The NetBSD Project

CVS log for src/usr.sbin/certctl/certctl.sh


Keyword substitution: kv
Default branch: MAIN


Revision 1.4.2.5
Mon Mar 11 17:50:04 2024 UTC (9 months ago) by martin
Branches: netbsd-10
CVS tags: netbsd-10-0-RELEASE, netbsd-10-0-RC6
Changes since revision 1.4.2.4: +2 -1 lines
Pull up following revision(s) (requested by riastradh in ticket #625):

	usr.sbin/certctl/certctl.sh: revision 1.7

certctl(8): Pacify formal POSIX sh syntax.

According to POSIX 2018, the syntax between `then' and `elif' and
`fi' must be a _non-empty_ list of commands:

compound_list    : linebreak term
                 | linebreak term separator
                 ;
...
if_clause        : If compound_list Then compound_list else_part Fi
                 | If compound_list Then compound_list           Fi
                 ;
else_part        : Elif compound_list Then compound_list
                 | Elif compound_list Then compound_list else_part
                 | Else compound_list
                 ;

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_10_02

NetBSD's sh(1) currently doesn't enforce this and allows an empty
sequence of commands, but let's not rely on that nonstandard quirk.

Noted in PR 57997.

Revision 1.4.2.4
Mon Mar 11 17:12:53 2024 UTC (9 months ago) by martin
Branches: netbsd-10
Changes since revision 1.4.2.3: +7 -11 lines
Pull up following revision(s) (requested by riastradh in ticket #621):

	usr.sbin/certctl/certctl.sh: revision 1.6

certctl(8): Avoid basename(1).

Saves some time running subprocesses.  Since this is only used for
non-directories (i.e., there's never trailing / on the inputs), it
suffices to delete the longest prefix matching glob `*/' with shell
parameter expansion -- much cheaper than spawning a subprocess.

Shaves off about 1/3 of the time spent in `certctl list' on an
aarch64 VM in qemu.

PR bin/57993

Revision 1.7
Mon Mar 4 20:37:31 2024 UTC (9 months, 1 week ago) by riastradh
Branches: MAIN
CVS tags: perseant-exfatfs-base-20240630, perseant-exfatfs-base, perseant-exfatfs, HEAD
Changes since revision 1.6: +2 -1 lines
certctl(8): Pacify formal POSIX sh syntax.

According to POSIX 2018, the syntax between `then' and `elif' and
`fi' must be a _non-empty_ list of commands:

compound_list    : linebreak term
                 | linebreak term separator
                 ;
...
if_clause        : If compound_list Then compound_list else_part Fi
                 | If compound_list Then compound_list           Fi
                 ;
else_part        : Elif compound_list Then compound_list
                 | Elif compound_list Then compound_list else_part
                 | Else compound_list
                 ;

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_10_02

NetBSD's sh(1) currently doesn't enforce this and allows an empty
sequence of commands, but let's not rely on that nonstandard quirk.

Noted in PR 57997.

Revision 1.6
Sun Mar 3 15:53:55 2024 UTC (9 months, 1 week ago) by riastradh
Branches: MAIN
Changes since revision 1.5: +7 -11 lines
certctl(8): Avoid basename(1).

Saves some time running subprocesses.  Since this is only used for
non-directories (i.e., there's never trailing / on the inputs), it
suffices to delete the longest prefix matching glob `*/' with shell
parameter expansion -- much cheaper than spawning a subprocess.

Shaves off about 1/3 of the time spent in `certctl list' on an
aarch64 VM in qemu.

PR bin/57993
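
The parameter-expansion technique from the revision 1.6 log message (pulled up as 1.4.2.4), as an added example that is not code from certctl.sh; the function names and sample paths are made up here. It goes one step beyond the commit by also showing what happens when the no-trailing-slash precondition does not hold.

```shell
#!/bin/sh
# Added illustration, not code from certctl.sh.  Function names, the
# $base result variable and the sample paths are assumptions.

# last_component PATH
#	Set $base to the final component of PATH by deleting the longest
#	prefix matching */ with parameter expansion: no fork, no exec.
#	Only valid when PATH has no trailing slash, which is the
#	precondition the log message states (inputs are never directories).
#	The result never passes through $(...), so a name that ends in a
#	newline keeps it; $(basename ...) would strip it.
last_component() {
	base=${1##*/}
}

# last_component_slashsafe PATH
#	Same, but first drop trailing slashes the way basename(1) does,
#	for callers that cannot guarantee the precondition.
last_component_slashsafe() {
	base=$1
	while [ "$base" != / ] && [ "${base%/}" != "$base" ]; do
		base=${base%/}
	done
	[ "$base" = / ] || base=${base##*/}
}

# Constructed sample paths (not taken from a real system).
for p in /etc/openssl/certs/2e5ac55d.0 ca-certificates.crt /etc/openssl/certs/; do
	last_component "$p";           fast=$base
	last_component_slashsafe "$p"; safe=$base
	printf '%-32s fast=[%s] safe=[%s]\n' "$p" "$fast" "$safe"
done
```

The last sample path shows the caveat: with a trailing slash the plain expansion yields an empty string, where basename(1) would print `certs`.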

Revision 1.4.2.3
Wed Sep 6 15:04:33 2023 UTC (15 months ago) by martin
Branches: netbsd-10
CVS tags: netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1
Changes since revision 1.4.2.2: +3 -2 lines
Pull up following revision(s) (requested by riastradh in ticket #350):

	tests/usr.sbin/certctl/t_certctl.sh: revision 1.10
	usr.sbin/certctl/certctl.sh: revision 1.5
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.9

certctl(8): Test permissions of ca-certificates.crt.

Inadvertently created 0600 instead of 0644 due to copying file
created by mktemp(1) with cp(1).

certctl(8): Fix permissions on ca-certificates.crt bundle: 0644.

While here, write it atomically: write to .tmp first, then rename
when done; this way applications never see a partially-written bundle
at /etc/openssl/certs/ca-certificates.crt.

Revision 1.5
Tue Sep 5 12:32:30 2023 UTC (15 months ago) by riastradh
Branches: MAIN
Changes since revision 1.4: +3 -2 lines
certctl(8): Fix permissions on ca-certificates.crt bundle: 0644.

While here, write it atomically: write to .tmp first, then rename
when done; this way applications never see a partially-written bundle
at /etc/openssl/certs/ca-certificates.crt.
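
The permissions bug and the write-to-.tmp-then-rename fix described in the revision 1.5 log message (pulled up as 1.4.2.3), as an added example that is not code from certctl.sh. The function names, the scratch directory layout and the placeholder file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not code from certctl.sh.  Function names, the
# directory layout and the sample data are assumptions.

# mode_of FILE: print the ls(1) permission string, e.g. -rw-r--r--
mode_of() {
	ls -ld -- "$1" | cut -c1-10
}

# write_bundle_copy SRCDIR DEST
#	The pattern the log message names as the cause of the bug: build
#	the bundle in a mktemp(1) file (always created 0600), then cp(1)
#	it into place.  A newly created DEST inherits 0600, and readers
#	can open DEST while cp is still writing it.
write_bundle_copy() {
	_tmp=$(mktemp "${TMPDIR:-/tmp}/bundle.XXXXXX") || return 1
	if cat -- "$1"/*.pem >"$_tmp" && cp -- "$_tmp" "$2"; then
		_rc=0
	else
		_rc=1
	fi
	rm -f -- "$_tmp"
	return "$_rc"
}

# write_bundle_atomic SRCDIR DEST
#	Write DEST.tmp next to DEST, set 0644 explicitly (independent of
#	umask), then rename it over DEST with mv(1).  Both names are in
#	the same directory, so the rename is atomic: a reader sees either
#	the old complete bundle or the new complete bundle.
write_bundle_atomic() {
	_tmp=$2.tmp
	if cat -- "$1"/*.pem >"$_tmp" &&
	    chmod 0644 "$_tmp" &&
	    mv -f -- "$_tmp" "$2"; then
		return 0
	fi
	rm -f -- "$_tmp"	# never leave a partial .tmp behind
	return 1
}

# demo_modes: run both writers in a scratch directory and print the
# resulting permission strings as "COPY ATOMIC".
demo_modes() {
	_d=$(mktemp -d "${TMPDIR:-/tmp}/certdemo.XXXXXX") || return 1
	mkdir "$_d/src" "$_d/out"
	# Constructed stand-ins for PEM files; contents are placeholders.
	printf 'placeholder cert A\n' >"$_d/src/a.pem"
	printf 'placeholder cert B\n' >"$_d/src/b.pem"
	write_bundle_copy   "$_d/src" "$_d/out/copy.crt"
	write_bundle_atomic "$_d/src" "$_d/out/atomic.crt"
	printf '%s %s\n' "$(mode_of "$_d/out/copy.crt")" \
	    "$(mode_of "$_d/out/atomic.crt")"
	rm -rf -- "$_d"
}

demo_modes
```

A 0600 bundle is readable only by its owner, so unprivileged TLS clients cannot load the trust anchors; the explicit chmod before the rename means the file is never visible under its final name with the wrong mode.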

Revision 1.4.2.2
Mon Sep 4 17:33:27 2023 UTC (15 months ago) by martin
Branches: netbsd-10
Changes since revision 1.4.2.1: +689 -0 lines
Pull up following revision(s) (requested by riastradh in ticket #343):

	external/mpl/mozilla-certdata/dist/certdata.txt: revision 1.1.1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G3.pem: revision 1.1
	distrib/sets/lists/man/mi: revision 1.1764
	external/mpl/mozilla-certdata/share/certs/ACCVRAIZ1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem: revision 1.1
	tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_R46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_E45.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_ECC.pem: revision 1.1
	tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1
	tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Izenpe.com.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_2.pem: revision 1.1
	tests/usr.sbin/certctl/certs4/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Global_Chambersign_Root_-_2008.pem: revision 1.1
	distrib/sets/lists/etc/mi: revision 1.272
	external/mpl/mozilla-certdata/share/certs/ISRG_Root_X1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TunTrust_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/D-TRUST_BR_Root_CA_1_2020.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_RSA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_EC-384_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/IdenTrust_Public_Sector_Root_CA_1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_EC1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SZAFIR_ROOT_CA2.pem: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.1
	external/mpl/mozilla-certdata/share/certs/UCA_Global_G2_Root.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HARICA_Client_ECC_Root_CA_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/COMODO_ECC_Certification_Authority.pem: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.2
	tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.3
	external/mpl/mozilla-certdata/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_RSA_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GTS_Root_R2.pem: revision 1.1
	usr.sbin/certctl/certctl.sh: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.4
	external/mpl/mozilla-certdata/share/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SwissSign_Silver_CA_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Starfield_Class_2_CA.pem: revision 1.1
	usr.sbin/certctl/certctl.sh: revision 1.2
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.5
	usr.sbin/certctl/certctl.sh: revision 1.3
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.6
	usr.sbin/certctl/certctl.sh: revision 1.4
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.7
	external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem: revision 1.1
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.8
	external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_E46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Hongkong_Post_Root_CA_3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Security_Communication_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/ANF_Secure_Server_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Chambers_of_Commerce_Root_-_2008.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Go_Daddy_Class_2_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/USERTrust_RSA_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P384_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certdata.awk: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HARICA_TLS_ECC_Root_CA_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_G2_2020.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_R46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TrustCor_ECA-1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R5.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_ECC_Root_CA_2022.pem: revision 1.1
	usr.sbin/Makefile: revision 1.292
	external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/CA_Disig_Root_R2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_C1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R6.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Trusted_Root_G4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_G2_2020.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/vTrus_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_R46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-2.pem: revision 1.1
	etc/mtree/special: revision 1.176
	external/mpl/mozilla-certdata/share/certs/USERTrust_ECC_Certification_Authority.pem: revision 1.1
	etc/mtree/special: revision 1.177
	etc/mtree/special: revision 1.178
	external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium_ECC.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/vTrus_ECC_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_ECC_P384_Root_G5.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/NAVER_Global_Root_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/server.trust: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SecureTrust_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/code.trust: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_RSA_Root_CA_2022.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_RSA4096_Root_G5.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G2.pem: revision 1.1
	tests/usr.sbin/certctl/certs1/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_E46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TWCA_Global_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_RSA4096_Root_G5.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_Client_ECC_Root_CA_2022.pem: revision 1.1
	share/man/man7/hier.7: revision 1.141
	external/mpl/mozilla-certdata/share/certs/Certigna.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/certSIGN_Root_CA_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certigna_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GTS_Root_R4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Telia_Root_CA_v2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TWCA_Root_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Buypass_Class_2_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_C3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GTS_Root_R1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_Client_RSA_Root_CA_2022.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HiPKI_Root_CA_-_G1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Starfield_Root_Certificate_Authority_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SwissSign_Gold_CA_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GB_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/AffirmTrust_Networking.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1
	tests/usr.sbin/certctl/Makefile.inc: revision 1.1
	external/mpl/mozilla-certdata/share/certs/COMODO_RSA_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA_2.pem: revision 1.1
	tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GC_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_EV_2009.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/AffirmTrust_Commercial.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Buypass_Class_3_Root_CA.pem: revision 1.1
	distrib/sets/lists/tests/mi: revision 1.1292
	external/mpl/mozilla-certdata/share/certs/UCA_Extended_Validation_Root.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/email.trust: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_2011.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/D-TRUST_EV_Root_CA_1_2020.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/ePKI_Root_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_ECDSA_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R4.pem: revision 1.1
	tests/usr.sbin/certctl/certs2/Makefile: revision 1.1
	tests/usr.sbin/Makefile: revision 1.8
	external/mpl/mozilla-certdata/share/certs/Trustwave_Global_Certification_Authority.pem: revision 1.1
	tests/usr.sbin/certctl/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/IdenTrust_Commercial_Root_CA_1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_ECC_P384_Root_G5.pem: revision 1.1
	tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/Makefile: revision 1.2
	external/mpl/mozilla-certdata/share/certs/Microsec_e-Szigno_Root_CA_2009.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HARICA_Client_RSA_Root_CA_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GDCA_TrustAUTH_R5_ROOT.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_3.pem: revision 1.1
	tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/ISRG_Root_X2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_CA_3_2013.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem: revision 1.1
	etc/mtree/NetBSD.dist.base: revision 1.252
	external/mpl/mozilla-certdata/share/certs/CFCA_EV_ROOT.pem: revision 1.1
	etc/mtree/NetBSD.dist.base: revision 1.253
	external/mpl/mozilla-certdata/share/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_G1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1
	usr.sbin/certctl/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Security_Communication_ECC_RootCA1.pem: revision 1.1
	usr.sbin/certctl/Makefile: revision 1.2
	usr.sbin/certctl/Makefile: revision 1.3
	external/mpl/mozilla-certdata/share/certs/GTS_Root_R3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/e-Szigno_Root_CA_2017.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/certSIGN_ROOT_CA.pem: revision 1.1
	doc/3RDPARTY: revision 1.1949
	external/mpl/mozilla-certdata/share/certs/Certainly_Root_R1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/TeliaSonera_Root_CA_v1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/HARICA_TLS_RSA_Root_CA_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/NetLock_Arany_Class_Gold.pem: revision 1.1
	usr.sbin/postinstall/postinstall.in: revision 1.53
	usr.sbin/postinstall/postinstall.in: revision 1.54
	tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1
	etc/Makefile: revision 1.467
	usr.sbin/postinstall/postinstall.in: revision 1.55
	tests/usr.sbin/certctl/certs3/Makefile: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GLOBALTRUST_2020.pem: revision 1.1
	etc/mtree/NetBSD.dist.tests: revision 1.200
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_1_G3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R3.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Actalis_Authentication_Root_CA.pem: revision 1.1
	distrib/sets/lists/base/mi: revision 1.1326
	distrib/sets/lists/base/mi: revision 1.1327
	external/mpl/mozilla-certdata/share/certs/SecureSign_RootCA11.pem: revision 1.1
	distrib/sets/lists/base/mi: revision 1.1328
	external/mpl/mozilla-certdata/share/certs/Comodo_AAA_Services_root.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G2.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2_G3.pem: revision 1.1
	distrib/sets/lists/base/mi: revision 1.1329
	external/mpl/mozilla-certdata/share/certs/COMODO_Certification_Authority.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certum_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/DigiCert_High_Assurance_EV_Root_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_R45.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Secure_Global_CA.pem: revision 1.1
	usr.sbin/certctl/certctl.8: revision 1.1
	external/mpl/mozilla-certdata/share/certs/XRamp_Global_CA_Root.pem: revision 1.1
	external/mpl/Makefile: revision 1.5
	usr.sbin/certctl/certctl.8: revision 1.2
	external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_2009.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Baltimore_CyberTrust_Root.pem: revision 1.1
	usr.sbin/certctl/certs.conf: revision 1.1
	external/mpl/mozilla-certdata/share/certs/LAWtrust_Root_CA2_4096.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_TLS_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GA_CA.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Certainly_Root_E1.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_E46.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_TLS_2021.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_ECC.pem: revision 1.1

certctl(8): New tool for managing OpenSSL CA certificates.

Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.

mozilla-certdata: Record in doc/3RDPARTY.

mozilla-certdata: Makefile infrastructure.

mozilla-certdata: regen
(actually, just `gen', this first time)

mozilla-certdata: Connect it up to the build.

postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.

Works only with destdir /, since it relies on running openssl(1),
which is not available as a tool or required in the cross-build
environment.

certctl(8): Add xfail test for missing certs.conf.

Command should fail, i.e., exit with nonzero status, but it exits
with zero instead.

certctl(8): Exit nonzero on missing certs.conf.

certctl(8): Test prepopulated /etc/openssl/certs.

This is the scenario when you have previously populated
/etc/openssl/certs manually, or with a package like mozilla-rootcerts
or mozilla-rootcerts-openssl, and you update to a version of NetBSD
with certctl(8).  In this case, certctl(8) should avoid destroying
your work.

While here, also test some related but less likely edge cases:
- nonexistent
- symlink
- regular file

certctl(8): Avoid clobbering prepopulated /etc/openssl/certs.

Also avoid clobbering some other edge cases like symlinks or
non-directories there.

This way, we have the following transitions on system updates:
- If /etc/openssl/certs is empty (as in default NetBSD<10 installs):
  quietly populated on rehash.
- If /etc/openssl/certs is nonempty (you've added things to it,
  e.g. by hand or with mozilla-rootcerts) and has never been managed
  by certctl(8): left alone on rehash, with an error message to
  explain what you need to do.
- If /etc/openssl/certs has been managed by certctl(8): quietly
  updated on rehash.

Note: This means current installations made since certctl(8) was
added will be treated like /etc/openssl/certs is nonempty and has
never been managed by certctl(8).  To work around this, you can just
delete /etc/openssl/certs and rerun `certctl rehash'.

postinstall(8): Fail if `certctl rehash' fails.

Not using `set -e' here, evidently (maybe we should), so the separate
return 0 suppressed the error.

distrib/sets/lists: certs.conf belongs in etc, not in base.
Oops.

certctl(8): Set certs.conf 644 and add it to etc/mtree/special.

Now that we have /etc/openssl/certs.conf mentioned here, also
list /etc/openssl.

hier(7): Document /etc/openssl.

certctl(8): Minor man page clarifications.
- Specify exactly what /etc/openssl/certs gets populated with.
- Change HTTPS to TLS.
- Specify the permitted character class in certs.conf.
  (Maybe more conservative than strictly needed; but let's stay on
  the safe side.)

certctl(8): Fix some bugs with evil pathnames.

certctl(8): Fix quoting and whitespace style in evilpath test.

No functional change intended.

etc/mtree/special: Fix spaces/tabs.

No functional change intended.

mozilla-certdata: Install relative symlinks.

Slightly more compact this way, and you can examine them in a destdir
without chrooting.  Not terribly important, but a minor convenience.

certctl(8): Test more evil pathnames.

certctl(8): Install certs.conf in /usr/share/examples too.

This way postinstall(8) can refer to the default one when you've done
an upgrade without etcupdate or similar to pull in new config files
from etc.tgz.

Not great -- we should do this systematically for all config files in
/etc, but this one-off hack is less risky for 10.

postinstall(8): Handle various certs.conf scenarios gracefully.

Tested the following scenarios:
1. fresh install
   empty /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: fail -- needs rehash
     [x] fix: pass -- quietly rehash successfully (go to 4)
2. fresh upgrade
   empty /etc/openssl/certs
   no /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: pass -- install default /etc/openssl/certs.conf (go to 1)
   - opensslcertsrehash
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     - [x] fix: fail -- complain missing /etc/openssl/certs.conf
3. upgrade from certctl, changes to certs
   certctl-managed /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: fail -- needs rehash
     [x] fix: pass -- quietly rehash successfully (go to 4)
4. upgrade from certctl, no changes to certs
   certctl-managed /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: pass
     [x] fix: pass -- quietly rehash successfully (go to 4)
5. upgrade from mozilla-rootcerts
   populated /etc/openssl/certs
   no /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: pass -- install manual /etc/openssl/certs.conf (go to 7)
   - opensslcertsrehash:
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: fail -- complain missing /etc/openssl/certs.conf
6. upgrade from mozilla-rootcerts with etcupdate naively
   populated /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash:
     [x] check: fail -- complain mismatched certs/ and certs.conf
     [x] fix: fail -- complain mismatched certs/ and certs.conf
7. upgrade from mozilla-rootcerts with etcupdate manually
   populated /etc/openssl/certs
   manual /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash:
     [x] check: pass
     [x] fix: pass -- skip rehash because manual (go to 7)

XXX Someone should draft automatic tests for postinstall.  It has a
very good track record, but it sure would be nice to automate this
testing rather than redo it each time I make a tiny change.

Revision 1.4.2.1
Sat Sep 2 17:41:43 2023 UTC (15 months, 1 week ago) by martin
Branches: netbsd-10
FILE REMOVED
Changes since revision 1.4: +0 -689 lines
file certctl.sh was added on branch netbsd-10 on 2023-09-04 17:33:27 +0000

Revision 1.4
Sat Sep 2 17:41:43 2023 UTC (15 months, 1 week ago) by riastradh
Branches: MAIN
Branch point for: netbsd-10
Changes since revision 1.3: +5 -5 lines
certctl(8): Fix some bugs with evil pathnames.

Revision 1.3
Mon Aug 28 22:25:50 2023 UTC (15 months, 1 week ago) by riastradh
Branches: MAIN
Changes since revision 1.2: +34 -3 lines
certctl(8): Avoid clobbering prepopulated /etc/openssl/certs.

Also avoid clobbering some other edge cases like symlinks or
non-directories there.

This way, we have the following transitions on system updates:

- If /etc/openssl/certs is empty (as in default NetBSD<10 installs):
  quietly populated on rehash.

- If /etc/openssl/certs is nonempty (you've added things to it,
  e.g. by hand or with mozilla-rootcerts) and has never been managed
  by certctl(8): left alone on rehash, with an error message to
  explain what you need to do.

- If /etc/openssl/certs has been managed by certctl(8): quietly
  updated on rehash.

Note: This means current installations made since certctl(8) was
added will be treated like /etc/openssl/certs is nonempty and has
never been managed by certctl(8).  To work around this, you can just
delete /etc/openssl/certs and rerun `certctl rehash'.

Revision 1.2
Mon Aug 28 22:25:32 2023 UTC (15 months, 1 week ago) by riastradh
Branches: MAIN
Changes since revision 1.1: +2 -2 lines
certctl(8): Exit nonzero on missing certs.conf.

Revision 1.1
Sat Aug 26 05:27:15 2023 UTC (15 months, 2 weeks ago) by riastradh
Branches: MAIN
certctl(8): New tool for managing OpenSSL CA certificates.

Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.
