From nobody Wed Aug 13 22:39:42 2025
Date: Wed, 13 Aug 2025 22:39:42 GMT
Message-Id: <202508132239.57DMdgSA003376@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: 2f8bbfe5873b - main - Revert "certctl: Fix bootstrap build" List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 2f8bbfe5873bf652619e7e433cff17ac18c9d4fa Auto-Submitted: auto-generated The branch main has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=2f8bbfe5873bf652619e7e433cff17ac18c9d4fa commit 2f8bbfe5873bf652619e7e433cff17ac18c9d4fa Author: Dag-Erling Smørgrav AuthorDate: 2025-08-13 22:37:52 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2025-08-13 22:37:52 +0000 Revert "certctl: Fix bootstrap build" This reverts commit 42ac41983ee184e818f6e8da791a5c6c7530f87e. --- usr.sbin/certctl/Makefile | 6 +-- usr.sbin/certctl/certctl.8 | 7 +--- usr.sbin/certctl/certctl.c | 94 ++++++++++++++-------------------------------- 3 files changed, 30 insertions(+), 77 deletions(-) diff --git a/usr.sbin/certctl/Makefile b/usr.sbin/certctl/Makefile index 8f19bde8aaf6..5430dbf24853 100644 --- a/usr.sbin/certctl/Makefile +++ b/usr.sbin/certctl/Makefile @@ -3,12 +3,8 @@ PACKAGE= certctl PROG= certctl MAN= certctl.8 -LIBADD= crypto util +LIBADD= crypto HAS_TESTS= SUBDIR.${MK_TESTS}= tests -.ifdef BOOTSTRAPPING -CFLAGS+=-DBOOTSTRAPPING -.endif - .include diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8 index c53ad9765544..97bdc840c359 100644 --- a/usr.sbin/certctl/certctl.8 +++ b/usr.sbin/certctl/certctl.8 @@ -38,7 +38,7 @@ .Op Fl lv .Ic untrusted .Nm -.Op Fl BNnUv +.Op Fl BnUv .Op Fl D Ar destdir .Op Fl M Ar metalog .Ic rehash 
@@ -75,11 +75,6 @@ default: This option is only valid in conjunction with the .Ic rehash command. -.It Fl N -Base the file name on the certificate's name instead of its hash. -This option is only valid in conjunction with the -.Ic rehash -command. .It Fl n Dry-run mode. Do not actually perform any actions except write the metalog. diff --git a/usr.sbin/certctl/certctl.c b/usr.sbin/certctl/certctl.c index f5876736d604..6687e56f23b4 100644 --- a/usr.sbin/certctl/certctl.c +++ b/usr.sbin/certctl/certctl.c @@ -4,6 +4,7 @@ * SPDX-License-Identifier: BSD-2-Clause */ +#include #include #include @@ -12,8 +13,6 @@ #include #include #include -#include -#include #include #include #include @@ -21,7 +20,6 @@ #include #include -#include #include #define info(fmt, ...) \ @@ -60,7 +58,6 @@ static void usage(void); static bool dryrun; static bool longnames; static bool nobundle; -static bool nohash; static bool unprivileged; static bool verbose; 
@@ -384,58 +381,14 @@ write_certs(const char *dir, struct cert_tree *tree) if (file->c == INT_MAX) errx(1, "unable to disambiguate %08lx", cert->hash); free(cert->path); - if (nohash) { - X509_NAME *xn; - X509_NAME_ENTRY *xe; - ASN1_STRING *as; - unsigned char *us = NULL; - int xi, usl; - - xn = X509_get_subject_name(cert->x509); - xi = X509_NAME_get_index_by_NID(xn, NID_commonName, -1); - if (xi < 0) { - warnx("%08lx.%d: certificate has no CN", - cert->hash, file->c); - xi = X509_NAME_get_index_by_NID(xn, - NID_organizationalUnitName, -1); - } - if (xi < 0) { - warnx("%08lx.%d: certificate has no OU", - cert->hash, file->c); - xi = X509_NAME_get_index_by_NID(xn, - NID_organizationName, -1); - } - if (xi < 0) { - warnx("%08lx.%d: certificate has no O", - cert->hash, file->c); - cert->path = xasprintf("%08lx.%d", cert->hash, - file->c); - } - xe = X509_NAME_get_entry(xn, xi); - as = X509_NAME_ENTRY_get_data(xe); - usl = ASN1_STRING_to_UTF8(&us, as); - if (usl < 0) { - errx(1, "%08lx.%d: %s", cert->hash, file->c, - ERR_error_string(ERR_get_error(), NULL)); - } - cert->path = xasprintf("%s.pem", (char *)us); - OPENSSL_free(us); - } else { - cert->path = xasprintf("%08lx.%d", cert->hash, file->c); - } + cert->path = xasprintf("%08lx.%d", cert->hash, file->c); } /* * Open and scan the directory. */ if ((d = open(dir, O_DIRECTORY | O_RDONLY)) < 0 || -#ifdef BOOTSTRAPPING - (ndents = scandir(dir, &dents, NULL, lexisort)) -#else - (ndents = fdscandir(d, &dents, NULL, lexisort)) -#endif - < 0) + (ndents = fdscandir(d, &dents, NULL, lexisort)) < 0) err(1, "%s", dir); - /* * Iterate over the directory listing and the certificate listing * in parallel. If the directory listing gets ahead of the @@ -645,7 +598,7 @@ load_trusted(bool all, struct cert_tree *exclude) * Returns the number of certificates loaded. */ static unsigned int -load_untrusted(bool all, struct cert_tree *exclude) +load_untrusted(bool all) { char *path; unsigned int i, n; 
@@ -653,19 +606,19 @@ load_untrusted(bool all, struct cert_tree *exclude) /* load external untrusted certs */ for (i = n = 0; all && untrusted_paths[i] != NULL; i++) { - ret = read_certs(untrusted_paths[i], &untrusted, exclude); + ret = read_certs(untrusted_paths[i], &untrusted, NULL); if (ret > 0) n += ret; } /* load installed untrusted certs */ - ret = read_certs(untrusted_dest, &untrusted, exclude); + ret = read_certs(untrusted_dest, &untrusted, NULL); if (ret > 0) n += ret; /* load legacy untrusted certs */ path = expand_path(LEGACY_PATH); - ret = read_certs(path, &untrusted, exclude); + ret = read_certs(path, &untrusted, NULL); if (ret > 0) { warnx("certificates found in legacy directory %s", path); @@ -795,7 +748,7 @@ certctl_untrusted(int argc, char **argv __unused) if (argc > 1) usage(); /* load untrusted certificates */ - load_untrusted(false, NULL); + load_untrusted(false); /* list them */ list_certs(&untrusted); free_certs(&untrusted); @@ -822,7 +775,7 @@ certctl_rehash(int argc, char **argv __unused) } /* load untrusted certs first */ - load_untrusted(true, NULL); + load_untrusted(true); /* load trusted certs, excluding any that are already untrusted */ load_trusted(true, &untrusted); @@ -855,7 +808,7 @@ certctl_trust(int argc, char **argv) usage(); /* load untrusted certs first */ - load_untrusted(true, NULL); + load_untrusted(true); /* load trusted certs, excluding any that are already untrusted */ load_trusted(true, &untrusted); @@ -916,7 +869,7 @@ certctl_untrust(int argc, char **argv) usage(); /* load untrusted certs first */ - load_untrusted(true, NULL); + load_untrusted(true); /* now load the additional untrusted certificates */ n = 0; 
@@ -947,10 +900,22 @@ static void set_defaults(void) { const char *value; + char *str; + size_t len; if (localbase == NULL && - (localbase = getenv("LOCALBASE")) == NULL) - localbase = getlocalbase(); + (localbase = getenv("LOCALBASE")) == NULL) { + if ((str = malloc((len = PATH_MAX) + 1)) == NULL) + err(1, NULL); + while (sysctlbyname("user.localbase", str, &len, NULL, 0) < 0) { + if (errno != ENOMEM) + err(1, "sysctl(user.localbase)"); + if ((str = realloc(str, len + 1)) == NULL) + err(1, NULL); + } + str[len] = '\0'; + localbase = str; + } if (destdir == NULL && (destdir = getenv("DESTDIR")) == NULL) @@ -1019,7 +984,7 @@ usage(void) { fprintf(stderr, "usage: certctl [-lv] [-D destdir] list\n" " certctl [-lv] [-D destdir] untrusted\n" - " certctl [-BNnUv] [-D destdir] [-M metalog] rehash\n" + " certctl [-BnUv] [-D destdir] [-M metalog] rehash\n" " certctl [-nv] [-D destdir] untrust \n" " certctl [-nv] [-D destdir] trust \n"); exit(1); @@ -1031,7 +996,7 @@ main(int argc, char *argv[]) const char *command; int opt; - while ((opt = getopt(argc, argv, "BcD:g:lL:M:Nno:Uv")) != -1) + while ((opt = getopt(argc, argv, "BcD:g:lL:M:no:Uv")) != -1) switch (opt) { case 'B': nobundle = true; @@ -1054,9 +1019,6 @@ main(int argc, char *argv[]) case 'M': metalog = optarg; break; - case 'N': - nohash = true; - break; case 'n': dryrun = true; break; @@ -1081,7 +1043,7 @@ main(int argc, char *argv[]) command = *argv; - if ((nobundle || nohash || unprivileged || metalog != NULL) && + if ((nobundle || unprivileged || metalog != NULL) && strcmp(command, "rehash") != 0) usage(); if (!unprivileged && metalog != NULL) {
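Review bot: the Makefile hunk reinstates exactly what 42ac41983ee184e818f6e8da791a5c6c7530f87e ("certctl: Fix bootstrap build") guarded against: with the `.ifdef BOOTSTRAPPING` / `CFLAGS+=-DBOOTSTRAPPING` block gone, write_certs() calls fdscandir() unconditionally, so a bootstrap host whose libc does not provide it will presumably fail to link again. The commit message says only that it reverts, not why; please record the reason (a problem with the -N output, a different bootstrap fix landing elsewhere, or similar) so the next reader does not simply re-apply the reverted change. Dropping `util` from LIBADD is consistent with set_defaults() no longer calling getlocalbase().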
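Review bot: the certctl.8 hunks remove -N from both the synopsis and the option list, which matches the getopt string and the usage() text at the end of the patch; no further documentation change is needed for this revert.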
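Review bot: the -N branch removed from write_certs() had two defects that anyone restoring it should not carry back. First, the CN/OU/O fallback chain has no early exit: when all three lookups fail, the code assigns the hash-based path and then falls through to `xe = X509_NAME_get_entry(xn, xi);` with xi == -1, which returns NULL, and X509_NAME_ENTRY_get_data(xe) dereferences it; that last `if (xi < 0)` needs an else or a continue, and as written it also leaks the just-assigned cert->path when the later xasprintf("%s.pem", ...) overwrites it. Second, the subject component went into the file name unsanitized: a CN containing '/' or '..' escapes the target directory, and two certificates with the same CN map to the same "%s.pem" path, so the second silently overwrites the first, whereas the hash form keeps the "%08lx.%d" disambiguator computed just above. The reinstated single fdscandir() call on the already-opened descriptor is the better of the two listing variants; the BOOTSTRAPPING fallback re-walked the directory by path after open(), a small time-of-check/time-of-use window.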
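Review bot: dropping the exclude parameter from load_untrusted() is behaviour-preserving, since every call site in the patch passed NULL and the three read_certs() calls inside it now pass NULL explicitly; nothing further needed here.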
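Review bot: the sysctl loop that replaces getlocalbase() in set_defaults() loses one behaviour of the library call: getlocalbase(3) treats an empty user.localbase as unset and returns the compiled-in default, while this loop copies whatever the sysctl returns, so on a host where user.localbase is empty localbase becomes "" and every path built from it loses its prefix. Add a check after `str[len] = '\0';`, for example `if (str[0] == '\0') localbase = _PATH_LOCALBASE; else localbase = str;`. The rest of the loop is sound: ENOMEM is the errno sysctl returns for a short buffer, the realloc(len + 1) leaves room for the terminator, and err(1) on a failed realloc makes the leaked first buffer irrelevant.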