Author: kevans
Date: Thu Oct  3 20:45:52 2019
New Revision: 353070
URL: https://svnweb.freebsd.org/changeset/base/353070

Log:
  certctl(8): let one blacklist based on hashed filenames
  
  It seems reasonable to allow, for instance:
  
  $ certctl list
  # reviews output -- ah, yeah, I don't trust that one
  $ certctl blacklist ce5e74ef.0
  $ certctl rehash
  
  We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've
  described it to them in `certctl list` output -- I see little sense in
  forcing another level of filesystem inspection to determine what cert file
  this physically corresponds to.

Modified:
  head/usr.sbin/certctl/certctl.sh

Modified: head/usr.sbin/certctl/certctl.sh
==============================================================================
--- head/usr.sbin/certctl/certctl.sh    Thu Oct  3 20:39:17 2019        
(r353069)
+++ head/usr.sbin/certctl/certctl.sh    Thu Oct  3 20:45:52 2019        
(r353070)
@@ -74,11 +74,21 @@ create_trusted_link()
 
 create_blacklisted()
 {
-       local hash
+       local hash srcfile filename
 
-       hash=$( do_hash "$1" ) || return
-       [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to blacklist"
-       [ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$BLACKLISTDESTDIR/$hash.0"
+       # If it exists as a file, we'll try that; otherwise, we'll scan
+       if [ -e "$1" ]; then
+               hash=$( do_hash "$1" ) || return
+               srcfile=$(realpath "$1")
+               filename="$hash.0"
+       elif [ -e "${CERTDESTDIR}/$1" ];  then
+               srcfile=$(realpath "${CERTDESTDIR}/$1")
+               filename="$1"
+       else
+               return
+       fi
+       [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
+       [ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename"
 }
 
 do_scan()
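Review bot: The new `else` branch returns silently with status 0, so a name that matches neither an existing file nor an entry under `${CERTDESTDIR}` (a typo such as `ce5e74ef.O`) prints nothing and the caller cannot tell that nothing was blacklisted, whereas the old code at least failed through `do_hash`. Consider `echo "$1: no such file or certificate" >&2; return 1` there, assuming the calling loop (outside the hunk) propagates the status. The scan branch also uses `$1` verbatim both as the path component under `${CERTDESTDIR}` and as the link name under `$BLACKLISTDESTDIR`, so a value containing `/` or `..` is resolved rather than rejected; since the log describes hashed names of the form `ce5e74ef.0`, a shape check at the top of the `elif` branch such as `case "$1" in *[!0-9a-f.]*) return 1 ;; esac` would keep that lookup to what the feature intends. Finally, both `srcfile=$(realpath ...)` assignments lack the `|| return` that the neighbouring `do_hash` call has, so a `realpath` failure reaches `ln -fs` with an empty source.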