/etc/ssl/cert.pem : concatenate system and local files
Hi,
Following previous discussion on misc@ about how to add private trusted
certificate authorities on OpenBSD, I tried to look at it.
The following diff does:
- installing the trusted cert.pem (from lib/libcrypto) as cert.base.pem
- in rc(8), generate cert.pem from cert.base.pem (the system one) and
cert.local.pem (the local file)
The rest is about using cert.base.pem for the installer and for rc (the
libssl.so relinking check).
misc@ discussion : https://marc.info/?l=openbsd-misc&m=177808544804485&w=2
Comments ?
--
Sebastien Marie
diff --git a/distrib/amd64/ramdisk_cd/list b/distrib/amd64/ramdisk_cd/list
index 2daf2d018e..88e2461bef 100644
--- a/distrib/amd64/ramdisk_cd/list
+++ b/distrib/amd64/ramdisk_cd/list
@@ -69,7 +69,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/arm64/ramdisk/list b/distrib/arm64/ramdisk/list
index 3a8ae2e6dd..e820b3d4f7 100644
--- a/distrib/arm64/ramdisk/list
+++ b/distrib/arm64/ramdisk/list
@@ -70,7 +70,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/armv7/ramdisk/list b/distrib/armv7/ramdisk/list
index a0f50dd607..b0745aa85a 100644
--- a/distrib/armv7/ramdisk/list
+++ b/distrib/armv7/ramdisk/list
@@ -69,7 +69,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/hppa/ramdisk/list b/distrib/hppa/ramdisk/list
index f6a78a103f..db2e4c4227 100644
--- a/distrib/hppa/ramdisk/list
+++ b/distrib/hppa/ramdisk/list
@@ -61,7 +61,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/i386/ramdisk_cd/list b/distrib/i386/ramdisk_cd/list
index d582b5bdff..1feed9ae90 100644
--- a/distrib/i386/ramdisk_cd/list
+++ b/distrib/i386/ramdisk_cd/list
@@ -66,7 +66,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/macppc/ramdisk/list b/distrib/macppc/ramdisk/list
index 62d9d91dd6..63425b9021 100644
--- a/distrib/macppc/ramdisk/list
+++ b/distrib/macppc/ramdisk/list
@@ -67,7 +67,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub
index 983881cfb3..a5f25ced10 100644
--- a/distrib/miniroot/install.sub
+++ b/distrib/miniroot/install.sub
@@ -3662,7 +3662,8 @@
[[ $1 == -!(stable) ]] && HTTP_SETDIR=snapshots/$ARCH
# Detect if ftp(1) has tls support and set defaults based on that.
-if [[ -e /etc/ssl/cert.pem ]]; then
+if [[ -e /etc/ssl/cert.base.pem ]]; then
+ ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem
FTP_TLS=true
HTTP_PROTO=https
else
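Review bot: The new `ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem` is not checked, so if the link cannot be made the installer still sets FTP_TLS=true and HTTP_PROTO=https against a missing cert.pem, and every TLS fetch that follows fails for a reason that is hard to trace back here. Folding the link into the condition keeps the TLS defaults tied to a usable cert.pem: `if [[ -e /etc/ssl/cert.base.pem ]] && ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem; then`. The `if` closes outside the hunk.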
diff --git a/distrib/octeon/ramdisk/list b/distrib/octeon/ramdisk/list
index 10638a6d6f..9260ec11c7 100644
--- a/distrib/octeon/ramdisk/list
+++ b/distrib/octeon/ramdisk/list
@@ -65,7 +65,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/powerpc64/ramdisk/list b/distrib/powerpc64/ramdisk/list
index 8ae92b67a4..0291e02071 100644
--- a/distrib/powerpc64/ramdisk/list
+++ b/distrib/powerpc64/ramdisk/list
@@ -68,7 +68,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/riscv64/ramdisk/list b/distrib/riscv64/ramdisk/list
index d04c6addcd..832d58174d 100644
--- a/distrib/riscv64/ramdisk/list
+++ b/distrib/riscv64/ramdisk/list
@@ -67,7 +67,7 @@
ARGVLINK ksh -sh
SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
LINK instbin usr/bin/ftp-ssl usr/bin/ftp
SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/sets/lists/etc/mi b/distrib/sets/lists/etc/mi
index 2be6c70eb6..57a64e025c 100644
--- a/distrib/sets/lists/etc/mi
+++ b/distrib/sets/lists/etc/mi
@@ -37,7 +37,7 @@
./etc/spwd.db
./etc/ssh/ssh_config
./etc/ssh/sshd_config
-./etc/ssl/cert.pem
+./etc/ssl/cert.base.pem
./etc/ssl/ikeca.cnf
./etc/ssl/openssl.cnf
./etc/ssl/x509v3.cnf
diff --git a/etc/changelist b/etc/changelist
index 0dc0188b18..6da8ad922e 100644
--- a/etc/changelist
+++ b/etc/changelist
@@ -148,7 +148,8 @@
+/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/sshd_config
-/etc/ssl/cert.pem
+/etc/ssl/cert.base.pem
+/etc/ssl/cert.local.pem
/etc/suid_profile
/etc/sysctl.conf
/etc/syslog.conf
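Review bot: Dropping /etc/ssl/cert.pem from changelist removes the file that libcrypto actually consults from the daily security(8) report, while only its two inputs are tracked. Since rc rewrites cert.pem from cert.base.pem and cert.local.pem at boot, a change made directly to cert.pem stays in effect until the next reboot and, with this list, is not reported. Keeping `/etc/ssl/cert.pem` in the list next to the two new entries costs nothing on a regenerated-but-identical file, because changelist compares content, and preserves visibility into the effective trust store.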
diff --git a/etc/rc b/etc/rc
index 53ceedd713..fa1b560aa2 100644
--- a/etc/rc
+++ b/etc/rc
@@ -227,7 +227,7 @@
[[ -s $_lib ]] && file $_lib | fgrep -q 'shared object'
LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN {exit 0}'
LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir openssl \
- x509 -in /etc/ssl/cert.pem -out /dev/null
+ x509 -in /etc/ssl/cert.base.pem -out /dev/null
$_install $_lib $_lib_dir/$_lib
fi
) || { _error=true; break; }
@@ -348,6 +348,33 @@
esac
}
+# Regenerate /etc/ssl/cert.pem from base and local files.
+regen_ssl_cert_pem() {
+ cert_tmp=$(mktemp -t /etc/ssl cert.pem.XXXXXXXX) && {
+
+ # always use cert.base.pem as base file
+ cat /etc/ssl/cert.base.pem >${cert_tmp}
+
+ # append cert.local.pem to cert.pem if exists
+ [ -r /etc/ssl/cert.local.pem ] && \
+ cat /etc/ssl/cert.local.pem >>${cert_tmp}
+
+ # check the resulting file is valid
+ if openssl x509 -in ${cert_tmp} -out /dev/null ; then
+ # pivot to cert.pem file
+ mv -f ${cert_tmp} /etc/ssl/cert.pem
+ else
+ rm -f ${cert_tmp}
+ fi
+ }
+
+ # ensure we have a cert.pem file
+ if [ ! -e /etc/ssl/cert.pem ] ; then
+ echo "error: fallback to default cert.pem" >&2
+ ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem
+ fi
+}
+
# End subroutines.
stty status '^T'
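Review bot: `mv -f ${cert_tmp} /etc/ssl/cert.pem` installs the file with the 0600 mode that mktemp(1) gave it, so the regenerated /etc/ssl/cert.pem becomes root-only, whereas the libcrypto Makefile installs it with `-m 444` and unprivileged TLS clients need to read it; add `chmod 444 ${cert_tmp}` before the mv. Unless I misread mktemp(1), `-t` takes no argument and rejects a prefix containing a directory separator, so `mktemp -t /etc/ssl cert.pem.XXXXXXXX` likely fails and the function always ends in the fallback branch with cert.local.pem never appended; `mktemp -p /etc/ssl cert.pem.XXXXXXXX` is the form that picks the directory. Creating the temporary file in /etc/ssl rather than TMPDIR also matters for safety: it keeps the final mv a same-filesystem rename, so a crash mid-way cannot leave a partially written cert.pem. `openssl x509 -in` parses only the first certificate in the file, so the validity check cannot notice a malformed cert.local.pem block appended after the base bundle; a comment such as `# NOTE: only the first PEM block is checked; a bad cert.local.pem is not detected here` would at least make that explicit. `cert_tmp` leaks into the global namespace; consider `local _cert_tmp`, following the `_`-prefixed naming the neighbouring subroutines use (`_lib`, `_tmpdir`, `_error`).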
@@ -503,6 +530,8 @@
mount -s /var/log >/dev/null 2>&1 # cannot be on NFS
mount -s /usr >/dev/null 2>&1 # if NFS, fstab must use IP address
+regen_ssl_cert_pem
+
reorder_libs 2>&1 |&
start_daemon slaacd dhcpleased resolvd >/dev/null 2>&1
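Review bot: The placement of `regen_ssl_cert_pem` right after `mount -s /usr` is load-bearing but undocumented: the function depends on mktemp(1) and openssl(1) from /usr/bin, and if it were ever moved above the mount it would silently take the fallback branch and cert.local.pem would never be merged. A one-line comment above the call, `# needs /usr mounted for mktemp(1) and openssl(1); must run before reorder_libs`, records both constraints for the next person reordering this section.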
diff --git a/lib/libcrypto/Makefile b/lib/libcrypto/Makefile
index 92866400c2..cbac0b8090 100644
--- a/lib/libcrypto/Makefile
+++ b/lib/libcrypto/Makefile
@@ -748,7 +748,7 @@
${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
${.CURDIR}/openssl.cnf ${DESTDIR}/etc/ssl/openssl.cnf && \
${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
- ${.CURDIR}/cert.pem ${DESTDIR}/etc/ssl/cert.pem && \
+ ${.CURDIR}/cert.pem ${DESTDIR}/etc/ssl/cert.base.pem && \
${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
${.CURDIR}/x509v3.cnf ${DESTDIR}/etc/ssl/x509v3.cnf