diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -44,6 +44,44 @@ OLD_FILES+=usr/share/man/man9/crypto_cursor_segbase.9.gz OLD_FILES+=usr/share/man/man9/crypto_cursor_seglen.9.gz +# 20210618: rename of usr/share/certs/blacklisted +OLD_FILES+=usr/share/certs/blacklisted/AddTrust_External_Root.pem +OLD_FILES+=usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem +OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem +OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Global_Chambersign_Root.pem +OLD_FILES+=usr/share/certs/blacklisted/Certum_Root_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Chambers_of_Commerce_Root_-_2008.pem +OLD_FILES+=usr/share/certs/blacklisted/D-TRUST_Root_CA_3_2013.pem +OLD_FILES+=usr/share/certs/blacklisted/EC-ACC.pem +OLD_FILES+=usr/share/certs/blacklisted/EE_Certification_Centre_Root_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Global_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA_2.pem +OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Global_Chambersign_Root_-_2008.pem +OLD_FILES+=usr/share/certs/blacklisted/LuxTrust_Global_Root_2.pem +OLD_FILES+=usr/share/certs/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem +OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/SwissSign_Platinum_CA_-_G2.pem +OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem +OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem 
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem +OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem +OLD_FILES+=usr/share/certs/blacklisted/Taiwan_GRCA.pem +OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G2.pem +OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem +OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem +OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem +OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem +OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem +OLD_DIRS+=usr/share/certs/blacklisted # 20210613: new clang import which bumps version from 11.0.1 to 12.0.0. OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/algorithm OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/complex diff --git a/UPDATING b/UPDATING --- a/UPDATING +++ b/UPDATING @@ -27,6 +27,10 @@ world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +202106xx: + The directory "blacklisted" under /usr/share/certs/ has been + renamed to "untrusted". + 20210611: svnlite has been removed from base. Should you need svn for any reason please install the svn package or port. diff --git a/etc/mtree/BSD.usr.dist b/etc/mtree/BSD.usr.dist --- a/etc/mtree/BSD.usr.dist +++ b/etc/mtree/BSD.usr.dist 
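Review bot: The removals cover the shipped `usr/share/certs/blacklisted/*.pem` files but not the link directory certctl generated from them at `/etc/ssl/blacklisted` (the old BLACKLISTDESTDIR default), so after `make delete-old` that directory survives holding symlinks that dangle into the removed path, and the changed `rehash` only cleans `$UNTRUSTDESTDIR`, i.e. `/etc/ssl/untrusted`. Nothing in base appears to read the stale directory, but third-party tooling pointed at it would quietly see an empty set of distrusted certificates. The UPDATING entry is the place to say so; I would extend it with `Run "certctl rehash" and remove the stale /etc/ssl/blacklisted directory after installworld.` That entry also still carries the `202106xx` placeholder while this ObsoleteFiles.inc stanza and the certctl.8 .Dd line are dated 20210618.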
@@ -205,10 +205,10 @@ .. .. certs - blacklisted tags=package=caroot - .. trusted tags=package=caroot .. + untrusted tags=package=caroot + .. .. dict .. diff --git a/secure/caroot/Makefile b/secure/caroot/Makefile --- a/secure/caroot/Makefile +++ b/secure/caroot/Makefile @@ -3,7 +3,7 @@ CLEANFILES+= certdata.txt SUBDIR+= trusted -SUBDIR+= blacklisted +SUBDIR+= untrusted .include diff --git a/secure/caroot/README b/secure/caroot/README --- a/secure/caroot/README +++ b/secure/caroot/README @@ -14,8 +14,8 @@ Then the results should manually be inspected (svn status) 1) Any no-longer-trusted certificates should be moved to the - blacklisted directory (svn mv) - 2) any newly added certificates will need to be added (svn add) + untrusted directory (git mv) + 2) any newly added certificates will need to be added (git add) The following make targets exist: diff --git a/secure/caroot/blacklisted/Makefile b/secure/caroot/blacklisted/Makefile deleted file mode 100644 --- a/secure/caroot/blacklisted/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -# $FreeBSD$ - -BINDIR= /usr/share/certs/blacklisted - -BLACKLISTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true - -FILES+= ${BLACKLISTED_CERTS} - -.include diff --git a/secure/caroot/blacklisted/AddTrust_External_Root.pem b/secure/caroot/untrusted/AddTrust_External_Root.pem rename from secure/caroot/blacklisted/AddTrust_External_Root.pem rename to secure/caroot/untrusted/AddTrust_External_Root.pem diff --git a/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem b/secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem rename from secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem rename to secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem 
diff --git a/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
rename from secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
rename to secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
diff --git a/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
rename from secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
rename to secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
diff --git a/secure/caroot/blacklisted/Certum_Root_CA.pem b/secure/caroot/untrusted/Certum_Root_CA.pem
rename from secure/caroot/blacklisted/Certum_Root_CA.pem
rename to secure/caroot/untrusted/Certum_Root_CA.pem
diff --git a/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
rename from secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
rename to secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
rename from secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
rename to secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
diff --git a/secure/caroot/blacklisted/EC-ACC.pem b/secure/caroot/untrusted/EC-ACC.pem
rename from secure/caroot/blacklisted/EC-ACC.pem
rename to secure/caroot/untrusted/EC-ACC.pem
diff --git a/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem b/secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
rename from secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem
rename to secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Global_CA.pem b/secure/caroot/untrusted/GeoTrust_Global_CA.pem
rename from secure/caroot/blacklisted/GeoTrust_Global_CA.pem
rename to secure/caroot/untrusted/GeoTrust_Global_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA.pem
rename from secure/caroot/blacklisted/GeoTrust_Universal_CA.pem
rename to secure/caroot/untrusted/GeoTrust_Universal_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
rename from secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem
rename to secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
diff --git a/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
rename from secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
rename to secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem b/secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
rename from secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
rename to secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
diff --git a/secure/caroot/untrusted/Makefile b/secure/caroot/untrusted/Makefile
new file mode 100644
--- /dev/null
+++ b/secure/caroot/untrusted/Makefile
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+BINDIR= /usr/share/certs/untrusted
+
+UNTRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true
+
+FILES+= ${UNTRUSTED_CERTS}
+
+.include
diff --git a/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem b/secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
rename from secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
rename to secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
rename from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
rename to secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
rename from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
rename to secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
diff --git a/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem b/secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
rename from secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
rename to secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
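Review bot: `UNTRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true` does not produce an empty list when the directory holds no .pem files: sh leaves an unmatched glob as literal text, echo prints it and exits 0, and FILES then contains `.../untrusted/*.pem`, which the install step fails on, so the `2> /dev/null || true` guards a failure echo never reports. The construct is inherited from the deleted blacklisted/Makefile and stays latent while the directory is populated, which for a distrust list it presumably always will be, but `UNTRUSTED_CERTS!= ls ${.CURDIR}/*.pem 2> /dev/null || true` would yield the empty list the guard is reaching for, since ls on a non-existent literal path prints nothing to stdout. A header comment such as `# every .pem here is installed under ${BINDIR}; certctl(8) rehash reads them as the distrusted set` would also help, as the new Makefile has none.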
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
rename from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
rename from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
rename from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
rename from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Taiwan_GRCA.pem b/secure/caroot/untrusted/Taiwan_GRCA.pem
rename from secure/caroot/blacklisted/Taiwan_GRCA.pem
rename to secure/caroot/untrusted/Taiwan_GRCA.pem
diff --git a/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem b/secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
rename from secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
rename to secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
rename from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
rename from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
rename to secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem b/secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
rename from secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
rename to secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
rename from secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
rename from secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
rename from secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA.pem
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8
--- a/usr.sbin/certctl/certctl.8
+++ b/usr.sbin/certctl/certctl.8
@@ -26,19 +26,19 @@ .\" .\" $FreeBSD$ .\" -.Dd January 7, 2021 +.Dd June 18, 2021 .Dt CERTCTL 8 .Os .Sh NAME .Nm certctl -.Nd "tool for managing trusted and blacklist TLS certificates" +.Nd "tool for managing trusted and untrusted TLS certificates" .Sh SYNOPSIS .Nm .Op Fl v .Ic list .Nm .Op Fl v -.Ic blacklisted +.Ic untrusted .Nm .Op Fl nUv .Op Fl D Ar destdir @@ -46,10 +46,10 @@ .Ic rehash .Nm .Op Fl nv -.Ic blacklist Ar file +.Ic untrust Ar file .Nm .Op Fl nv -.Ic unblacklist Ar file +.Ic trust Ar file .Sh DESCRIPTION The .Nm @@ -72,28 +72,28 @@ .El .Pp Primary command functions: -.Bl -tag -width blacklisted +.Bl -tag -width untrusted .It Ic list List all currently trusted certificate authorities. -.It Ic blacklisted -List all currently blacklisted certificates. +.It Ic untrusted +List all currently untrusted certificates. .It Ic rehash Rebuild the list of trusted certificate authorities by scanning all directories in .Ev TRUSTPATH -and all blacklisted certificates in -.Ev BLACKLISTPATH . +and all untrusted certificates in +.Ev UNTRUSTPATH . A symbolic link to each trusted certificate is placed in .Ev CERTDESTDIR -and each blacklisted certificate in -.Ev BLACKLISTDESTDIR . -.It Ic blacklist -Add the specified file to the blacklist. -.It Ic unblacklist -Remove the specified file from the blacklist. +and each untrusted certificate in +.Ev UNTRUSTDESTDIR . +.It Ic untrust +Add the specified file to the untrusted list. +.It Ic trust +Remove the specified file from the untrusted list. .El .Sh ENVIRONMENT -.Bl -tag -width BLACKLISTDESTDIR +.Bl -tag -width UNTRUSTDESTDIR .It Ev DESTDIR Alternate destination directory to operate on. .It Ev TRUSTPATH 
@@ -101,19 +101,20 @@ Default: .Pa /usr/share/certs/trusted .Pa /usr/local/share/certs /usr/local/etc/ssl/certs -.It Ev BLACKLISTPATH -List of paths to search for blacklisted certificates. +.It Ev UNTRUSTPATH +List of paths to search for untrusted certificates. Default: -.Pa /usr/share/certs/blacklisted +.Pa /usr/share/certs/untrusted +.Pa /usr/local/etc/ssl/untrusted .Pa /usr/local/etc/ssl/blacklisted .It Ev CERTDESTDIR Destination directory for symbolic links to trusted certificates. Default: .Pa /etc/ssl/certs -.It Ev BLACKLISTDESTDIR -Destination directory for symbolic links to blacklisted certificates. +.It Ev UNTRUSTDESTDIR +Destination directory for symbolic links to untrusted certificates. Default: -.Pa /etc/ssl/blacklisted +.Pa /etc/ssl/untrusted .It Ev EXTENSIONS List of file extensions to read as certificate files. Default: *.pem *.crt *.cer *.crl *.0 diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh --- a/usr.sbin/certctl/certctl.sh +++ b/usr.sbin/certctl/certctl.sh @@ -79,10 +79,10 @@ hash=$( do_hash "$1" ) || return certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint ) - for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do + for blistfile in $(find $UNTRUSTDESTDIR -name "$hash.*"); do blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint ) if [ "$certhash" = "$blisthash" ]; then - echo "Skipping blacklisted certificate $1 ($blistfile)" + echo "Skipping untrusted certificate $1 ($blistfile)" return 1 fi done 
@@ -102,19 +102,19 @@ if [ -e "$1" ]; then hash=$( do_hash "$1" ) || return srcfile=$(realpath "$1") - suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") + suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash") filename="$hash.$suffix" echo "$srcfile" "$hash.$suffix" elif [ -e "${CERTDESTDIR}/$1" ]; then srcfile=$(realpath "${CERTDESTDIR}/$1") hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//') - suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") + suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash") filename="$hash.$suffix" echo "$srcfile" "$hash.$suffix" fi } -create_blacklisted() +create_untrusted() { local srcfile filename @@ -126,8 +126,8 @@ return fi - [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" - [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" + [ $VERBOSE -gt 0 ] && echo "Adding $filename to untrusted list" + [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename" } do_scan() @@ -185,14 +185,14 @@ else mkdir -p "$CERTDESTDIR" fi - if [ -e "$BLACKLISTDESTDIR" ]; then - find "$BLACKLISTDESTDIR" -type link -delete + if [ -e "$UNTRUSTDESTDIR" ]; then + find "$UNTRUSTDESTDIR" -type link -delete else - mkdir -p "$BLACKLISTDESTDIR" + mkdir -p "$UNTRUSTDESTDIR" fi fi - do_scan create_blacklisted "$BLACKLISTPATH" + do_scan create_untrusted "$UNTRUSTPATH" do_scan create_trusted_link "$TRUSTPATH" } @@ -202,19 +202,19 @@ do_list "$CERTDESTDIR" } -cmd_blacklist() +cmd_untrust() { local BPATH shift # verb - [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + [ $NOOP -eq 0 ] && mkdir -p "$UNTRUSTDESTDIR" for BFILE in "$@"; do - echo "Adding $BFILE to blacklist" - create_blacklisted "$BFILE" + echo "Adding $BFILE to untrusted list" + create_untrusted "$BFILE" done } -cmd_unblacklist() +cmd_trust() { local BFILE blisthash certhash hash 
@@ -223,16 +223,16 @@ if [ -s "$BFILE" ]; then hash=$( do_hash "$BFILE" ) certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint ) - for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do + for BLISTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*"); do blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint ) if [ "$certhash" = "$blisthash" ]; then - echo "Removing $(basename "$BLISTEDFILE") from blacklist" + echo "Removing $(basename "$BLISTEDFILE") from untrusted list" [ $NOOP -eq 0 ] && rm -f $BLISTEDFILE fi done - elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then - echo "Removing $BFILE from blacklist" - [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" + elif [ -e "$UNTRUSTDESTDIR/$BFILE" ]; then + echo "Removing $BFILE from untrusted list" + [ $NOOP -eq 0 ] && rm -f "$UNTRUSTDESTDIR/$BFILE" else echo "Cannot find $BFILE" >&2 ERRORS=$(( $ERRORS + 1 )) @@ -240,10 +240,10 @@ done } -cmd_blacklisted() +cmd_untrusted() { - echo "Listing Blacklisted Certificates:" - do_list "$BLACKLISTDESTDIR" + echo "Listing Untrusted Certificates:" + do_list "$UNTRUSTDESTDIR" } usage() @@ -252,14 +252,14 @@ echo "Manage the TLS trusted certificates on the system" echo " $SCRIPTNAME [-v] list" echo " List trusted certificates" - echo " $SCRIPTNAME [-v] blacklisted" - echo " List blacklisted certificates" + echo " $SCRIPTNAME [-v] untrusted" + echo " List untrusted certificates" echo " $SCRIPTNAME [-nUv] [-D ] [-M ] rehash" echo " Generate hash links for all certificates" - echo " $SCRIPTNAME [-nv] blacklist " - echo " Add to the list of blacklisted certificates" - echo " $SCRIPTNAME [-nv] unblacklist " - echo " Remove from the list of blacklisted certificates" + echo " $SCRIPTNAME [-nv] untrust " + echo " Add to the list of untrusted certificates" + echo " $SCRIPTNAME [-nv] trust " + echo " Remove from the list of untrusted certificates" exit 64 } 
@@ -281,17 +281,20 @@ [ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}" : ${LOCALBASE:=$(sysctl -n user.localbase)} : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs} -: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted} +: ${UNTRUSTPATH:=${DESTDIR}/usr/share/certs/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted} : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} -: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} +: ${UNTRUSTDESTDIR:=${DESTDIR}/etc/ssl/untrusted} [ $# -gt 0 ] || usage case "$1" in list) cmd_list ;; rehash) cmd_rehash ;; -blacklist) cmd_blacklist "$@" ;; -unblacklist) cmd_unblacklist "$@" ;; -blacklisted) cmd_blacklisted ;; +blacklist) cmd_untrust "$@" ;; +untrust) cmd_untrust "$@" ;; +trust) cmd_trust "$@" ;; +unblacklist) cmd_trust "$@" ;; +untrusted) cmd_untrusted ;; +blacklisted) cmd_untrusted ;; *) usage # NOTREACHED esac diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh --- a/usr.sbin/etcupdate/etcupdate.sh +++ b/usr.sbin/etcupdate/etcupdate.sh @@ -600,7 +600,7 @@ NEWALIAS_WARN=yes fi ;; - /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*) log "certctl rehash" if [ -z "$dryrun" ]; then env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1 diff --git a/usr.sbin/mergemaster/mergemaster.sh b/usr.sbin/mergemaster/mergemaster.sh --- a/usr.sbin/mergemaster/mergemaster.sh +++ b/usr.sbin/mergemaster/mergemaster.sh @@ -884,7 +884,7 @@ /etc/mail/aliases) NEED_NEWALIASES=yes ;; - /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*) NEED_CERTCTL=yes ;; /etc/login.conf)
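Review bot: The new defaults `: ${UNTRUSTPATH:=...}` and `: ${UNTRUSTDESTDIR:=...}` stop honoring `BLACKLISTPATH` and `BLACKLISTDESTDIR`, so an operator who exported `BLACKLISTPATH` to add a local directory of distrusted CAs gets no error and, on the next `rehash`, any of those CAs that also appear under TRUSTPATH are linked into /etc/ssl/certs again, which is a silent fail-open. The case statement below goes to the trouble of keeping `blacklist`, `unblacklist` and `blacklisted` as aliases, so the variables deserve the same transition; placing `: ${UNTRUSTPATH:=${BLACKLISTPATH}}` and `: ${UNTRUSTDESTDIR:=${BLACKLISTDESTDIR}}` immediately before the two existing defaults does it, because `:=` also assigns when the name is set but empty, so the built-in defaults still apply whenever the old names are unset. The alias verbs appear neither in usage() nor in the certctl.8 synopsis changed elsewhere in this commit; if they are meant to stay undocumented, a `# compatibility aliases for the pre-20210618 verb names` comment above them would keep the next reader from removing them as dead.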