globbing it up. Modified: stable/12/usr.sbin/certctl/certctl.sh Directory Properties: stable/12/ (props changed) Changes in other areas also in this revision: Modified: stable/11/usr.sbin/certctl/certctl.sh Directory Properties: stable/11/ (props changed) Modified: stable/12/usr.sbin/certctl/certctl.sh ============================================================================== --- stable/12/usr.sbin/certctl/certctl.sh Wed May 20 23:27:01 2020 (r361309) +++ stable/12/usr.sbin/certctl/certctl.sh Thu May 21 01:23:59 2020 (r361310) @@ -34,7 +34,7 @@ : ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} : ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} -: ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} +: ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"} : ${VERBOSE:=0} ############################################################ GLOBALS @@ -104,13 +104,11 @@ do_scan() for CPATH in "$@"; do [ -d "$CPATH" ] || continue echo "Scanning $CPATH for certificates..." - cd "$CPATH" - for CFILE in $EXTENSIONS; do - [ -e "$CFILE" ] || continue + for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}"); do + [ -e "$CPATH/$CFILE" ] || continue [ $VERBOSE -gt 0 ] && echo "Reading $CFILE" "$CFUNC" "$CPATH/$CFILE" done - cd - done } @@ -142,9 +140,18 @@ do_list() cmd_rehash() { - [ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR" - [ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR" - [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + if [ $NOOP -eq 0 ]; then + if [ -e "$CERTDESTDIR" ]; then + find "$CERTDESTDIR" -type link -delete + else + mkdir -p "$CERTDESTDIR" + fi + if [ -e "$BLACKLISTDESTDIR" ]; then + find "$BLACKLISTDESTDIR" -type link -delete + else + mkdir -p "$BLACKLISTDESTDIR" + fi + fi do_scan create_blacklisted "$BLACKLISTPATH" do_scan create_trusted_link "$TRUSTPATH"