Date: Fri, 24 Jan 2020 15:29:33 +0000 (UTC) From: Kyle Evans <kevans@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r357082 - in stable: 11/etc/mtree 11/secure 11/secure/caroot 11/share/mk 11/usr.sbin 11/usr.sbin/certctl 11/usr.sbin/etcupdate 11/usr.sbin/mergemaster 12/etc/mtree 12/secure 12/secure/c... Message-ID: <202001241529.00OFTXvc095041@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kevans Date: Fri Jan 24 15:29:33 2020 New Revision: 357082 URL: https://svnweb.freebsd.org/changeset/base/357082 Log: MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure Infrastructure only -- no plans in place currently to commit any certs to these branches. r352948: [1/3] Initial infrastructure for SSL root bundle in base This setup will add the trusted certificates from the Mozilla NSS bundle to base. This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts. This work was done primarily by allanjude@, with minor contributions by myself. r352949: [2/3] Add certctl(8) This is a simple utility to hash all trusted on the system into /etc/ssl/certs. It also allows the user to blacklist certificates they do not trust. This work was done primarily by allanjude@, with minor contributions by myself. r352950: [3/3] etcupdate and mergemaster support for certctl This commit add support for certctl in mergemaster and etcupdate. Both will either rehash or prompt for rehash as new certificates are trusted/blacklisted. This work was done primarily by allanjude@, with minor contributions by myself. r352951: caroot: add @generated tags to extracted .pem As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them. r353002: Unbreak etcupdate(8) and mergemaster(8) after r352950 r352950 introduced improper case fall-through for shell scripts. Fix it with a pipe. r353066: certctl(8): realpath the file before creating the symlink Otherwise we end up creating broken relative symlinks in /etc/ssl/blacklisted. r353070: certctl(8): let one blacklist based on hashed filenames It seems reasonable to allow, for instance: $ certctl list # reviews output -- ah, yeah, I don't trust that one $ certctl blacklist ce5e74ef.0 $ certctl rehash We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've described it to them in `certctl list` output -- I see little sense in forcing another level of filesystem inspection to determien what cert file this physically corresponds to. Relnotes: yes Added: stable/11/secure/caroot/ - copied from r352951, head/secure/caroot/ stable/11/usr.sbin/certctl/ - copied from r352951, head/usr.sbin/certctl/ Modified: stable/11/etc/mtree/BSD.usr.dist stable/11/secure/Makefile stable/11/share/mk/src.opts.mk stable/11/usr.sbin/Makefile stable/11/usr.sbin/certctl/certctl.sh stable/11/usr.sbin/etcupdate/etcupdate.sh stable/11/usr.sbin/mergemaster/mergemaster.sh Directory Properties: stable/11/ (props changed) Changes in other areas also in this revision: Added: stable/12/secure/caroot/ - copied from r352951, head/secure/caroot/ stable/12/usr.sbin/certctl/ - copied from r352951, head/usr.sbin/certctl/ Modified: stable/12/etc/mtree/BSD.usr.dist stable/12/secure/Makefile stable/12/share/mk/src.opts.mk stable/12/usr.sbin/Makefile stable/12/usr.sbin/certctl/certctl.sh stable/12/usr.sbin/etcupdate/etcupdate.sh stable/12/usr.sbin/mergemaster/mergemaster.sh Directory Properties: stable/12/ (props changed) Modified: stable/11/etc/mtree/BSD.usr.dist ============================================================================== --- stable/11/etc/mtree/BSD.usr.dist Fri Jan 24 14:58:02 2020 (r357081) +++ stable/11/etc/mtree/BSD.usr.dist Fri Jan 24 15:29:33 2020 (r357082) @@ -178,6 +178,12 @@ uk_UA.KOI8-U .. .. + certs + blacklisted + .. + trusted + .. + .. dict .. doc Modified: stable/11/secure/Makefile ============================================================================== --- stable/11/secure/Makefile Fri Jan 24 14:58:02 2020 (r357081) +++ stable/11/secure/Makefile Fri Jan 24 15:29:33 2020 (r357082) @@ -10,6 +10,8 @@ SUBDIR_PARALLEL= _tests= tests .endif +SUBDIR.${MK_CAROOT}+= caroot + # These are the programs which depend on crypto, but not Kerberos. SPROGS= lib/libfetch lib/libpam lib/libradius lib/libtelnet \ bin/ed libexec/telnetd usr.bin/fetch usr.bin/telnet \ Modified: stable/11/share/mk/src.opts.mk ============================================================================== --- stable/11/share/mk/src.opts.mk Fri Jan 24 14:58:02 2020 (r357081) +++ stable/11/share/mk/src.opts.mk Fri Jan 24 15:29:33 2020 (r357082) @@ -68,6 +68,7 @@ __DEFAULT_YES_OPTIONS = \ BZIP2 \ CALENDAR \ CAPSICUM \ + CAROOT \ CASPER \ CCD \ CDDL \ Modified: stable/11/usr.sbin/Makefile ============================================================================== --- stable/11/usr.sbin/Makefile Fri Jan 24 14:58:02 2020 (r357081) +++ stable/11/usr.sbin/Makefile Fri Jan 24 15:29:33 2020 (r357082) @@ -124,6 +124,9 @@ SUBDIR.${MK_BLUETOOTH}+= bluetooth SUBDIR.${MK_BOOTPARAMD}+= bootparamd SUBDIR.${MK_BSDINSTALL}+= bsdinstall SUBDIR.${MK_BSNMP}+= bsnmpd +.if ${MK_CAROOT} != "no" +SUBDIR.${MK_OPENSSL}+= certctl +.endif SUBDIR.${MK_CTM}+= ctm SUBDIR.${MK_CXGBETOOL}+= cxgbetool SUBDIR.${MK_MLX5TOOL}+= mlx5tool Modified: stable/11/usr.sbin/certctl/certctl.sh ============================================================================== --- head/usr.sbin/certctl/certctl.sh Wed Oct 2 01:27:50 2019 (r352951) +++ stable/11/usr.sbin/certctl/certctl.sh Fri Jan 24 15:29:33 2020 (r357082) @@ -69,16 +69,26 @@ create_trusted_link() return 1 fi [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" - [ $NOOP -eq 0 ] && ln -fs "$1" "$CERTDESTDIR/$hash.0" + [ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$CERTDESTDIR/$hash.0" } create_blacklisted() { - local hash + local hash srcfile filename - hash=$( do_hash "$1" ) || return - [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to blacklist" - [ $NOOP -eq 0 ] && ln -fs "$1" "$BLACKLISTDESTDIR/$hash.0" + # If it exists as a file, we'll try that; otherwise, we'll scan + if [ -e "$1" ]; then + hash=$( do_hash "$1" ) || return + srcfile=$(realpath "$1") + filename="$hash.0" + elif [ -e "${CERTDESTDIR}/$1" ]; then + srcfile=$(realpath "${CERTDESTDIR}/$1") + filename="$1" + else + return + fi + [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" + [ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename" } do_scan() Modified: stable/11/usr.sbin/etcupdate/etcupdate.sh ============================================================================== --- stable/11/usr.sbin/etcupdate/etcupdate.sh Fri Jan 24 14:58:02 2020 (r357081) +++ stable/11/usr.sbin/etcupdate/etcupdate.sh Fri Jan 24 15:29:33 2020 (r357082) @@ -595,6 +595,12 @@ post_install_file() NEWALIAS_WARN=yes fi ;; + /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + log "certctl rehash" + if [ -z "$dryrun" ]; then + env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1 + fi + ;; /etc/login.conf) log "cap_mkdb ${DESTDIR}$1" if [ -z "$dryrun" ]; then Modified: stable/11/usr.sbin/mergemaster/mergemaster.sh ============================================================================== --- stable/11/usr.sbin/mergemaster/mergemaster.sh Fri Jan 24 14:58:02 2020 (r357081) +++ stable/11/usr.sbin/mergemaster/mergemaster.sh Fri Jan 24 15:29:33 2020 (r357082) @@ -863,6 +863,9 @@ mm_install () { /etc/mail/aliases) NEED_NEWALIASES=yes ;; + /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + NEED_CERTCTL=yes + ;; /etc/login.conf) NEED_CAP_MKDB=yes ;; @@ -1331,6 +1334,23 @@ case "${NEED_PWD_MKDB}" in echo " '/usr/sbin/pwd_mkdb -p /etc/master.passwd'" echo " to rebuild your password files" run_it_now '/usr/sbin/pwd_mkdb -p /etc/master.passwd' + fi + ;; +esac + +case "${NEED_CERTCTL}" in +'') ;; +*) + echo '' + echo "*** You installed files in /etc/ssl/certs, so make sure that you run" + if [ -n "${DESTDIR}" ]; then + echo " 'env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash" + else + echo " '/usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "/usr/sbin/certctl rehash" fi ;; esac
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202001241529.00OFTXvc095041>