git: 64e6e1e46363 - main - secure/caroot, certctl: Rename secure/caroot/blacklisted

Ceri Davies ceri at FreeBSD.org
Fri Jun 18 14:30:30 UTC 2021


The branch main has been updated by ceri (doc committer):

URL: https://cgit.FreeBSD.org/src/commit/?id=64e6e1e46363de5d4843cf0fc79406060ec44c03

commit 64e6e1e46363de5d4843cf0fc79406060ec44c03
Author:     Ceri Davies <ceri at FreeBSD.org>
AuthorDate: 2021-06-18 12:29:15 +0000
Commit:     Ceri Davies <ceri at FreeBSD.org>
CommitDate: 2021-06-18 12:38:07 +0000

    secure/caroot, certctl: Rename secure/caroot/blacklisted
    
    Old certctl commands still work for compatibility, but are deprecated.
    
    Approved by:    secteam (gordon)
    Differential Revision: https://reviews.freebsd.org/D30807
---
 ObsoleteFiles.inc                                  | 38 +++++++++++
 UPDATING                                           |  4 ++
 etc/mtree/BSD.usr.dist                             |  4 +-
 secure/caroot/Makefile                             |  2 +-
 secure/caroot/README                               |  4 +-
 secure/caroot/blacklisted/Makefile                 |  9 ---
 .../AddTrust_External_Root.pem                     |  0
 .../AddTrust_Low-Value_Services_Root.pem           |  0
 .../Camerfirma_Chambers_of_Commerce_Root.pem       |  0
 .../Camerfirma_Global_Chambersign_Root.pem         |  0
 .../{blacklisted => untrusted}/Certum_Root_CA.pem  |  0
 .../Chambers_of_Commerce_Root_-_2008.pem           |  0
 .../D-TRUST_Root_CA_3_2013.pem                     |  0
 .../caroot/{blacklisted => untrusted}/EC-ACC.pem   |  0
 .../EE_Certification_Centre_Root_CA.pem            |  0
 .../GeoTrust_Global_CA.pem                         |  0
 .../GeoTrust_Primary_Certification_Authority.pem   |  0
 ...oTrust_Primary_Certification_Authority_-_G2.pem |  0
 ...oTrust_Primary_Certification_Authority_-_G3.pem |  0
 .../GeoTrust_Universal_CA.pem                      |  0
 .../GeoTrust_Universal_CA_2.pem                    |  0
 .../Global_Chambersign_Root_-_2008.pem             |  0
 .../LuxTrust_Global_Root_2.pem                     |  0
 secure/caroot/untrusted/Makefile                   |  9 +++
 .../OISTE_WISeKey_Global_Root_GA_CA.pem            |  0
 .../Staat_der_Nederlanden_Root_CA_-_G2.pem         |  0
 .../Staat_der_Nederlanden_Root_CA_-_G3.pem         |  0
 .../SwissSign_Platinum_CA_-_G2.pem                 |  0
 ...Public_Primary_Certification_Authority_-_G4.pem |  0
 ...Public_Primary_Certification_Authority_-_G6.pem |  0
 ...Public_Primary_Certification_Authority_-_G4.pem |  0
 ...Public_Primary_Certification_Authority_-_G6.pem |  0
 .../{blacklisted => untrusted}/Taiwan_GRCA.pem     |  0
 .../Trustis_FPS_Root_CA.pem                        |  0
 ...Public_Primary_Certification_Authority_-_G4.pem |  0
 ...Public_Primary_Certification_Authority_-_G5.pem |  0
 ...Sign_Universal_Root_Certification_Authority.pem |  0
 ...Public_Primary_Certification_Authority_-_G3.pem |  0
 ...Public_Primary_Certification_Authority_-_G3.pem |  0
 ...Public_Primary_Certification_Authority_-_G3.pem |  0
 .../thawte_Primary_Root_CA.pem                     |  0
 .../thawte_Primary_Root_CA_-_G2.pem                |  0
 .../thawte_Primary_Root_CA_-_G3.pem                |  0
 usr.sbin/certctl/certctl.8                         | 47 +++++++-------
 usr.sbin/certctl/certctl.sh                        | 73 +++++++++++-----------
 usr.sbin/etcupdate/etcupdate.sh                    |  2 +-
 usr.sbin/mergemaster/mergemaster.sh                |  2 +-
 47 files changed, 120 insertions(+), 74 deletions(-)

diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 3802307d7761..468d967efdcc 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -44,6 +44,44 @@
 OLD_FILES+=usr/share/man/man9/crypto_cursor_segbase.9.gz
 OLD_FILES+=usr/share/man/man9/crypto_cursor_seglen.9.gz
 
+# 20210618: rename of usr/share/certs/blacklisted
+OLD_FILES+=usr/share/certs/blacklisted/AddTrust_External_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Global_Chambersign_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Certum_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
+OLD_FILES+=usr/share/certs/blacklisted/D-TRUST_Root_CA_3_2013.pem
+OLD_FILES+=usr/share/certs/blacklisted/EC-ACC.pem
+OLD_FILES+=usr/share/certs/blacklisted/EE_Certification_Centre_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Global_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA_2.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Global_Chambersign_Root_-_2008.pem
+OLD_FILES+=usr/share/certs/blacklisted/LuxTrust_Global_Root_2.pem
+OLD_FILES+=usr/share/certs/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/SwissSign_Platinum_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
+OLD_FILES+=usr/share/certs/blacklisted/Taiwan_GRCA.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
+OLD_DIRS+=usr/share/certs/blacklisted
 # 20210613: new clang import which bumps version from 11.0.1 to 12.0.0.
 OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/algorithm
 OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/complex
diff --git a/UPDATING b/UPDATING
index 8b4d4a4820f6..61c428bf1af0 100644
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
 	world, or to merely disable the most expensive debugging functionality
 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+202106xx:
+	The directory "blacklisted" under /usr/share/certs/ has been
+	renamed to "untrusted".
+
 20210611:
 	svnlite has been removed from base. Should you need svn for any reason
 	please install the svn package or port.
diff --git a/etc/mtree/BSD.usr.dist b/etc/mtree/BSD.usr.dist
index a4a247b7eefd..2bdb65f7b2ab 100644
--- a/etc/mtree/BSD.usr.dist
+++ b/etc/mtree/BSD.usr.dist
@@ -205,10 +205,10 @@
             ..
         ..
         certs
-            blacklisted tags=package=caroot
-            ..
             trusted tags=package=caroot
             ..
+            untrusted tags=package=caroot
+            ..
         ..
         dict
         ..
diff --git a/secure/caroot/Makefile b/secure/caroot/Makefile
index 50f92ecc6542..c685c5f6cc7a 100644
--- a/secure/caroot/Makefile
+++ b/secure/caroot/Makefile
@@ -3,7 +3,7 @@
 CLEANFILES+=	certdata.txt
 
 SUBDIR+=	trusted
-SUBDIR+=	blacklisted
+SUBDIR+=	untrusted
 
 .include <bsd.obj.mk>
 
diff --git a/secure/caroot/README b/secure/caroot/README
index 9a4fc0320e2a..1e123080559e 100644
--- a/secure/caroot/README
+++ b/secure/caroot/README
@@ -14,8 +14,8 @@ It will:
 
 Then the results should manually be inspected (svn status)
 	1) Any no-longer-trusted certificates should be moved to the
-	blacklisted directory (svn mv)
-	2) any newly added certificates will need to be added (svn add)
+	untrusted directory (git mv)
+	2) any newly added certificates will need to be added (git add)
 
 
 The following make targets exist:
diff --git a/secure/caroot/blacklisted/Makefile b/secure/caroot/blacklisted/Makefile
deleted file mode 100644
index b7ccfbe88c03..000000000000
--- a/secure/caroot/blacklisted/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $FreeBSD$
-
-BINDIR=		/usr/share/certs/blacklisted
-
-BLACKLISTED_CERTS!=	echo ${.CURDIR}/*.pem 2> /dev/null || true
-
-FILES+=	 ${BLACKLISTED_CERTS}
-
-.include <bsd.prog.mk>
diff --git a/secure/caroot/blacklisted/AddTrust_External_Root.pem b/secure/caroot/untrusted/AddTrust_External_Root.pem
similarity index 100%
rename from secure/caroot/blacklisted/AddTrust_External_Root.pem
rename to secure/caroot/untrusted/AddTrust_External_Root.pem
diff --git a/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem b/secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem
similarity index 100%
rename from secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
rename to secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem
diff --git a/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
similarity index 100%
rename from secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
rename to secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
diff --git a/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
similarity index 100%
rename from secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
rename to secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
diff --git a/secure/caroot/blacklisted/Certum_Root_CA.pem b/secure/caroot/untrusted/Certum_Root_CA.pem
similarity index 100%
rename from secure/caroot/blacklisted/Certum_Root_CA.pem
rename to secure/caroot/untrusted/Certum_Root_CA.pem
diff --git a/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
similarity index 100%
rename from secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
rename to secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
similarity index 100%
rename from secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
rename to secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
diff --git a/secure/caroot/blacklisted/EC-ACC.pem b/secure/caroot/untrusted/EC-ACC.pem
similarity index 100%
rename from secure/caroot/blacklisted/EC-ACC.pem
rename to secure/caroot/untrusted/EC-ACC.pem
diff --git a/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem b/secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
similarity index 100%
rename from secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem
rename to secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Global_CA.pem b/secure/caroot/untrusted/GeoTrust_Global_CA.pem
similarity index 100%
rename from secure/caroot/blacklisted/GeoTrust_Global_CA.pem
rename to secure/caroot/untrusted/GeoTrust_Global_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
similarity index 100%
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
similarity index 100%
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
similarity index 100%
rename from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA.pem
similarity index 100%
rename from secure/caroot/blacklisted/GeoTrust_Universal_CA.pem
rename to secure/caroot/untrusted/GeoTrust_Universal_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
similarity index 100%
rename from secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem
rename to secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
diff --git a/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
similarity index 100%
rename from secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
rename to secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem b/secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
similarity index 100%
rename from secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
rename to secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
diff --git a/secure/caroot/untrusted/Makefile b/secure/caroot/untrusted/Makefile
new file mode 100644
index 000000000000..e988841071d2
--- /dev/null
+++ b/secure/caroot/untrusted/Makefile
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+BINDIR=		/usr/share/certs/untrusted
+
+UNTRUSTED_CERTS!=	echo ${.CURDIR}/*.pem 2> /dev/null || true
+
+FILES+=	 ${UNTRUSTED_CERTS}
+
+.include <bsd.prog.mk>
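Review bot: The `2> /dev/null || true` guard on the `UNTRUSTED_CERTS!=` line does not cover the case it appears to be meant for. When no `.pem` file matches, the shell leaves the pattern unexpanded and `echo` still succeeds, so `FILES` receives the literal `${.CURDIR}/*.pem` string rather than an empty list, and the install step would presumably fail on a nonexistent file if the untrusted set is ever emptied. A command that fails on no match gives the empty result the guard expects, for example `UNTRUSTED_CERTS!=	ls ${.CURDIR}/*.pem 2> /dev/null || true`. The line is carried over unchanged, apart from the variable name, from the removed blacklisted/Makefile.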
diff --git a/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem b/secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
similarity index 100%
rename from secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
rename to secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
similarity index 100%
rename from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
rename to secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
similarity index 100%
rename from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
rename to secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
diff --git a/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem b/secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
similarity index 100%
rename from secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
rename to secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
similarity index 100%
rename from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
similarity index 100%
rename from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
similarity index 100%
rename from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
similarity index 100%
rename from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
rename to secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Taiwan_GRCA.pem b/secure/caroot/untrusted/Taiwan_GRCA.pem
similarity index 100%
rename from secure/caroot/blacklisted/Taiwan_GRCA.pem
rename to secure/caroot/untrusted/Taiwan_GRCA.pem
diff --git a/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem b/secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
similarity index 100%
rename from secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
rename to secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
similarity index 100%
rename from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
rename to secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
similarity index 100%
rename from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
rename to secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem b/secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
similarity index 100%
rename from secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
rename to secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
similarity index 100%
rename from secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
similarity index 100%
rename from secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
similarity index 100%
rename from secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
rename to secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA.pem
similarity index 100%
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
similarity index 100%
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
similarity index 100%
rename from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem
rename to secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8
index 8ca2cd37dee5..9af2adaba757 100644
--- a/usr.sbin/certctl/certctl.8
+++ b/usr.sbin/certctl/certctl.8
@@ -26,19 +26,19 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 7, 2021
+.Dd June 18, 2021
 .Dt CERTCTL 8
 .Os
 .Sh NAME
 .Nm certctl
-.Nd "tool for managing trusted and blacklist TLS certificates"
+.Nd "tool for managing trusted and untrusted TLS certificates"
 .Sh SYNOPSIS
 .Nm
 .Op Fl v
 .Ic list
 .Nm
 .Op Fl v
-.Ic blacklisted
+.Ic untrusted
 .Nm
 .Op Fl nUv
 .Op Fl D Ar destdir
@@ -46,10 +46,10 @@
 .Ic rehash
 .Nm
 .Op Fl nv
-.Ic blacklist Ar file
+.Ic untrust Ar file
 .Nm
 .Op Fl nv
-.Ic unblacklist Ar file
+.Ic trust Ar file
 .Sh DESCRIPTION
 The
 .Nm
@@ -72,28 +72,28 @@ Do record the ownership in the METALOG file.
 .El
 .Pp
 Primary command functions:
-.Bl -tag -width blacklisted
+.Bl -tag -width untrusted
 .It Ic list
 List all currently trusted certificate authorities.
-.It Ic blacklisted
-List all currently blacklisted certificates.
+.It Ic untrusted
+List all currently untrusted certificates.
 .It Ic rehash
 Rebuild the list of trusted certificate authorities by scanning all directories
 in
 .Ev TRUSTPATH
-and all blacklisted certificates in
-.Ev BLACKLISTPATH .
+and all untrusted certificates in
+.Ev UNTRUSTPATH .
 A symbolic link to each trusted certificate is placed in
 .Ev CERTDESTDIR
-and each blacklisted certificate in
-.Ev BLACKLISTDESTDIR .
-.It Ic blacklist
-Add the specified file to the blacklist.
-.It Ic unblacklist
-Remove the specified file from the blacklist.
+and each untrusted certificate in
+.Ev UNTRUSTDESTDIR .
+.It Ic untrust
+Add the specified file to the untrusted list.
+.It Ic trust
+Remove the specified file from the untrusted list.
 .El
 .Sh ENVIRONMENT
-.Bl -tag -width BLACKLISTDESTDIR
+.Bl -tag -width UNTRUSTDESTDIR
 .It Ev DESTDIR
 Alternate destination directory to operate on.
 .It Ev TRUSTPATH
@@ -101,19 +101,20 @@ List of paths to search for trusted certificates.
 Default:
 .Pa <DESTDIR>/usr/share/certs/trusted
 .Pa <DESTDIR>/usr/local/share/certs <DESTDIR>/usr/local/etc/ssl/certs
-.It Ev BLACKLISTPATH
-List of paths to search for blacklisted certificates.
+.It Ev UNTRUSTPATH
+List of paths to search for untrusted certificates.
 Default:
-.Pa <DESTDIR>/usr/share/certs/blacklisted
+.Pa <DESTDIR>/usr/share/certs/untrusted
+.Pa <DESTDIR>/usr/local/etc/ssl/untrusted
 .Pa <DESTDIR>/usr/local/etc/ssl/blacklisted
 .It Ev CERTDESTDIR
 Destination directory for symbolic links to trusted certificates.
 Default:
 .Pa <DESTDIR>/etc/ssl/certs
-.It Ev BLACKLISTDESTDIR
-Destination directory for symbolic links to blacklisted certificates.
+.It Ev UNTRUSTDESTDIR
+Destination directory for symbolic links to untrusted certificates.
 Default:
-.Pa <DESTDIR>/etc/ssl/blacklisted
+.Pa <DESTDIR>/etc/ssl/untrusted
 .It Ev EXTENSIONS
 List of file extensions to read as certificate files.
 Default: *.pem *.crt *.cer *.crl *.0
diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
index 1a491cf3a047..327eaa6381a6 100755
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -79,10 +79,10 @@ create_trusted_link()
 
 	hash=$( do_hash "$1" ) || return
 	certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint )
-	for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
+	for blistfile in $(find $UNTRUSTDESTDIR -name "$hash.*"); do
 		blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint )
 		if [ "$certhash" = "$blisthash" ]; then
-			echo "Skipping blacklisted certificate $1 ($blistfile)"
+			echo "Skipping untrusted certificate $1 ($blistfile)"
 			return 1
 		fi
 	done
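Review bot: `$UNTRUSTDESTDIR` is expanded unquoted in the `find` on the new loop line, so a DESTDIR containing whitespace or glob characters is split before find sees it and the untrusted lookup can come back empty. An empty result means the loop body never runs, and create_trusted_link then presumably goes on to link the certificate as trusted, which is the fail-open direction for this check. Quoting it as `find "$UNTRUSTDESTDIR" -name "$hash.*"` matches how cmd_rehash already calls find. The same unquoted form is on the new `for BLISTEDFILE in $(find $UNTRUSTDESTDIR ...)` line in the cmd_trust hunk. The function starts and ends outside this hunk, so the behaviour after the loop is inferred from the `return 1` shown here.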
@@ -102,19 +102,19 @@ resolve_certname()
 	if [ -e "$1" ]; then
 		hash=$( do_hash "$1" ) || return
 		srcfile=$(realpath "$1")
-		suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
+		suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash")
 		filename="$hash.$suffix"
 		echo "$srcfile" "$hash.$suffix"
 	elif [ -e "${CERTDESTDIR}/$1" ];  then
 		srcfile=$(realpath "${CERTDESTDIR}/$1")
 		hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//')
-		suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
+		suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash")
 		filename="$hash.$suffix"
 		echo "$srcfile" "$hash.$suffix"
 	fi
 }
 
-create_blacklisted()
+create_untrusted()
 {
 	local srcfile filename
 
@@ -126,8 +126,8 @@ create_blacklisted()
 		return
 	fi
 
-	[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
-	[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
+	[ $VERBOSE -gt 0 ] && echo "Adding $filename to untrusted list"
+	[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename"
 }
 
 do_scan()
@@ -185,14 +185,14 @@ cmd_rehash()
 		else
 			mkdir -p "$CERTDESTDIR"
 		fi
-		if [ -e "$BLACKLISTDESTDIR" ]; then
-			find "$BLACKLISTDESTDIR" -type link -delete
+		if [ -e "$UNTRUSTDESTDIR" ]; then
+			find "$UNTRUSTDESTDIR" -type link -delete
 		else
-			mkdir -p "$BLACKLISTDESTDIR"
+			mkdir -p "$UNTRUSTDESTDIR"
 		fi
 	fi
 
-	do_scan create_blacklisted "$BLACKLISTPATH"
+	do_scan create_untrusted "$UNTRUSTPATH"
 	do_scan create_trusted_link "$TRUSTPATH"
 }
 
@@ -202,19 +202,19 @@ cmd_list()
 	do_list "$CERTDESTDIR"
 }
 
-cmd_blacklist()
+cmd_untrust()
 {
 	local BPATH
 
 	shift # verb
-	[ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
+	[ $NOOP -eq 0 ] && mkdir -p "$UNTRUSTDESTDIR"
 	for BFILE in "$@"; do
-		echo "Adding $BFILE to blacklist"
-		create_blacklisted "$BFILE"
+		echo "Adding $BFILE to untrusted list"
+		create_untrusted "$BFILE"
 	done
 }
 
-cmd_unblacklist()
+cmd_trust()
 {
 	local BFILE blisthash certhash hash
 
@@ -223,16 +223,16 @@ cmd_unblacklist()
 		if [ -s "$BFILE" ]; then
 			hash=$( do_hash "$BFILE" )
 			certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint )
-			for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
+			for BLISTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*"); do
 				blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint )
 				if [ "$certhash" = "$blisthash" ]; then
-					echo "Removing $(basename "$BLISTEDFILE") from blacklist"
+					echo "Removing $(basename "$BLISTEDFILE") from untrusted list"
 					[ $NOOP -eq 0 ] && rm -f $BLISTEDFILE
 				fi
 			done
-		elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
-			echo "Removing $BFILE from blacklist"
-			[ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE"
+		elif [ -e "$UNTRUSTDESTDIR/$BFILE" ]; then
+			echo "Removing $BFILE from untrusted list"
+			[ $NOOP -eq 0 ] && rm -f "$UNTRUSTDESTDIR/$BFILE"
 		else
 			echo "Cannot find $BFILE" >&2
 			ERRORS=$(( $ERRORS + 1 ))
@@ -240,10 +240,10 @@ cmd_unblacklist()
 	done
 }
 
-cmd_blacklisted()
+cmd_untrusted()
 {
-	echo "Listing Blacklisted Certificates:"
-	do_list "$BLACKLISTDESTDIR"
+	echo "Listing Untrusted Certificates:"
+	do_list "$UNTRUSTDESTDIR"
 }
 
 usage()
@@ -252,14 +252,14 @@ usage()
 	echo "Manage the TLS trusted certificates on the system"
 	echo "	$SCRIPTNAME [-v] list"
 	echo "		List trusted certificates"
-	echo "	$SCRIPTNAME [-v] blacklisted"
-	echo "		List blacklisted certificates"
+	echo "	$SCRIPTNAME [-v] untrusted"
+	echo "		List untrusted certificates"
 	echo "	$SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash"
 	echo "		Generate hash links for all certificates"
-	echo "	$SCRIPTNAME [-nv] blacklist <file>"
-	echo "		Add <file> to the list of blacklisted certificates"
-	echo "	$SCRIPTNAME [-nv] unblacklist <file>"
-	echo "		Remove <file> from the list of blacklisted certificates"
+	echo "	$SCRIPTNAME [-nv] untrust <file>"
+	echo "		Add <file> to the list of untrusted certificates"
+	echo "	$SCRIPTNAME [-nv] trust <file>"
+	echo "		Remove <file> from the list of untrusted certificates"
 	exit 64
 }
 
@@ -281,17 +281,20 @@ INSTALLFLAGS=
 [ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}"
 : ${LOCALBASE:=$(sysctl -n user.localbase)}
 : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs}
-: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted}
+: ${UNTRUSTPATH:=${DESTDIR}/usr/share/certs/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted}
 : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
-: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
+: ${UNTRUSTDESTDIR:=${DESTDIR}/etc/ssl/untrusted}
 
 [ $# -gt 0 ] || usage
 case "$1" in
 list)		cmd_list ;;
 rehash)		cmd_rehash ;;
-blacklist)	cmd_blacklist "$@" ;;
-unblacklist)	cmd_unblacklist "$@" ;;
-blacklisted)	cmd_blacklisted ;;
+blacklist)	cmd_untrust "$@" ;;
+untrust)	cmd_untrust "$@" ;;
+trust)		cmd_trust "$@" ;;
+unblacklist)	cmd_trust "$@" ;;
+untrusted)	cmd_untrusted ;;
+blacklisted)	cmd_untrusted ;;
 *)		usage # NOTREACHED
 esac
 
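Review bot: The defaults block drops `BLACKLISTPATH` and `BLACKLISTDESTDIR` without a fallback, so a caller that still exports either variable has it silently ignored and certctl runs with the new defaults. For a site-specific untrusted path, that means certificates the administrator meant to distrust are no longer picked up by rehash, and nothing reports it. The commit message promises compatibility for the old commands, and the same is cheap for the variables, e.g. `: ${UNTRUSTDESTDIR:=${BLACKLISTDESTDIR:-${DESTDIR}/etc/ssl/untrusted}}` and the equivalent nesting for `UNTRUSTPATH`. The `blacklist`, `unblacklist` and `blacklisted` arms of the case statement are described as deprecated but print nothing; a one-line warning on stderr in those arms would let scripts find out before the aliases are removed.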
diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh
index acfc601b93af..162a44059e3e 100755
--- a/usr.sbin/etcupdate/etcupdate.sh
+++ b/usr.sbin/etcupdate/etcupdate.sh
@@ -600,7 +600,7 @@ post_install_file()
 				NEWALIAS_WARN=yes
 			fi
 			;;
-		/usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+		/usr/share/certs/trusted/* | /usr/share/certs/untrusted/*)
 			log "certctl rehash"
 			if [ -z "$dryrun" ]; then
 				env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1
diff --git a/usr.sbin/mergemaster/mergemaster.sh b/usr.sbin/mergemaster/mergemaster.sh
index 7703e2856111..5b7a656c1cd9 100755
--- a/usr.sbin/mergemaster/mergemaster.sh
+++ b/usr.sbin/mergemaster/mergemaster.sh
@@ -884,7 +884,7 @@ mm_install () {
     /etc/mail/aliases)
       NEED_NEWALIASES=yes
       ;;
-    /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+    /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*)
       NEED_CERTCTL=yes
       ;;
     /etc/login.conf)

