Date: Fri, 20 Oct 2023 10:29:42 GMT
Message-Id: <202310201029.39KATgpX073737@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: 87945a082980 - main - certctl: Fix recent regressions.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: 87945a082980260b52507ad5bfb3a0ce773a80da

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=87945a082980260b52507ad5bfb3a0ce773a80da

commit 87945a082980260b52507ad5bfb3a0ce773a80da
Author:     Dag-Erling Smørgrav
AuthorDate: 2023-10-20 10:29:06 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2023-10-20 10:29:40 +0000

    certctl: Fix recent regressions.

    - If an untrusted certificate is also found in the list of trusted
      certificates, issue a warning and skip it, but don't fail.
    - Split on -+BEGIN CERTIFICATE-+ instead of "Certificate:" since that's
      what we're really looking for.

    Also fix a long-standing bug: .crl files are not certificates, so we
    should not include them when searching for certificates.

    Reported by:    madpilot, netchild, tijl
    Reviewed by:    netchild, allanjude
    Differential Revision:  https://reviews.freebsd.org/D42276
---
 usr.sbin/certctl/certctl.sh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh index b7d3a95bc7d7..2ffa94bc7db7 100755 --- a/usr.sbin/certctl/certctl.sh +++ b/usr.sbin/certctl/certctl.sh @@ -67,8 +67,7 @@ cert_files_in() find -L "$@" -type f \( \ -name '*.pem' -or \ -name '*.crt' -or \ - -name '*.cer' -or \ - -name '*.crl' \ + -name '*.cer' \ \) 2>/dev/null }
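Review bot: dropping `-name '*.crl'` from the find(1) expression in cert_files_in() matches the commit message, but nothing in this diff updates user-facing documentation; if certctl(8) enumerates the extensions that are scanned, it should be changed in the same commit to list only .pem, .crt and .cer. Since CRL files placed in the same directories are now silently ignored rather than causing a failure, a verbose(9)-style message naming the skipped .crl file would help an administrator notice that revocation data they dropped there is not being processed by this tool.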
@@ -114,7 +113,7 @@ create_trusted() otherhash=$(openssl x509 -sha1 -in "$otherfile" -noout -fingerprint) if [ "$certhash" = "$otherhash" ] ; then info "Skipping untrusted certificate $hash ($otherfile)" - return 1 + return 0 fi done for otherfile in $(find $CERTDESTDIR -name "$hash.*") ; do @@ -182,7 +181,7 @@ do_scan() IFS="$oldIFS" for CFILE in $(cert_files_in "$@") ; do verbose "Reading $CFILE" - case $(grep -c '^Certificate:$' "$CFILE") in + case $(egrep -c '^-+BEGIN CERTIFICATE-+$' "$CFILE") in 0) ;; 1) @@ -191,8 +190,8 @@ do_scan() *) verbose "Multiple certificates found, splitting..." SPLITDIR=$(mktemp -d) - egrep '^[^#]' "$CFILE" | \ - split -p '^Certificate:$' - "$SPLITDIR/x" + egrep '^(---|[0-9A-Za-z/+=]+$)' "$CFILE" | \ + split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x" for CERT in $(find "$SPLITDIR" -type f) ; do "$CFUNC" "$CERT" done
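Review bot: the commit message says a duplicate untrusted certificate is reported with a warning, but the hunk in create_trusted() keeps the message at `info "Skipping untrusted certificate $hash ($otherfile)"`; either raise it to the script's warning level or reword the commit message. Changing `return 1` to `return 0` also means create_trusted() no longer tells its caller that the certificate was skipped rather than installed, so any caller that treats a zero status as "trusted certificate written" will over-count; if nothing depends on the status that is fine, but a short comment at the `return 0` explaining that a skip is deliberately not an error would make the intent clear to the next reader.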
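Review bot: with the count in do_scan() now taken from `egrep -c '^-+BEGIN CERTIFICATE-+$'`, a file whose PEM blocks use OpenSSL's "BEGIN TRUSTED CERTIFICATE" header matches nothing, falls into the `0) ;;` branch and is silently left out of the trust store. Either widen the pattern to cover that header or add a `verbose "No certificates found in $CFILE"` in the 0 branch so a misnamed or wrongly encoded bundle shows up in verbose output instead of disappearing without trace. `grep -E` is the portable spelling of `egrep`, though the surrounding code already uses the latter.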
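Review bot: the new pre-filter `egrep '^(---|[0-9A-Za-z/+=]+$)' "$CFILE"` only passes a body line if it is pure base64 all the way to end of line, so a bundle with CRLF line endings or trailing whitespace loses every base64 line, and the pieces produced by `split -p '^-+BEGIN CERTIFICATE-+$'` and handed to "$CFUNC" contain nothing but the BEGIN/END markers. The replaced `egrep '^[^#]'` let such lines through, so this is a behaviour change for existing bundles. Suggest stripping carriage returns before the filter (for example `tr -d '\r'`) or allowing `[[:space:]]*$` after the base64 class. The `---` alternative is also unanchored on the right, so it accepts any line beginning with three dashes; `-+(BEGIN|END) CERTIFICATE-+$` would match only the markers the split actually relies on.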