diff --git a/distrib/sets/lists/base/mi b/distrib/sets/lists/base/mi index 26ad52a6d74a..409e8ac5f17f 100644 --- a/distrib/sets/lists/base/mi +++ b/distrib/sets/lists/base/mi @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.1325 2023/08/01 06:35:55 mrg Exp $ +# $NetBSD: mi,v 1.1326 2023/08/26 05:27:13 riastradh Exp $ # # Note: Don't delete entries from here - mark them as "obsolete" instead, # unless otherwise stated below. @@ -114,6 +114,7 @@ ./etc/openldap base-ldap-root ./etc/openssl base-crypto-root ./etc/openssl/certs base-crypto-root +./etc/openssl/certs.conf base-sysutil-bin ./etc/openssl/misc base-crypto-root ./etc/openssl/private base-crypto-root ./etc/pam.d base-sys-root @@ -1457,6 +1458,7 @@ ./usr/sbin/btpand base-sysutil-bin ./usr/sbin/btuartd base-obsolete obsolete ./usr/sbin/catman base-man-bin +./usr/sbin/certctl base-sysutil-bin ./usr/sbin/chat base-ppp-bin ./usr/sbin/chown base-sysutil-bin ./usr/sbin/chroot base-sysutil-bin diff --git a/distrib/sets/lists/man/mi b/distrib/sets/lists/man/mi index 2c59427ffb31..5caf88e0a4a7 100644 --- a/distrib/sets/lists/man/mi +++ b/distrib/sets/lists/man/mi @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.1763 2023/08/11 23:04:29 christos Exp $ +# $NetBSD: mi,v 1.1764 2023/08/26 05:27:13 riastradh Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -2648,6 +2648,7 @@ ./usr/share/man/cat8/ccdconfig.0 man-sysutil-catman .cat ./usr/share/man/cat8/cesfic/MAKEDEV.0 man-obsolete obsolete ./usr/share/man/cat8/cesfic/makedev.0 man-obsolete obsolete +./usr/share/man/cat8/certctl.0 man-sysutil-catman .cat ./usr/share/man/cat8/cgdconfig.0 man-sysutil-catman .cat ./usr/share/man/cat8/chat.0 man-ppp-catman .cat ./usr/share/man/cat8/chown.0 man-sysutil-catman .cat @@ -5902,6 +5903,7 @@ ./usr/share/man/html8/canconfig.html man-netutil-htmlman html ./usr/share/man/html8/catman.html man-man-htmlman html ./usr/share/man/html8/ccdconfig.html man-sysutil-htmlman html +./usr/share/man/html8/certctl.html man-sysutil-htmlman html ./usr/share/man/html8/cgdconfig.html man-sysutil-htmlman html ./usr/share/man/html8/chat.html man-ppp-htmlman html ./usr/share/man/html8/chown.html man-sysutil-htmlman html @@ -9203,6 +9205,7 @@ ./usr/share/man/man8/ccdconfig.8 man-sysutil-man .man ./usr/share/man/man8/cesfic/MAKEDEV.8 man-obsolete obsolete ./usr/share/man/man8/cesfic/makedev.8 man-obsolete obsolete +./usr/share/man/man8/certctl.8 man-sysutil-man .man ./usr/share/man/man8/cgdconfig.8 man-sysutil-man .man ./usr/share/man/man8/chat.8 man-ppp-man .man ./usr/share/man/man8/chown.8 man-sysutil-man .man diff --git a/distrib/sets/lists/tests/mi b/distrib/sets/lists/tests/mi index 4d36f0ebdf06..323e287a6f2c 100644 --- a/distrib/sets/lists/tests/mi +++ b/distrib/sets/lists/tests/mi @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.1291 2023/08/20 19:36:56 riastradh Exp $ +# $NetBSD: mi,v 1.1292 2023/08/26 05:27:14 riastradh Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -7564,6 +7564,22 @@ ./usr/tests/usr.sbin tests-usr.sbin-tests compattestfile,atf ./usr/tests/usr.sbin/Atffile tests-usr.sbin-tests compattestfile,atf ./usr/tests/usr.sbin/Kyuafile tests-usr.sbin-tests compattestfile,atf,kyua +./usr/tests/usr.sbin/certctl tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/Atffile tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/Kyuafile tests-usr.sbin-tests compattestfile,atf,kyua +./usr/tests/usr.sbin/certctl/certs1 tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs2 tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs3 tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs4 tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem tests-usr.sbin-tests compattestfile,atf +./usr/tests/usr.sbin/certctl/t_certctl tests-usr.sbin-tests compattestfile,atf ./usr/tests/usr.sbin/cpuctl tests-usr.sbin-tests compattestfile,atf ./usr/tests/usr.sbin/cpuctl/Atffile tests-usr.sbin-tests compattestfile,atf ./usr/tests/usr.sbin/cpuctl/Kyuafile tests-usr.sbin-tests compattestfile,atf,kyua diff --git a/etc/Makefile b/etc/Makefile index b7fdcbcea66b..12b8766a4aa4 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.466 2022/08/21 07:10:03 lukem Exp $ +# $NetBSD: Makefile,v 1.467 2023/08/26 05:27:14 riastradh Exp $ # from: @(#)Makefile 8.7 (Berkeley) 5/25/95 # Environment variables without default values: @@ -348,6 +348,7 @@ install-etc-files: .PHONY .MAKE check_DESTDIR MAKEDEV .endfor ${MAKEDIRTARGET} ${NETBSDSRCDIR}/external/bsd/dhcpcd/sbin/dhcpcd configinstall ${MAKEDIRTARGET} ${NETBSDSRCDIR}/usr.bin/mail configinstall + ${MAKEDIRTARGET} ${NETBSDSRCDIR}/usr.sbin/certctl configinstall .if (${MKPF} != "no") ${MAKEDIRTARGET} ${NETBSDSRCDIR}/usr.sbin/pf configinstall .endif diff --git a/etc/mtree/NetBSD.dist.tests b/etc/mtree/NetBSD.dist.tests index 1259a32be8ae..ce71e558b403 100644 --- a/etc/mtree/NetBSD.dist.tests +++ b/etc/mtree/NetBSD.dist.tests @@ -1,4 +1,4 @@ -# $NetBSD: NetBSD.dist.tests,v 1.199 2023/08/20 10:27:11 riastradh Exp $ +# $NetBSD: NetBSD.dist.tests,v 1.200 2023/08/26 05:27:14 riastradh Exp $ ./usr/libdata/debug/usr/tests ./usr/libdata/debug/usr/tests/atf @@ -486,6 +486,11 @@ ./usr/tests/usr.bin/xlint/xlint ./usr/tests/usr.bin/ztest ./usr/tests/usr.sbin +./usr/tests/usr.sbin/certctl +./usr/tests/usr.sbin/certctl/certs1 +./usr/tests/usr.sbin/certctl/certs2 +./usr/tests/usr.sbin/certctl/certs3 +./usr/tests/usr.sbin/certctl/certs4 ./usr/tests/usr.sbin/cpuctl ./usr/tests/usr.sbin/execsnoop ./usr/tests/usr.sbin/inetd diff --git a/tests/usr.sbin/Makefile b/tests/usr.sbin/Makefile index 9b4e7af3d9e3..289c5252bba8 100644 --- a/tests/usr.sbin/Makefile +++ b/tests/usr.sbin/Makefile @@ -1,8 +1,9 @@ -# $NetBSD: Makefile,v 1.7 2021/08/29 09:54:18 christos Exp $ +# $NetBSD: Makefile,v 1.8 2023/08/26 05:27:14 riastradh Exp $ .include TESTSDIR= ${TESTSBASE}/usr.sbin +TESTS_SUBDIRS+= certctl TESTS_SUBDIRS+= cpuctl TESTS_SUBDIRS+= execsnoop TESTS_SUBDIRS+= inetd diff --git a/tests/usr.sbin/certctl/Makefile b/tests/usr.sbin/certctl/Makefile new file mode 100644 index 000000000000..962a472cb281 --- /dev/null +++ b/tests/usr.sbin/certctl/Makefile @@ -0,0 +1,10 @@ +# $NetBSD: Makefile,v 1.1 2023/08/26 05:27:14 riastradh Exp $ +# + +.include "Makefile.inc" # TESTSDIR + +SUBDIR= certs1 certs2 certs3 certs4 + +TESTS_SH= t_certctl + +.include diff --git a/tests/usr.sbin/certctl/Makefile.inc b/tests/usr.sbin/certctl/Makefile.inc new file mode 100644 index 000000000000..b3c142bf5aba --- /dev/null +++ b/tests/usr.sbin/certctl/Makefile.inc @@ -0,0 +1,6 @@ +# $NetBSD: Makefile.inc,v 1.1 2023/08/26 05:27:14 riastradh Exp $ +# + +TESTSDIR= ${TESTSBASE}/usr.sbin/certctl + +.include diff --git a/tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem b/tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem new file mode 100644 index 000000000000..fd4341df2663 --- /dev/null +++ b/tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB +CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 +nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt +43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P +T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 +gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO +BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR +TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw +DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr +hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg +06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF +PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls +YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk +CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= +-----END CERTIFICATE----- diff --git a/tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem b/tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem new file mode 100644 index 000000000000..ab60ad25fe99 --- /dev/null +++ b/tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFijCCA3KgAwIBAgIQD////////////////////zANBgkqhkiG9w0BAQUFADBf +MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp +Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww +HhcNMDcwNzI3MTcxOTM3WhcNMjUwMzMxMTgxOTIyWjBfMQswCQYDVQQGEwJOTDES +MBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdpTm90YXIgUm9vdCBDQTEg +MB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmwwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCssFjBAL3YIQgLK5r+blYwBZ8bd5AQQVzDDYcRd46B +8cp86Yxq7Th0Nbva3/m7wAk3tJZzgX0zGpg595NvlX89ubF1h7pRSOiLcD6VBMXY +tsMW2YiwsYcdcNqGtA8Ui3rPENF0NqISe3eGSnnme98CEWilToauNFibJBN4ViIl +HgGLS1Fx+4LMWZZpiFpoU8W5DQI3y0u8ZkqQfioLBQftFl9VkHXYRskbg+IIvvEj +zJkd1ioPgyAVWCeCLvriIsJJsbkBgWqdbZ1Ad2h2TiEqbYRAhU52mXyC8/O3AlnU +JgEbjt+tUwbRrhjd4rI6y9eIOI6sWym5GdOY+RgDz0iChmYLG2kPyes4iHomGgVM +ktck1JbyrFIto0fVUvY//s6EBnCmqj6i8rZWNBhXouSBbefK8GrTx5FrAoNBfBXv +a5pkXuPQPOWx63tdhvvL5ndJzaNl3Pe5nLjkC1+Tz8wwGjIczhxjlaX56uF0i57p +K6kwe6AYHw4YC+VbqdPRbB4HZ4+RS6mKvNJmqpMBiLKR+jFc1abBUggJzQpjotMi +puih2TkGl/VujQKQjBR7P4DNG5y6xFhyI6+2Vp/GekIzKQc/gsnmHwUNzUwoNovT +yD4cxojvXu6JZOkd69qJfjKmadHdzIif0dDJZiHcBmfFlHqabWJMfczgZICynkeO +owIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV +HQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wDQYJKoZIhvcNAQEFBQADggIBADsC +jcs8MOhuoK3yc7NfniUTBAXT9uOLuwt5zlPe5JbF0a9zvNXD0EBVfEB/zRtfCdXy +fJ9oHbtdzno5wozWmHvFg1Wo1X1AyuAe94leY12hE8JdiraKfADzI8PthV9xdvBo +Y6pFITlIYXg23PFDk9Qlx/KAZeFTAnVR/Ho67zerhChXDNjU1JlWbOOi/lmEtDHo +M/hklJRRl6s5xUvt2t2AC298KQ3EjopyDedTFLJgQT2EkTFoPSdE2+Xe9PpjRchM +Ppj1P0G6Tss3DbpmmPHdy59c91Q2gmssvBNhl0L4eLvMyKKfyvBovWsdst+Nbwed +2o5nx0ceyrm/KkKRt2NTZvFCo+H0Wk1Ya7XkpDOtXHAd3ODy63MUkZoDweoAZbwH +/M8SESIsrqC9OuCiKthZ6SnTGDWkrBFfGbW1G/8iSlzGeuQX7yCpp/Q/rYqnmgQl +nQ7KN+ZQ/YxCKQSa7LnPS3K94gg2ryMvYuXKAdNw23yCIywWMQzGNgeQerEfZ1jE +O1hZibCMjFCz2IbLaKPECudpSyDOwR5WS5WpI2jYMNjD67BVUc3l/Su49bsRn1NU +9jQZjHkJNsphFyUXC4KYcwx3dMPVDceoEkzHp1RxRy4sGn3J4ys7SN4nhKdjNrN9 +j6BkOSQNPXuHr2ZcdBtLc7LljPCGmbjlxd+Ewbfr +-----END CERTIFICATE----- diff --git a/tests/usr.sbin/certctl/certs1/Makefile b/tests/usr.sbin/certctl/certs1/Makefile new file mode 100644 index 000000000000..b75066c9a7b9 --- /dev/null +++ b/tests/usr.sbin/certctl/certs1/Makefile @@ -0,0 +1,10 @@ +# $NetBSD: Makefile,v 1.1 2023/08/26 05:27:14 riastradh Exp $ +# + +FILESDIR= ${TESTSDIR}/certs1 + +FILES+= DigiCert_Global_Root_CA.pem +FILES+= Explicitly_Distrust_DigiNotar_Root_CA.pem + +.include +.include diff --git a/tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem b/tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem new file mode 100644 index 000000000000..a13aa0564117 --- /dev/null +++ b/tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw +CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU +MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw +MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp +Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo +27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w +Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw +TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl +qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH +szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8 +Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk +MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92 +wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p +aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN +VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID +AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E +FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb +C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe +QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy +h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4 +7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J +ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef +MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/ +Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT +6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ +0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm +2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb +bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c +-----END CERTIFICATE----- diff --git a/tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem b/tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem new file mode 100644 index 000000000000..8afb219058fb --- /dev/null +++ b/tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G +A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp +Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 +MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG +A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8 +RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT +gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm +KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd +QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ +XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw +DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o +LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU +RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp +jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK +6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX +mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs +Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH +WD9f +-----END CERTIFICATE----- diff --git a/tests/usr.sbin/certctl/certs2/Makefile b/tests/usr.sbin/certctl/certs2/Makefile new file mode 100644 index 000000000000..8b046afd6ad5 --- /dev/null +++ b/tests/usr.sbin/certctl/certs2/Makefile @@ -0,0 +1,10 @@ +# $NetBSD: Makefile,v 1.1 2023/08/26 05:27:14 riastradh Exp $ +# + +FILESDIR= ${TESTSDIR}/certs2 + +FILES+= GTS_Root_R1.pem +FILES+= GlobalSign_Root_CA_-_R3.pem + +.include +.include diff --git a/tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem b/tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem new file mode 100644 index 000000000000..842652306722 --- /dev/null +++ b/tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGFDCCA/ygAwIBAgIIG3Dp0v+ubHEwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UE +BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h +cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0xNDA5MjMxNTIyMDdaFw0zNjA1 +MDUxNTIyMDdaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg +Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9 +thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM +cas9UX4PB99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefG +L9ItWY16Ck6WaVICqjaY7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15i +NA9wBj4gGFrO93IbJWyTdBSTo3OxDqqHECNZXyAFGUftaI6SEspd/NYrspI8IM/h +X68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyIplD9amML9ZMWGxmPsu2b +m8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctXMbScyJCy +Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja +EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T +KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF +6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh +OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMB0GA1UdDgQWBBRlzeurNR4APn7VdMAc +tHNHDhpkLzASBgNVHRMBAf8ECDAGAQH/AgEBMIGmBgNVHSAEgZ4wgZswgZgGBFUd +IAAwgY8wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuZmlybWFwcm9mZXNpb25hbC5j +b20vY3BzMFwGCCsGAQUFBwICMFAeTgBQAGEAcwBlAG8AIABkAGUAIABsAGEAIABC +AG8AbgBhAG4AbwB2AGEAIAA0ADcAIABCAGEAcgBjAGUAbABvAG4AYQAgADAAOAAw +ADEANzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAHSHKAIrdx9m +iWTtj3QuRhy7qPj4Cx2Dtjqn6EWKB7fgPiDL4QjbEwj4KKE1soCzC1HA01aajTNF +Sa9J8OA9B3pFE1r/yJfY0xgsfZb43aJlQ3CTkBW6kN/oGbDbLIpgD7dvlAceHabJ +hfa9NPhAeGIQcDq+fUs5gakQ1JZBu/hfHAsdCPKxsIl68veg4MSPi3i1O1ilI45P +Vf42O+AMt8oqMEEgtIDNrvx2ZnOorm7hfNoD6JQg5iKj0B+QXSBTFCZX2lSX3xZE +EAEeiGaPcjiT3SC3NL7X8e5jjkd5KAb881lFJWAiMxujX6i6KtoaPc1A6ozuBRWV +1aUsIC+nmCjuRfzxuIgALI9C2lHVnOUTaHFFQ4ueCyE8S1wF3BqfmI7avSKecs2t +CsvMo2ebKHTEm9caPARYpoKdrcd7b/+Alun4jWq9GJAd/0kakFI3ky88Al2CdgtR +5xbHV/g4+afNmyJU72OwFW1TZQNKXkqgsqeOSQBZONXH9IBk9W6VULgRfhVwOEqw +f9DEMnDAGf/JOC0ULGb0QkTmVXYbgBVX/8Cnp6o5qtjTcNAuuuuUavpfNIbnYrX9 +ivAwhZTJryQCL2/W3Wf+47BVTwSYT6RBVuKT0Gro1vP7ZeDOdcQxWQzugsgMYDNK +GbqEZycPvEJdvSRUDewdcAZfpLz6IHxV +-----END CERTIFICATE----- diff --git a/tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem b/tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem new file mode 100644 index 000000000000..de97f841cbfa --- /dev/null +++ b/tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UE +BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h +cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEy +MzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg +Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9 +thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM +cas9UX4PB99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefG +L9ItWY16Ck6WaVICqjaY7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15i +NA9wBj4gGFrO93IbJWyTdBSTo3OxDqqHECNZXyAFGUftaI6SEspd/NYrspI8IM/h +X68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyIplD9amML9ZMWGxmPsu2b +m8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctXMbScyJCy +Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja +EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T +KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF +6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh +OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD +VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNHDhpkLzCBpgYD +VR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp +cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBv +ACAAZABlACAAbABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBl +AGwAbwBuAGEAIAAwADgAMAAxADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF +661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx51tkljYyGOylMnfX40S2wBEqgLk9 +am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qkR71kMrv2JYSiJ0L1 +ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaPT481 +PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS +3a/DTg4fJl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5k +SeTy36LssUzAKh3ntLFlosS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF +3dvd6qJ2gHN99ZwExEWN57kci57q13XRcrHedUTnQn3iV2t93Jm8PYMo6oCTjcVM +ZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoRsaS8I8nkvof/uZS2+F0g +StRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTDKCOM/icz +Q0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQB +jLMi6Et8Vcad+qMUu2WFbm5PEn4KPJ2V +-----END CERTIFICATE----- diff --git a/tests/usr.sbin/certctl/certs3/Makefile b/tests/usr.sbin/certctl/certs3/Makefile new file mode 100644 index 000000000000..c9721ef7aa2a --- /dev/null +++ b/tests/usr.sbin/certctl/certs3/Makefile @@ -0,0 +1,10 @@ +# $NetBSD: Makefile,v 1.1 2023/08/26 05:27:14 riastradh Exp $ +# + +FILESDIR= ${TESTSDIR}/certs3 + +FILES+= Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem +FILES+= Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem + +.include +.include diff --git a/tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem b/tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem new file mode 100644 index 000000000000..666cf67c32be --- /dev/null +++ b/tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFgzCCA2ugAwIBAgIPXZONMGc2yAYdGsdUhGkHMA0GCSqGSIb3DQEBCwUAMDsx +CzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJ +WiBGTk1ULVJDTTAeFw0wODEwMjkxNTU5NTZaFw0zMDAxMDEwMDAwMDBaMDsxCzAJ +BgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJWiBG +Tk1ULVJDTTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALpxgHpMhm5/ +yBNtwMZ9HACXjywMI7sQmkCpGreHiPibVmr75nuOi5KOpyVdWRHbNi63URcfqQgf +BBckWKo3Shjf5TnUV/3XwSyRAZHiItQDwFj8d0fsjz50Q7qsNI1NOHZnjrDIbzAz +WHFctPVrbtQBULgTfmxKo0nRIBnuvMApGGWn3v7v3QqQIecaZ5JCEJhfTzC8PhxF +tBDXaEAUwED653cXeuYLj2VbPNmaUtu1vZ5Gzz3rkQUCwJaydkxNEJY7kvqcfw+Z +374jNUUeAlz+taibmSXaXvMiwzn15Cou08YfxGyqxRxqAQVKL9LFwag0Jl1mpdIC +IfkYtwb1TplvqKtMUejPUBjFd8g5CSxJkjKZqLsXF3mwWsXmo8RZZUc1g16p6DUL +mbvkzSDGm0oGObVo/CK67lWMK07q87Hj/LaZmtVC+nFNCM+HHmpxffnTtOmlcYF7 +wk5HlqX2doWjKI/pgG6BU6VtX7hI+cL5NqYuSf+4lsKMB7ObiFj86xsc3i1w4peS +MKGJ47xVqCfWS+2QrYv6YyVZLag13cqXM7zlzced0ezvXg5KkAYmY6252TUtB7p2 +ZSysV4999AeU14ECll2jB0nVetBX+RvnU0Z1qrB5QstocQjpYL05ac70r8NWQMet +UqIJ5G+GR4of6ygnXYMgrwTJbFaai0b1AgMBAAGjgYMwgYAwDwYDVR0TAQH/BAUw +AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPd9xf3E6Jobd2Sn9R2gzL+H +YJptMD4GA1UdIAQ3MDUwMwYEVR0gADArMCkGCCsGAQUFBwIBFh1odHRwOi8vd3d3 +LmNlcnQuZm5tdC5lcy9kcGNzLzANBgkqhkiG9w0BAQsFAAOCAgEAB5BK3/MjTvDD +nFFlm5wioooMhfNzKWtN/gHiqQxjAb8EZ6WdmF/9ARP67Jpi6Yb+tmLSbkyU+8B1 +RXxlDPiyN8+sD8+Nb/kZ94/sHvJwnvDKuO+3/3Y3dlv2bojzr2IyIpMNOmqOFGYM +LVN0V2Ue1bLdI4E7pWYjJ2cJj+F3qkPNZVEI7VFY/uY5+ctHhKQV8Xa7pO6kO8Rf +77IzlhEYt8llvhjho6Tc+hj507wTmzl6NLrTQfv6MooqtyuGC2mDOL7Nii4LcK2N +JpLuHvUBKwrZ1pebbuCoGRw6IYsMHkCtA+fdZn71uSANA+iW+YJF1DngoABd15jm +fZ5nc8OaKveri6E6FO80vFIOiZiaBECEHX5FaZNXzuvO+FB8TxxuBEOb+dY7Ixjp +6o7RTUaN8Tvkasq6+yO3m/qZASlaWFot4/nUbQ4mrcFuNLwy+AwF+mWj2zs3gyLp +1txyM/1d8iC9djwj2ij3+RvrWWTV3F9yfiD8zYm1kGdNYno/Tq0dwzn+evQoFt9B +9kiABdcPUXmsEKvU7ANm5mqwujGSQkBqvjrTcuFqN1W8rB2Vt2lh8kORdOag0wok +RqEIr9baRRmW1FMdW4R58MD3R++Lj8UGrp1MYp3/RgT408m2ECVAdf4WqslKYIYv +uu8wd+RU4riEmViAqhOLUTpPSPaLtrM= +-----END CERTIFICATE----- diff --git a/tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem b/tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem new file mode 100644 index 000000000000..fd4341df2663 --- /dev/null +++ b/tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB +CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 +nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt +43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P +T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 +gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO +BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR +TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw +DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr +hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg +06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF +PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls +YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk +CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= +-----END CERTIFICATE----- diff --git a/tests/usr.sbin/certctl/certs4/Makefile b/tests/usr.sbin/certctl/certs4/Makefile new file mode 100644 index 000000000000..6fe3a4d5f118 --- /dev/null +++ b/tests/usr.sbin/certctl/certs4/Makefile @@ -0,0 +1,10 @@ +# $NetBSD: Makefile,v 1.1 2023/08/26 05:27:15 riastradh Exp $ +# + +FILESDIR= ${TESTSDIR}/certs4 + +FILES+= AC_RAIZ_FNMT-RCM.pem +FILES+= DigiCert_Global_Root_CA.pem + +.include +.include diff --git a/tests/usr.sbin/certctl/t_certctl.sh b/tests/usr.sbin/certctl/t_certctl.sh new file mode 100644 index 000000000000..33a1e19c2cfe --- /dev/null +++ b/tests/usr.sbin/certctl/t_certctl.sh @@ -0,0 +1,333 @@ +#!/bin/sh + +# $NetBSD: t_certctl.sh,v 1.1 2023/08/26 05:27:14 riastradh Exp $ +# +# Copyright (c) 2023 The NetBSD Foundation, Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +CERTCTL="certctl -C certs.conf -c certs -u untrusted" + +# setupconf ... +# +# Create certs/ and set up certs.conf to search the specified +# subdirectories of the source directory. +# +setupconf() +{ + local sep subdir dir + + mkdir certs + cat <certs.conf +netbsd-certctl 20230816 + +# comment at line start + # comment not at line start, plus some intentional whitespace + +# THE WHITESPACE ABOVE IS INTENTIONAL, DO NOT DELETE +EOF + # Start with a continuation line separator; then switch to + # non-continuation lines. + sep=$(printf ' \\\n\t') + for subdir; do + dir=$(atf_get_srcdir)/$subdir + cat <>certs.conf +path$sep$(printf '%s' "$dir" | vis -M) +EOF + sep=' ' + done +} + +# check_empty +# +# Verify the certs directory is empty after dry runs or after +# clearing the directory. +# +check_empty() +{ + local why + + why=${1:-dry run} + for x in certs/*; do + if [ -e "$x" -o -h "$x" ]; then + atf_fail "certs/ should be empty after $why" + fi + done +} + +# check_nonempty +# +# Verify the certs directory is nonempty. +# +check_nonempty() +{ + for x in certs/*.0; do + test -e "$x" && test -h "$x" && return + done + atf_fail "certs/ should be nonempty" +} + +# checks ... +# +# Run various checks with certctl. +# +checks() +{ + local certs1 diginotar_base diginotar diginotar_hash subdir srcdir + + certs1=$(atf_get_srcdir)/certs1 + diginotar_base=Explicitly_Distrust_DigiNotar_Root_CA.pem + diginotar=$certs1/$diginotar_base + diginotar_hash=$(openssl x509 -hash -noout <$diginotar) + + # Do a dry run of rehash and make sure the directory is still + # empty. + atf_check -s exit:0 $CERTCTL -n rehash + check_empty + + # Distrust and trust one CA, as a dry run. The trust should + # fail because it's not currently distrusted. + atf_check -s exit:0 $CERTCTL -n untrust "$diginotar" + check_empty + atf_check -s not-exit:0 -e match:currently \ + $CERTCTL -n trust "$diginotar" + check_empty + + # Do a real rehash, not a dry run. + atf_check -s exit:0 $CERTCTL rehash + + # Make sure all the certificates are trusted. + for subdir; do + case $subdir in + /*) srcdir=$subdir;; + *) srcdir=$(atf_get_srcdir)/$subdir;; + esac + for cert in "$srcdir"/*.pem; do + # Verify the certificate is linked by its base name. + certbase=$(basename "$cert") + atf_check -s exit:0 -o inline:"$cert" \ + readlink -n "certs/$certbase" + + # Verify the certificate is linked by a hash. + hash=$(openssl x509 -hash -noout <$cert) + counter=0 + found=false + while [ $counter -lt 10 ]; do + if cmp -s "certs/$hash.$counter" "$cert"; then + found=true + break + fi + counter=$((counter + 1)) + done + if ! $found; then + atf_fail "missing $cert" + fi + + # Delete both links. + rm "certs/$certbase" + rm "certs/$hash.$counter" + done + done + + # Verify the certificate bundle is there and delete it. + # + # XXX Verify its content. + atf_check -s exit:0 test -f certs/ca-certificates.crt + atf_check -s exit:0 test ! -h certs/ca-certificates.crt + rm certs/ca-certificates.crt + + # Make sure after deleting everything there's nothing left. + check_empty "removing all expected certificates" + + # Distrust, trust, and re-distrust one CA, and verify that it + # ceases to appear, reappears, and again ceases to appear. + # (This one has no subject hash collisions to worry about, so + # we hard-code the `.0' suffix.) + atf_check -s exit:0 $CERTCTL untrust "$diginotar" + atf_check -s exit:0 test -e "untrusted/$diginotar_base" + atf_check -s exit:0 test -h "untrusted/$diginotar_base" + atf_check -s exit:0 test ! -e "certs/$diginotar_base" + atf_check -s exit:0 test ! -h "certs/$diginotar_base" + atf_check -s exit:0 test ! -e "certs/$diginotar_hash.0" + atf_check -s exit:0 test ! -h "certs/$diginotar_hash.0" + check_nonempty + + atf_check -s exit:0 $CERTCTL trust "$diginotar" + atf_check -s exit:0 test ! -e "untrusted/$diginotar_base" + atf_check -s exit:0 test ! -h "untrusted/$diginotar_base" + atf_check -s exit:0 test -e "certs/$diginotar_base" + atf_check -s exit:0 test -h "certs/$diginotar_base" + atf_check -s exit:0 test -e "certs/$diginotar_hash.0" + atf_check -s exit:0 test -h "certs/$diginotar_hash.0" + rm "certs/$diginotar_base" + rm "certs/$diginotar_hash.0" + check_nonempty + + atf_check -s exit:0 $CERTCTL untrust "$diginotar" + atf_check -s exit:0 test -e "untrusted/$diginotar_base" + atf_check -s exit:0 test -h "untrusted/$diginotar_base" + atf_check -s exit:0 test ! -e "certs/$diginotar_base" + atf_check -s exit:0 test ! -h "certs/$diginotar_base" + atf_check -s exit:0 test ! -e "certs/$diginotar_hash.0" + atf_check -s exit:0 test ! -h "certs/$diginotar_hash.0" + check_nonempty +} + +atf_test_case empty +empty_head() +{ + atf_set "descr" "Test empty certificates store" +} +empty_body() +{ + setupconf # no directories + check_empty "empty cert path" + atf_check -s exit:0 $CERTCTL -n rehash + check_empty + atf_check -s exit:0 $CERTCTL rehash + atf_check -s exit:0 test -f certs/ca-certificates.crt + atf_check -s exit:0 test \! -h certs/ca-certificates.crt + atf_check -s exit:0 test \! -s certs/ca-certificates.crt + atf_check -s exit:0 rm certs/ca-certificates.crt + check_empty "empty cert path" +} + +atf_test_case onedir +onedir_head() +{ + atf_set "descr" "Test one certificates directory" +} +onedir_body() +{ + setupconf certs1 + checks certs1 +} + +atf_test_case twodir +twodir_head() +{ + atf_set "descr" "Test two certificates directories" +} +twodir_body() +{ + setupconf certs1 certs2 + checks certs1 certs2 +} + +atf_test_case collidehash +collidehash_head() +{ + atf_set "descr" "Test colliding hashes" +} +collidehash_body() +{ + # certs3 has two certificates with the same subject hash + setupconf certs1 certs3 + checks certs1 certs3 +} + +atf_test_case collidebase +collidebase_head() +{ + atf_set "descr" "Test colliding base names" +} +collidebase_body() +{ + # certs1 and certs4 both have DigiCert_Global_Root_CA.pem, + # which should cause list and rehash to fail and mention + # duplicates. + setupconf certs1 certs4 + atf_check -s not-exit:0 -o ignore -e match:duplicate $CERTCTL list + atf_check -s not-exit:0 -o ignore -e match:duplicate $CERTCTL rehash +} + +atf_test_case manual +manual_head() +{ + atf_set "descr" "Test manual operation" +} +manual_body() +{ + local certs1 diginotar_base diginotar diginotar_hash + + certs1=$(atf_get_srcdir)/certs1 + diginotar_base=Explicitly_Distrust_DigiNotar_Root_CA.pem + diginotar=$certs1/$diginotar_base + diginotar_hash=$(openssl x509 -hash -noout <$diginotar) + + setupconf certs1 certs2 + cat <>certs.conf +manual +EOF + touch certs/bogus.pem + ln -s bogus.pem certs/0123abcd.0 + + # Listing shouldn't mention anything in the certs/ cache. + atf_check -s exit:0 -o not-match:bogus $CERTCTL list + atf_check -s exit:0 -o not-match:bogus $CERTCTL untrusted + + # Rehashing and changing the configuration should succeed, but + # mention `manual' in a warning message and should not touch + # the cache. + atf_check -s exit:0 -e match:manual $CERTCTL rehash + atf_check -s exit:0 -e match:manual $CERTCTL untrust "$diginotar" + atf_check -s exit:0 -e match:manual $CERTCTL trust "$diginotar" + + # The files we created should still be there. + atf_check -s exit:0 test -f certs/bogus.pem + atf_check -s exit:0 test -h certs/0123abcd.0 +} + +atf_test_case evilpath +evilpath_head() +{ + atf_set "descr" "Test certificate paths with evil characters" +} +evilpath_body() +{ + local evildir + + evildir="$(printf 'evil\n.')" + evildir=${evildir%.} + mkdir "$evildir" + + cp -p "$(atf_get_srcdir)/certs2"/*.pem "$evildir"/ + + setupconf certs1 + cat <>certs.conf +path $(printf '%s' "$(pwd)/$evildir" | vis -M) +EOF + checks certs1 "$(pwd)/$evildir" +} + +atf_init_test_cases() +{ + atf_add_test_case collidebase + atf_add_test_case collidehash + atf_add_test_case empty + atf_add_test_case evilpath + atf_add_test_case manual + atf_add_test_case onedir + atf_add_test_case twodir +} diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile index 0a7f31659de3..2afc8201fb7e 100644 --- a/usr.sbin/Makefile +++ b/usr.sbin/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.291 2022/06/06 10:56:29 nia Exp $ +# $NetBSD: Makefile,v 1.292 2023/08/26 05:27:15 riastradh Exp $ # from: @(#)Makefile 5.20 (Berkeley) 6/12/93 .include SUBDIR= ac accton acpitools altq apm apmd arp autofs \ bad144 bootp bta2dpd btattach btconfig btdevctl bthcid btpand catman \ - chroot cnwctl cpuctl crash \ + certctl chroot cnwctl cpuctl crash \ dev_mkdb diskpart dumpfs dumplfs \ edquota eeprom envstat etcupdate extattrctl \ flashctl fssconfig fstyp fusermount fwctl \ diff --git a/usr.sbin/certctl/Makefile b/usr.sbin/certctl/Makefile new file mode 100644 index 000000000000..dd0bb3c7de05 --- /dev/null +++ b/usr.sbin/certctl/Makefile @@ -0,0 +1,10 @@ +# $NetBSD: Makefile,v 1.1 2023/08/26 05:27:15 riastradh Exp $ +# + +MAN= certctl.8 +SCRIPTS= certctl.sh + +FILESDIR= /etc/openssl +CONFIGFILES= certs.conf + +.include diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8 new file mode 100644 index 000000000000..b2509f5f9884 --- /dev/null +++ b/usr.sbin/certctl/certctl.8 @@ -0,0 +1,337 @@ +.\" $NetBSD: certctl.8,v 1.1 2023/08/26 05:27:15 riastradh Exp $ +.\" +.\" Copyright (c) 2023 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd August 16, 2023 +.Dt CERTCTL 8 +.Os +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh NAME +.Nm certctl +.Nd configure OpenSSL certificate trust anchors +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh SYNOPSIS +.Nm +.Op Fl nv +.Op Fl C Ar config +.Op Fl c Ar certsdir +.Op Fl u Ar distrustdir +.Ar cmd +.Op Ar args... +.\"""""""""""""""""" +.Nm +.Oo Ar options Oc Cm list +.Nm +.Oo Ar options Oc Cm rehash +.Nm +.Oo Ar options Oc Cm trust Ar cert +.Nm +.Oo Ar options Oc Cm untrust Ar cert +.Nm +.Oo Ar options Oc Cm untrusted +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh DESCRIPTION +The +.Nm +utility manages certificates used by OpenSSL-based applications as +trust anchors for certificate validation in HTTPS or other purposes. +.Nm +allows configuring the set of certificates and persistently excluding +individual certificates. +.Pp +For HTTPS certificate validation, OpenSSL applications typically +use either a directory at +.Pa /etc/openssl/certs +of hashed certificates in PEM format, with names like +.Pa "3513523f.0" +used for lookup +.Pq see Xr openssl_rehash 1 , +or a single-file bundle at +.Pa /etc/openssl/certs/ca-certificates.crt +concatenating all the certificates in PEM format. +.Pp +.Nm +scans all directories in the certificate search path specified by the +configuration file +.Ar config +.Pq default: Pa /etc/openssl/certs.conf +for files called +.Pa *.cer , +.Pa *.crt , +or +.Pa *.pem +in PEM format, except for those that have been excluded by +.Nm Cm untrust , +and keeps +.Ar certsdir +.Pq default: Pa /etc/openssl/certs +populated with symlinks to them. +.Pp +.Nm +treats +.Ar config +and +.Ar distrustdir +as configuration, and +.Ar certsdir +strictly as a cache that can be safely deleted and rebuilt with +.Nm Cm rehash . +.Nm +can also be instructed not to touch +.Ar certsdir +at all by putting +.Cm manual +in +.Ar config . +. +.\"""""""""""""""""""""""""""""""""""""" +.Ss Commands +.Bl -tag -width Cm +.\"""""""""""""""""" +.It Cm list +List absolute paths to trusted certificates, one per line, in +.Xr vis 1 +format to encode any shell metacharacters, that +.Nm Cm rehash +would use to populate the +.Ar certsdir +cache. +.\"""""""""""""""""" +.It Cm rehash +Populate +.Ar certsdir +with all trusted certificates, excluding any from +.Nm Cm untrust . +.\"""""""""""""""""" +.It Cm trust Ar cert +Allow +.Ar cert +to be included in the certificate cache if it is in the certificate +search path, and rehash the certificate cache. +In other words, reverse the persistent effect of +.Nm Cm untrust Ar cert . +.Pp +.Ar cert +must be the full absolute path to a certificate that has been excluded +by +.Nm Cm untrust Ar cert . +.Pp +This does not add a new certificate which is not in the search path. +To do that, you can create a directory to hold it and put that +directory in the search path. +.\"""""""""""""""""" +.It Cm untrust Ar cert +Persistently prevent +.Ar +from being included in the certificate cache, and rehash the +certificate cache. +.Pp +.Ar cert +must be the full absolute path to a certificate that is in the +certificate search path. +.\"""""""""""""""""" +.It Cm untrusted +List absolute paths to untrusted certificates, one per line, in +.Xr vis 1 +format to encode any shell metacharacters, that have been excluded by +.Nm Cm untrust +so that +.Nm Cm rehash +will not put them in +.Ar certsdir . +.\"""""""""""""""""" +.El +.\"""""""""""""""""""""""""""""""""""""" +.Ss Configuration file +The configuration file is a plain text file of lines separated by +.Tn US-ASCII +line feeds. +.Pp +.Pp +The first line must be: +.Dl netbsd-certctl 20230816 +.Pp +Lines with only whitespace, or whitespace followed by the comment +character +.Ql # +are ignored. +Each line has a directive and arguments separated by whitespace, and +may be extended by +.Ql \e +to continuation lines. +.Bl -tag -width Cm +.\"""""""""""""""""" +.It Cm path Ar dir +Add +.Ar dir +to the certificate search path. +.Ar dir +must be an absolute pathname, +.Xr vis 3 Ns -encoded . +.Pp +All certificates must have unique base names across all directories +in the certificate search path. +.\"""""""""""""""""" +.It Cm manual +Manual override. +If specified, +.Nm +will +.Em not +modify +.Ar certsdir , +but may still check consistency of the configuration when run and +update +.Ar distrustdir . +.\"""""""""""""""""" +.El +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh FILES +.Bl -tag -width Pa +.It Pa /etc/openssl/certs +Default directory of hashed HTTPS CA certificates. +.It Pa /etc/openssl/certs/ca-certificates.crt +Default single-file HTTPS CA certificate bundle. +.It Pa /etc/openssl/certs.conf +Default configuration file for HTTPS CA certificates. +.It Pa /etc/openssl/untrusted +Default +.Ar untrusted +directory of excluded HTTPS CA certificates. +.It Pa /usr/share/certs/mozilla/all +All root CA certificates published by Mozilla, including untrustworthy +certificates. +.It Pa /usr/share/certs/mozilla/code +All root CA certificates published by Mozilla for use in code-signing. +.It Pa /usr/share/certs/mozilla/email +All root CA certificates published by Mozilla for use in email +authentication. +.It Pa /usr/share/certs/mozilla/server +All root CA certificates published by Mozilla for use in HTTPS server +authentication. +.El +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh EXAMPLES +Example configuration file +.Pq Pa /etc/openssl/certs.conf : +.Bd -literal -offset indent +netbsd-certctl 20230816 + +# Blank lines and comments are ignored. +# Comments begin with a `#' sign. + +# Gather certificates from files called *.cer, *.crt, and *.pem +# under these directories. +path /usr/share/certs/mozilla/server +path /usr/pkg/share/chromium-cacerts + +# If the next line is uncommented, certctl(8) will decline to +# touch /etc/openssl/certs. +#manual +.Ed +.Pp +Exclude a certificate: +.Bd -literal -offset indent +$ certctl untrust /usr/share/certs/mozilla/server/GTS_Root_R1.pem +.Ed +.Pp +There is no need to run +.Nm Cm rehash +explicitly after +.Nm Cm untrust , +but if you do, the setting will persist. +.Pp +Rebuild the hashed certificate cache at +.Pa /etc/myapplication/certs +from +.Pa /etc/myapplication/certs.conf +and +.Pa /etc/myapplication/untrusted : +.Bd -literal -offset indent +$ certctl -c /etc/myapplication/certs \e + -C /etc/myapplication/certs.conf \e + -u /etc/myapplication/untrusted +.Ed +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh DIAGNOSTICS +.Ex -std +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh COMPATIBILITY +The +.Nm +utility is mostly compatible with a utility of the same name in +.Fx . +Differences: +.Bl -enum +.\"""""""""""""""""" +.It +.Fx Nm +supports destdir/metalog handling; +.Nx Nm +does not. +.\"""""""""""""""""" +.It +.Fx Nm +treats +.Pa /etc/ssl/certs +and +.Pa /etc/ssl/untrusted +both as configuration +.Em and +as caches; +.Nx Nm +treats +.Pa /etc/openssl/certs.conf +and +.Pa /etc/openssl/untrusted +as configuration, and treats +.Pa /etc/openssl/certs +strictly as a cache. +.Fx Nm +will forget any +.Nm Cm untrust +settings on +.Nm Cm rehash , +but +.Nx Nm +will remember them. +.\"""""""""""""""""" +.It +.Fx Nm +takes configuration through environment variables; +.Nx Nm +takes configuration through a file and command-line arguments. +.El +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh SEE ALSO +.Xr openssl 1 , +.Xr openssl_rehash 1 +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh HISTORY +.Nm +first appeared in +.Nx 10.0 . +A utility of the same name previously appeared in +.Fx 12.2 . diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh new file mode 100755 index 000000000000..8e5e3b1e26d8 --- /dev/null +++ b/usr.sbin/certctl/certctl.sh @@ -0,0 +1,658 @@ +#!/bin/sh + +# $NetBSD: certctl.sh,v 1.1 2023/08/26 05:27:15 riastradh Exp $ +# +# Copyright (c) 2023 The NetBSD Foundation, Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +set -o pipefail +set -Ceu + +progname=$(basename -- "$0") + +### Options and arguments + +usage() +{ + exec >&2 + printf 'Usage: %s %s\n' \ + "$progname" \ + "[-nv] [-C ] [-c ] [-u ]" + printf ' ...\n' + printf ' %s list\n' "$progname" + printf ' %s rehash\n' "$progname" + printf ' %s trust \n' "$progname" + printf ' %s untrust \n' "$progname" + printf ' %s untrusted\n' "$progname" + exit 1 +} + +certsdir=/etc/openssl/certs +config=/etc/openssl/certs.conf +distrustdir=/etc/openssl/untrusted +nflag=false # dry run +vflag=false # verbose + +# Options used by FreeBSD: +# +# -D destdir +# -M metalog +# -U (unprivileged) +# -d distbase +# +while getopts C:c:nu:v f; do + case $f in + C) config=$OPTARG;; + c) certsdir=$OPTARG;; + n) nflag=true;; + u) distrustdir=$OPTARG;; + v) vflag=true;; + \?) usage;; + esac +done +shift $((OPTIND - 1)) + +if [ $# -lt 1 ]; then + usage +fi +cmd=$1 + +### Global state + +config_paths= +config_manual=false +tmpfile= + +# If tmpfile is set to nonempty, clean it up on exit. + +trap 'test -n "$tmpfile" && rm -f "$tmpfile"' EXIT HUP INT TERM + +### Subroutines + +# error ... +# +# Print an error message to stderr. +# +# Does not exit the process. +# +error() +{ + echo "$progname:" "$@" >&2 +} + +# run ... +# +# Print a command if verbose, and run it unless it's a dry run. +# +run() +{ + local t q cmdline + + if $vflag; then # print command if verbose + for t; do + case $t in + ''|*[^[:alnum:]+,-./:=_@]*) + # empty or unsafe -- quotify + ;; + *) + # nonempty and safe-only -- no quotify + cmdline="${cmdline:+$cmdline }$t" + continue + ;; + esac + q=$(printf '%s' "$t" | sed -e "s/'/'\\\''/g'") + cmdline="${cmdline:+$cmdline }'$q'" + done + printf '%s\n' "$cmdline" + fi + if ! $nflag; then # skip command if dry run + "$@" + fi +} + +# configure +# +# Parse the configuration file, initializing config_*. +# +configure() +{ + local lineno status formatok vconfig line contline op path vpath vop + + # Count line numbers, record a persistent error status to + # return at the end, and record whether we got a format line. + lineno=0 + status=0 + formatok=false + + # vis the config name for terminal-safe error messages. + vconfig=$(printf '%s' "$config" | vis -M) + + # Read and process each line of the config file. + while read -r line; do + lineno=$((lineno + 1)) + + # If the line ends in an odd number of backslashes, it + # has a continuation line, so read on. + while expr "$line" : '^\(\\\\\)*\\' >/dev/null || + expr "$line" : '^.*[^\\]\(\\\\\)*\\$' >/dev/null; do + if ! read -r contline; then + error "$vconfig:$lineno: premature end of file" + return 1 + fi + line="$line$contline" + done + + # Skip blank lines and comments. + case $line in + ''|'#'*) + continue + ;; + esac + + # Require the first non-blank/comment line to identify + # the config file format. + if ! $formatok; then + if [ "$line" = "netbsd-certctl 20230816" ]; then + formatok=true + continue + else + error "$vconfig:$lineno: missing format line" + status=1 + break + fi + fi + + # Split the line into words and dispatch on the first. + set -- $line + op=$1 + case $op in + manual) + config_manual=true + ;; + path) + if [ $# -lt 2 ]; then + error "$vconfig:$lineno: missing path" + status=1 + continue + fi + if [ $# -gt 3 ]; then + error "$vconfig:$lineno: excess args" + status=1 + continue + fi + + # Unvis the path. Hack: if the user has had + # the audacity to choose a path ending in + # newlines, prevent the shell from consuming + # them so we don't choke on their subterfuge. + path=$(printf '%s.' "$2" | unvis) + path=${path%.} + + # Ensure the path is absolute. It is unclear + # what directory it should be relative to if + # not. + case $path in + /*) + ;; + *) + error "$vconfig:$lineno:" \ + "relative path forbidden" + status=1 + continue + ;; + esac + + # Record the vis-encoded path in a + # space-separated list. + vpath=$(printf '%s' "$path" | vis -M) + config_paths="$config_paths $vpath" + ;; + *) + vop=$(printf '%s' "$op" | vis -M) + error "$vconfig:$lineno: unknown command: $vop" + ;; + esac + done <$config + + return $status +} + +# list_default_trusted +# +# List the vis-encoded certificate paths and their base names, +# separated by a space, for the certificates that are trusted by +# default according to the configuration. +# +# No order guaranteed; caller must sort. +# +list_default_trusted() +{ + local vpath path cert base vcert vbase + + for vpath in $config_paths; do + path=$(printf '%s.' "$vpath" | unvis) + path=${path%.} + + # Enumerate the .pem, .cer, and .crt files. + for cert in "$path"/*.pem "$path"/*.cer "$path"/*.crt; do + # vis the certificate path. + vcert=$(printf '%s' "$cert" | vis -M) + + # If the file doesn't exist, then either: + # + # (a) it's a broken symlink, so fail; + # or + # (b) the shell glob failed to match, + # so ignore it and move on. + if [ ! -e "$cert" ]; then + if [ -h "$cert" ]; then + error "broken symlink: $vcert" + status=1 + fi + continue + fi + + # Print the vis-encoded absolute path to the + # certificate and base name on a single line. + vbase=$(basename -- "$vcert.") + vbase=${vbase%.} + printf '%s %s\n' "$vcert" "$vbase" + done + done +} + +# list_distrusted +# +# List the vis-encoded certificate paths and their base names, +# separated by a space, for the certificates that have been +# distrusted by the user. +# +# No order guaranteed; caller must sort. +# +list_distrusted() +{ + local status link vlink cert vcert + + status=0 + + for link in "$distrustdir"/*; do + # vis the link for terminal-safe error messages. + vlink=$(printf '%s' "$link" | vis -M) + + # The distrust directory must only have symlinks to + # certificates. If we find a non-symlink, print a + # warning and arrange to fail. + if [ ! -h "$link" ]; then + if [ ! -e "$link" ] && \ + [ "$link" = "$distrustdir/*" ]; then + # Shell glob matched nothing -- just + # ignore it. + break + fi + error "distrusted non-symlink: $vlink" + status=1 + continue + fi + + # Read the target of the symlink, nonrecursively. If + # the user has had the audacity to make a symlink whose + # target ends in newline, prevent the shell from + # consuming them so we don't choke on their subterfuge. + cert=$(readlink -n -- "$link" && printf .) + cert=${cert%.} + + # Warn if the target is relative. Although it is clear + # what directory it would be relative to, there might + # be issues with canonicalization. + case $cert in + /*) + ;; + *) + vlink=$(printf '%s' "$link" | vis -M) + vcert=$(printf '%s' "$cert" | vis -M) + error "distrusted relative symlink: $vlink -> $vcert" + ;; + esac + + # Print the vis-encoded absolute path to the + # certificate and base name on a single line. + vcert=$(printf '%s' "$cert" | vis -M) + vbase=$(basename -- "$vcert.") + vbase=${vbase%.} + printf '%s %s\n' "$vcert" "$vbase" + done + + return $status +} + +# list_trusted +# +# List the trusted certificates, excluding the distrusted one, as +# one vis(3) line per certificate. Reject duplicate base names, +# since we will be creating symlinks to the same base names in +# the certsdir. Sorted lexicographically by vis-encoding. +# +list_trusted() +{ + + # XXX Use dev/ino to match files instead of symlink targets? + + { + list_default_trusted \ + | while read -r vcert vbase; do + printf 'trust %s %s\n' "$vcert" "$vbase" + done + + # XXX Find a good way to list the default-untrusted + # certificates, so if you have already distrusted one + # and it is removed from default-trust on update, + # nothing warns about this. + + # list_default_untrusted \ + # | while read -r vcert vbase; do + # printf 'distrust %s %s\n' "$vcert" "$vbase" + # done + + list_distrusted \ + | while read -r vcert vbase; do + printf 'distrust %s %s\n' "$vcert" "$vbase" + done + } | awk -v progname="$progname" ' + BEGIN { status = 0 } + $1 == "trust" && $3 in trust && $2 != trust[$3] { + printf "%s: duplicate base name %s\n %s\n %s\n", \ + progname, $3, trust[$3], $2 >"/dev/stderr" + status = 1 + next + } + $1 == "trust" { trust[$3] = $2 } + $1 == "distrust" && !trust[$3] && !distrust[$3] { + printf "%s: distrusted certificate not found: %s\n", \ + progname, $3 >"/dev/stderr" + status = 1 + } + $1 == "distrust" && $2 in trust && $2 != trust[$3] { + printf "%s: distrusted certificate %s" \ + " has multiple paths\n" \ + " %s\n %s\n", + progname, $3, trust[$3], $2 >"/dev/stderr" + status = 1 + } + $1 == "distrust" { distrust[$3] = 1 } + END { + for (vbase in trust) { + if (!distrust[vbase]) + print trust[vbase] + } + exit status + } + ' | sort -u +} + +# rehash +# +# Delete and rebuild certsdir. +# +rehash() +{ + local vcert cert certbase hash counter bundle vbundle + + # If manual operation is enabled, refuse to rehash the + # certsdir, but succeed anyway so this can safely be used in + # automated scripts. + if $config_manual; then + error "manual certificates enabled, not rehashing" + return + fi + + # Delete the active certificates symlink cache. + run rm -rf "$certsdir" + run mkdir "$certsdir" + + # Create a temporary file for the single-file bundle. This + # will be automatically deleted on normal exit or + # SIGHUP/SIGINT/SIGTERM. + if ! $nflag; then + tmpfile=$(mktemp -t "$progname.XXXXXX") + fi + + # Recreate symlinks for all of the trusted certificates. + list_trusted \ + | while read -r vcert; do + cert=$(printf '%s.' "$vcert" | unvis) + cert=${cert%.} + run ln -s -- "$cert" "$certsdir" + + # Add the certificate to the single-file bundle. + if ! $nflag; then + cat -- "$cert" >>$tmpfile + fi + done + + # Hash the directory with openssl. + # + # XXX Pass `-v' to openssl in a way that doesn't mix with our + # shell-safe verbose commands? (Need to handle `-n' too.) + run openssl rehash -- "$certsdir" + + # Install the single-file bundle. + bundle=$certsdir/ca-certificates.crt + vbundle=$(printf '%s' "$bundle" | vis -M) + $vflag && printf '# create %s\n' "$vbundle" + if ! $nflag; then + cp -- "$tmpfile" "$bundle" + rm -f -- "$tmpfile" + tmpfile= + fi +} + +### Commands + +usage_list() +{ + exec >&2 + printf 'Usage: %s list\n' "$progname" + exit 1 +} +cmd_list() +{ + test $# -eq 1 || usage_list + + configure + + list_trusted \ + | while read -r vcert vbase; do + printf '%s\n' "$vcert" + done +} + +usage_rehash() +{ + exec >&2 + printf 'Usage: %s rehash\n' "$progname" + exit 1 +} +cmd_rehash() +{ + test $# -eq 1 || usage_rehash + + configure + + rehash +} + +usage_trust() +{ + exec >&2 + printf 'Usage: %s trust \n' "$progname" + exit 1 +} +cmd_trust() +{ + local cert vcert certbase vcertbase + + test $# -eq 2 || usage_trust + cert=$2 + + configure + + # XXX Accept base name. + + # vis the certificate path for terminal-safe error messages. + vcert=$(printf '%s' "$cert" | vis -M) + + # Verify the certificate actually exists. + if [ ! -f "$cert" ]; then + error "no such certificate: $vcert" + return 1 + fi + + # Verify we currently distrust a certificate by this base name. + certbase=$(basename -- "$cert.") + certbase=${certbase%.} + if [ ! -h "$distrustdir/$certbase" ]; then + error "not currently distrusted: $vcert" + return 1 + fi + + # Verify the certificate we distrust by this base name is the + # same one. + target=$(readlink -n -- "$distrustdir/$certbase" && printf .) + target=${target%.} + if [ "$cert" != "$target" ]; then + vcertbase=$(basename -- "$vcert") + error "distrusted $vcertbase does not point to $vcert" + return 1 + fi + + # Remove the link from the distrusted directory, and rehash -- + # quietly, so verbose output emphasizes the distrust part and + # not the whole certificate set. + run rm -- "$distrustdir/$certbase" + $vflag && echo '# rehash' + vflag=false + rehash +} + +usage_untrust() +{ + exec >&2 + printf 'Usage: %s untrust \n' "$progname" + exit 1 +} +cmd_untrust() +{ + local cert vcert certbase vcertbase target vtarget + + test $# -eq 2 || usage_untrust + cert=$2 + + configure + + # vis the certificate path for terminal-safe error messages. + vcert=$(printf '%s' "$cert" | vis -M) + + # Verify the certificate actually exists. Otherwise, you might + # fail to distrust a certificate you intended to distrust, + # e.g. if you made a typo in its path. + if [ ! -f "$cert" ]; then + error "no such certificate: $vcert" + return 1 + fi + + # Check whether this certificate is already distrusted. + # - If the same base name points to the same path, stop here. + # - Otherwise, fail noisily. + certbase=$(basename "$cert.") + certbase=${certbase%.} + if [ -h "$distrustdir/$certbase" ]; then + target=$(readlink -n -- "$distrustdir/$certbase" && printf .) + target=${target%.} + if [ "$target" = "$cert" ]; then + $vflag && echo '# already distrusted' + return + fi + vcertbase=$(printf '%s' "$certbase" | vis -M) + vtarget=$(printf '%s' "$target" | vis -M) + error "distrusted $vcertbase at different path $vtarget" + return 1 + fi + + # Create the distrustdir if needed, create a symlink in it, and + # rehash -- quietly, so verbose output emphasizes the distrust + # part and not the whole certificate set. + test -d "$distrustdir" || run mkdir -- "$distrustdir" + run ln -s -- "$cert" "$distrustdir" + $vflag && echo '# rehash' + vflag=false + rehash +} + +usage_untrusted() +{ + exec >&2 + printf 'Usage: %s untrusted\n' "$progname" + exit 1 +} +cmd_untrusted() +{ + test $# -eq 1 || usage_untrusted + + configure + + list_distrusted \ + | while read -r vcert vbase; do + printf '%s\n' "$vcert" + done +} + +### Main + +# We accept the following aliases for user interface compatibility with +# FreeBSD: +# +# blacklist = untrust +# blacklisted = untrusted +# unblacklist = trust + +case $cmd in +list) cmd_list "$@" + ;; +rehash) cmd_rehash "$@" + ;; +trust|unblacklist) + cmd_trust "$@" + ;; +untrust|blacklist) + cmd_untrust "$@" + ;; +untrusted|blacklisted) + cmd_untrusted "$@" + ;; +*) vcmd=$(printf '%s' "$cmd" | vis -M) + printf '%s: unknown command: %s\n' "$progname" "$vcmd" >&2 + usage + ;; +esac diff --git a/usr.sbin/certctl/certs.conf b/usr.sbin/certctl/certs.conf new file mode 100644 index 000000000000..e64e79cd72e5 --- /dev/null +++ b/usr.sbin/certctl/certs.conf @@ -0,0 +1,13 @@ +netbsd-certctl 20230816 + +# $NetBSD: certs.conf,v 1.1 2023/08/26 05:27:15 riastradh Exp $ +# +# Configuration file for certctl(8) to manage HTTPS root CA +# certificates in /etc/openssl/certs. +# + +path /usr/share/certs/mozilla/server + +# For manual control over /etc/openssl/certs, e.g. if you want to +# install a separate CA bundle from pkgsrc, uncomment the next line: +#manual