
D30807.diff

diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -44,6 +44,44 @@
OLD_FILES+=usr/share/man/man9/crypto_cursor_segbase.9.gz
OLD_FILES+=usr/share/man/man9/crypto_cursor_seglen.9.gz
+# 20210618: rename of usr/share/certs/blacklisted
+OLD_FILES+=usr/share/certs/blacklisted/AddTrust_External_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Global_Chambersign_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Certum_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
+OLD_FILES+=usr/share/certs/blacklisted/D-TRUST_Root_CA_3_2013.pem
+OLD_FILES+=usr/share/certs/blacklisted/EC-ACC.pem
+OLD_FILES+=usr/share/certs/blacklisted/EE_Certification_Centre_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Global_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA_2.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Global_Chambersign_Root_-_2008.pem
+OLD_FILES+=usr/share/certs/blacklisted/LuxTrust_Global_Root_2.pem
+OLD_FILES+=usr/share/certs/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/SwissSign_Platinum_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
+OLD_FILES+=usr/share/certs/blacklisted/Taiwan_GRCA.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
+OLD_DIRS+=usr/share/certs/blacklisted
# 20210613: new clang import which bumps version from 11.0.1 to 12.0.0.
OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/algorithm
OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/complex
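Review bot: The `# 20210618` stamp on this block disagrees with the UPDATING entry later in the same diff, which still carries the placeholder `202106xx:`; both should be set to the actual commit date before this lands. The 36 `OLD_FILES` lines do match the 36 .pem renames in the diff, and `OLD_DIRS+=usr/share/certs/blacklisted` follows them, so the list itself looks complete.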
diff --git a/UPDATING b/UPDATING
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,10 @@
world, or to merely disable the most expensive debugging functionality
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+202106xx:
+ The directory "blacklisted" under /usr/share/certs/ has been
+ renamed to "untrusted".
+
20210611:
svnlite has been removed from base. Should you need svn for any reason
please install the svn package or port.
diff --git a/etc/mtree/BSD.usr.dist b/etc/mtree/BSD.usr.dist
--- a/etc/mtree/BSD.usr.dist
+++ b/etc/mtree/BSD.usr.dist
@@ -205,10 +205,10 @@
..
..
certs
- blacklisted tags=package=caroot
- ..
trusted tags=package=caroot
..
+ untrusted tags=package=caroot
+ ..
..
dict
..
diff --git a/secure/caroot/Makefile b/secure/caroot/Makefile
--- a/secure/caroot/Makefile
+++ b/secure/caroot/Makefile
@@ -3,7 +3,7 @@
CLEANFILES+= certdata.txt
SUBDIR+= trusted
-SUBDIR+= blacklisted
+SUBDIR+= untrusted
.include <bsd.obj.mk>
diff --git a/secure/caroot/README b/secure/caroot/README
--- a/secure/caroot/README
+++ b/secure/caroot/README
@@ -14,8 +14,8 @@
Then the results should manually be inspected (svn status)
1) Any no-longer-trusted certificates should be moved to the
- blacklisted directory (svn mv)
- 2) any newly added certificates will need to be added (svn add)
+ untrusted directory (git mv)
+ 2) any newly added certificates will need to be added (git add)
The following make targets exist:
diff --git a/secure/caroot/blacklisted/Makefile b/secure/caroot/blacklisted/Makefile
deleted file mode 100644
--- a/secure/caroot/blacklisted/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $FreeBSD$
-
-BINDIR= /usr/share/certs/blacklisted
-
-BLACKLISTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true
-
-FILES+= ${BLACKLISTED_CERTS}
-
-.include <bsd.prog.mk>
diff --git a/secure/caroot/blacklisted/AddTrust_External_Root.pem b/secure/caroot/untrusted/AddTrust_External_Root.pem
rename from secure/caroot/blacklisted/AddTrust_External_Root.pem
rename to secure/caroot/untrusted/AddTrust_External_Root.pem
diff --git a/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem b/secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem
rename from secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
rename to secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem
diff --git a/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
rename from secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
rename to secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
diff --git a/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
rename from secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
rename to secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
diff --git a/secure/caroot/blacklisted/Certum_Root_CA.pem b/secure/caroot/untrusted/Certum_Root_CA.pem
rename from secure/caroot/blacklisted/Certum_Root_CA.pem
rename to secure/caroot/untrusted/Certum_Root_CA.pem
diff --git a/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
rename from secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
rename to secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
rename from secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
rename to secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
diff --git a/secure/caroot/blacklisted/EC-ACC.pem b/secure/caroot/untrusted/EC-ACC.pem
rename from secure/caroot/blacklisted/EC-ACC.pem
rename to secure/caroot/untrusted/EC-ACC.pem
diff --git a/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem b/secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
rename from secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem
rename to secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Global_CA.pem b/secure/caroot/untrusted/GeoTrust_Global_CA.pem
rename from secure/caroot/blacklisted/GeoTrust_Global_CA.pem
rename to secure/caroot/untrusted/GeoTrust_Global_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA.pem
rename from secure/caroot/blacklisted/GeoTrust_Universal_CA.pem
rename to secure/caroot/untrusted/GeoTrust_Universal_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
rename from secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem
rename to secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
diff --git a/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
rename from secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
rename to secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem b/secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
rename from secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
rename to secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
diff --git a/secure/caroot/untrusted/Makefile b/secure/caroot/untrusted/Makefile
new file mode 100644
--- /dev/null
+++ b/secure/caroot/untrusted/Makefile
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+BINDIR= /usr/share/certs/untrusted
+
+UNTRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true
+
+FILES+= ${UNTRUSTED_CERTS}
+
+.include <bsd.prog.mk>
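Review bot: `UNTRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true` does not yield an empty list when the directory holds no .pem files: `echo` never fails, so in a POSIX sh the unexpanded pattern comes back and `FILES` ends up naming a file that does not exist. The `2> /dev/null || true` tail suggests an empty result was the intent; `UNTRUSTED_CERTS!= ls ${.CURDIR}/*.pem 2> /dev/null || true` would give that. The line is carried over unchanged from the deleted blacklisted/Makefile, so this is a good moment to fix it rather than keep the quirk under the new name.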
diff --git a/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem b/secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
rename from secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
rename to secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
rename from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
rename to secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
rename from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
rename to secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
diff --git a/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem b/secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
rename from secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
rename to secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
rename from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
rename from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
rename from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
rename from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Taiwan_GRCA.pem b/secure/caroot/untrusted/Taiwan_GRCA.pem
rename from secure/caroot/blacklisted/Taiwan_GRCA.pem
rename to secure/caroot/untrusted/Taiwan_GRCA.pem
diff --git a/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem b/secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
rename from secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
rename to secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
rename from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
rename from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
rename to secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem b/secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
rename from secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
rename to secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
rename from secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
rename from secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
rename from secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA.pem
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8
--- a/usr.sbin/certctl/certctl.8
+++ b/usr.sbin/certctl/certctl.8
@@ -26,19 +26,19 @@
.\"
.\" $FreeBSD$
.\"
-.Dd January 7, 2021
+.Dd June 18, 2021
.Dt CERTCTL 8
.Os
.Sh NAME
.Nm certctl
-.Nd "tool for managing trusted and blacklist TLS certificates"
+.Nd "tool for managing trusted and untrusted TLS certificates"
.Sh SYNOPSIS
.Nm
.Op Fl v
.Ic list
.Nm
.Op Fl v
-.Ic blacklisted
+.Ic untrusted
.Nm
.Op Fl nUv
.Op Fl D Ar destdir
@@ -46,10 +46,10 @@
.Ic rehash
.Nm
.Op Fl nv
-.Ic blacklist Ar file
+.Ic untrust Ar file
.Nm
.Op Fl nv
-.Ic unblacklist Ar file
+.Ic trust Ar file
.Sh DESCRIPTION
The
.Nm
@@ -72,28 +72,28 @@
.El
.Pp
Primary command functions:
-.Bl -tag -width blacklisted
+.Bl -tag -width untrusted
.It Ic list
List all currently trusted certificate authorities.
-.It Ic blacklisted
-List all currently blacklisted certificates.
+.It Ic untrusted
+List all currently untrusted certificates.
.It Ic rehash
Rebuild the list of trusted certificate authorities by scanning all directories
in
.Ev TRUSTPATH
-and all blacklisted certificates in
-.Ev BLACKLISTPATH .
+and all untrusted certificates in
+.Ev UNTRUSTPATH .
A symbolic link to each trusted certificate is placed in
.Ev CERTDESTDIR
-and each blacklisted certificate in
-.Ev BLACKLISTDESTDIR .
-.It Ic blacklist
-Add the specified file to the blacklist.
-.It Ic unblacklist
-Remove the specified file from the blacklist.
+and each untrusted certificate in
+.Ev UNTRUSTDESTDIR .
+.It Ic untrust
+Add the specified file to the untrusted list.
+.It Ic trust
+Remove the specified file from the untrusted list.
.El
.Sh ENVIRONMENT
-.Bl -tag -width BLACKLISTDESTDIR
+.Bl -tag -width UNTRUSTDESTDIR
.It Ev DESTDIR
Alternate destination directory to operate on.
.It Ev TRUSTPATH
@@ -101,19 +101,20 @@
Default:
.Pa <DESTDIR>/usr/share/certs/trusted
.Pa <DESTDIR>/usr/local/share/certs <DESTDIR>/usr/local/etc/ssl/certs
-.It Ev BLACKLISTPATH
-List of paths to search for blacklisted certificates.
+.It Ev UNTRUSTPATH
+List of paths to search for untrusted certificates.
Default:
-.Pa <DESTDIR>/usr/share/certs/blacklisted
+.Pa <DESTDIR>/usr/share/certs/untrusted
+.Pa <DESTDIR>/usr/local/etc/ssl/untrusted
.Pa <DESTDIR>/usr/local/etc/ssl/blacklisted
.It Ev CERTDESTDIR
Destination directory for symbolic links to trusted certificates.
Default:
.Pa <DESTDIR>/etc/ssl/certs
-.It Ev BLACKLISTDESTDIR
-Destination directory for symbolic links to blacklisted certificates.
+.It Ev UNTRUSTDESTDIR
+Destination directory for symbolic links to untrusted certificates.
Default:
-.Pa <DESTDIR>/etc/ssl/blacklisted
+.Pa <DESTDIR>/etc/ssl/untrusted
.It Ev EXTENSIONS
List of file extensions to read as certificate files.
Default: *.pem *.crt *.cer *.crl *.0
diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -79,10 +79,10 @@
hash=$( do_hash "$1" ) || return
certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint )
- for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
+ for blistfile in $(find $UNTRUSTDESTDIR -name "$hash.*"); do
blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint )
if [ "$certhash" = "$blisthash" ]; then
- echo "Skipping blacklisted certificate $1 ($blistfile)"
+ echo "Skipping untrusted certificate $1 ($blistfile)"
return 1
fi
done
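Review bot: `$UNTRUSTDESTDIR` is unquoted in `$(find $UNTRUSTDESTDIR -name "$hash.*")`, so a destination path containing whitespace or glob characters (it is built from `DESTDIR`) is split before find sees it, and the untrusted check can then match nothing and let the certificate through as trusted. Quote it, `find "$UNTRUSTDESTDIR" -name "$hash.*"`, here and in the same loop in cmd_trust, where `rm -f $BLISTEDFILE` should be quoted as well. The locals `blistfile` and `blisthash` still carry the old name and could be renamed with the rest. The enclosing function starts and ends outside this hunk.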
@@ -102,19 +102,19 @@
if [ -e "$1" ]; then
hash=$( do_hash "$1" ) || return
srcfile=$(realpath "$1")
- suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
+ suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash")
filename="$hash.$suffix"
echo "$srcfile" "$hash.$suffix"
elif [ -e "${CERTDESTDIR}/$1" ]; then
srcfile=$(realpath "${CERTDESTDIR}/$1")
hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//')
- suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
+ suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash")
filename="$hash.$suffix"
echo "$srcfile" "$hash.$suffix"
fi
}
-create_blacklisted()
+create_untrusted()
{
local srcfile filename
@@ -126,8 +126,8 @@
return
fi
- [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
- [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
+ [ $VERBOSE -gt 0 ] && echo "Adding $filename to untrusted list"
+ [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename"
}
do_scan()
@@ -185,14 +185,14 @@
else
mkdir -p "$CERTDESTDIR"
fi
- if [ -e "$BLACKLISTDESTDIR" ]; then
- find "$BLACKLISTDESTDIR" -type link -delete
+ if [ -e "$UNTRUSTDESTDIR" ]; then
+ find "$UNTRUSTDESTDIR" -type link -delete
else
- mkdir -p "$BLACKLISTDESTDIR"
+ mkdir -p "$UNTRUSTDESTDIR"
fi
fi
- do_scan create_blacklisted "$BLACKLISTPATH"
+ do_scan create_untrusted "$UNTRUSTPATH"
do_scan create_trusted_link "$TRUSTPATH"
}
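Review bot: cmd_rehash now clears and repopulates only `$UNTRUSTDESTDIR`, so on an upgraded system the links that earlier runs created under the old default `${DESTDIR}/etc/ssl/blacklisted` are left behind and will dangle once the old certificate files are removed. Nothing visible in this diff reads that directory any more, so an admin inspecting it would see entries that are no longer enforced. Consider clearing the legacy directory during rehash, e.g. `[ -d "${DESTDIR}/etc/ssl/blacklisted" ] && find "${DESTDIR}/etc/ssl/blacklisted" -type link -delete`, or documenting the manual cleanup in UPDATING. The function begins outside this hunk.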
@@ -202,19 +202,19 @@
do_list "$CERTDESTDIR"
}
-cmd_blacklist()
+cmd_untrust()
{
local BPATH
shift # verb
- [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
+ [ $NOOP -eq 0 ] && mkdir -p "$UNTRUSTDESTDIR"
for BFILE in "$@"; do
- echo "Adding $BFILE to blacklist"
- create_blacklisted "$BFILE"
+ echo "Adding $BFILE to untrusted list"
+ create_untrusted "$BFILE"
done
}
-cmd_unblacklist()
+cmd_trust()
{
local BFILE blisthash certhash hash
@@ -223,16 +223,16 @@
if [ -s "$BFILE" ]; then
hash=$( do_hash "$BFILE" )
certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint )
- for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
+ for BLISTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*"); do
blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint )
if [ "$certhash" = "$blisthash" ]; then
- echo "Removing $(basename "$BLISTEDFILE") from blacklist"
+ echo "Removing $(basename "$BLISTEDFILE") from untrusted list"
[ $NOOP -eq 0 ] && rm -f $BLISTEDFILE
fi
done
- elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
- echo "Removing $BFILE from blacklist"
- [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE"
+ elif [ -e "$UNTRUSTDESTDIR/$BFILE" ]; then
+ echo "Removing $BFILE from untrusted list"
+ [ $NOOP -eq 0 ] && rm -f "$UNTRUSTDESTDIR/$BFILE"
else
echo "Cannot find $BFILE" >&2
ERRORS=$(( $ERRORS + 1 ))
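Review bot: When `$BFILE` is an existing file but no link in `$UNTRUSTDESTDIR` has a matching fingerprint, the `for BLISTEDFILE` loop falls through without printing anything or incrementing `ERRORS`, so the command ends as if it had done something. That was already the case for `unblacklist`, but under the new verb `trust` silence is easy to misread as "this certificate is now trusted", which the visible code does not do; it only removes links from the untrusted list. A flag would make the outcome explicit: add `found` to the `local` list, set `found=0` before the loop and `found=1` beside the `rm`, then after the loop `[ $found -eq 0 ] && echo "$BFILE is not in the untrusted list" >&2`. The function starts in the previous hunk and its outer loop closes in the next one.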
@@ -240,10 +240,10 @@
done
}
-cmd_blacklisted()
+cmd_untrusted()
{
- echo "Listing Blacklisted Certificates:"
- do_list "$BLACKLISTDESTDIR"
+ echo "Listing Untrusted Certificates:"
+ do_list "$UNTRUSTDESTDIR"
}
usage()
@@ -252,14 +252,14 @@
echo "Manage the TLS trusted certificates on the system"
echo " $SCRIPTNAME [-v] list"
echo " List trusted certificates"
- echo " $SCRIPTNAME [-v] blacklisted"
- echo " List blacklisted certificates"
+ echo " $SCRIPTNAME [-v] untrusted"
+ echo " List untrusted certificates"
echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash"
echo " Generate hash links for all certificates"
- echo " $SCRIPTNAME [-nv] blacklist <file>"
- echo " Add <file> to the list of blacklisted certificates"
- echo " $SCRIPTNAME [-nv] unblacklist <file>"
- echo " Remove <file> from the list of blacklisted certificates"
+ echo " $SCRIPTNAME [-nv] untrust <file>"
+ echo " Add <file> to the list of untrusted certificates"
+ echo " $SCRIPTNAME [-nv] trust <file>"
+ echo " Remove <file> from the list of untrusted certificates"
exit 64
}
@@ -281,17 +281,20 @@
[ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}"
: ${LOCALBASE:=$(sysctl -n user.localbase)}
: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs}
-: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted}
+: ${UNTRUSTPATH:=${DESTDIR}/usr/share/certs/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted}
: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
-: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
+: ${UNTRUSTDESTDIR:=${DESTDIR}/etc/ssl/untrusted}
[ $# -gt 0 ] || usage
case "$1" in
list) cmd_list ;;
rehash) cmd_rehash ;;
-blacklist) cmd_blacklist "$@" ;;
-unblacklist) cmd_unblacklist "$@" ;;
-blacklisted) cmd_blacklisted ;;
+blacklist) cmd_untrust "$@" ;;
+untrust) cmd_untrust "$@" ;;
+trust) cmd_trust "$@" ;;
+unblacklist) cmd_trust "$@" ;;
+untrusted) cmd_untrusted ;;
+blacklisted) cmd_untrusted ;;
*) usage # NOTREACHED
esac
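Review bot: The old verbs `blacklist`, `unblacklist` and `blacklisted` stay as aliases in the `case`, but the old environment variables do not: a caller that exports `BLACKLISTPATH` or `BLACKLISTDESTDIR` is now silently ignored and the defaults apply, so certificates listed only in a custom path would stop being excluded on the next rehash. Either honour the legacy names as fallbacks ahead of the new defaults, `: ${UNTRUSTPATH:=${BLACKLISTPATH:-}}` and `: ${UNTRUSTDESTDIR:=${BLACKLISTDESTDIR:-}}`, or warn on stderr when they are set. usage() and certctl.8 also no longer mention the legacy verbs, so a short "deprecated alias" line in each would tell script authors what to migrate to.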
diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh
--- a/usr.sbin/etcupdate/etcupdate.sh
+++ b/usr.sbin/etcupdate/etcupdate.sh
@@ -600,7 +600,7 @@
NEWALIAS_WARN=yes
fi
;;
- /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+ /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*)
log "certctl rehash"
if [ -z "$dryrun" ]; then
env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1
diff --git a/usr.sbin/mergemaster/mergemaster.sh b/usr.sbin/mergemaster/mergemaster.sh
--- a/usr.sbin/mergemaster/mergemaster.sh
+++ b/usr.sbin/mergemaster/mergemaster.sh
@@ -884,7 +884,7 @@
/etc/mail/aliases)
NEED_NEWALIASES=yes
;;
- /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+ /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*)
NEED_CERTCTL=yes
;;
/etc/login.conf)
