Index: Makefile.inc1 =================================================================== --- Makefile.inc1 +++ Makefile.inc1 @@ -999,7 +999,9 @@ METALOG?= ${DESTDIR}/${DISTDIR}/METALOG METALOG:= ${METALOG:C,//+,/,g} IMAKE+= -DNO_ROOT METALOG=${METALOG} -INSTALLFLAGS+= -U -M ${METALOG} -D ${INSTALL_DDIR} +METALOG_INSTALLFLAGS= -U -M ${METALOG} -D ${INSTALL_DDIR} +INSTALLFLAGS+= ${METALOG_INSTALLFLAGS} +CERTCLTFLAGS= ${METALOG_INSTALLFLAGS} MTREEFLAGS+= -W .endif .if defined(BUILD_PKGS) @@ -1570,14 +1572,10 @@ .endfor .endif .elif make(installworld) && ${MK_CAROOT} != "no" - # We could make certctl a bootstrap tool, but it requires OpenSSL and - # friends, which we likely don't want. We'll rehash on a best-effort - # basis, otherwise we'll just mention that we're not doing it to raise - # awareness. - @if which certctl>/dev/null; then \ - certctl rehash; \ + @if which openssl>/dev/null; then \ + sh ${SRCTOP}/usr.sbin/certctl/certctl.sh ${CERTCLTFLAGS} rehash \ else \ - echo "No certctl on the host, not rehashing target -- /etc/ssl may not be populated."; \ + echo "No openssl on the host, not rehashing certificates target -- /etc/ssl may not be populated."; \ fi .endif Index: usr.sbin/certctl/certctl.sh =================================================================== --- usr.sbin/certctl/certctl.sh +++ usr.sbin/certctl/certctl.sh @@ -30,10 +30,6 @@ ############################################################ CONFIGURATION : ${DESTDIR:=} -: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs} -: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} -: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} -: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} : ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} : ${VERBOSE:=0} @@ -42,6 +38,7 @@ SCRIPTNAME="${0##*/}" ERRORS=0 NOOP=0 +UNPRIV=0 ############################################################ FUNCTIONS @@ -69,7 +66,7 @@ return 1 fi [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" - [ $NOOP -eq 0 ] && install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" + [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" } create_blacklisted() @@ -88,7 +85,7 @@ return fi [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" - [ $NOOP -eq 0 ] && install -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" + [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" } do_scan() @@ -106,7 +103,7 @@ echo "Scanning $CPATH for certificates..." cd "$CPATH" for CFILE in $EXTENSIONS; do - [ -e "$CFILE" ] || continue + [ -e "$CFILE" && $UNPRIV -eq 0 ] || continue [ $VERBOSE -gt 0 ] && echo "Reading $CFILE" "$CFUNC" "$CPATH/$CFILE" done @@ -213,14 +210,25 @@ ############################################################ MAIN -while getopts nv flag; do +while getopts D:M:nUv flag; do case "$flag" in + D) DESTDIR=${OPTARG} ;; + M) METALOG=${OPTARG} ;; n) NOOP=1 ;; + U) UNPRIV=1 ;; v) VERBOSE=$(( $VERBOSE + 1 )) ;; esac done shift $(( $OPTIND - 1 )) +: ${METALOG:=${DESTDIR}/METALOG} +INSTALLFLAGS= +[ $UNPRIV -eq 1 ] && INSTALLFLAGS=-U -M ${METALOG} -D ${DESTDIR} +: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs} +: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} +: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} +: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} + [ $# -gt 0 ] || usage case "$1" in list) cmd_list ;;