Date: Mon, 25 Aug 2025 21:42:43 GMT
Message-Id: <202508252142.57PLgh5i068682@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: b88b0bb784c7 - main - caroot: Generate both trusted and untrusted
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b88b0bb784c7fdcfb8174806e822c1f8983c223f

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=b88b0bb784c7fdcfb8174806e822c1f8983c223f

commit b88b0bb784c7fdcfb8174806e822c1f8983c223f
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-08-25 21:41:36 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2025-08-25 21:41:36 +0000

    caroot: Generate both trusted and untrusted

    Until now, the untrusted directory has been maintained manually. Modify
    the script used to maintain the trusted directory so it can handle
    both. While here, clean it up a bit.

    MFC after:      1 week
    Reviewed by:    mandree, markj
    Differential Revision:  https://reviews.freebsd.org/D51774
---
 secure/caroot/MAca-bundle.pl     | 136 ++++++++++++--------------------------
 secure/caroot/Makefile           |   3 +-
 secure/caroot/trusted/Makefile   |   6 +-
 secure/caroot/untrusted/Makefile |   5 +-
 4 files changed, 51 insertions(+), 99 deletions(-)

diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl
index 58cfe1cbf6fa..411d00b9bb61 100755
--- a/secure/caroot/MAca-bundle.pl
+++ b/secure/caroot/MAca-bundle.pl
@@ -8,6 +8,7 @@ ## Copyright (c) 2011, 2013 Matthias Andree ## All rights reserved. ## Copyright (c) 2018, Allan Jude +## Copyright (c) 2025 Dag-Erling Smørgrav ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions are @@ -34,6 +35,7 @@ ## POSSIBILITY OF SUCH DAMAGE. use strict; +use warnings; use Carp; use MIME::Base64; use Getopt::Long; @@ -44,10 +46,12 @@ my $generated = '@' . 'generated'; my $inputfh = *STDIN; my $debug = 0; my $infile; -my $outputdir; +my $trustdir = "trusted"; +my $untrustdir = "untrusted"; my %labels; my %certs; my %trusts; +my %expires; $debug++ if defined $ENV{'WITH_DEBUG'} @@ -56,8 +60,9 @@ $debug++ GetOptions ( "debug+" => \$debug, "infile:s" => \$infile, - "outputdir:s" => \$outputdir) - or die("Error in command line arguments\n$0 [-d] [-i input-file] [-o output-dir]\n"); + "trustdir:s" => \$trustdir, + "untrustdir:s" => \$untrustdir) + or die("Error in command line arguments\n$0 [-d] [-i input-file] [-t trust-dir] [-u untrust-dir]\n"); if ($infile) { open($inputfh, "<", $infile) or die "Failed to open $infile"; @@ -68,8 +73,7 @@ sub print_header($$) my $dstfile = shift; my $label = shift; - if ($outputdir) { - print $dstfile <) { last if /^END/; - my (undef,@oct) = split /\\/; - my @bin = map(chr(oct), @oct); - $data .= join('', @bin); + $data .= join('', map { chr(oct($_)) } m/\\([0-7]{3})/g); } return $data; 
@@ -158,18 +139,8 @@ sub grabcert($) { my $distrust_after = graboct($ifh); my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after; - $distrust_after = timegm_posix( $sec, $min, $hour, $mday, $mon - 1, $year + 100); - my $time_now = time; - # When a CA is distrusted before its NotAfter date, issued certificates - # are valid for a maximum of 398 days after that date. - if ($time_now >= $distrust_after + 398 * 24 * 60 * 60) { $distrust = 1; } - if ($debug) { - printf STDERR "line $.: $cka_label ser #%d: distrust 398 days after %s, now: %s -> distrust $distrust\n", $serial, - strftime("%FT%TZ", gmtime($distrust_after)), strftime("%FT%TZ", gmtime($time_now)); - } - if ($distrust) { - return undef; - } + $distrust_after = timegm_posix($sec, $min, $hour, $mday, $mon - 1, $year + 100); + $expires{$cka_label."\0".$serial} = $distrust_after; } } return ($serial, $cka_label, $certdata); @@ -194,8 +165,7 @@ sub grabtrust($) { $serial = graboct($ifh); } - if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) - { + if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) { if ($1 eq 'CKT_NSS_NOT_TRUSTED') { $distrust = 1; } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') { @@ -216,12 +186,6 @@ sub grabtrust($) { return ($serial, $cka_label, $trust); } -if (!$outputdir) { - print_header(*STDOUT, ""); -} - -my $untrusted = 0; - while (<$inputfh>) { if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { my ($serial, $label, $certdata) = grabcert($inputfh); 
@@ -229,12 +193,10 @@ while (<$inputfh>) { warn "Certificate $label duplicated!\n"; } if (defined $certdata) { - $certs{$label."\0".$serial} = $certdata; - # We store the label in a separate hash because truncating the key - # with \0 was causing garbage data after the end of the text. - $labels{$label."\0".$serial} = $label; - } else { # $certdata undefined? distrust_after in effect - $untrusted ++; + $certs{$label."\0".$serial} = $certdata; + # We store the label in a separate hash because truncating the key + # with \0 was causing garbage data after the end of the text. + $labels{$label."\0".$serial} = $label; } } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { my ($serial, $label, $trust) = grabtrust($inputfh); 
@@ -254,52 +216,38 @@ sub label_to_filename(@) { return wantarray ? @res : $res[0]; } -# weed out untrusted certificates -foreach my $it (keys %trusts) { - if (!$trusts{$it}) { - if (!exists($certs{$it})) { - warn "Found trust for nonexistent certificate $labels{$it}\n" if $debug; - } else { - delete $certs{$it}; - warn "Skipping untrusted $labels{$it}\n" if $debug; - $untrusted++; - } - } -} - -if (!$outputdir) { - print "## Untrusted certificates omitted from this bundle: $untrusted\n\n"; -} -print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n"; +my $untrusted = 0; +my $trusted = 0; +my $now = time; -my $certcount = 0; foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { my $fh = *STDOUT; + my $outputdir; my $filename; - if (!exists($trusts{$it})) { - die "Found certificate without trust block,\naborting"; - } - if ($outputdir) { - $filename = label_to_filename($labels{$it}); - open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $filename"; - print_header($fh, $labels{$it}); + if (exists($expires{$it}) && + $now >= $expires{$it} + 398 * 24 * 60 * 60) { + print(STDERR "## Expired: $labels{$it}\n"); + $outputdir = $untrustdir; + $untrusted++; + } elsif (!$trusts{$it}) { + print(STDERR "## Untrusted: $labels{$it}\n"); + $outputdir = $untrustdir; + $untrusted++; + } else { + print(STDERR "## Trusted: $labels{$it}\n"); + $outputdir = $trustdir; + $trusted++; } + $filename = label_to_filename($labels{$it}); + open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $outputdir/$filename"; + print_header($fh, $labels{$it}); printcert($fh, $labels{$it}, $certs{$it}); if ($outputdir) { close($fh) or die "Unable to close: $filename"; } else { print $fh "\n\n\n"; } - $certcount++; - print STDERR "Trusting $certcount: $labels{$it}\n" if $debug; } -if ($certcount < 25) { - die "Certificate count of $certcount is implausibly low.\nAbort"; -} - -if (!$outputdir) { - print "## Number of certificates: 
$certcount\n"; - print "## End of file.\n"; -} -print STDERR "## Number of certificates: $certcount\n"; +printf STDERR "## Trusted certificates: %4d\n", $trusted; +printf STDERR "## Untrusted certificates: %4d\n", $untrusted; diff --git a/secure/caroot/Makefile b/secure/caroot/Makefile index ace802a906a3..d48285437f10 100644 --- a/secure/caroot/Makefile +++ b/secure/caroot/Makefile @@ -13,4 +13,5 @@ cleancerts: .PHONY @${MAKE} -C ${.CURDIR}/trusted ${.TARGET} updatecerts: .PHONY cleancerts fetchcerts - perl ${.CURDIR}/MAca-bundle.pl -i certdata.txt -o ${.CURDIR}/trusted + perl ${.CURDIR}/MAca-bundle.pl -i certdata.txt \ + -t ${.CURDIR}/trusted -u ${.CURDIR}/untrusted diff --git a/secure/caroot/trusted/Makefile b/secure/caroot/trusted/Makefile index b2fe43fcb802..a47e781262b8 100644 --- a/secure/caroot/trusted/Makefile +++ b/secure/caroot/trusted/Makefile @@ -1,10 +1,10 @@ BINDIR= /usr/share/certs/trusted -TRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true +TRUSTED_CERTS!= (cd ${.CURDIR} && echo *.pem) FILES+= ${TRUSTED_CERTS} -cleancerts: - @[ -z "${TRUSTED_CERTS}" ] || rm ${TRUSTED_CERTS} +cleancerts: .PHONY + @(cd ${.CURDIR} && rm -f ${TRUSTED_CERTS}) .include diff --git a/secure/caroot/untrusted/Makefile b/secure/caroot/untrusted/Makefile index 19d7359ddcb9..45df0a55ebd9 100644 --- a/secure/caroot/untrusted/Makefile +++ b/secure/caroot/untrusted/Makefile @@ -1,7 +1,10 @@ BINDIR= /usr/share/certs/untrusted -UNTRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true +UNTRUSTED_CERTS!= (cd ${.CURDIR} && echo *.pem) FILES+= ${UNTRUSTED_CERTS} +cleancerts: .PHONY + @(cd ${.CURDIR} && rm -f ${UNTRUSTED_CERTS}) + .include
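Review bot: in the GetOptions hunk, "trustdir:s" and "untrustdir:s" make the option value optional, so `-t` or `-u` given without an argument silently sets that directory to the empty string, and the later `open($fh, ">", "$outputdir/$filename")` then writes straight under "/". Use "trustdir=s" and "untrustdir=s" so a missing argument is a usage error, and consider a `-d $trustdir && -d $untrustdir` check before the main loop so a mistyped path in the Makefile fails before any certificate file is written.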
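Review bot: the grabcert hunk drops the comment that explained the 398-day window ("When a CA is distrusted before its NotAfter date, issued certificates are valid for a maximum of 398 days after that date"), yet the bare `398 * 24 * 60 * 60` reappears unexplained in the main loop. Keep that comment next to the new `$now >= $expires{$it} + ...` check, or lift the value into a named variable such as `my $distrust_grace = 398 * 24 * 60 * 60;` with the comment above it, so the next reader knows why the cut-off is 398 days past CKA_NSS_SERVER_DISTRUST_AFTER rather than the date itself.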
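Review bot: the main-loop hunk removes the `$certcount < 25` plausibility check without a replacement. Since `updatecerts` runs `cleancerts` first, a truncated certdata.txt or a parser regression would now leave trusted/ nearly empty while the script completes successfully, reporting only a small "## Trusted certificates:" count on stderr; restoring `die "Certificate count of $trusted is implausibly low.\nAbort" if $trusted < 25;` after the loop keeps that failure loud. The same hunk turns "Found certificate without trust block" from a `die` into silent filing under untrusted, because `elsif (!$trusts{$it})` is true for a missing entry as well as for an explicit CKT_NSS_NOT_TRUSTED; a certificate whose trust object failed to parse would be quietly demoted, so a separate `!exists($trusts{$it})` branch that at least warns would preserve the old signal. Finally, `$outputdir` is now always assigned, so `my $fh = *STDOUT;` and the `else { print $fh "\n\n\n"; }` branch are dead and can be dropped.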
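Review bot: in the secure/caroot/Makefile hunk, `updatecerts` now writes into both trusted/ and untrusted/, and untrusted/Makefile gains a `cleancerts` target, but the only `cleancerts` recursion visible in this hunk's context is `@${MAKE} -C ${.CURDIR}/trusted ${.TARGET}`. Without a matching `@${MAKE} -C ${.CURDIR}/untrusted ${.TARGET}`, a certificate that Mozilla removes from certdata.txt altogether would linger in untrusted/ indefinitely, and the new target is never exercised by the documented workflow.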
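Review bot: in the trusted/Makefile hunk (and identically in the untrusted/Makefile hunk), `TRUSTED_CERTS!= (cd ${.CURDIR} && echo *.pem)` leaves the literal string `*.pem` in the variable when the directory holds no certificates, for example right after `cleancerts`; the new `rm -f` tolerates that, but `FILES+= ${TRUSTED_CERTS}` then tries to install a file named `*.pem`. This predates the change (the old `echo ${.CURDIR}/*.pem` had the same shape), but while here `(cd ${.CURDIR} && ls *.pem 2>/dev/null || true)` or an `.if exists()` guard would make an empty directory yield an empty list.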