certctl: Unstickify (un)trusted certificates
Needs Review (Public)

Authored by des on Fri, Apr 24, 12:21 PM.
Tags
None
Referenced Files
F154257107: D56617.id176334.diff
Mon, Apr 27, 10:51 AM
F154256669: D56617.id176325.diff
Mon, Apr 27, 10:48 AM
F154233366: D56617.id176336.diff
Mon, Apr 27, 7:41 AM
Details

Reviewers
kevans
bcr
Group Reviewers
security
Summary

Ever since certctl was rewritten in C, the rehash command has reingested
TRUSTDESTDIR / UNTRUSTDESTDIR in addition to TRUSTPATH / UNTRUSTPATH.
This seemed like a good idea at the time but was, in retrospect, a
mistake, as it means a (un)trusted certificate remains (un)trusted
forever (or at least until it expires) even if it is removed from
(UN)TRUSTPATH. Among other issues, it causes ports QA to fail for any
port that either installs certificates or depends on a port that does.

Although this behavior was undocumented, the change may surprise users
who have added certificates manually, so update the manual page to point
it out.

PR: 290078
MFC after: 1 week
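To make the difference described in the summary concrete, the following is an added shell model of the two rehash behaviours, written for this page and not taken from certctl itself. The `rehash` and `cert_survives_removal` functions, the `src`/`dest` directories standing in for TRUSTPATH/TRUSTDESTDIR, and the placeholder `example.pem` are all constructed assumptions of the model; real certctl installs files by subject hash, which the model replaces with plain file names.

```shell
# Constructed model of the rehash behaviours discussed in D56617
# (not certctl's own code).  "src" stands in for TRUSTPATH and
# "dest" for TRUSTDESTDIR; files are keyed by name, not subject hash.

# rehash MODE SRC DEST: rebuild DEST from SRC.
#   sticky: the old behaviour, DEST's current contents are reingested too,
#           so a certificate removed from SRC is kept forever.
#   fixed:  DEST is rebuilt from SRC alone.
rehash() {
    mode=$1 src=$2 dest=$3
    staging="$dest.new"
    rm -rf "$staging"
    mkdir -p "$staging"
    for f in "$src"/*.pem; do
        if [ -e "$f" ]; then cp "$f" "$staging/"; fi
    done
    if [ "$mode" = sticky ]; then
        for f in "$dest"/*.pem; do
            if [ -e "$f" ]; then cp "$f" "$staging/"; fi
        done
    fi
    rm -rf "$dest"
    mv "$staging" "$dest"
}

# cert_survives_removal MODE: install a constructed certificate file,
# rehash, delete it from SRC, rehash again, and return 0 if it is still
# present in DEST (i.e. still trusted) or 1 if the rehash dropped it.
cert_survives_removal() {
    mode=$1
    root=$(mktemp -d)
    mkdir -p "$root/src" "$root/dest"
    printf 'constructed placeholder, not a real certificate\n' \
        > "$root/src/example.pem"
    rehash "$mode" "$root/src" "$root/dest"
    rm "$root/src/example.pem"
    rehash "$mode" "$root/src" "$root/dest"
    if [ -e "$root/dest/example.pem" ]; then rc=0; else rc=1; fi
    rm -rf "$root"
    return $rc
}

# Demonstration: only the old (sticky) behaviour keeps the removed file.
if cert_survives_removal sticky; then echo "sticky: removed cert still present"; fi
if cert_survives_removal fixed; then :; else echo "fixed: removed cert dropped"; fi
```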

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 72516
Build 69399: arc lint + arc unit

Event Timeline

des requested review of this revision. Fri, Apr 24, 12:21 PM
des retitled this revision from "certctl: Unstickify trusted certificates" to "certctl: Unstickify (un)trusted certificates". Fri, Apr 24, 2:02 PM
des edited the summary of this revision.
bcr added a subscriber: bcr.

OK for the changes to the manpage.

This revision is now accepted and ready to land. Sat, Apr 25, 8:24 AM
This revision now requires review to proceed. Sun, Apr 26, 5:48 PM
usr.sbin/certctl/certctl.8, line 116 (On Diff #176581)

Reading the caveat here, I guess I'm wondering why untrust doesn't act as a slightly nicer shorthand for copying the cert into one of the default_untrusted_paths (probably the localbase one?) rather than accidentally presenting a footgun, since we do some implicit rehashes (e.g. when the trust store changes) that they may not be considering that will drop it.

usr.sbin/certctl/certctl.8, line 116 (On Diff #176581)

I'm torn between a) changing certctl untrust to do just that and b) leaving the code as-is but documenting that as the preferred alternative.