Up to [cvs.NetBSD.org] / src / usr.sbin / certctl
Keyword substitution: kv
Default branch: MAIN
Pull up following revision(s) (requested by riastradh in ticket #625):

	usr.sbin/certctl/certctl.sh: revision 1.7

certctl(8): Pacify formal POSIX sh syntax.

According to POSIX 2018, the syntax between `then' and `elif' and `fi' must be a _non-empty_ list of commands:

	compound_list    : linebreak term
	                 | linebreak term separator
	                 ;
	...
	if_clause        : If compound_list Then compound_list else_part Fi
	                 | If compound_list Then compound_list           Fi
	                 ;
	else_part        : Elif compound_list Then compound_list
	                 | Elif compound_list Then compound_list else_part
	                 | Else compound_list
	                 ;

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_10_02

NetBSD's sh(1) currently doesn't enforce this and allows an empty sequence of commands, but let's not rely on that nonstandard quirk.

Noted in PR 57997.
Pull up following revision(s) (requested by riastradh in ticket #621):

	usr.sbin/certctl/certctl.sh: revision 1.6

certctl(8): Avoid basename(1).

Saves some time running subprocesses. Since this is only used for non-directories (i.e., there's never trailing / on the inputs), it suffices to delete the longest prefix matching glob `*/' with shell parameter expansion -- much cheaper than spawning a subprocess.

Shaves off about 1/3 of the time spent in `certctl list' on an aarch64 VM in qemu.

PR bin/57993
certctl(8): Pacify formal POSIX sh syntax.

According to POSIX 2018, the syntax between `then' and `elif' and `fi' must be a _non-empty_ list of commands:

	compound_list    : linebreak term
	                 | linebreak term separator
	                 ;
	...
	if_clause        : If compound_list Then compound_list else_part Fi
	                 | If compound_list Then compound_list           Fi
	                 ;
	else_part        : Elif compound_list Then compound_list
	                 | Elif compound_list Then compound_list else_part
	                 | Else compound_list
	                 ;

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_10_02

NetBSD's sh(1) currently doesn't enforce this and allows an empty sequence of commands, but let's not rely on that nonstandard quirk.

Noted in PR 57997.
certctl(8): Avoid basename(1). Saves some time running subprocesses. Since this is only used for non-directories (i.e., there's never trailing / on the inputs), it suffices to delete the longest prefix matching glob `*/' with shell parameter expansion -- much cheaper than spawning a subprocess. Shaves off about 1/3 of the time spent in `certctl list' on an aarch64 VM in qemu. PR bin/57993
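The parameter-expansion replacement for basename(1) described in the log entry above, as an added example that is not code from certctl.sh. It also shows the trailing-slash input where the two disagree, which is why the entry restricts the trick to non-directories; the function names and sample paths are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample paths are constructed.

# strip_dir PATH: print PATH minus the longest prefix matching `*/'.
# No subprocess is spawned; correct only when PATH has no trailing slash.
strip_dir() {
	printf '%s\n' "${1##*/}"
}

# agrees_with_basename PATH: succeed if strip_dir and basename(1) agree.
agrees_with_basename() {
	[ "$(strip_dir "$1")" = "$(basename "$1")" ]
}

# report PATH...: print one line per path and return the number of
# paths on which the expansion and basename(1) disagree.
report() {
	bad=0
	for p in "$@"; do
		if agrees_with_basename "$p"; then
			printf 'same    %-38s -> %s\n' "$p" "$(strip_dir "$p")"
		else
			printf 'DIFFER  %-38s -> "%s" vs "%s"\n' \
			    "$p" "$(strip_dir "$p")" "$(basename "$p")"
			bad=$((bad + 1))
		fi
	done
	return "$bad"
}

# The last input has a trailing slash: the expansion yields the empty
# string while basename(1) yields "certs".
report \
	/etc/openssl/certs/ISRG_Root_X1.pem \
	'certs/name with spaces.pem' \
	plain.pem \
	/usr/share/certs/ || :
```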
Pull up following revision(s) (requested by riastradh in ticket #350):

	tests/usr.sbin/certctl/t_certctl.sh: revision 1.10
	usr.sbin/certctl/certctl.sh: revision 1.5
	tests/usr.sbin/certctl/t_certctl.sh: revision 1.9

certctl(8): Test permissions of ca-certificates.crt.

Inadvertently created 0600 instead of 0644 due to copying file created by mktemp(1) with cp(1).

certctl(8): Fix permissions on ca-certificates.crt bundle: 0644.

While here, write it atomically: write to .tmp first, then rename when done; this way applications never see a partially-written bundle at /etc/openssl/certs/ca-certificates.crt.
certctl(8): Fix permissions on ca-certificates.crt bundle: 0644. While here, write it atomically: write to .tmp first, then rename when done; this way applications never see a partially-written bundle at /etc/openssl/certs/ca-certificates.crt.
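The permission bug and the atomic write described in the two log entries above, as an added example that is not code from certctl.sh. The function names, file names and certificate contents are constructed; only the 0600/0644 modes and the write-to-.tmp-then-rename sequence come from the log.

```sh
#!/bin/sh
# Added example; function and file names are constructed.

# copy_from_mktemp BUNDLE CERT...: the pattern the log describes as
# buggy.  mktemp(1) creates its file 0600, and cp(1) gives a newly
# created destination the source's mode, so BUNDLE ends up 0600.
copy_from_mktemp() {
	bundle=$1; shift
	tmp=$(mktemp) || return 1
	cat "$@" >"$tmp" && cp "$tmp" "$bundle"
	rc=$?
	rm -f "$tmp"
	return "$rc"
}

# write_bundle BUNDLE CERT...: build BUNDLE.tmp in the same directory,
# force mode 0644, then rename over BUNDLE.  rename(2) within one file
# system is atomic, so readers see the old bundle or the new one,
# never a partially written file.
write_bundle() {
	bundle=$1; shift
	tmp=$bundle.tmp
	rm -f "$tmp" || return 1	# do not reuse a stale .tmp or its mode
	if [ $# -eq 0 ]; then
		: >"$tmp"
	else
		cat "$@" >"$tmp"
	fi || { rm -f "$tmp"; return 1; }
	# Set the mode explicitly instead of trusting the caller's umask.
	chmod 0644 "$tmp" || { rm -f "$tmp"; return 1; }
	mv -f "$tmp" "$bundle"
}

# file_mode FILE: print the permission string, e.g. -rw-r--r--
file_mode() {
	ls -ld "$1" | cut -c1-10
}

# demo: run both variants in a scratch directory on constructed input.
demo() {
	d=$(mktemp -d) || return 1
	printf 'constructed cert A\n' >"$d/a.pem"
	printf 'constructed cert B\n' >"$d/b.pem"
	copy_from_mktemp "$d/old.crt" "$d/a.pem" "$d/b.pem"
	write_bundle "$d/new.crt" "$d/a.pem" "$d/b.pem"
	printf 'cp from mktemp file: %s\n' "$(file_mode "$d/old.crt")"
	printf 'tmp + chmod + mv:    %s\n' "$(file_mode "$d/new.crt")"
	rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
	demo
fi
```

Run it with the argument `demo` to print the two resulting modes side by side.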
Pull up following revision(s) (requested by riastradh in ticket #343): external/mpl/mozilla-certdata/dist/certdata.txt: revision 1.1.1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G3.pem: revision 1.1 distrib/sets/lists/man/mi: revision 1.1764 external/mpl/mozilla-certdata/share/certs/ACCVRAIZ1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem: revision 1.1 tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_R46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_E45.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_ECC.pem: revision 1.1 tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1 tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Izenpe.com.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_2.pem: revision 1.1 tests/usr.sbin/certctl/certs4/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/Global_Chambersign_Root_-_2008.pem: revision 1.1 distrib/sets/lists/etc/mi: revision 1.272 external/mpl/mozilla-certdata/share/certs/ISRG_Root_X1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TunTrust_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/D-TRUST_BR_Root_CA_1_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_RSA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_EC-384_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/IdenTrust_Public_Sector_Root_CA_1.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_EC1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SZAFIR_ROOT_CA2.pem: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.1 external/mpl/mozilla-certdata/share/certs/UCA_Global_G2_Root.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/HARICA_Client_ECC_Root_CA_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/COMODO_ECC_Certification_Authority.pem: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.2 tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.3 external/mpl/mozilla-certdata/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_RSA_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GTS_Root_R2.pem: revision 1.1 usr.sbin/certctl/certctl.sh: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.4 external/mpl/mozilla-certdata/share/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SwissSign_Silver_CA_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Starfield_Class_2_CA.pem: revision 1.1 usr.sbin/certctl/certctl.sh: revision 1.2 tests/usr.sbin/certctl/t_certctl.sh: revision 1.5 usr.sbin/certctl/certctl.sh: revision 1.3 tests/usr.sbin/certctl/t_certctl.sh: revision 1.6 usr.sbin/certctl/certctl.sh: revision 1.4 tests/usr.sbin/certctl/t_certctl.sh: revision 1.7 external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.8 external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_E46.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/Hongkong_Post_Root_CA_3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G4.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Security_Communication_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/ANF_Secure_Server_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Chambers_of_Commerce_Root_-_2008.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Go_Daddy_Class_2_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/USERTrust_RSA_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P384_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certdata.awk: revision 1.1 external/mpl/mozilla-certdata/share/certs/HARICA_TLS_ECC_Root_CA_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_G2_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_R46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TrustCor_ECA-1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R5.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_ECC_Root_CA_2022.pem: revision 1.1 usr.sbin/Makefile: revision 1.292 external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/CA_Disig_Root_R2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_C1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R6.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Trusted_Root_G4.pem: 
revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_G2_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/vTrus_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_R46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-2.pem: revision 1.1 etc/mtree/special: revision 1.176 external/mpl/mozilla-certdata/share/certs/USERTrust_ECC_Certification_Authority.pem: revision 1.1 etc/mtree/special: revision 1.177 etc/mtree/special: revision 1.178 external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium_ECC.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/vTrus_ECC_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_ECC_P384_Root_G5.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/NAVER_Global_Root_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/server.trust: revision 1.1 external/mpl/mozilla-certdata/share/certs/SecureTrust_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/code.trust: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_RSA_Root_CA_2022.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_4.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_RSA4096_Root_G5.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G2.pem: revision 1.1 tests/usr.sbin/certctl/certs1/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_E46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TWCA_Global_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_RSA4096_Root_G5.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/SSL.com_Client_ECC_Root_CA_2022.pem: revision 1.1 share/man/man7/hier.7: revision 1.141 external/mpl/mozilla-certdata/share/certs/Certigna.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/certSIGN_Root_CA_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certigna_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GTS_Root_R4.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Telia_Root_CA_v2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TWCA_Root_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Buypass_Class_2_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_C3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GTS_Root_R1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_Client_RSA_Root_CA_2022.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/HiPKI_Root_CA_-_G1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Starfield_Root_Certificate_Authority_-_G2.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/SwissSign_Gold_CA_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GB_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/AffirmTrust_Networking.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1 tests/usr.sbin/certctl/Makefile.inc: revision 1.1 external/mpl/mozilla-certdata/share/certs/COMODO_RSA_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA_2.pem: revision 1.1 tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GC_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_EV_2009.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/AffirmTrust_Commercial.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Buypass_Class_3_Root_CA.pem: revision 1.1 distrib/sets/lists/tests/mi: revision 1.1292 external/mpl/mozilla-certdata/share/certs/UCA_Extended_Validation_Root.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2.pem: revision 1.1 external/mpl/mozilla-certdata/share/email.trust: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_2011.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/D-TRUST_EV_Root_CA_1_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/ePKI_Root_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_ECDSA_CA.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R4.pem: revision 1.1 tests/usr.sbin/certctl/certs2/Makefile: revision 1.1 tests/usr.sbin/Makefile: revision 1.8 external/mpl/mozilla-certdata/share/certs/Trustwave_Global_Certification_Authority.pem: revision 1.1 tests/usr.sbin/certctl/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/IdenTrust_Commercial_Root_CA_1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_ECC_P384_Root_G5.pem: revision 1.1 tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3.pem: revision 1.1 external/mpl/mozilla-certdata/share/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/Makefile: revision 1.2 external/mpl/mozilla-certdata/share/certs/Microsec_e-Szigno_Root_CA_2009.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/HARICA_Client_RSA_Root_CA_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GDCA_TrustAUTH_R5_ROOT.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_3.pem: revision 1.1 tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/ISRG_Root_X2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_CA_3_2013.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem: revision 1.1 etc/mtree/NetBSD.dist.base: revision 1.252 external/mpl/mozilla-certdata/share/certs/CFCA_EV_ROOT.pem: revision 1.1 etc/mtree/NetBSD.dist.base: revision 1.253 external/mpl/mozilla-certdata/share/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_G1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1 usr.sbin/certctl/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/Security_Communication_ECC_RootCA1.pem: revision 1.1 usr.sbin/certctl/Makefile: revision 1.2 usr.sbin/certctl/Makefile: revision 1.3 external/mpl/mozilla-certdata/share/certs/GTS_Root_R3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/e-Szigno_Root_CA_2017.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/certSIGN_ROOT_CA.pem: revision 1.1 doc/3RDPARTY: revision 1.1949 external/mpl/mozilla-certdata/share/certs/Certainly_Root_R1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TeliaSonera_Root_CA_v1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/HARICA_TLS_RSA_Root_CA_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/NetLock_Arany_Class_Gold.pem: revision 1.1 usr.sbin/postinstall/postinstall.in: revision 1.53 usr.sbin/postinstall/postinstall.in: revision 1.54 tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1 etc/Makefile: revision 1.467 
usr.sbin/postinstall/postinstall.in: revision 1.55 tests/usr.sbin/certctl/certs3/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/GLOBALTRUST_2020.pem: revision 1.1 etc/mtree/NetBSD.dist.tests: revision 1.200 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_1_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Actalis_Authentication_Root_CA.pem: revision 1.1 distrib/sets/lists/base/mi: revision 1.1326 distrib/sets/lists/base/mi: revision 1.1327 external/mpl/mozilla-certdata/share/certs/SecureSign_RootCA11.pem: revision 1.1 distrib/sets/lists/base/mi: revision 1.1328 external/mpl/mozilla-certdata/share/certs/Comodo_AAA_Services_root.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2_G3.pem: revision 1.1 distrib/sets/lists/base/mi: revision 1.1329 external/mpl/mozilla-certdata/share/certs/COMODO_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_High_Assurance_EV_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_R45.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Secure_Global_CA.pem: revision 1.1 usr.sbin/certctl/certctl.8: revision 1.1 external/mpl/mozilla-certdata/share/certs/XRamp_Global_CA_Root.pem: revision 1.1 external/mpl/Makefile: revision 1.5 usr.sbin/certctl/certctl.8: revision 1.2 external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_2009.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Baltimore_CyberTrust_Root.pem: revision 1.1 usr.sbin/certctl/certs.conf: revision 1.1 external/mpl/mozilla-certdata/share/certs/LAWtrust_Root_CA2_4096.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_TLS_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GA_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certainly_Root_E1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_E46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_TLS_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_ECC.pem: revision 1.1

certctl(8): New tool for managing OpenSSL CA certificates.

Same command-line syntax as FreeBSD, clearer semantics about which parts are config and which parts are cache.

mozilla-certdata: Record in doc/3RDPARTY.

mozilla-certdata: Makefile infrastructure.

mozilla-certdata: regen (actually, just `gen', this first time)

mozilla-certdata: Connect it up to the build.

postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.

Works only with destdir /, since it relies on running openssl(1), which is not available as a tool or required in the cross-build environment.

certctl(8): Add xfail test for missing certs.conf.

Command should fail, i.e., exit with nonzero status, but it exits with zero instead.

certctl(8): Exit nonzero on missing certs.conf.

certctl(8): Test prepopulated /etc/openssl/certs.

This is the scenario when you have previously populated /etc/openssl/certs manually, or with a package like mozilla-rootcerts or mozilla-rootcerts-openssl, and you update to a version of NetBSD with certctl(8). In this case, certctl(8) should avoid destroying your work.

While here, also test some related but less likely edge cases:
- nonexistent
- symlink
- regular file

certctl(8): Avoid clobbering prepopulated /etc/openssl/certs.

Also avoid clobbering some other edge cases like symlinks or non-directories there.

This way, we have the following transitions on system updates:

- If /etc/openssl/certs is empty (as in default NetBSD<10 installs): quietly populated on rehash.

- If /etc/openssl/certs is nonempty (you've added things to it, e.g. by hand or with mozilla-rootcerts) and has never been managed by certctl(8): left alone on rehash, with an error message to explain what you need to do.

- If /etc/openssl/certs has been managed by certctl(8): quietly updated on rehash.

Note: This means current installations made since certctl(8) was added will be treated like /etc/openssl/certs is nonempty and has never been managed by certctl(8). To work around this, you can just delete /etc/openssl/certs and rerun `certctl rehash'.

postinstall(8): Fail if `certctl rehash' fails.

Not using `set -e' here, evidently (maybe we should), so the separate return 0 suppressed the error.

distrib/sets/lists: certs.conf belongs in etc, not in base.

Oops.

certctl(8): Set certs.conf 644 and add it to etc/mtree/special.

Now that we have /etc/openssl/certs.conf mentioned here, also list /etc/openssl.

hier(7): Document /etc/openssl.

certctl(8): Minor man page clarifications.

- Specify exactly what /etc/openssl/certs gets populated with.
- Change HTTPS to TLS.
- Specify the permitted character class in certs.conf. (Maybe more conservative than strictly needed; but let's stay on the safe side.)

certctl(8): Fix some bugs with evil pathnames.

certctl(8): Fix quoting and whitespace style in evilpath test.

No functional change intended.

etc/mtree/special: Fix spaces/tabs.

No functional change intended.

mozilla-certdata: Install relative symlinks.

Slightly more compact this way, and you can examine them in a destdir without chrooting. Not terribly important, but a minor convenience.

certctl(8): Test more evil pathnames.

certctl(8): Install certs.conf in /usr/share/examples too.

This way postinstall(8) can refer to the default one when you've done an upgrade without etcupdate or similar to pull in new config files from etc.tgz.

Not great -- we should do this systematically for all config files in /etc, but this one-off hack is less risky for 10.

postinstall(8): Handle various certs.conf scenarios gracefully.

Tested the following scenarios:

1. fresh install
   empty /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: fail -- needs rehash
     [x] fix: pass -- quietly rehash successfully (go to 4)

2. fresh upgrade
   empty /etc/openssl/certs
   no /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: pass -- install default /etc/openssl/certs.conf (go to 1)
   - opensslcertsrehash
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     - [x] fix: fail -- complain missing /etc/openssl/certs.conf

3. upgrade from certctl, changes to certs
   certctl-managed /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: fail -- needs rehash
     [x] fix: pass -- quietly rehash successfully (go to 4)

4. upgrade from certctl, no changes to certs
   certctl-managed /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: pass
     [x] fix: pass -- quietly rehash successfully (go to 4)

5. upgrade from mozilla-rootcerts
   populated /etc/openssl/certs
   no /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: pass -- install manual /etc/openssl/certs.conf (go to 7)
   - opensslcertsrehash:
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: fail -- complain missing /etc/openssl/certs.conf

6. upgrade from mozilla-rootcerts with etcupdate naively
   populated /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash:
     [x] check: fail -- complain mismatched certs/ and certs.conf
     [x] fix: fail -- complain mismatched certs/ and certs.conf

7. upgrade from mozilla-rootcerts with etcupdate manually
   populated /etc/openssl/certs
   manual /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash:
     [x] check: pass
     [x] fix: pass -- skip rehash because manual (go to 7)

XXX Someone should draft automatic tests for postinstall. It has a very good track record, but it sure would be nice to automate this testing rather than redo it each time I make a tiny change.
file certctl.sh was added on branch netbsd-10 on 2023-09-04 17:33:27 +0000
certctl(8): Fix some bugs with evil pathnames.
certctl(8): Avoid clobbering prepopulated /etc/openssl/certs.

Also avoid clobbering some other edge cases like symlinks or non-directories there.

This way, we have the following transitions on system updates:

- If /etc/openssl/certs is empty (as in default NetBSD<10 installs): quietly populated on rehash.

- If /etc/openssl/certs is nonempty (you've added things to it, e.g. by hand or with mozilla-rootcerts) and has never been managed by certctl(8): left alone on rehash, with an error message to explain what you need to do.

- If /etc/openssl/certs has been managed by certctl(8): quietly updated on rehash.

Note: This means current installations made since certctl(8) was added will be treated like /etc/openssl/certs is nonempty and has never been managed by certctl(8). To work around this, you can just delete /etc/openssl/certs and rerun `certctl rehash'.
certctl(8): Exit nonzero on missing certs.conf.
certctl(8): New tool for managing OpenSSL CA certificates. Same command-line syntax as FreeBSD, clearer semantics about which parts are config and which parts are cache.