git: 87945a082980 - main - certctl: Fix recent regressions.
Date: Fri, 20 Oct 2023 10:29:42 UTC
The branch main has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=87945a082980260b52507ad5bfb3a0ce773a80da commit 87945a082980260b52507ad5bfb3a0ce773a80da Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2023-10-20 10:29:06 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2023-10-20 10:29:40 +0000 certctl: Fix recent regressions. - If an untrusted certificate is also found in the list of trusted certificate, issue a warning and skip it, but don't fail. - Split on -+BEGIN CERTIFICATE-+ instead of "Certificate:" since that's what we're really looking for. Also fix a long-standing bug: .crl files are not certificates, so we should not include them when searching for certificates. Reported by: madpilot, netchild, tijl Reviewed by: netchild, allanjude Differential Revision: https://reviews.freebsd.org/D42276
---
 usr.sbin/certctl/certctl.sh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
index b7d3a95bc7d7..2ffa94bc7db7 100755
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -67,8 +67,7 @@ cert_files_in()
 find -L "$@" -type f \( \
 -name '*.pem' -or \
 -name '*.crt' -or \
- -name '*.cer' -or \
- -name '*.crl' \
+ -name '*.cer' \
 \) 2>/dev/null
 }
@@ -114,7 +113,7 @@ create_trusted()
 otherhash=$(openssl x509 -sha1 -in "$otherfile" -noout -fingerprint)
 if [ "$certhash" = "$otherhash" ] ; then
 info "Skipping untrusted certificate $hash ($otherfile)"
- return 1
+ return 0
 fi
 done
 for otherfile in $(find $CERTDESTDIR -name "$hash.*") ; do
@@ -182,7 +181,7 @@ do_scan()
 IFS="$oldIFS"
 for CFILE in $(cert_files_in "$@") ; do
 verbose "Reading $CFILE"
- case $(grep -c '^Certificate:$' "$CFILE") in
+ case $(egrep -c '^-+BEGIN CERTIFICATE-+$' "$CFILE") in
 0) ;;
 1)
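Review bot: With `return 0` in the @@ -114 hunk, a trusted certificate that is suppressed because it also appears in the untrusted list now reports success to the caller, and the only trace is the `info "Skipping untrusted certificate $hash ($otherfile)"` line; the commit message calls this a warning, so if `info` is suppressed in non-verbose runs (cannot be seen here — confirm) consider writing that message unconditionally to stderr so an operator notices that an expected trust anchor was not installed. The identity check keys on `openssl x509 -sha1 ... -fingerprint` (unchanged context); that is adequate for matching a local untrusted list against itself, but `-sha256` would be the more conservative choice if this code is touched again. create_trusted begins and ends outside this hunk.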
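Review bot: The new count line in the @@ -182 hunk uses `egrep`, which is only a wrapper for `grep -E` and which recent GNU grep (3.8 and later) reports as obsolescent on stderr; `case $(grep -Ec '^-+BEGIN CERTIFICATE-+$' "$CFILE") in` behaves identically on FreeBSD grep and avoids that noise if a GNU grep is first in PATH. The same applies to the two `egrep` invocations in the following @@ -191 hunk. The pattern accepts any run of dashes rather than the five that RFC 7468 specifies, which is harmless for a line count but will also count a non-standard marker such as `-BEGIN CERTIFICATE-` that openssl would not parse, so the 1) branch may then hand openssl a file it rejects. do_scan continues outside this hunk.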
@@ -191,8 +190,8 @@ do_scan()
 *)
 verbose "Multiple certificates found, splitting..."
 SPLITDIR=$(mktemp -d)
- egrep '^[^#]' "$CFILE" | \
- split -p '^Certificate:$' - "$SPLITDIR/x"
+ egrep '^(---|[0-9A-Za-z/+=]+$)' "$CFILE" | \
+ split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x"
 for CERT in $(find "$SPLITDIR" -type f) ; do
 "$CFUNC" "$CERT"
 done
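Review bot: The filter `egrep '^(---|[0-9A-Za-z/+=]+$)'` keeps every line that starts with `---`, not only certificate boundaries, and `split -p` only opens a new file on `BEGIN CERTIFICATE`, so a bundle that also carries another PEM block (for example a private key, whose base64 body also passes the filter) will have that block appended to the preceding certificate's chunk rather than dropped. What "$CFUNC" does with a chunk cannot be seen here — if it copies the file verbatim into CERTDESTDIR rather than re-emitting the first certificate through openssl, the extra material is carried along, so it is worth confirming or ending each chunk at `END CERTIFICATE` as well. If the first surviving line is already a BEGIN line, split may also produce a zero-length first file that is then passed to "$CFUNC"; confirm split -p behaviour on FreeBSD or guard the loop with `[ -s "$CERT" ] || continue`. `$SPLITDIR` is not removed within this hunk, so if no cleanup follows `done` a temp directory of certificate copies is left behind. do_scan continues outside this hunk.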