From nobody Thu May 07 20:19:19 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gBNrR6gf2z6d7vb for ; Thu, 07 May 2026 20:19:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gBNrR2H6xz3HnS for ; Thu, 07 May 2026 20:19:19 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1778185159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZWHGlf8mAHOKP+IB1wh0f2f50aVVG5TSpMrusV7zTbU=; b=xVippHBTyKJZutErXaRVHKIRjBTMBWwp4JFF/a/DTE6Zx9ETFhvi6309S7Z00Jr/kTBwYb HNGnY/4/tGupUQGOWxVVJwCLukdGH/HJsgW3+6YiHAOT4+/XMRwZPl2m5cfis+GJQIq2OA oeKxMok+fVVxXeKtMN1nznGwiyda5Ux48qLe7ceEUFtPvmGI1wRkrKuyi7+M2zLUTmggwn VnnuyWul4lUHb6ayZA0Q5i4CnHEFEbd3T681ixB7NlM311kB3sIi0mD016p0azzAzZ9sDY 1mZP3OTL77Noi5Wtur8r8BRN4lY34yNppH/1uQN/TxMPvR6luWBLFEPxke4OUA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1778185159; a=rsa-sha256; cv=none; b=CXe5aevUSCkBXfeTc/rm3o9ZEdR2z/mGbfy7EMuHyYhalH3O6nWl2eQ3lNa1dsuvBvilsY tEPxU3NBRfjcDKo8CSyLjCyQ7Oyi5TjyhsUIfDxY4qju9oAdwxqIISSFAshiOW2eTmeQO3 1U5snPuiz3BAujLeKCLJafql2zAVP1gLowDR5NdQYIj4FHREfGzGXuSwkdr93HdufVABT7 U71XDAXIdDTmO5uMRoEJcDHPIdd/39VrTjmV9hKX//3UNxYyweH6AUb494MZyeGV9U2N4x vZBk0MwTxeWrqcnLLhReWHAFQ5697Y/wIO7AWFoWRe0FHMbvgHxYgl57W3dCIg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1778185159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZWHGlf8mAHOKP+IB1wh0f2f50aVVG5TSpMrusV7zTbU=; b=MoXdXv2VCd9PRjydju86nIN0KVdGVdZupySArnVf3w6/1J7l8ES8T9mJMQ2sAjSCxvUxPG LYMdbdr+jFBEwzlxIQZYSi2q5D2S18254Tp2mlcfzq2/S8y3fOHB+eBFqNrWyQFWixAimx s8aPzuQHhpl75gwuIHruo1lgLUUeutM6GiDuTSIoIZ1pDzacylLME6PbdL/cGz1nsYQRDV yQIgtJCUbKV7A3c29bez/mguoVG/M2fwyDyRjfUJFwjn05WM+GjGOWnrhTK1SBej/w0dc8 CXSPaKG3U19FV1R/0r4pQOhC3geGo38lqVMgxfhRpH+os6Z+2K9Ih+ysD5Us5g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gBNrR1fT3zhZy for ; Thu, 07 May 2026 20:19:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1ed9b by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 07 May 2026 20:19:19 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav From: Colin Percival Subject: git: cef90b438635 - releng/15.1 - certctl: Unstickify (un)trusted certificates List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cperciva X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.1 X-Git-Reftype: branch X-Git-Commit: cef90b4386354618126925716cbadff6b1961a2e Auto-Submitted: auto-generated Date: Thu, 07 May 2026 20:19:19 +0000 Message-Id: <69fcf3c7.1ed9b.f9965d2@gitrepo.freebsd.org> The branch releng/15.1 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=cef90b4386354618126925716cbadff6b1961a2e commit cef90b4386354618126925716cbadff6b1961a2e Author: Dag-Erling Smørgrav AuthorDate: 2026-05-05 22:30:52 +0000 Commit: Colin Percival CommitDate: 2026-05-07 20:18:58 +0000 certctl: Unstickify (un)trusted certificates Ever since certctl was rewritten in C, the rehash command has reingested TRUSTDESTDIR / UNTRUSTDESTDIR in addition to TRUSTPATH / UNTRUSTPATH. This seemed like a good idea at the time but was, in retrospect, a mistake, as it means a (un)trusted certificate remains (un)trusted forever (or at least until it expires) even if it is removed from (UN)TRUSTPATH. Among other issues, it causes ports QA to fail for any port that either installs certificates or depends on a port that does. Although this behavior was undocumented, the change may surprise users who have added certificates manually, so update the manual page to point it out and add prominent warnings to the trust and untrust commands. Approved by: re (cperciva) PR: 290078 MFC after: 1 week Reviewed by: kevans, bcr Differential Revision: https://reviews.freebsd.org/D56617 (cherry picked from commit 2fef18ff594328a771b6aa659e8ffa5a7e076540) (cherry picked from commit c65e233a52c61bf24fb935d1971e38fbde10791d) --- usr.sbin/certctl/certctl.8 | 15 ++++++- usr.sbin/certctl/certctl.c | 81 ++++++++++++++++++++++------------ usr.sbin/certctl/tests/certctl_test.sh | 3 +- 3 files changed, 67 insertions(+), 32 deletions(-) diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8 index 2d38ce020c04..7df89e4d35d0 100644 --- a/usr.sbin/certctl/certctl.8 +++ b/usr.sbin/certctl/certctl.8 @@ -24,7 +24,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 3, 2025 +.Dd April 24, 2026 .Dt CERTCTL 8 .Os .Sh NAME @@ -113,8 +113,19 @@ In addition, a bundle containing the trusted certificates is placed in .Ev BUNDLE . .It Ic untrust Add the specified file to the untrusted list. +Note that the next +.Ic rehash +will remove it unless a copy of it is also placed somewhere in a +directory included in +.Ev UNTRUSTPATH . .It Ic trust -Remove the specified file from the untrusted list. +Add the specified file to the trusted list, unless it is already +untrusted. +Note that the next +.Ic rehash +will remove it unless a copy of it is also placed somewhere in a +directory included in +.Ev TRUSTPATH . .El .Sh ENVIRONMENT .Bl -tag -width UNTRUSTDESTDIR diff --git a/usr.sbin/certctl/certctl.c b/usr.sbin/certctl/certctl.c index 7fdc644bc09f..cf737565ca9e 100644 --- a/usr.sbin/certctl/certctl.c +++ b/usr.sbin/certctl/certctl.c @@ -636,23 +636,18 @@ write_bundle(const char *dir, const char *file, struct cert_tree *tree) * Returns the number of certificates loaded. */ static unsigned int -load_trusted(bool all, struct cert_tree *exclude) +load_trusted(void) { unsigned int i, n; int ret; /* load external trusted certs */ - for (i = n = 0; all && trusted_paths[i] != NULL; i++) { - ret = read_certs(trusted_paths[i], &trusted, exclude); + for (i = n = 0; trusted_paths[i] != NULL; i++) { + ret = read_certs(trusted_paths[i], &trusted, &untrusted); if (ret > 0) n += ret; } - /* load installed trusted certs */ - ret = read_certs(trusted_dest, &trusted, exclude); - if (ret > 0) - n += ret; - info("%d trusted certificates found", n); return (n); } @@ -663,24 +658,19 @@ load_trusted(bool all, struct cert_tree *exclude) * Returns the number of certificates loaded. */ static unsigned int -load_untrusted(bool all) +load_untrusted(void) { char *path; unsigned int i, n; int ret; /* load external untrusted certs */ - for (i = n = 0; all && untrusted_paths[i] != NULL; i++) { + for (i = n = 0; untrusted_paths[i] != NULL; i++) { ret = read_certs(untrusted_paths[i], &untrusted, NULL); if (ret > 0) n += ret; } - /* load installed untrusted certs */ - ret = read_certs(untrusted_dest, &untrusted, NULL); - if (ret > 0) - n += ret; - /* load legacy untrusted certs */ path = expand_path(LEGACY_PATH); ret = read_certs(path, &untrusted, NULL); @@ -796,8 +786,8 @@ certctl_list(int argc, char **argv __unused) { if (argc > 1) usage(); - /* load trusted certificates */ - load_trusted(false, NULL); + /* load installed trusted certificates */ + read_certs(trusted_dest, &trusted, NULL); /* list them */ list_certs(&trusted); free_certs(&trusted); @@ -814,8 +804,8 @@ certctl_untrusted(int argc, char **argv __unused) { if (argc > 1) usage(); - /* load untrusted certificates */ - load_untrusted(false); + /* load installed untrusted certificates */ + read_certs(untrusted_dest, &untrusted, NULL); /* list them */ list_certs(&untrusted); free_certs(&untrusted); @@ -842,10 +832,10 @@ certctl_rehash(int argc, char **argv __unused) } /* load untrusted certs first */ - load_untrusted(true); + load_untrusted(); /* load trusted certs, excluding any that are already untrusted */ - load_trusted(true, &untrusted); + load_trusted(); /* save everything */ ret = save_all(); @@ -859,7 +849,8 @@ certctl_rehash(int argc, char **argv __unused) } /* - * Manually add one or more certificates to the list of trusted certificates. + * Manually add one or more certificates to the list of trusted + * certificates. * * Returns 0 on success and -1 on failure. */ @@ -875,10 +866,10 @@ certctl_trust(int argc, char **argv) usage(); /* load untrusted certs first */ - load_untrusted(true); + load_untrusted(); /* load trusted certs, excluding any that are already untrusted */ - load_trusted(true, &untrusted); + load_trusted(); /* now load the additional trusted certificates */ n = 0; @@ -891,9 +882,9 @@ certctl_trust(int argc, char **argv) warnx("no new trusted certificates found"); free_certs(&untrusted); free_certs(&trusted); - free_certs(&extra); return (0); } + warnx("%u new trusted certificate%s found", n, n > 1 ? "s" : ""); /* * For each new trusted cert, move it from the extra list to the @@ -906,10 +897,16 @@ certctl_trust(int argc, char **argv) RB_INSERT(cert_tree, &trusted, cert); if ((other = RB_FIND(cert_tree, &untrusted, cert)) != NULL) { warnx("%s was previously untrusted", cert->name); + warnx("source of untrust: %s", other->path); RB_REMOVE(cert_tree, &untrusted, other); free_cert(other); } } + warnx("This operation is not persistent. To persistently add"); + warnx("trusted certificates to the system store, copy them to"); + warnx("one of these directories, then run `certctl rehash`:"); + for (i = 0; trusted_paths[i] != NULL; i++) + warnx(" %s", trusted_paths[i]); /* save everything */ ret = save_all(); @@ -929,6 +926,8 @@ certctl_trust(int argc, char **argv) static int certctl_untrust(int argc, char **argv) { + struct cert_tree extra = RB_INITIALIZER(&extra); + struct cert *cert, *other, *tmp; unsigned int n; int i, ret; @@ -936,23 +935,47 @@ certctl_untrust(int argc, char **argv) usage(); /* load untrusted certs first */ - load_untrusted(true); + load_untrusted(); + + /* load trusted certs, excluding any that are already untrusted */ + load_trusted(); /* now load the additional untrusted certificates */ n = 0; for (i = 1; i < argc; i++) { - ret = read_cert(argv[i], &untrusted, NULL); + ret = read_cert(argv[i], &extra, NULL); if (ret > 0) n += ret; } if (n == 0) { warnx("no new untrusted certificates found"); free_certs(&untrusted); + free_certs(&trusted); return (0); } + warnx("%u new untrusted certificate%s found", n, n > 1 ? "s" : ""); - /* load trusted certs, excluding any that are already untrusted */ - load_trusted(true, &untrusted); + /* + * For each new untrusted cert, move it from the extra list to the + * untrusted list, then check if a matching certificate exists on + * the trusted list. If that is the case, warn the user, then + * remove the matching certificate from the trusted list. + */ + RB_FOREACH_SAFE(cert, cert_tree, &extra, tmp) { + RB_REMOVE(cert_tree, &extra, cert); + RB_INSERT(cert_tree, &untrusted, cert); + if ((other = RB_FIND(cert_tree, &trusted, cert)) != NULL) { + warnx("%s was previously trusted", cert->name); + warnx("source of trust: %s", other->path); + RB_REMOVE(cert_tree, &trusted, other); + free_cert(other); + } + } + warnx("This operation is not persistent. To persistently add"); + warnx("untrusted certificates to the system store, copy them to"); + warnx("one of these directories, then run `certctl rehash`:"); + for (i = 0; untrusted_paths[i] != NULL; i++) + warnx(" %s", untrusted_paths[i]); /* save everything */ ret = save_all(); diff --git a/usr.sbin/certctl/tests/certctl_test.sh b/usr.sbin/certctl/tests/certctl_test.sh index 74749db0b3f5..133d65854c42 100644 --- a/usr.sbin/certctl/tests/certctl_test.sh +++ b/usr.sbin/certctl/tests/certctl_test.sh @@ -271,7 +271,8 @@ untrust_body() crtfile=usr/share/certs/trusted/${crtname}.crt check_trusted "${crtname}" check_in_bundle ${crtfile} - atf_check certctl untrust "${crtfile}" + atf_check -e match:"1 new untrusted" \ + certctl untrust "${crtfile}" check_untrusted "${crtname}" check_not_in_bundle ${crtfile} }