a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777561456; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=u5ToIQqjwkorrDwSgUyOYULnHhz5hMooJgak37nj7hc=; b=g68uIq0nxEnDx+lJgw4bgpglOTYELS2V5oAdfp3EcNHqr7mdZyLqxoWwGEl+foJ5K6B9OE 4UzADdNxp+mkAy71Ac0c9nMdtL03lfZ/rtwW2AlPCYI3Ssd5eZCx4qtnNkVeym7GiXcJq4 hRzLSyzDFobabl1g8QQg++kI3khurQcLgWaHpB8PplJjEKuMxXY7y8FIigd66fEoeFouxX yKSYYLmX1ES8zxyC5BEgRyW5tHJcXHFysJzvmEvSfCJaZwRs7vIZAPOlZF2awOy8L9VLdz mzV1w3HX4oflHPKFW+hXn5pcK8JuPeVrL+xIbj1Ad0wBv6jLtQn2Ju8hBKa59g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g5yB85L7Qz1pl for ; Thu, 30 Apr 2026 15:04:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3fc06 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 30 Apr 2026 15:04:16 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 8547b32728ea - stable/13 - caroot: Generate both trusted and untrusted List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 8547b32728ea27ca1b2fed2d37de6546deea3999 Auto-Submitted: auto-generated Date: Thu, 30 Apr 2026 15:04:16 +0000 Message-Id: <69f36f70.3fc06.56855973@gitrepo.freebsd.org> The branch stable/13 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=8547b32728ea27ca1b2fed2d37de6546deea3999 commit 8547b32728ea27ca1b2fed2d37de6546deea3999 Author: Dag-Erling Smørgrav AuthorDate: 2025-08-25 21:41:36 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-04-30 15:03:22 +0000 caroot: Generate both trusted and untrusted Until now, the untrusted directory has been maintained manually. Modify the script used to maintain the trusted directory so it can handle both. While here, clean it up a bit. MFC after: 1 week Reviewed by: mandree, markj Differential Revision: https://reviews.freebsd.org/D51774 (cherry picked from commit b88b0bb784c7fdcfb8174806e822c1f8983c223f) --- secure/caroot/MAca-bundle.pl | 136 ++++++++++++------------------------- secure/caroot/Makefile | 3 +- secure/caroot/blacklisted/Makefile | 5 +- secure/caroot/trusted/Makefile | 6 +- 4 files changed, 51 insertions(+), 99 deletions(-) diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl index 58cfe1cbf6fa..cb2ca452e455 100755 --- a/secure/caroot/MAca-bundle.pl +++ b/secure/caroot/MAca-bundle.pl 
@@ -8,6 +8,7 @@ ## Copyright (c) 2011, 2013 Matthias Andree ## All rights reserved. ## Copyright (c) 2018, Allan Jude +## Copyright (c) 2025 Dag-Erling Smørgrav ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions are @@ -34,6 +35,7 @@ ## POSSIBILITY OF SUCH DAMAGE. use strict; +use warnings; use Carp; use MIME::Base64; use Getopt::Long; @@ -44,10 +46,12 @@ my $generated = '@' . 'generated'; my $inputfh = *STDIN; my $debug = 0; my $infile; -my $outputdir; +my $trustdir = "trusted"; +my $untrustdir = "blacklisted"; my %labels; my %certs; my %trusts; +my %expires; $debug++ if defined $ENV{'WITH_DEBUG'} @@ -56,8 +60,9 @@ $debug++ GetOptions ( "debug+" => \$debug, "infile:s" => \$infile, - "outputdir:s" => \$outputdir) - or die("Error in command line arguments\n$0 [-d] [-i input-file] [-o output-dir]\n"); + "trustdir:s" => \$trustdir, + "untrustdir:s" => \$untrustdir) + or die("Error in command line arguments\n$0 [-d] [-i input-file] [-t trust-dir] [-u untrust-dir]\n"); if ($infile) { open($inputfh, "<", $infile) or die "Failed to open $infile"; @@ -68,8 +73,7 @@ sub print_header($$) my $dstfile = shift; my $label = shift; - if ($outputdir) { - print $dstfile <) { last if /^END/; - my (undef,@oct) = split /\\/; - my @bin = map(chr(oct), @oct); - $data .= join('', @bin); + $data .= join('', map { chr(oct($_)) } m/\\([0-7]{3})/g); } return $data; 
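Review bot: The new `trustdir:s` / `untrustdir:s` specs keep the optional-value form, so `-t` or `-u` given without a value sets that directory to the empty string; the `if ($outputdir)` fallback that used to give an empty value a meaning (bundle to stdout) is removed by this commit, and the output loop in the last hunk would then try to `open` `"/$filename"`. Make the values mandatory: `"trustdir=s" => \$trustdir,` and `"untrustdir=s" => \$untrustdir,`. The usage string in the `die` could also mention the new defaults `trusted` and `blacklisted`, since they are relative to the current directory rather than to the script.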
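Review bot: The rewritten decoder in graboct (its `@@` header is lost in this rendering) only picks up `\ooo` triples via `m/\\([0-7]{3})/g`, so any other text on an octal data line before `END` is dropped without a diagnostic, and the resulting DER bytes are written out as-is by printcert. A short comment would make that contract explicit, e.g. `# Each line is a run of \ooo escapes; anything that does not match is ignored.`; if a corrupted input file should be caught here rather than at the consumer, a `warn "line $.: unexpected data in octal block\n"` when the line contains characters outside backslash, octal digits and whitespace would do it. graboct's loop head and the `END` check sit outside what survives of the hunk.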
@@ -158,18 +139,8 @@ sub grabcert($) { my $distrust_after = graboct($ifh); my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after; - $distrust_after = timegm_posix( $sec, $min, $hour, $mday, $mon - 1, $year + 100); - my $time_now = time; - # When a CA is distrusted before its NotAfter date, issued certificates - # are valid for a maximum of 398 days after that date. - if ($time_now >= $distrust_after + 398 * 24 * 60 * 60) { $distrust = 1; } - if ($debug) { - printf STDERR "line $.: $cka_label ser #%d: distrust 398 days after %s, now: %s -> distrust $distrust\n", $serial, - strftime("%FT%TZ", gmtime($distrust_after)), strftime("%FT%TZ", gmtime($time_now)); - } - if ($distrust) { - return undef; - } + $distrust_after = timegm_posix($sec, $min, $hour, $mday, $mon - 1, $year + 100); + $expires{$cka_label."\0".$serial} = $distrust_after; } } return ($serial, $cka_label, $certdata); @@ -194,8 +165,7 @@ sub grabtrust($) { $serial = graboct($ifh); } - if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) - { + if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) { if ($1 eq 'CKT_NSS_NOT_TRUSTED') { $distrust = 1; } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') { @@ -216,12 +186,6 @@ sub grabtrust($) { return ($serial, $cka_label, $trust); } -if (!$outputdir) { - print_header(*STDOUT, ""); -} - -my $untrusted = 0; - while (<$inputfh>) { if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { my ($serial, $label, $certdata) = grabcert($inputfh); 
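Review bot: The explanatory comment deleted here (`When a CA is distrusted before its NotAfter date, issued certificates are valid for a maximum of 398 days after that date`) is not re-added anywhere, although the `398 * 24 * 60 * 60` constant it explained now appears in the output loop of the last hunk; put that sentence back next to the new comparison. The `%expires` assignment would also benefit from a one-line comment stating what the value is, e.g. `# distrust-after date as epoch seconds (UTC); the 398-day grace period is applied when the certificate is written out`. The `$year + 100` on the kept `timegm_posix` line assumes a 20xx two-digit year from the `A2A2A2A2A2A2` unpack, which is worth a comment as well. grabcert's surrounding loop starts outside the hunk.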
@@ -229,12 +193,10 @@ while (<$inputfh>) { warn "Certificate $label duplicated!\n"; } if (defined $certdata) { - $certs{$label."\0".$serial} = $certdata; - # We store the label in a separate hash because truncating the key - # with \0 was causing garbage data after the end of the text. - $labels{$label."\0".$serial} = $label; - } else { # $certdata undefined? distrust_after in effect - $untrusted ++; + $certs{$label."\0".$serial} = $certdata; + # We store the label in a separate hash because truncating the key + # with \0 was causing garbage data after the end of the text. + $labels{$label."\0".$serial} = $label; } } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { my ($serial, $label, $trust) = grabtrust($inputfh); 
@@ -254,52 +216,38 @@ sub label_to_filename(@) { return wantarray ? @res : $res[0]; } -# weed out untrusted certificates -foreach my $it (keys %trusts) { - if (!$trusts{$it}) { - if (!exists($certs{$it})) { - warn "Found trust for nonexistent certificate $labels{$it}\n" if $debug; - } else { - delete $certs{$it}; - warn "Skipping untrusted $labels{$it}\n" if $debug; - $untrusted++; - } - } -} - -if (!$outputdir) { - print "## Untrusted certificates omitted from this bundle: $untrusted\n\n"; -} -print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n"; +my $untrusted = 0; +my $trusted = 0; +my $now = time; -my $certcount = 0; foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { my $fh = *STDOUT; + my $outputdir; my $filename; - if (!exists($trusts{$it})) { - die "Found certificate without trust block,\naborting"; - } - if ($outputdir) { - $filename = label_to_filename($labels{$it}); - open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $filename"; - print_header($fh, $labels{$it}); + if (exists($expires{$it}) && + $now >= $expires{$it} + 398 * 24 * 60 * 60) { + print(STDERR "## Expired: $labels{$it}\n"); + $outputdir = $untrustdir; + $untrusted++; + } elsif (!$trusts{$it}) { + print(STDERR "## Untrusted: $labels{$it}\n"); + $outputdir = $untrustdir; + $untrusted++; + } else { + print(STDERR "## Trusted: $labels{$it}\n"); + $outputdir = $trustdir; + $trusted++; } + $filename = label_to_filename($labels{$it}); + open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $outputdir/$filename"; + print_header($fh, $labels{$it}); printcert($fh, $labels{$it}, $certs{$it}); if ($outputdir) { close($fh) or die "Unable to close: $filename"; } else { print $fh "\n\n\n"; } - $certcount++; - print STDERR "Trusting $certcount: $labels{$it}\n" if $debug; } -if ($certcount < 25) { - die "Certificate count of $certcount is implausibly low.\nAbort"; -} - -if (!$outputdir) { - print "## Number of certificates: 
$certcount\n"; - print "## End of file.\n"; -} -print STDERR "## Number of certificates: $certcount\n"; +printf STDERR "## Trusted certificates: %4d\n", $trusted; +printf STDERR "## Untrusted certificates: %4d\n", $untrusted; diff --git a/secure/caroot/Makefile b/secure/caroot/Makefile index a132fa407e55..21dd18fcbe35 100644 --- a/secure/caroot/Makefile +++ b/secure/caroot/Makefile @@ -14,4 +14,5 @@ cleancerts: .PHONY @${MAKE} -C ${.CURDIR}/trusted ${.TARGET} updatecerts: .PHONY cleancerts fetchcerts - perl ${.CURDIR}/MAca-bundle.pl -i certdata.txt -o ${.CURDIR}/trusted + perl ${.CURDIR}/MAca-bundle.pl -i certdata.txt \ + -t ${.CURDIR}/trusted -u ${.CURDIR}/blacklisted diff --git a/secure/caroot/blacklisted/Makefile b/secure/caroot/blacklisted/Makefile index c8b62adf11fb..d2fa3ad0532d 100644 --- a/secure/caroot/blacklisted/Makefile +++ b/secure/caroot/blacklisted/Makefile @@ -1,8 +1,11 @@ BINDIR= /usr/share/certs/blacklisted -BLACKLISTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true +BLACKLISTED_CERTS!= (cd ${.CURDIR} && echo *.pem) FILES+= ${BLACKLISTED_CERTS} +cleancerts: .PHONY + @(cd ${.CURDIR} && rm -f ${BLACKLISTED_CERTS}) + .include diff --git a/secure/caroot/trusted/Makefile b/secure/caroot/trusted/Makefile index 20d0ccfcbe23..71aca4dcc116 100644 --- a/secure/caroot/trusted/Makefile +++ b/secure/caroot/trusted/Makefile @@ -1,11 +1,11 @@ BINDIR= /usr/share/certs/trusted -TRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true +TRUSTED_CERTS!= (cd ${.CURDIR} && echo *.pem) FILES+= ${TRUSTED_CERTS} -cleancerts: - @[ -z "${TRUSTED_CERTS}" ] || rm ${TRUSTED_CERTS} +cleancerts: .PHONY + @(cd ${.CURDIR} && rm -f ${TRUSTED_CERTS}) .include