authorKyle Evans <kevans@FreeBSD.org>2020-05-21 18:50:05 +0000
committerKyle Evans <kevans@FreeBSD.org>2020-05-21 18:50:05 +0000
commitdc6b9f696a814a573258101795c0bb72349b03df (patch)
tree59a8e516af1d4a3a796c717196b00f0ea5999f11
parent34b7fe9128ec021afdb9bdc16fc3af796b7ce080 (diff)
MFS r361310: MFC r361022-361023, 361148: certctl(8) fixes
r361022: certctl(8): don't completely nuke $CERTDESTDIR It's been reported/noted that a well-timed `certctl rehash` will completely obliterate $CERTDESTDIR, which may get used by ports or system administrators. While we can't guarantee the certctl semantics when other non-certctl-controlled bits live here, we should make some amount of effort to play nice. Pruning all existing links, which we'll subsequently rebuild as needed, is sufficient for our needs. This can still be destructive, but it's perhaps less likely to cause issues. I also note that we should probably be pruning /etc/ssl/blacklisted upon rehash as well. r361023: certctl: follow-up to r361022, prune blacklist as well Otherwise, removals from the blacklist may not get processed as they should. While we're here, restructure these to not bother with mkdir(1) if we've already tested them to exist. r361148: certctl: don't fall over flat with relative DESTDIR Up until now, all of our DESTDIR use has been with absolute paths. It turned out that the cd in/out dance we do here breaks us down later on, as the relative path no longer resolves. Convert EXTENSIONS to an ERE that we'll use to grep ls -1 of the dir we're inspecting, rather than cd'ing into it and globbing it up. Approved by: re (kib)
Notes
Notes: svn path=/releng/11.4/; revision=361339
-rwxr-xr-xusr.sbin/certctl/certctl.sh23
1 files changed, 15 insertions, 8 deletions
diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
index b46d3371db16..41d2cecf4645 100755
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -34,7 +34,7 @@
: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
-: ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"}
+: ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"}
: ${VERBOSE:=0}
############################################################ GLOBALS
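Review bot: Replacing the overridable `EXTENSIONS` knob with `FILEPAT` at L27-L28 means any environment that exported `EXTENSIONS=` to widen or narrow the scan is now silently ignored rather than honoured or rejected. If that override was ever documented (certctl.8 is not visible here), either map the old name onto the new one or call out the break in the manpage. The new default also reads oddly next to the glob-style defaults above it, so a one-line comment would help: `# ERE applied to ls(1) output of each scanned dir; override to scan other suffixes`.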
@@ -104,13 +104,11 @@ do_scan()
for CPATH in "$@"; do
[ -d "$CPATH" ] || continue
echo "Scanning $CPATH for certificates..."
- cd "$CPATH"
- for CFILE in $EXTENSIONS; do
- [ -e "$CFILE" ] || continue
+ for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}"); do
+ [ -e "$CPATH/$CFILE" ] || continue
[ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
"$CFUNC" "$CPATH/$CFILE"
done
- cd -
done
}
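Review bot: The new `for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}")` on L38 word-splits and glob-expands the listing, so a certificate whose filename contains whitespace is broken into fragments that the `-e` test on L39 silently skips, and a name containing `*` or `?` is expanded against the caller's current directory now that the `cd` is gone. These are admin-populated trust and blacklist directories, so this is a robustness issue rather than an exploitable one, but a CA or blacklist entry that is silently not processed is exactly the failure mode certctl should avoid. Reading the listing line-wise keeps the relative-DESTDIR fix and removes the splitting: `ls -1 "${CPATH}" | grep -Ee "${FILEPAT}" | while IFS= read -r CFILE; do` … `done`. One caveat: in /bin/sh the body of a piped `while` runs in a subshell, so this is only equivalent if `$CFUNC` (defined outside this hunk) communicates solely through the filesystem and its exit status — worth confirming before switching, or iterate a per-pattern glob such as `"$CPATH"/*.pem` instead.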
@@ -142,9 +140,18 @@ do_list()
cmd_rehash()
{
- [ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR"
- [ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR"
- [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
+ if [ $NOOP -eq 0 ]; then
+ if [ -e "$CERTDESTDIR" ]; then
+ find "$CERTDESTDIR" -type link -delete
+ else
+ mkdir -p "$CERTDESTDIR"
+ fi
+ if [ -e "$BLACKLISTDESTDIR" ]; then
+ find "$BLACKLISTDESTDIR" -type link -delete
+ else
+ mkdir -p "$BLACKLISTDESTDIR"
+ fi
+ fi
do_scan create_blacklisted "$BLACKLISTPATH"
do_scan create_trusted_link "$TRUSTPATH"
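Review bot: `find "$CERTDESTDIR" -type link -delete` on L54 (and its twin on L59) has no depth bound, so it also matches the starting point itself: if an administrator has made /etc/ssl/certs a symlink to another directory, the `-e` test on L53 is true, find unlinks that symlink, and the `mkdir -p` branch never runs, so the link creation that follows presumably has no target directory at all. Without a bound it also descends into any subdirectories and removes symlinks certctl never created, which the commit message's "play nice" goal argues against. Restricting both invocations to the directory's immediate entries closes both gaps: `find "$CERTDESTDIR" -mindepth 1 -maxdepth 1 -type l -delete` and likewise for `$BLACKLISTDESTDIR`. Note too that `-type link` appears to work only because FreeBSD find(1) looks at the first character of the argument; `-type l` is the documented and portable spelling. cmd_rehash continues past the end of the hunk.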