@@ -3,12 +3,8 @@
|
||||
PACKAGE= certctl
|
||||
PROG= certctl
|
||||
MAN= certctl.8
|
||||
LIBADD= crypto util
|
||||
LIBADD= crypto
|
||||
HAS_TESTS=
|
||||
SUBDIR.${MK_TESTS}= tests
|
||||
|
||||
.ifdef BOOTSTRAPPING
|
||||
CFLAGS+=-DBOOTSTRAPPING
|
||||
.endif
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
||||
@@ -38,7 +38,7 @@
|
||||
.Op Fl lv
|
||||
.Ic untrusted
|
||||
.Nm
|
||||
.Op Fl BNnUv
|
||||
.Op Fl BnUv
|
||||
.Op Fl D Ar destdir
|
||||
.Op Fl M Ar metalog
|
||||
.Ic rehash
|
||||
@@ -75,11 +75,6 @@ default:
|
||||
This option is only valid in conjunction with the
|
||||
.Ic rehash
|
||||
command.
|
||||
.It Fl N
|
||||
Base the file name on the certificate's name instead of its hash.
|
||||
This option is only valid in conjunction with the
|
||||
.Ic rehash
|
||||
command.
|
||||
.It Fl n
|
||||
Dry-run mode.
|
||||
Do not actually perform any actions except write the metalog.
|
||||
|
||||
+28
-66
@@ -4,6 +4,7 @@
|
||||
* SPDX-License-Identifier: BSD-2-Clause
|
||||
*/
|
||||
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/tree.h>
|
||||
|
||||
@@ -12,8 +13,6 @@
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <fts.h>
|
||||
#include <libgen.h>
|
||||
#include <libutil.h>
|
||||
#include <paths.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdio.h>
|
||||
@@ -21,7 +20,6 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
#define info(fmt, ...) \
|
||||
@@ -60,7 +58,6 @@ static void usage(void);
|
||||
static bool dryrun;
|
||||
static bool longnames;
|
||||
static bool nobundle;
|
||||
static bool nohash;
|
||||
static bool unprivileged;
|
||||
static bool verbose;
|
||||
|
||||
@@ -384,58 +381,14 @@ write_certs(const char *dir, struct cert_tree *tree)
|
||||
if (file->c == INT_MAX)
|
||||
errx(1, "unable to disambiguate %08lx", cert->hash);
|
||||
free(cert->path);
|
||||
if (nohash) {
|
||||
X509_NAME *xn;
|
||||
X509_NAME_ENTRY *xe;
|
||||
ASN1_STRING *as;
|
||||
unsigned char *us = NULL;
|
||||
int xi, usl;
|
||||
|
||||
xn = X509_get_subject_name(cert->x509);
|
||||
xi = X509_NAME_get_index_by_NID(xn, NID_commonName, -1);
|
||||
if (xi < 0) {
|
||||
warnx("%08lx.%d: certificate has no CN",
|
||||
cert->hash, file->c);
|
||||
xi = X509_NAME_get_index_by_NID(xn,
|
||||
NID_organizationalUnitName, -1);
|
||||
}
|
||||
if (xi < 0) {
|
||||
warnx("%08lx.%d: certificate has no OU",
|
||||
cert->hash, file->c);
|
||||
xi = X509_NAME_get_index_by_NID(xn,
|
||||
NID_organizationName, -1);
|
||||
}
|
||||
if (xi < 0) {
|
||||
warnx("%08lx.%d: certificate has no O",
|
||||
cert->hash, file->c);
|
||||
cert->path = xasprintf("%08lx.%d", cert->hash,
|
||||
file->c);
|
||||
}
|
||||
xe = X509_NAME_get_entry(xn, xi);
|
||||
as = X509_NAME_ENTRY_get_data(xe);
|
||||
usl = ASN1_STRING_to_UTF8(&us, as);
|
||||
if (usl < 0) {
|
||||
errx(1, "%08lx.%d: %s", cert->hash, file->c,
|
||||
ERR_error_string(ERR_get_error(), NULL));
|
||||
}
|
||||
cert->path = xasprintf("%s.pem", (char *)us);
|
||||
OPENSSL_free(us);
|
||||
} else {
|
||||
cert->path = xasprintf("%08lx.%d", cert->hash, file->c);
|
||||
}
|
||||
cert->path = xasprintf("%08lx.%d", cert->hash, file->c);
|
||||
}
|
||||
/*
|
||||
* Open and scan the directory.
|
||||
*/
|
||||
if ((d = open(dir, O_DIRECTORY | O_RDONLY)) < 0 ||
|
||||
#ifdef BOOTSTRAPPING
|
||||
(ndents = scandir(dir, &dents, NULL, lexisort))
|
||||
#else
|
||||
(ndents = fdscandir(d, &dents, NULL, lexisort))
|
||||
#endif
|
||||
< 0)
|
||||
(ndents = fdscandir(d, &dents, NULL, lexisort)) < 0)
|
||||
err(1, "%s", dir);
|
||||
|
||||
/*
|
||||
* Iterate over the directory listing and the certificate listing
|
||||
* in parallel. If the directory listing gets ahead of the
|
||||
@@ -645,7 +598,7 @@ load_trusted(bool all, struct cert_tree *exclude)
|
||||
* Returns the number of certificates loaded.
|
||||
*/
|
||||
static unsigned int
|
||||
load_untrusted(bool all, struct cert_tree *exclude)
|
||||
load_untrusted(bool all)
|
||||
{
|
||||
char *path;
|
||||
unsigned int i, n;
|
||||
@@ -653,19 +606,19 @@ load_untrusted(bool all, struct cert_tree *exclude)
|
||||
|
||||
/* load external untrusted certs */
|
||||
for (i = n = 0; all && untrusted_paths[i] != NULL; i++) {
|
||||
ret = read_certs(untrusted_paths[i], &untrusted, exclude);
|
||||
ret = read_certs(untrusted_paths[i], &untrusted, NULL);
|
||||
if (ret > 0)
|
||||
n += ret;
|
||||
}
|
||||
|
||||
/* load installed untrusted certs */
|
||||
ret = read_certs(untrusted_dest, &untrusted, exclude);
|
||||
ret = read_certs(untrusted_dest, &untrusted, NULL);
|
||||
if (ret > 0)
|
||||
n += ret;
|
||||
|
||||
/* load legacy untrusted certs */
|
||||
path = expand_path(LEGACY_PATH);
|
||||
ret = read_certs(path, &untrusted, exclude);
|
||||
ret = read_certs(path, &untrusted, NULL);
|
||||
if (ret > 0) {
|
||||
warnx("certificates found in legacy directory %s",
|
||||
path);
|
||||
@@ -795,7 +748,7 @@ certctl_untrusted(int argc, char **argv __unused)
|
||||
if (argc > 1)
|
||||
usage();
|
||||
/* load untrusted certificates */
|
||||
load_untrusted(false, NULL);
|
||||
load_untrusted(false);
|
||||
/* list them */
|
||||
list_certs(&untrusted);
|
||||
free_certs(&untrusted);
|
||||
@@ -822,7 +775,7 @@ certctl_rehash(int argc, char **argv __unused)
|
||||
}
|
||||
|
||||
/* load untrusted certs first */
|
||||
load_untrusted(true, NULL);
|
||||
load_untrusted(true);
|
||||
|
||||
/* load trusted certs, excluding any that are already untrusted */
|
||||
load_trusted(true, &untrusted);
|
||||
@@ -855,7 +808,7 @@ certctl_trust(int argc, char **argv)
|
||||
usage();
|
||||
|
||||
/* load untrusted certs first */
|
||||
load_untrusted(true, NULL);
|
||||
load_untrusted(true);
|
||||
|
||||
/* load trusted certs, excluding any that are already untrusted */
|
||||
load_trusted(true, &untrusted);
|
||||
@@ -916,7 +869,7 @@ certctl_untrust(int argc, char **argv)
|
||||
usage();
|
||||
|
||||
/* load untrusted certs first */
|
||||
load_untrusted(true, NULL);
|
||||
load_untrusted(true);
|
||||
|
||||
/* now load the additional untrusted certificates */
|
||||
n = 0;
|
||||
@@ -947,10 +900,22 @@ static void
|
||||
set_defaults(void)
|
||||
{
|
||||
const char *value;
|
||||
char *str;
|
||||
size_t len;
|
||||
|
||||
if (localbase == NULL &&
|
||||
(localbase = getenv("LOCALBASE")) == NULL)
|
||||
localbase = getlocalbase();
|
||||
(localbase = getenv("LOCALBASE")) == NULL) {
|
||||
if ((str = malloc((len = PATH_MAX) + 1)) == NULL)
|
||||
err(1, NULL);
|
||||
while (sysctlbyname("user.localbase", str, &len, NULL, 0) < 0) {
|
||||
if (errno != ENOMEM)
|
||||
err(1, "sysctl(user.localbase)");
|
||||
if ((str = realloc(str, len + 1)) == NULL)
|
||||
err(1, NULL);
|
||||
}
|
||||
str[len] = '\0';
|
||||
localbase = str;
|
||||
}
|
||||
|
||||
if (destdir == NULL &&
|
||||
(destdir = getenv("DESTDIR")) == NULL)
|
||||
@@ -1019,7 +984,7 @@ usage(void)
|
||||
{
|
||||
fprintf(stderr, "usage: certctl [-lv] [-D destdir] list\n"
|
||||
" certctl [-lv] [-D destdir] untrusted\n"
|
||||
" certctl [-BNnUv] [-D destdir] [-M metalog] rehash\n"
|
||||
" certctl [-BnUv] [-D destdir] [-M metalog] rehash\n"
|
||||
" certctl [-nv] [-D destdir] untrust <file>\n"
|
||||
" certctl [-nv] [-D destdir] trust <file>\n");
|
||||
exit(1);
|
||||
@@ -1031,7 +996,7 @@ main(int argc, char *argv[])
|
||||
const char *command;
|
||||
int opt;
|
||||
|
||||
while ((opt = getopt(argc, argv, "BcD:g:lL:M:Nno:Uv")) != -1)
|
||||
while ((opt = getopt(argc, argv, "BcD:g:lL:M:no:Uv")) != -1)
|
||||
switch (opt) {
|
||||
case 'B':
|
||||
nobundle = true;
|
||||
@@ -1054,9 +1019,6 @@ main(int argc, char *argv[])
|
||||
case 'M':
|
||||
metalog = optarg;
|
||||
break;
|
||||
case 'N':
|
||||
nohash = true;
|
||||
break;
|
||||
case 'n':
|
||||
dryrun = true;
|
||||
break;
|
||||
@@ -1081,7 +1043,7 @@ main(int argc, char *argv[])
|
||||
|
||||
command = *argv;
|
||||
|
||||
if ((nobundle || nohash || unprivileged || metalog != NULL) &&
|
||||
if ((nobundle || unprivileged || metalog != NULL) &&
|
||||
strcmp(command, "rehash") != 0)
|
||||
usage();
|
||||
if (!unprivileged && metalog != NULL) {
|
||||
|
||||
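Review bot: The realloc loop added in set_defaults only makes progress if sysctlbyname() rewrites `len` to the size actually required when it fails with ENOMEM; as far as I can tell the kernel's string handler reports the amount copied rather than the amount needed, so an ENOMEM on the first call would realloc to the same size and spin forever. In practice the initial PATH_MAX buffer is large enough for any path the kernel will hand back, which is presumably why this has not been observed, but that makes the loop dead code with a latent hang rather than a working retry. Either drop the loop and treat every failure as fatal, `if (sysctlbyname("user.localbase", str, &len, NULL, 0) < 0) err(1, "sysctl(user.localbase)");`, or grow the buffer explicitly on each iteration, e.g. `len *= 2;` before the realloc, so termination no longer depends on what the callee writes back. The trailing `str[len] = '\0';` relies on the extra byte from `len + 1`, which is fine, but a one-line comment such as `/* +1: room to NUL-terminate even if the value fills the buffer */` would make the intent explicit.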