Differential D26167
certctl: fix hashed link generation with duplicate subjects Authored by kevans on Aug 24 2020, 1:39 AM. Tags None Referenced Files
Subscribers
Details Currently, certctl rehash will just keep clobbering .0 rather than incrementing the suffix upon encountering a duplicate. Do this, and do it for blacklisted certs as well. Future work needs to completely revamp the blacklist to align more with how it's described in PR 246614. PR: 246614
Diff Detail
Event TimelineComment Actions Minor nit: also fix the link formatted from certctl blacklist <hash>, chop off the suffix and generate the appropriate decimal for the .rD link. Comment Actions I also see: Files /etc/ssl/blacklisted/157753a5.0 and /usr/share/certs/trusted/AddTrust_External_Root.pem differ Files /etc/ssl/blacklisted/861a399d.0 and /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem differ Files /etc/ssl/blacklisted/def36a68.0 and /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem differ Files /etc/ssl/blacklisted/5c44d531.0 and /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem differ Files /etc/ssl/blacklisted/62744ee1.0 and /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem differ Files /etc/ssl/blacklisted/4d4ba017.0 and /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem differ Files /etc/ssl/blacklisted/c0ff1f52.0 and /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem differ Because of 626 # grep FreeBSD /etc/ssl/blacklisted/c0ff1f52.0 ## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ and 628 # grep FreeBSD /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem ## with $FreeBSD: stable/12/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ maybe also a fault on my end. I am want again to stress out that /etc/ssl/blacklisted is never read by OpenSSL and may/will lead to confusion. This defintively needs to go/be removed at some point. Another issue, I don't see how the blacklisting is supposed to work. I see: /etc/ssl ├── blacklisted │ ├── 157753a5.0 -> ../../../usr/share/certs/blacklisted/AddTrust_External_Root.pem │ ├── 4d4ba017.0 -> ../../../usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem │ ├── 5c44d531.0 -> ../../../usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem │ ├── 62744ee1.0 -> ../../../usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem │ ├── 861a399d.0 -> ../../../usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem │ ├── c0ff1f52.0 -> ../../../usr/share/certs/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem │ └── def36a68.0 -> ../../../usr/share/certs/blacklisted/LuxTrust_Global_Root_2.pem but 631 # certctl list | grep 861a399d 861a399d.0 AddTrust Class 1 CA Root root@deblndw011x - /usr/src/secure/caroot 632 # certctl list | grep def36a68 def36a68.0 LuxTrust Global Root 2 they should not be there.
Comment Actions /etc/ssl/blacklisted will go away at the first chance I get to rewrite certctl in flua.
Comment Actions Comparing the fingerprint of the cert can be achived with OpenSSL using -fingerprint: openssl x509 -sha1 -in cert.crt -noout -fingerprint Comment Actions Rework, drop *.[0-9] from FILEPAT and use hopefully less-fragile fingerprint comparison. This fixes the previously reported issue: Files /etc/ssl/blacklisted/157753a5.0 and /usr/share/certs/trusted/AddTrust_External_Root.pem differ Files /etc/ssl/blacklisted/861a399d.0 and /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem differ Files /etc/ssl/blacklisted/def36a68.0 and /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem differ Files /etc/ssl/blacklisted/5c44d531.0 and /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem differ Files /etc/ssl/blacklisted/62744ee1.0 and /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem differ Files /etc/ssl/blacklisted/4d4ba017.0 and /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem differ Files /etc/ssl/blacklisted/c0ff1f52.0 and /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem differ in-fact theoretically caused the observations later, where the hashes still appeared in certctl list; they differed and thus the removal from /etc/ssl/certs failed. Comment Actions Looks good for me now: # certctl -v rehash Scanning /usr/share/certs/blacklisted for certificates... Reading AddTrust_External_Root.pem Adding 157753a5.0 to blacklist Reading AddTrust_Low-Value_Services_Root.pem Adding 861a399d.0 to blacklist Reading LuxTrust_Global_Root_2.pem Adding def36a68.0 to blacklist Reading Staat_der_Nederlanden_Root_CA_-_G2.pem Adding 5c44d531.0 to blacklist Reading Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem Adding 62744ee1.0 to blacklist Reading Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem Adding 4d4ba017.0 to blacklist Reading Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem Adding c0ff1f52.0 to blacklist Scanning /usr/share/certs/trusted for certificates... Reading ACCVRAIZ1.pem Adding a94d09e5.0 to trust store Reading AC_RAIZ_FNMT-RCM.pem Adding cd8c0d63.0 to trust store Reading Actalis_Authentication_Root_CA.pem Adding 930ac5d2.0 to trust store Reading AddTrust_External_Root.pem Skipping blacklisted certificate /usr/share/certs/trusted/AddTrust_External_Root.pem (/etc/ssl/blacklisted/157753a5.0) Reading AddTrust_Low-Value_Services_Root.pem Skipping blacklisted certificate /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem (/etc/ssl/blacklisted/861a399d.0) Reading AffirmTrust_Commercial.pem Adding 2b349938.0 to trust store Reading AffirmTrust_Networking.pem Adding 93bc0acc.0 to trust store Reading AffirmTrust_Premium.pem Adding b727005e.0 to trust store Reading AffirmTrust_Premium_ECC.pem Adding 9c8dfbd4.0 to trust store Reading Amazon_Root_CA_1.pem Adding ce5e74ef.0 to trust store Reading Amazon_Root_CA_2.pem Adding 6d41d539.0 to trust store Reading Amazon_Root_CA_3.pem Adding 8cb5ee0f.0 to trust store Reading Amazon_Root_CA_4.pem Adding de6d66f3.0 to trust store Reading Atos_TrustedRoot_2011.pem Adding e36a6752.0 to trust store Reading Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem Adding 3bde41ac.0 to trust store Reading Baltimore_CyberTrust_Root.pem Adding 653b494a.0 to trust store Reading Buypass_Class_2_Root_CA.pem Adding 54657681.0 to trust store Reading Buypass_Class_3_Root_CA.pem Adding e8de2f56.0 to trust store Reading CA_Disig_Root_R2.pem Adding 2ae6433e.0 to trust store Reading CFCA_EV_ROOT.pem Adding 0b1b94ef.0 to trust store Reading COMODO_Certification_Authority.pem Adding 40547a79.0 to trust store Reading COMODO_ECC_Certification_Authority.pem Adding eed8c118.0 to trust store Reading COMODO_RSA_Certification_Authority.pem Adding d6325660.0 to trust store Reading Camerfirma_Chambers_of_Commerce_Root.pem Adding f90208f7.0 to trust store Reading Camerfirma_Global_Chambersign_Root.pem Adding cb59f961.0 to trust store Reading Certigna.pem Adding e113c810.0 to trust store Reading Certigna_Root_CA.pem Adding f51bb24c.0 to trust store Reading Certum_Root_CA.pem Adding 442adcac.0 to trust store Reading Certum_Trusted_Network_CA.pem Adding 48bec511.0 to trust store Reading Certum_Trusted_Network_CA_2.pem Adding 40193066.0 to trust store Reading Chambers_of_Commerce_Root_-_2008.pem Adding c47d9980.0 to trust store Reading Comodo_AAA_Services_root.pem Adding ee64a828.0 to trust store Reading Cybertrust_Global_Root.pem Adding 76cb8f92.0 to trust store Reading D-TRUST_Root_CA_3_2013.pem Adding 0b7c536a.0 to trust store Reading D-TRUST_Root_Class_3_CA_2_2009.pem Adding c28a8a30.0 to trust store Reading D-TRUST_Root_Class_3_CA_2_EV_2009.pem Adding d4dae3dd.0 to trust store Reading DST_Root_CA_X3.pem Adding 2e5ac55d.0 to trust store Reading DigiCert_Assured_ID_Root_CA.pem Adding b1159c4c.0 to trust store Reading DigiCert_Assured_ID_Root_G2.pem Adding 9d04f354.0 to trust store Reading DigiCert_Assured_ID_Root_G3.pem Adding 7f3d5d1d.0 to trust store Reading DigiCert_Global_Root_CA.pem Adding 3513523f.0 to trust store Reading DigiCert_Global_Root_G2.pem Adding 607986c7.0 to trust store Reading DigiCert_Global_Root_G3.pem Adding dd8e9d41.0 to trust store Reading DigiCert_High_Assurance_EV_Root_CA.pem Adding 244b5494.0 to trust store Reading DigiCert_Trusted_Root_G4.pem Adding 75d1b2ed.0 to trust store Reading E-Tugra_Certification_Authority.pem Adding 5273a94c.0 to trust store Reading EC-ACC.pem Adding 349f2832.0 to trust store Reading EE_Certification_Centre_Root_CA.pem Adding 128805a3.0 to trust store Reading Entrust_Root_Certification_Authority.pem Adding 6b99d060.0 to trust store Reading Entrust_Root_Certification_Authority_-_EC1.pem Adding 106f3e4d.0 to trust store Reading Entrust_Root_Certification_Authority_-_G2.pem Adding 02265526.0 to trust store Reading Entrust_Root_Certification_Authority_-_G4.pem Adding 5e98733a.0 to trust store Reading Entrust_net_Premium_2048_Secure_Server_CA.pem Adding aee5f10d.0 to trust store Reading GDCA_TrustAUTH_R5_ROOT.pem Adding 0f6fa695.0 to trust store Reading GTS_Root_R1.pem Adding 1001acf7.0 to trust store Reading GTS_Root_R2.pem Adding 626dceaf.0 to trust store Reading GTS_Root_R3.pem Adding 0a775a30.0 to trust store Reading GTS_Root_R4.pem Adding a3418fda.0 to trust store Reading GeoTrust_Global_CA.pem Adding 2c543cd1.0 to trust store Reading GeoTrust_Primary_Certification_Authority.pem Adding 480720ec.0 to trust store Reading GeoTrust_Primary_Certification_Authority_-_G2.pem Adding 116bf586.0 to trust store Reading GeoTrust_Primary_Certification_Authority_-_G3.pem Adding e2799e36.0 to trust store Reading GeoTrust_Universal_CA.pem Adding ad088e1d.0 to trust store Reading GeoTrust_Universal_CA_2.pem Adding 8867006a.0 to trust store Reading GlobalSign_ECC_Root_CA_-_R4.pem Adding b0e59380.0 to trust store Reading GlobalSign_ECC_Root_CA_-_R5.pem Adding 1d3472b9.0 to trust store Reading GlobalSign_Root_CA.pem Adding 5ad8a5d6.0 to trust store Reading GlobalSign_Root_CA_-_R2.pem Adding 4a6481c9.0 to trust store Reading GlobalSign_Root_CA_-_R3.pem Adding 062cdee6.0 to trust store Reading GlobalSign_Root_CA_-_R6.pem Adding dc4d6a89.0 to trust store Reading Global_Chambersign_Root_-_2008.pem Adding 0c4c9b6c.0 to trust store Reading Go_Daddy_Class_2_CA.pem Adding f081611a.0 to trust store Reading Go_Daddy_Root_Certificate_Authority_-_G2.pem Adding cbf06781.0 to trust store Reading Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem Adding 7719f463.0 to trust store Reading Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem Adding 1636090b.0 to trust store Reading Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem Adding 32888f65.0 to trust store Reading Hongkong_Post_Root_CA_1.pem Adding 3e45d192.0 to trust store Reading Hongkong_Post_Root_CA_3.pem Adding 68dd7389.0 to trust store Reading ISRG_Root_X1.pem Adding 4042bcee.0 to trust store Reading IdenTrust_Commercial_Root_CA_1.pem Adding ef954a4e.0 to trust store Reading IdenTrust_Public_Sector_Root_CA_1.pem Adding 1e08bfd1.0 to trust store Reading Izenpe_com.pem Adding cc450945.0 to trust store Reading LuxTrust_Global_Root_2.pem Skipping blacklisted certificate /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem (/etc/ssl/blacklisted/def36a68.0) Reading Microsec_e-Szigno_Root_CA_2009.pem Adding 8160b96c.0 to trust store Reading Microsoft_ECC_Root_Certificate_Authority_2017.pem Adding 8d89cda1.0 to trust store Reading Microsoft_RSA_Root_Certificate_Authority_2017.pem Adding bf53fb88.0 to trust store Reading NetLock_Arany__Class_Gold__F__tan__s__tv__ny.pem Adding 988a38cb.0 to trust store Reading Network_Solutions_Certificate_Authority.pem Adding 4304c5e5.0 to trust store Reading OISTE_WISeKey_Global_Root_GA_CA.pem Adding b1b8a7f3.0 to trust store Reading OISTE_WISeKey_Global_Root_GB_CA.pem Adding e73d606e.0 to trust store Reading OISTE_WISeKey_Global_Root_GC_CA.pem Adding 773e07ad.0 to trust store Reading QuoVadis_Root_CA.pem Adding 080911ac.0 to trust store Reading QuoVadis_Root_CA_1_G3.pem Adding 749e9e03.0 to trust store Reading QuoVadis_Root_CA_2.pem Adding d7e8dc79.0 to trust store Reading QuoVadis_Root_CA_2_G3.pem Adding 064e0aa9.0 to trust store Reading QuoVadis_Root_CA_3.pem Adding 76faf6c0.0 to trust store Reading QuoVadis_Root_CA_3_G3.pem Adding e18bfb83.0 to trust store Reading SSL_com_EV_Root_Certification_Authority_ECC.pem Adding f0c70a8d.0 to trust store Reading SSL_com_EV_Root_Certification_Authority_RSA_R2.pem Adding 06dc52d5.0 to trust store Reading SSL_com_Root_Certification_Authority_ECC.pem Adding 0bf05006.0 to trust store Reading SSL_com_Root_Certification_Authority_RSA.pem Adding 6fa5da56.0 to trust store Reading SZAFIR_ROOT_CA2.pem Adding fe8a2cd8.0 to trust store Reading SecureSign_RootCA11.pem Adding 18856ac4.0 to trust store Reading SecureTrust_CA.pem Adding f39fc864.0 to trust store Reading Secure_Global_CA.pem Adding b66938e9.0 to trust store Reading Security_Communication_RootCA2.pem Adding cd58d51e.0 to trust store Reading Security_Communication_Root_CA.pem Adding f3377b1b.0 to trust store Reading Sonera_Class_2_Root_CA.pem Adding 9c2e7d30.0 to trust store Reading Staat_der_Nederlanden_EV_Root_CA.pem Adding 03179a64.0 to trust store Reading Staat_der_Nederlanden_Root_CA_-_G2.pem Skipping blacklisted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (/etc/ssl/blacklisted/5c44d531.0) Reading Staat_der_Nederlanden_Root_CA_-_G3.pem Adding 5a4d6896.0 to trust store Reading Starfield_Class_2_CA.pem Adding f387163d.0 to trust store Reading Starfield_Root_Certificate_Authority_-_G2.pem Adding 4bfab552.0 to trust store Reading Starfield_Services_Root_Certificate_Authority_-_G2.pem Adding 09789157.0 to trust store Reading SwissSign_Gold_CA_-_G2.pem Adding 4f316efb.0 to trust store Reading SwissSign_Platinum_CA_-_G2.pem Adding a8dee976.0 to trust store Reading SwissSign_Silver_CA_-_G2.pem Adding 57bcb2da.0 to trust store Reading Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem Skipping blacklisted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/blacklisted/62744ee1.0) Reading Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem Adding 26312675.0 to trust store Reading Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem Skipping blacklisted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/blacklisted/4d4ba017.0) Reading Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem Adding 1320b215.0 to trust store Reading T-TeleSec_GlobalRoot_Class_2.pem Adding 1e09d511.0 to trust store Reading T-TeleSec_GlobalRoot_Class_3.pem Adding 5443e9e3.0 to trust store Reading TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem Adding ff34af3f.0 to trust store Reading TWCA_Global_Root_CA.pem Adding 5f15c80c.0 to trust store Reading TWCA_Root_Certification_Authority.pem Adding b7a5b843.0 to trust store Reading Taiwan_GRCA.pem Adding 6410666e.0 to trust store Reading TeliaSonera_Root_CA_v1.pem Adding 5cd81ad7.0 to trust store Reading TrustCor_ECA-1.pem Adding 7aaf71c0.0 to trust store Reading TrustCor_RootCert_CA-1.pem Adding 5d3033c5.0 to trust store Reading TrustCor_RootCert_CA-2.pem Adding 3e44d2f7.0 to trust store Reading Trustis_FPS_Root_CA.pem Adding d853d49e.0 to trust store Reading UCA_Extended_Validation_Root.pem Adding 0f5dc4f3.0 to trust store Reading UCA_Global_G2_Root.pem Adding c01eb047.0 to trust store Reading USERTrust_ECC_Certification_Authority.pem Adding f30dd6ad.0 to trust store Reading USERTrust_RSA_Certification_Authority.pem Adding fc5a8f99.0 to trust store Reading VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem Adding 7d0b38bd.0 to trust store Reading VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem Adding b204d74a.0 to trust store Reading VeriSign_Universal_Root_Certification_Authority.pem Adding c01cdfa2.0 to trust store Reading Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem Adding ee1365c0.0 to trust store Reading Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem Adding dc45b0bd.0 to trust store Reading Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem Skipping blacklisted certificate /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/blacklisted/c0ff1f52.0) Reading XRamp_Global_CA_Root.pem Adding 706f604c.0 to trust store Reading certSIGN_ROOT_CA.pem Adding 8d86cdd1.0 to trust store Reading certSIGN_Root_CA_G2.pem Adding 5f618aec.0 to trust store Reading e-Szigno_Root_CA_2017.pem Adding e868b802.0 to trust store Reading ePKI_Root_Certification_Authority.pem Adding ca6e4ad9.0 to trust store Reading emSign_ECC_Root_CA_-_C3.pem Adding 4b718d9b.0 to trust store Reading emSign_ECC_Root_CA_-_G3.pem Adding 14bc7599.0 to trust store Reading emSign_Root_CA_-_C1.pem Adding 406c9bb1.0 to trust store Reading emSign_Root_CA_-_G1.pem Adding 2923b3f9.0 to trust store Reading thawte_Primary_Root_CA.pem Adding 2e4eed3c.0 to trust store Reading thawte_Primary_Root_CA_-_G2.pem Adding c089bbbd.0 to trust store Reading thawte_Primary_Root_CA_-_G3.pem Adding ba89ed3b.0 to trust store Scanning /usr/local/share/certs for certificates... Reading ca-root-nss.crt Adding cd8c0d63.1 to trust store Scanning /usr/local/etc/ssl/certs for certificates... Reading quovadis-cert-01.crt Adding 780389f9.0 to trust store Reading quovadis-cert-02.crt Adding 4ca5f54b.0 to trust store Reading quovadis-cert-03.crt Adding b5d79467.0 to trust store Reading siemens-cert-01.crt Adding d4555404.0 to trust store Reading siemens-cert-02.crt Adding d7532a42.0 to trust store Reading siemens-cert-03.crt Adding d9d79a66.0 to trust store Reading siemens-cert-04.crt Adding a331fcb4.0 to trust store Reading siemens-cert-05.crt Adding 2b9d74f0.0 to trust store Reading siemens-cert-06.crt Adding b428065f.0 to trust store Reading siemens-cert-07.crt Adding e6a60b73.0 to trust store Reading siemens-cert-08.crt Adding 930b5fed.0 to trust store Reading siemens-cert-09.crt Adding f38f510d.0 to trust store Reading siemens-cert-10.crt Adding ddc2d14f.0 to trust store Reading siemens-cert-11.crt Adding 9ec27e42.0 to trust store Reading siemens-cert-12.crt Adding 1c7620aa.0 to trust store Reading siemens-cert-13.crt Adding 681ad634.0 to trust store Reading siemens-cert-14.crt Adding 8dc03e53.0 to trust store Reading siemens-cert-15.crt Adding 8dc03e53.1 to trust store Reading siemens-cert-16.crt Adding a382b08f.0 to trust store Reading siemens-cert-17.crt Adding 5ba4b7de.0 to trust store Comment Actions Excellent, thanks! Would you prefer to receive attribution for this review at your phab email address (@gmx) or bugzilla (@siemens)? | ||||||||||||||||||||||||||||||||||||||||||||||