370508 |
04-Sep-2021 |
kevans |
caroot: update CA bundle processor
Our current processor was identified as trusting certs not explicitly marked for SERVER_AUTH, as well as certs that were tagged with DISTRUST_AFTER.
Update the script to handle both scenarios. This patch was originally authored by mandree@ for ports, and it was subsequently ported to base caroot.
(cherry picked from commit c3510c941c0dddd09389915a9395e6f059088bab)
Git Hash: a12641eaecc3dab730b27149b7d48fb0a86d38c7 Git Author: kevans@FreeBSD.org |
364793 |
26-Aug-2020 |
kevans |
Partial revert of r364792: caroot: switch to using echo+shell glob
On stable/11, I mistakenly only tested installation of trusted certs. When the dir is empty, the glob remains unexpanded when it gets added to FILES.
On stable/11 (but not 12 or head), this ends up being erroneous; it kind of looks like the glob is being expanded to a single-word empty string rather than leaving us with an empty FILES. Regardless, this isn't worth fixing on stable/11, so back it out. |
364792 |
26-Aug-2020 |
kevans |
MFC r364600: caroot: switch to using echo+shell glob to enumerate certs
This solves an issue on stable/12 that causes certs to not get installed. ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up blank and nothing gets installed. We don't really require anything ls-specific, though, so let's just simplify it. |
357633 |
06-Feb-2020 |
kevans |
MFC r357193: caroot: blacklisted: automatically pick up *.pem in the tree
This kind of automagica got picked up in trusted/ prior to the initial commit, but never got applied over in blacklisted. Ideally no one will be using blacklisted/ to store arbitrary certs that they don't intend to blacklist, so we should just install anything that's in here rather than force consumer to first copy cert into place and then modify the file listing in the Makefile.
Wise man once say: "it is better to restrict too much, than not enough. sometimes." |
357192 |
28-Jan-2020 |
kevans |
MFC r357084: caroot: use bsd.obj.mk, not bsd.prog.mk
This directory stages certdata into .OBJDIR and processes it, but does not actually build a prog-shaped object; bsd.obj.mk provides the minimal support that we actually need, an .OBJDIR and descent into subdirs. This is admittedly the nittiest of nits. |
357082 |
24-Jan-2020 |
kevans |
MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure
Infrastructure only -- no plans in place currently to commit any certs to these branches.
r352948: [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle to base.
This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions
A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts.
This work was done primarily by allanjude@, with minor contributions by myself.
r352949: [2/3] Add certctl(8)
This is a simple utility to hash all trusted on the system into /etc/ssl/certs. It also allows the user to blacklist certificates they do not trust.
This work was done primarily by allanjude@, with minor contributions by myself.
r352950: [3/3] etcupdate and mergemaster support for certctl
This commit adds support for certctl in mergemaster and etcupdate. Both will either rehash or prompt for rehash as new certificates are trusted/blacklisted.
This work was done primarily by allanjude@, with minor contributions by myself.
r352951: caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them.
r353002: Unbreak etcupdate(8) and mergemaster(8) after r352950
r352950 introduced improper case fall-through for shell scripts. Fix it with a pipe.
r353066: certctl(8): realpath the file before creating the symlink
Otherwise we end up creating broken relative symlinks in /etc/ssl/blacklisted.
r353070: certctl(8): let one blacklist based on hashed filenames
It seems reasonable to allow, for instance:
$ certctl list
# reviews output -- ah, yeah, I don't trust that one
$ certctl blacklist ce5e74ef.0
$ certctl rehash
We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've described it to them in `certctl list` output -- I see little sense in forcing another level of filesystem inspection to determine what cert file this physically corresponds to.
Relnotes: yes |
352948 |
02-Oct-2019 |
kevans |
[1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle to base.
This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions
A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts.
This work was done primarily by allanjude@, with minor contributions by myself.
No objection from: secteam
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16856
|