Commit Graph

15 Commits

Author SHA1 Message Date
Kyle Evans
8c4094f38c certctl: factor out certname resolution
create_blacklisted() will identify a cert whether it's provided a path to
a cert or the hash.serial format that is shown by `certctl list`.

Factor this logic out into a resolve_certname() so that it may be reused
elsewhere.
2021-01-08 22:36:22 -06:00
Kyle Evans
b799d38a2a certctl: replace hardcoded uses of /usr/local
Use the new user.localbase sysctl here as well, to reduce the number of
hardcoded localbase by one (1).

MFC after:	3 days (note: just use a literal /usr/local default)
2021-01-08 22:06:42 -06:00
Mateusz Piotrowski
0199cbf641 Fix a typo
MFC after:	3 days
2021-01-07 15:28:29 +01:00
Kyle Evans
9e9d3e134b certctl: fix unprivileged mode
The first issue was lack of quoting around INSTALLFLAGS, which set it
incorrectly and produced an error on -M.

The second issue was that we weren't actually doing the install in
unprivileged mode, making it effectively useless. This was designed to pass
through the proper metalog/unpriv flags to install(1), so just let it
happen.

MFC after:	3 days
2020-09-15 17:13:29 +00:00
Kyle Evans
05a16147fb certctl: fix hashed link generation with duplicate subjects
Currently, certctl rehash will just keep clobbering .0 rather than
incrementing the suffix upon encountering a duplicate. Do this, and do it
for blacklisted certs as well.

This also improves the situation with the blacklist to be a little less
flakey, comparing cert fingerprints for all certs with a matching subject
hash in the blacklist to determine if the cert we're looking at can be
installed.

Future work needs to completely revamp the blacklist to align more with how
it's described in PR 246614. In particular, /etc/ssl/blacklisted should go
away to avoid potential confusion -- OpenSSL will not read it, it's
basically certctl internal.

PR:		246614
Reviewed by:	Michael Osipov <michael.osipov siemens com>
Tested by:	Michael Osipov
With suggestions from:	Michael Osipov
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D26167
2020-09-09 09:08:09 +00:00
Kyle Evans
7e7655d7d7 certctl: fix test syntax
test doesn't understand &&, but it does understand -a.

MFC after:	1 week
2020-06-01 01:25:19 +00:00
Mark Johnston
b0763b5ddd certctl.8: Correct the HISTORY section.
certctl was merged to stable/12 after 12.1 was branched.

PR:		246190
Reported by:	Michael Osipov <michael.osipov@siemens.com>
MFC after:	3 days
2020-05-30 19:15:29 +00:00
Brooks Davis
48e9fb855b Add an unprivileged mode where calls to install are passed appropriate
flags.  For ease of integration, use the same flags as install:

 -U		unprivileged mode
 -D <destdir>	Specify DESTDIR (overrides the environment)
 -M <metalog>	Full path to METALOG file

Reviewed by:	kevans
Obtained from:	CheriBSD
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D24932
2020-05-22 17:45:07 +00:00
Kyle Evans
09841aabfa certctl: don't fall over flat with relative DESTDIR
Up until now, all of our DESTDIR use has been with absolute paths. It turned
out that the cd in/out dance we do here breaks us down later on, as the
relative path no longer resolves.

Convert EXTENSIONS to an ERE that we'll use to grep ls -1 of the dir we're
inspecting, rather than cd'ing into it and globbing it up.

MFC after:	3 days
2020-05-18 01:35:44 +00:00
Kyle Evans
5e6c628e4f certctl: follow-up to r361022, prune blacklist as well
Otherwise, removals from the blacklist may not get processed as they should.

While we're here, restructure these to not bother with mkdir(1) if we've
already tested them to exist.

MFC after:	3 days
2020-05-14 03:30:27 +00:00
Kyle Evans
bb33c91077 certctl(8): don't completely nuke $CERTDESTDIR
It's been reported/noted that a well-timed `certctl rehash` will completely
obliterate $CERTDESTDIR, which may get used by ports or system
administrators. While we can't guarantee the certctl semantics when other
non-certctl-controlled bits live here, we should make some amount of effort
to play nice.

Pruning all existing links, which we'll subsequently rebuild as needed, is
sufficient for our needs. This can still be destructive, but it's perhaps
less likely to cause issues.

I also note that we should probably be pruning /etc/ssl/blacklisted upon
rehash as well.

Reported by:	cem's dovecot server
MFC after:	3 days
2020-05-14 03:25:12 +00:00
Kyle Evans
946966d161 certctl(8): switch to install(1) to fix DESTDIR support
"Oops" - ln(1) is fine and dandy, but when you're using DESTDIR...it's not-
the path will almost certainly be invalid once the root you've just
installed to is relocated, perhaps to /.

Switch to install(1) using `-l rs` to calculate the relative symlink between
the two, which should work just fine in all cases.

MFC after:	1 week
2020-02-19 02:34:56 +00:00
Kyle Evans
94a5245c4c certctl(8): let one blacklist based on hashed filenames
It seems reasonable to allow, for instance:

$ certctl list
# reviews output -- ah, yeah, I don't trust that one
$ certctl blacklist ce5e74ef.0
$ certctl rehash

We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've
described it to them in `certctl list` output -- I see little sense in
forcing another level of filesystem inspection to determien what cert file
this physically corresponds to.
2019-10-03 20:45:52 +00:00
Kyle Evans
fa0e0c0269 certctl(8): realpath the file before creating the symlink
Otherwise we end up creating broken relative symlinks in
/etc/ssl/blacklisted.
2019-10-03 20:05:46 +00:00
Kyle Evans
ccdcb388ba [2/3] Add certctl(8)
This is a simple utility to hash all trusted on the system into
/etc/ssl/certs. It also allows the user to blacklist certificates they do
not trust.

This work was done primarily by allanjude@, with minor contributions by
myself.

No objection from:	secteam
Differential Revision:	https://reviews.freebsd.org/D16857
2019-10-02 01:05:53 +00:00