git: 87945a082980 - main - certctl: Fix recent regressions.

Fri, 20 Oct 2023 03:29:50 -0700 

The branch main has been updated by des:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=87945a082980260b52507ad5bfb3a0ce773a80da

commit 87945a082980260b52507ad5bfb3a0ce773a80da
Author:     Dag-Erling Smørgrav <[email protected]>
AuthorDate: 2023-10-20 10:29:06 +0000
Commit:     Dag-Erling Smørgrav <[email protected]>
CommitDate: 2023-10-20 10:29:40 +0000

    certctl: Fix recent regressions.
    
    - If an untrusted certificate is also found in the list of trusted
      certificate, issue a warning and skip it, but don't fail.
    - Split on -+BEGIN CERTIFICATE-+ instead of "Certificate:" since
      that's what we're really looking for.
    
    Also fix a long-standing bug: .crl files are not certificates, so we
    should not include them when searching for certificates.
    
    Reported by:    madpilot, netchild, tijl
    Reviewed by:    netchild, allanjude
    Differential Revision:  https://reviews.freebsd.org/D42276
---
 usr.sbin/certctl/certctl.sh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
index b7d3a95bc7d7..2ffa94bc7db7 100755
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -67,8 +67,7 @@ cert_files_in()
        find -L "$@" -type f \( \
             -name '*.pem' -or \
             -name '*.crt' -or \
-            -name '*.cer' -or \
-            -name '*.crl' \
+            -name '*.cer' \
        \) 2>/dev/null
 }
 
@@ -114,7 +113,7 @@ create_trusted()
                otherhash=$(openssl x509 -sha1 -in "$otherfile" -noout 
-fingerprint)
                if [ "$certhash" = "$otherhash" ] ; then
                        info "Skipping untrusted certificate $hash ($otherfile)"
-                       return 1
+                       return 0
                fi
        done
        for otherfile in $(find $CERTDESTDIR -name "$hash.*") ; do
@@ -182,7 +181,7 @@ do_scan()
        IFS="$oldIFS"
        for CFILE in $(cert_files_in "$@") ; do
                verbose "Reading $CFILE"
-               case $(grep -c '^Certificate:$' "$CFILE") in
+               case $(egrep -c '^-+BEGIN CERTIFICATE-+$' "$CFILE") in
                0)
                        ;;
                1)
@@ -191,8 +190,8 @@ do_scan()
                *)
                        verbose "Multiple certificates found, splitting..."
                        SPLITDIR=$(mktemp -d)
-                       egrep '^[^#]' "$CFILE" | \
-                               split -p '^Certificate:$' - "$SPLITDIR/x"
+                       egrep '^(---|[0-9A-Za-z/+=]+$)' "$CFILE" | \
+                               split -p '^-+BEGIN CERTIFICATE-+$' - 
"$SPLITDIR/x"
                        for CERT in $(find "$SPLITDIR" -type f) ; do
                                "$CFUNC" "$CERT"
                        done

Reply via email to