secure/caroot, certctl: Rename secure/caroot/blacklisted

Old certctl commands still work for compatability, but are deprecated.

Approved by:	secteam (gordon)
Differential Revision: https://reviews.freebsd.org/D30807

ObsoleteFiles.inc

@@ -44,6 +44,44 @@
 OLD_FILES+=usr/share/man/man9/crypto_cursor_segbase.9.gz
 OLD_FILES+=usr/share/man/man9/crypto_cursor_seglen.9.gz
 
+# 20210618: rename of usr/share/certs/blacklisted
+OLD_FILES+=usr/share/certs/blacklisted/AddTrust_External_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Global_Chambersign_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Certum_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
+OLD_FILES+=usr/share/certs/blacklisted/D-TRUST_Root_CA_3_2013.pem
+OLD_FILES+=usr/share/certs/blacklisted/EC-ACC.pem
+OLD_FILES+=usr/share/certs/blacklisted/EE_Certification_Centre_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Global_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA_2.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Global_Chambersign_Root_-_2008.pem
+OLD_FILES+=usr/share/certs/blacklisted/LuxTrust_Global_Root_2.pem
+OLD_FILES+=usr/share/certs/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/SwissSign_Platinum_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
+OLD_FILES+=usr/share/certs/blacklisted/Taiwan_GRCA.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
+OLD_DIRS+=usr/share/certs/blacklisted
 # 20210613: new clang import which bumps version from 11.0.1 to 12.0.0.
 OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/algorithm
 OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/complex

UPDATING

@@ -27,6 +27,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
 	world, or to merely disable the most expensive debugging functionality
 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+202106xx:
+	The directory "blacklisted" under /usr/share/certs/ has been
+	renamed to "untrusted".
+
 20210611:
 	svnlite has been removed from base. Should you need svn for any reason
 	please install the svn package or port.

etc/mtree/BSD.usr.dist

@@ -205,10 +205,10 @@
             ..
         ..
         certs
-            blacklisted tags=package=caroot
-            ..
             trusted tags=package=caroot
             ..
+            untrusted tags=package=caroot
+            ..
         ..
         dict
         ..

secure/caroot/Makefile

@@ -3,7 +3,7 @@
 CLEANFILES+=	certdata.txt
 
 SUBDIR+=	trusted
-SUBDIR+=	blacklisted
+SUBDIR+=	untrusted
 
 .include <bsd.obj.mk>
 

secure/caroot/README

@@ -14,8 +14,8 @@ It will:
 
 Then the results should manually be inspected (svn status)
 	1) Any no-longer-trusted certificates should be moved to the
-	blacklisted directory (svn mv)
-	2) any newly added certificates will need to be added (svn add)
+	untrusted directory (git mv)
+	2) any newly added certificates will need to be added (git add)
 
 
 The following make targets exist:

secure/caroot/blacklisted/Makefile

@@ -1,9 +0,0 @@
-# $FreeBSD$
-
-BINDIR=		/usr/share/certs/blacklisted
-
-BLACKLISTED_CERTS!=	echo ${.CURDIR}/*.pem 2> /dev/null || true
-
-FILES+=	 ${BLACKLISTED_CERTS}
-
-.include <bsd.prog.mk>

secure/caroot/untrusted/Makefile

@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+BINDIR=		/usr/share/certs/untrusted
+
+UNTRUSTED_CERTS!=	echo ${.CURDIR}/*.pem 2> /dev/null || true
+
+FILES+=	 ${UNTRUSTED_CERTS}
+
+.include <bsd.prog.mk>

usr.sbin/certctl/certctl.8

@@ -26,19 +26,19 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 7, 2021
+.Dd June 18, 2021
 .Dt CERTCTL 8
 .Os
 .Sh NAME
 .Nm certctl
-.Nd "tool for managing trusted and blacklist TLS certificates"
+.Nd "tool for managing trusted and untrusted TLS certificates"
 .Sh SYNOPSIS
 .Nm
 .Op Fl v
 .Ic list
 .Nm
 .Op Fl v
-.Ic blacklisted
+.Ic untrusted
 .Nm
 .Op Fl nUv
 .Op Fl D Ar destdir
@@ -46,10 +46,10 @@
 .Ic rehash
 .Nm
 .Op Fl nv
-.Ic blacklist Ar file
+.Ic untrust Ar file
 .Nm
 .Op Fl nv
-.Ic unblacklist Ar file
+.Ic trust Ar file
 .Sh DESCRIPTION
 The
 .Nm
@@ -72,28 +72,28 @@ Do record the ownership in the METALOG file.
 .El
 .Pp
 Primary command functions:
-.Bl -tag -width blacklisted
+.Bl -tag -width untrusted
 .It Ic list
 List all currently trusted certificate authorities.
-.It Ic blacklisted
-List all currently blacklisted certificates.
+.It Ic untrusted
+List all currently untrusted certificates.
 .It Ic rehash
 Rebuild the list of trusted certificate authorities by scanning all directories
 in
 .Ev TRUSTPATH
-and all blacklisted certificates in
-.Ev BLACKLISTPATH .
+and all untrusted certificates in
+.Ev UNTRUSTPATH .
 A symbolic link to each trusted certificate is placed in
 .Ev CERTDESTDIR
-and each blacklisted certificate in
-.Ev BLACKLISTDESTDIR .
-.It Ic blacklist
-Add the specified file to the blacklist.
-.It Ic unblacklist
-Remove the specified file from the blacklist.
+and each untrusted certificate in
+.Ev UNTRUSTDESTDIR .
+.It Ic untrust
+Add the specified file to the untrusted list.
+.It Ic trust
+Remove the specified file from the untrusted list.
 .El
 .Sh ENVIRONMENT
-.Bl -tag -width BLACKLISTDESTDIR
+.Bl -tag -width UNTRUSTDESTDIR
 .It Ev DESTDIR
 Alternate destination directory to operate on.
 .It Ev TRUSTPATH
@@ -101,19 +101,20 @@ List of paths to search for trusted certificates.
 Default:
 .Pa <DESTDIR>/usr/share/certs/trusted
 .Pa <DESTDIR>/usr/local/share/certs <DESTDIR>/usr/local/etc/ssl/certs
-.It Ev BLACKLISTPATH
-List of paths to search for blacklisted certificates.
+.It Ev UNTRUSTPATH
+List of paths to search for untrusted certificates.
 Default:
-.Pa <DESTDIR>/usr/share/certs/blacklisted
+.Pa <DESTDIR>/usr/share/certs/untrusted
+.Pa <DESTDIR>/usr/local/etc/ssl/untrusted
 .Pa <DESTDIR>/usr/local/etc/ssl/blacklisted
 .It Ev CERTDESTDIR
 Destination directory for symbolic links to trusted certificates.
 Default:
 .Pa <DESTDIR>/etc/ssl/certs
-.It Ev BLACKLISTDESTDIR
-Destination directory for symbolic links to blacklisted certificates.
+.It Ev UNTRUSTDESTDIR
+Destination directory for symbolic links to untrusted certificates.
 Default:
-.Pa <DESTDIR>/etc/ssl/blacklisted
+.Pa <DESTDIR>/etc/ssl/untrusted
 .It Ev EXTENSIONS
 List of file extensions to read as certificate files.
 Default: *.pem *.crt *.cer *.crl *.0

usr.sbin/certctl/certctl.sh

@@ -79,10 +79,10 @@ create_trusted_link()
 
 	hash=$( do_hash "$1" ) || return
 	certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint )
-	for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
+	for blistfile in $(find $UNTRUSTDESTDIR -name "$hash.*"); do
 		blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint )
 		if [ "$certhash" = "$blisthash" ]; then
-			echo "Skipping blacklisted certificate $1 ($blistfile)"
+			echo "Skipping untrusted certificate $1 ($blistfile)"
 			return 1
 		fi
 	done
@@ -102,19 +102,19 @@ resolve_certname()
 	if [ -e "$1" ]; then
 		hash=$( do_hash "$1" ) || return
 		srcfile=$(realpath "$1")
-		suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
+		suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash")
 		filename="$hash.$suffix"
 		echo "$srcfile" "$hash.$suffix"
 	elif [ -e "${CERTDESTDIR}/$1" ];  then
 		srcfile=$(realpath "${CERTDESTDIR}/$1")
 		hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//')
-		suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
+		suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash")
 		filename="$hash.$suffix"
 		echo "$srcfile" "$hash.$suffix"
 	fi
 }
 
-create_blacklisted()
+create_untrusted()
 {
 	local srcfile filename
 
@@ -126,8 +126,8 @@ create_blacklisted()
 		return
 	fi
 
-	[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
-	[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
+	[ $VERBOSE -gt 0 ] && echo "Adding $filename to untrusted list"
+	[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename"
 }
 
 do_scan()
@@ -185,14 +185,14 @@ cmd_rehash()
 		else
 			mkdir -p "$CERTDESTDIR"
 		fi
-		if [ -e "$BLACKLISTDESTDIR" ]; then
-			find "$BLACKLISTDESTDIR" -type link -delete
+		if [ -e "$UNTRUSTDESTDIR" ]; then
+			find "$UNTRUSTDESTDIR" -type link -delete
 		else
-			mkdir -p "$BLACKLISTDESTDIR"
+			mkdir -p "$UNTRUSTDESTDIR"
 		fi
 	fi
 
-	do_scan create_blacklisted "$BLACKLISTPATH"
+	do_scan create_untrusted "$UNTRUSTPATH"
 	do_scan create_trusted_link "$TRUSTPATH"
 }
 
@@ -202,19 +202,19 @@ cmd_list()
 	do_list "$CERTDESTDIR"
 }
 
-cmd_blacklist()
+cmd_untrust()
 {
 	local BPATH
 
 	shift # verb
-	[ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
+	[ $NOOP -eq 0 ] && mkdir -p "$UNTRUSTDESTDIR"
 	for BFILE in "$@"; do
-		echo "Adding $BFILE to blacklist"
-		create_blacklisted "$BFILE"
+		echo "Adding $BFILE to untrusted list"
+		create_untrusted "$BFILE"
 	done
 }
 
-cmd_unblacklist()
+cmd_trust()
 {
 	local BFILE blisthash certhash hash
 
@@ -223,16 +223,16 @@ cmd_unblacklist()
 		if [ -s "$BFILE" ]; then
 			hash=$( do_hash "$BFILE" )
 			certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint )
-			for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
+			for BLISTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*"); do
 				blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint )
 				if [ "$certhash" = "$blisthash" ]; then
-					echo "Removing $(basename "$BLISTEDFILE") from blacklist"
+					echo "Removing $(basename "$BLISTEDFILE") from untrusted list"
 					[ $NOOP -eq 0 ] && rm -f $BLISTEDFILE
 				fi
 			done
-		elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
-			echo "Removing $BFILE from blacklist"
-			[ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE"
+		elif [ -e "$UNTRUSTDESTDIR/$BFILE" ]; then
+			echo "Removing $BFILE from untrusted list"
+			[ $NOOP -eq 0 ] && rm -f "$UNTRUSTDESTDIR/$BFILE"
 		else
 			echo "Cannot find $BFILE" >&2
 			ERRORS=$(( $ERRORS + 1 ))
@@ -240,10 +240,10 @@ cmd_unblacklist()
 	done
 }
 
-cmd_blacklisted()
+cmd_untrusted()
 {
-	echo "Listing Blacklisted Certificates:"
-	do_list "$BLACKLISTDESTDIR"
+	echo "Listing Untrusted Certificates:"
+	do_list "$UNTRUSTDESTDIR"
 }
 
 usage()
@@ -252,14 +252,14 @@ usage()
 	echo "Manage the TLS trusted certificates on the system"
 	echo "	$SCRIPTNAME [-v] list"
 	echo "		List trusted certificates"
-	echo "	$SCRIPTNAME [-v] blacklisted"
-	echo "		List blacklisted certificates"
+	echo "	$SCRIPTNAME [-v] untrusted"
+	echo "		List untrusted certificates"
 	echo "	$SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash"
 	echo "		Generate hash links for all certificates"
-	echo "	$SCRIPTNAME [-nv] blacklist <file>"
-	echo "		Add <file> to the list of blacklisted certificates"
-	echo "	$SCRIPTNAME [-nv] unblacklist <file>"
-	echo "		Remove <file> from the list of blacklisted certificates"
+	echo "	$SCRIPTNAME [-nv] untrust <file>"
+	echo "		Add <file> to the list of untrusted certificates"
+	echo "	$SCRIPTNAME [-nv] trust <file>"
+	echo "		Remove <file> from the list of untrusted certificates"
 	exit 64
 }
 
@@ -281,17 +281,20 @@ INSTALLFLAGS=
 [ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}"
 : ${LOCALBASE:=$(sysctl -n user.localbase)}
 : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs}
-: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted}
+: ${UNTRUSTPATH:=${DESTDIR}/usr/share/certs/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted}
 : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
-: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
+: ${UNTRUSTDESTDIR:=${DESTDIR}/etc/ssl/untrusted}
 
 [ $# -gt 0 ] || usage
 case "$1" in
 list)		cmd_list ;;
 rehash)		cmd_rehash ;;
-blacklist)	cmd_blacklist "$@" ;;
-unblacklist)	cmd_unblacklist "$@" ;;
-blacklisted)	cmd_blacklisted ;;
+blacklist)	cmd_untrust "$@" ;;
+untrust)	cmd_untrust "$@" ;;
+trust)		cmd_trust "$@" ;;
+unblacklist)	cmd_trust "$@" ;;
+untrusted)	cmd_untrusted ;;
+blacklisted)	cmd_untrusted ;;
 *)		usage # NOTREACHED
 esac
 

usr.sbin/etcupdate/etcupdate.sh

@@ -600,7 +600,7 @@ post_install_file()
 				NEWALIAS_WARN=yes
 			fi
 			;;
-		/usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+		/usr/share/certs/trusted/* | /usr/share/certs/untrusted/*)
 			log "certctl rehash"
 			if [ -z "$dryrun" ]; then
 				env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1

usr.sbin/mergemaster/mergemaster.sh

@@ -884,7 +884,7 @@ mm_install () {
     /etc/mail/aliases)
       NEED_NEWALIASES=yes
       ;;
-    /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+    /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*)
       NEED_CERTCTL=yes
       ;;
     /etc/login.conf)