Revert "certctl: Fix bootstrap build"

This reverts commit 42ac41983e.
This commit is contained in:
Dag-Erling Smørgrav
2025-08-14 00:37:52 +02:00
parent 42ac41983e
commit 2f8bbfe587
3 changed files with 30 additions and 77 deletions
+1 -5
View File
@@ -3,12 +3,8 @@
PACKAGE= certctl
PROG= certctl
MAN= certctl.8
LIBADD= crypto util
LIBADD= crypto
HAS_TESTS=
SUBDIR.${MK_TESTS}= tests
.ifdef BOOTSTRAPPING
CFLAGS+=-DBOOTSTRAPPING
.endif
.include <bsd.prog.mk>
+1 -6
View File
@@ -38,7 +38,7 @@
.Op Fl lv
.Ic untrusted
.Nm
.Op Fl BNnUv
.Op Fl BnUv
.Op Fl D Ar destdir
.Op Fl M Ar metalog
.Ic rehash
@@ -75,11 +75,6 @@ default:
This option is only valid in conjunction with the
.Ic rehash
command.
.It Fl N
Base the file name on the certificate's name instead of its hash.
This option is only valid in conjunction with the
.Ic rehash
command.
.It Fl n
Dry-run mode.
Do not actually perform any actions except write the metalog.
+28 -66
View File
@@ -4,6 +4,7 @@
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <sys/sysctl.h>
#include <sys/stat.h>
#include <sys/tree.h>
@@ -12,8 +13,6 @@
#include <errno.h>
#include <fcntl.h>
#include <fts.h>
#include <libgen.h>
#include <libutil.h>
#include <paths.h>
#include <stdbool.h>
#include <stdio.h>
@@ -21,7 +20,6 @@
#include <string.h>
#include <unistd.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#define info(fmt, ...) \
@@ -60,7 +58,6 @@ static void usage(void);
static bool dryrun;
static bool longnames;
static bool nobundle;
static bool nohash;
static bool unprivileged;
static bool verbose;
@@ -384,58 +381,14 @@ write_certs(const char *dir, struct cert_tree *tree)
if (file->c == INT_MAX)
errx(1, "unable to disambiguate %08lx", cert->hash);
free(cert->path);
if (nohash) {
X509_NAME *xn;
X509_NAME_ENTRY *xe;
ASN1_STRING *as;
unsigned char *us = NULL;
int xi, usl;
xn = X509_get_subject_name(cert->x509);
xi = X509_NAME_get_index_by_NID(xn, NID_commonName, -1);
if (xi < 0) {
warnx("%08lx.%d: certificate has no CN",
cert->hash, file->c);
xi = X509_NAME_get_index_by_NID(xn,
NID_organizationalUnitName, -1);
}
if (xi < 0) {
warnx("%08lx.%d: certificate has no OU",
cert->hash, file->c);
xi = X509_NAME_get_index_by_NID(xn,
NID_organizationName, -1);
}
if (xi < 0) {
warnx("%08lx.%d: certificate has no O",
cert->hash, file->c);
cert->path = xasprintf("%08lx.%d", cert->hash,
file->c);
}
xe = X509_NAME_get_entry(xn, xi);
as = X509_NAME_ENTRY_get_data(xe);
usl = ASN1_STRING_to_UTF8(&us, as);
if (usl < 0) {
errx(1, "%08lx.%d: %s", cert->hash, file->c,
ERR_error_string(ERR_get_error(), NULL));
}
cert->path = xasprintf("%s.pem", (char *)us);
OPENSSL_free(us);
} else {
cert->path = xasprintf("%08lx.%d", cert->hash, file->c);
}
cert->path = xasprintf("%08lx.%d", cert->hash, file->c);
}
/*
* Open and scan the directory.
*/
if ((d = open(dir, O_DIRECTORY | O_RDONLY)) < 0 ||
#ifdef BOOTSTRAPPING
(ndents = scandir(dir, &dents, NULL, lexisort))
#else
(ndents = fdscandir(d, &dents, NULL, lexisort))
#endif
< 0)
(ndents = fdscandir(d, &dents, NULL, lexisort)) < 0)
err(1, "%s", dir);
/*
* Iterate over the directory listing and the certificate listing
* in parallel. If the directory listing gets ahead of the
@@ -645,7 +598,7 @@ load_trusted(bool all, struct cert_tree *exclude)
* Returns the number of certificates loaded.
*/
static unsigned int
load_untrusted(bool all, struct cert_tree *exclude)
load_untrusted(bool all)
{
char *path;
unsigned int i, n;
@@ -653,19 +606,19 @@ load_untrusted(bool all, struct cert_tree *exclude)
/* load external untrusted certs */
for (i = n = 0; all && untrusted_paths[i] != NULL; i++) {
ret = read_certs(untrusted_paths[i], &untrusted, exclude);
ret = read_certs(untrusted_paths[i], &untrusted, NULL);
if (ret > 0)
n += ret;
}
/* load installed untrusted certs */
ret = read_certs(untrusted_dest, &untrusted, exclude);
ret = read_certs(untrusted_dest, &untrusted, NULL);
if (ret > 0)
n += ret;
/* load legacy untrusted certs */
path = expand_path(LEGACY_PATH);
ret = read_certs(path, &untrusted, exclude);
ret = read_certs(path, &untrusted, NULL);
if (ret > 0) {
warnx("certificates found in legacy directory %s",
path);
@@ -795,7 +748,7 @@ certctl_untrusted(int argc, char **argv __unused)
if (argc > 1)
usage();
/* load untrusted certificates */
load_untrusted(false, NULL);
load_untrusted(false);
/* list them */
list_certs(&untrusted);
free_certs(&untrusted);
@@ -822,7 +775,7 @@ certctl_rehash(int argc, char **argv __unused)
}
/* load untrusted certs first */
load_untrusted(true, NULL);
load_untrusted(true);
/* load trusted certs, excluding any that are already untrusted */
load_trusted(true, &untrusted);
@@ -855,7 +808,7 @@ certctl_trust(int argc, char **argv)
usage();
/* load untrusted certs first */
load_untrusted(true, NULL);
load_untrusted(true);
/* load trusted certs, excluding any that are already untrusted */
load_trusted(true, &untrusted);
@@ -916,7 +869,7 @@ certctl_untrust(int argc, char **argv)
usage();
/* load untrusted certs first */
load_untrusted(true, NULL);
load_untrusted(true);
/* now load the additional untrusted certificates */
n = 0;
@@ -947,10 +900,22 @@ static void
set_defaults(void)
{
const char *value;
char *str;
size_t len;
if (localbase == NULL &&
(localbase = getenv("LOCALBASE")) == NULL)
localbase = getlocalbase();
(localbase = getenv("LOCALBASE")) == NULL) {
if ((str = malloc((len = PATH_MAX) + 1)) == NULL)
err(1, NULL);
while (sysctlbyname("user.localbase", str, &len, NULL, 0) < 0) {
if (errno != ENOMEM)
err(1, "sysctl(user.localbase)");
if ((str = realloc(str, len + 1)) == NULL)
err(1, NULL);
}
str[len] = '\0';
localbase = str;
}
if (destdir == NULL &&
(destdir = getenv("DESTDIR")) == NULL)
@@ -1019,7 +984,7 @@ usage(void)
{
fprintf(stderr, "usage: certctl [-lv] [-D destdir] list\n"
" certctl [-lv] [-D destdir] untrusted\n"
" certctl [-BNnUv] [-D destdir] [-M metalog] rehash\n"
" certctl [-BnUv] [-D destdir] [-M metalog] rehash\n"
" certctl [-nv] [-D destdir] untrust <file>\n"
" certctl [-nv] [-D destdir] trust <file>\n");
exit(1);
@@ -1031,7 +996,7 @@ main(int argc, char *argv[])
const char *command;
int opt;
while ((opt = getopt(argc, argv, "BcD:g:lL:M:Nno:Uv")) != -1)
while ((opt = getopt(argc, argv, "BcD:g:lL:M:no:Uv")) != -1)
switch (opt) {
case 'B':
nobundle = true;
@@ -1054,9 +1019,6 @@ main(int argc, char *argv[])
case 'M':
metalog = optarg;
break;
case 'N':
nohash = true;
break;
case 'n':
dryrun = true;
break;
@@ -1081,7 +1043,7 @@ main(int argc, char *argv[])
command = *argv;
if ((nobundle || nohash || unprivileged || metalog != NULL) &&
if ((nobundle || unprivileged || metalog != NULL) &&
strcmp(command, "rehash") != 0)
usage();
if (!unprivileged && metalog != NULL) {