]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: adae8af) | patch
MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure
authorKyle Evans <kevans@FreeBSD.org>
Fri, 24 Jan 2020 15:29:33 +0000 (15:29 +0000)
committerKyle Evans <kevans@FreeBSD.org>
Fri, 24 Jan 2020 15:29:33 +0000 (15:29 +0000)
commitf26c34220a07be30602c7356b1c6cb1860eb2c4d
tree286e66d15af1559c7a15e9d192e3f855438664fftree | snapshot
parentadae8af6c5163d774bdd53ba8017c23cd57b8ab0commit | diff
MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure

Infrastructure only -- no plans in place currently to commit any certs to
these branches.

r352948:
[1/3] Initial infrastructure for SSL root bundle in base

This setup will add the trusted certificates from the Mozilla NSS bundle
to base.

This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions

A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.

This work was done primarily by allanjude@, with minor contributions by
myself.

r352949:
[2/3] Add certctl(8)

This is a simple utility to hash all trusted on the system into
/etc/ssl/certs. It also allows the user to blacklist certificates they do
not trust.

This work was done primarily by allanjude@, with minor contributions by
myself.

r352950:
[3/3] etcupdate and mergemaster support for certctl

This commit add support for certctl in mergemaster and etcupdate. Both will
either rehash or prompt for rehash as new certificates are
trusted/blacklisted.

This work was done primarily by allanjude@, with minor contributions by
myself.

r352951:
caroot: add @generated tags to extracted .pem

As is the current trend; while these files are manually curated, they are
still generated.  If they end up in a review, it would be helpful to also
take the hint and hide them.

r353002:
Unbreak etcupdate(8) and mergemaster(8) after r352950

r352950 introduced improper case fall-through for shell scripts. Fix it with
a pipe.

r353066:
certctl(8): realpath the file before creating the symlink

Otherwise we end up creating broken relative symlinks in
/etc/ssl/blacklisted.

r353070:
certctl(8): let one blacklist based on hashed filenames

It seems reasonable to allow, for instance:

$ certctl list
# reviews output -- ah, yeah, I don't trust that one
$ certctl blacklist ce5e74ef.0
$ certctl rehash

We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've
described it to them in `certctl list` output -- I see little sense in
forcing another level of filesystem inspection to determien what cert file
this physically corresponds to.

Relnotes: yes
14 files changed:
etc/mtree/BSD.usr.dist diff | blob | history
secure/Makefile diff | blob | history
secure/caroot/MAca-bundle.pl [new file with mode: 0755] blob
secure/caroot/Makefile [new file with mode: 0644] blob
secure/caroot/README [new file with mode: 0644] blob
secure/caroot/blacklisted/Makefile [new file with mode: 0644] blob
secure/caroot/trusted/Makefile [new file with mode: 0644] blob
share/mk/src.opts.mk diff | blob | history
usr.sbin/Makefile diff | blob | history
usr.sbin/certctl/Makefile [new file with mode: 0644] blob
usr.sbin/certctl/certctl.8 [new file with mode: 0644] blob
usr.sbin/certctl/certctl.sh [new file with mode: 0755] blob
usr.sbin/etcupdate/etcupdate.sh diff | blob | history
usr.sbin/mergemaster/mergemaster.sh diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.