certctl(8): let one blacklist based on hashed filenames

It seems reasonable to allow, for instance: $ certctl list # reviews output -- ah, yeah, I don't trust that one $ certctl blacklist ce5e74ef.0 $ certctl rehash We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've described it to them in `certctl list` output -- I see little sense in forcing another level of filesystem inspection to determien what cert file this physically corresponds to.
svn path=/head/; revision=353070
2019-10-03 20:45:52 +00:00 · 2019-10-03 20:45:52 +00:00 · 94a5245c4c · 2020-12-20 02:59:44 +00:00
commit 94a5245c4c
parent 5989470c37
1 changed files with 14 additions and 4 deletions
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@ -74,11 +74,21 @@ create_trusted_link()

 create_blacklisted()
 {
-	local hash
+	local hash srcfile filename

-	hash=$( do_hash "$1" ) || return
-	[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to blacklist"
-	[ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$BLACKLISTDESTDIR/$hash.0"
+	# If it exists as a file, we'll try that; otherwise, we'll scan
+	if [ -e "$1" ]; then
+		hash=$( do_hash "$1" ) || return
+		srcfile=$(realpath "$1")
+		filename="$hash.0"
+	elif [ -e "${CERTDESTDIR}/$1" ];  then
+		srcfile=$(realpath "${CERTDESTDIR}/$1")
+		filename="$1"
+	else
+		return
+	fi
+	[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
+	[ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename"
 }

 do_scan()