Commit Graph

17 Commits

Author SHA1 Message Date
Kyle Evans
3016c5c2bf caroot: reroll the remaining certs
This adds a specific note that these are explicitly trusted for
server auth.

MFC after:	3 days
2021-04-13 16:59:34 -05:00
Kyle Evans
fac832b271 caroot: remove certs distrusted for server auth
- Fifteen (15) removed

MFC after:	3 days
2021-04-13 16:59:34 -05:00
Kyle Evans
c3510c941c caroot: update CA bundle processor
Our current processor was identified as trusting cert not explicitly
marked for SERVER_AUTH, as well as certs that were tagged with
DISTRUST_AFTER.

Update the script to handle both scenarios. This patch was originally
authored by mandree@ for ports, and it was subsequently ported to base
caroot.

MFC after:	3 days
2021-04-13 16:59:24 -05:00
Kyle Evans
446169e0b6 caroot: routine cert update
- Three (3) added
- Two (2) removed

MFC after:	3 days
2021-04-13 16:56:03 -05:00
Kyle Evans
f20c0e3319 caroot: drop $FreeBSD$ expansion from root bundle
This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.

MFC after:	3 days
2020-12-27 21:47:41 -06:00
Kyle Evans
15d474afee caroot: update bundle
Summary:
- One (1) added
- Ten (10) removed

MFC after:	3 days
2020-12-11 18:14:43 +00:00
Kyle Evans
eef96401a9 caroot: update base store
Count:
- Two (2) removed
- Three (3) added

MFC after:	3 days
2020-09-19 01:59:17 +00:00
Kyle Evans
8e0dc55e68 caroot: properly remove old distrusted roots
The proper procedure was not followed in r364943; all of these that were
deleted should have instead been moved over to the blacklist so that certctl
can DTRT.

Users must still `certctl rehash` after this, but this should generally be
done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note
that freebsd-update doesn't come into play for this particular update, as
these have not yet made it into a release.

Future work (after svn -> git) will likely change the script that updatecert
invokes to facilitate the process, rather than trusting that kevans or
whomever updates in the future will remember.

Reported by:	Helge Oldach <freebsd oldach net>
MFC after:	3 days
2020-09-02 12:57:34 +00:00
Kyle Evans
681d595125 carrot: update bundle
Stats:
- Seven (7) removed
- Four (4) added

MFC after:	3 days
2020-08-29 02:46:25 +00:00
Kyle Evans
cc249d7800 caroot: switch to using echo+shell glob to enumerate certs
This solves an issue on stable/12 that causes certs to not get installed.
ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up
blank and nothing gets installed. We don't really require anything
ls-specific, though, so let's just simplify it.

MFC after:	3 days
2020-08-23 23:56:57 +00:00
Kyle Evans
fbd46fe94a pkgbase: fix caroot packaging and add post-install script
The original intention for caroot was to be packaged separately, perhaps so
that users can have a more/less conservative upgrade policy for this
separated from the rest of base.

secure/caroot/Makefile doesn't have anything interesting to package, but its
subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted
and trusted get packaged consistently into the correct one rather than the
default -utilities. Also tag the directories for package=caroot, as they
could also be empty; blacklisted is empty by default, but trusted is not.

Add a post-install script to do certctl rehash, along with a note should we
eventually come up with a way to detect that files have been added or
removed that requires a rehash.

-caroot gets a dependency on -utilities, as that's where we provide certctl
at the moment. We can perhaps reconsider this and put certctl into this
package in the future, but there are some bits within -utilities that
unconditionally invoke certctl so let's hold off for now.

Reviewed by:	manu (earlier version, before -utilities dep added)
Differential Revision:	https://reviews.freebsd.org/D23352
2020-01-29 18:47:08 +00:00
Kyle Evans
bb302e707a caroot: blacklisted: automatically pick up *.pem in the tree
This kind of automagica got picked up in trusted/ prior to the initial
commit, but never got applied over in blacklisted. Ideally no one will be
using blacklisted/ to store arbitrary certs that they don't intend to
blacklist, so we should just install anything that's in here rather than
force consumer to first copy cert into place and then modify the file
listing in the Makefile.

Wise man once say: "it is better to restrict too much, than not enough.
sometimes."
2020-01-28 03:02:18 +00:00
Kyle Evans
0428b669a6 caroot: use bsd.obj.mk, not bsd.prog.mk
This directory stages certdata into .OBJDIR and processes it, but does not
actually build a prog-shaped object; bsd.obj.mk provides the minimal support
that we actually need, an .OBJDIR and descent into subdirs. This is
admittedly the nittiest of nits.
2020-01-24 16:43:02 +00:00
Kyle Evans
ce32663b93 caroot update to latest tip: one (1) addition, none (0) removed
Added:
- Entrust Root Certification Authority - G4
2019-12-04 02:59:50 +00:00
Kyle Evans
b25bf676f0 caroot: commit initial bundle
Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
    certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
    certctl rehash

Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs

No objection from:	secteam
Relnotes:	Definite maybe
2019-10-04 02:34:20 +00:00
Kyle Evans
a9fe8c68aa caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are
still generated.  If they end up in a review, it would be helpful to also
take the hint and hide them.
2019-10-02 01:27:50 +00:00
Kyle Evans
f27f39db77 [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle
to base.

This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions

A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.

This work was done primarily by allanjude@, with minor contributions by
myself.

No objection from:	secteam
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16856
2019-10-02 01:05:29 +00:00