Bug 250681 - certctl(8) blacklisting certificates still shown as trusted
Summary: certctl(8) blacklisting certificates still shown as trusted
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: Unspecified
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kyle Evans
URL: https://reviews.freebsd.org/D28056
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-28 03:22 UTC by corvid
Modified: 2023-02-03 14:01 UTC

See Also:


Attachments

Description corvid 2020-10-28 03:22:38 UTC
This is in 12.2-RELEASE, which is not an option yet.

I blacklisted some certificates, and "certctl blacklisted" showed them getting blacklisted, but "certctl list" would also still show them. My common sense tells me that I can’t have a certificate trusted and blacklisted at the same time.
Comment 1 Kyle Evans freebsd_committer freebsd_triage 2020-10-28 14:59:56 UTC
I think the issue here is that blacklisting a cert does not trigger a rehash, so certctl list won't reflect it until the next rehash. We should make this more proactive and actually remove it from /etc/ssl/certs, though...
Comment 2 corvid 2020-10-28 16:38:08 UTC
When I had tried rehashing yesterday, it would undo my blacklisting. Or at least so it seemed.
Comment 3 Kyle Evans freebsd_committer freebsd_triage 2020-10-28 16:51:31 UTC
(In reply to corvid from comment #2)

Oh, oh dear. =(
Comment 4 Mina Galić freebsd_triage 2023-02-01 00:54:38 UTC
let's untrust all certificates in Base:

meena@fbsd14-amd64 ~> find /usr/share/certs/trusted/ -type f | xargs -n1 sudo -H certctl untrust
Adding /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem to untrusted list
Adding /usr/share/certs/trusted/Chambers_of_Commerce_Root_-_2008.pem to untrusted list
Adding /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem to untrusted list
Adding /usr/share/certs/trusted/QuoVadis_Root_CA.pem to untrusted list
Adding /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem to untrusted list
Adding /usr/share/certs/trusted/AddTrust_External_Root.pem to untrusted list
Adding /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem to untrusted list
Adding /usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem to untrusted list
Adding /usr/share/certs/trusted/Global_Chambersign_Root_-_2008.pem to untrusted list
Adding /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem to untrusted list
Adding /usr/share/certs/trusted/D-TRUST_Root_CA_3_2013.pem to untrusted list
Adding /usr/share/certs/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem to untrusted list
Adding /usr/share/certs/trusted/Camerfirma_Chambers_of_Commerce_Root.pem to untrusted list
Adding /usr/share/certs/trusted/EC-ACC.pem to untrusted list
Adding /usr/share/certs/trusted/Camerfirma_Global_Chambersign_Root.pem to untrusted list
Adding /usr/share/certs/trusted/Trustis_FPS_Root_CA.pem to untrusted list
Adding /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem to untrusted list
Adding /usr/share/certs/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem to untrusted list
Adding /usr/share/certs/trusted/SwissSign_Platinum_CA_-_G2.pem to untrusted list
Adding /usr/share/certs/trusted/EE_Certification_Centre_Root_CA.pem to untrusted list
Adding /usr/share/certs/trusted/GeoTrust_Global_CA.pem to untrusted list
Adding /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem to untrusted list
Adding /usr/share/certs/trusted/Taiwan_GRCA.pem to untrusted list
Adding /usr/share/certs/trusted/VeriSign_Universal_Root_Certification_Authority.pem to untrusted list
Adding /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem to untrusted list
Adding /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem to untrusted list
Adding /usr/share/certs/trusted/thawte_Primary_Root_CA.pem to untrusted list
Adding /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem to untrusted list
Adding /usr/share/certs/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem to untrusted list
Adding /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem to untrusted list
Adding /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem to untrusted list
Adding /usr/share/certs/trusted/Certum_Root_CA.pem to untrusted list
Adding /usr/share/certs/trusted/GeoTrust_Universal_CA.pem to untrusted list
Adding /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem to untrusted list
Adding /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem to untrusted list
Adding /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem to untrusted list
Adding /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem to untrusted list
Adding /usr/share/certs/trusted/Sonera_Class_2_Root_CA.pem to untrusted list

worked?

meena@fbsd14-amd64 ~> certctl untrusted
Listing Untrusted Certificates:
080911ac.0      QuoVadis Root Certification Authority
0b7c536a.0      D-TRUST Root CA 3 2013
0c4c9b6c.0      Global Chambersign Root - 2008
116bf586.0      GeoTrust Primary Certification Authority - G2
128805a3.0      EE Certification Centre Root CA
1320b215.0      Symantec Class 2 Public Primary Certification Authority - G6
157753a5.0      AddTrust External CA Root
26312675.0      Symantec Class 1 Public Primary Certification Authority - G6
2c543cd1.0      GeoTrust Global CA
2e4eed3c.0      thawte Primary Root CA
349f2832.0      EC-ACC
442adcac.0      Certum CA
480720ec.0      GeoTrust Primary Certification Authority
4d4ba017.0      Symantec Class 2 Public Primary Certification Authority - G4
5a4d6896.0      Staat der Nederlanden Root CA - G3
5c44d531.0      Staat der Nederlanden Root CA - G2
62744ee1.0      Symantec Class 1 Public Primary Certification Authority - G4
6410666e.0      subject=C = TW, O = Government Root Certification Authority
7d0b38bd.0      VeriSign Class 3 Public Primary Certification Authority - G4
861a399d.0      AddTrust Class 1 CA Root
8867006a.0      GeoTrust Universal CA 2
9c2e7d30.0      Sonera Class2 CA
a8dee976.0      SwissSign Platinum CA - G2
ad088e1d.0      GeoTrust Universal CA
b1b8a7f3.0      OISTE WISeKey Global Root GA CA
b204d74a.0      VeriSign Class 3 Public Primary Certification Authority - G5
ba89ed3b.0      thawte Primary Root CA - G3
c01cdfa2.0      VeriSign Universal Root Certification Authority
c089bbbd.0      thawte Primary Root CA - G2
c0ff1f52.0      VeriSign Class 3 Public Primary Certification Authority - G3
c47d9980.0      Chambers of Commerce Root - 2008
cb59f961.0      Global Chambersign Root
d853d49e.0      subject=C = GB, O = Trustis Limited, OU = Trustis FPS Root CA
dc45b0bd.0      VeriSign Class 2 Public Primary Certification Authority - G3
def36a68.0      LuxTrust Global Root 2
e2799e36.0      GeoTrust Primary Certification Authority - G3
ee1365c0.0      VeriSign Class 1 Public Primary Certification Authority - G3
f90208f7.0      Chambers of Commerce Root

meena@fbsd14-amd64 ~> sudo -H certctl rehash
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...

meena@fbsd14-amd64 ~> sudo -H certctl list
Listing Trusted Certificates:
080911ac.0      QuoVadis Root Certification Authority
0b7c536a.0      D-TRUST Root CA 3 2013
0c4c9b6c.0      Global Chambersign Root - 2008
116bf586.0      GeoTrust Primary Certification Authority - G2
128805a3.0      EE Certification Centre Root CA
1320b215.0      Symantec Class 2 Public Primary Certification Authority - G6
157753a5.0      AddTrust External CA Root
26312675.0      Symantec Class 1 Public Primary Certification Authority - G6
2c543cd1.0      GeoTrust Global CA
2e4eed3c.0      thawte Primary Root CA
349f2832.0      EC-ACC
442adcac.0      Certum CA
480720ec.0      GeoTrust Primary Certification Authority
4d4ba017.0      Symantec Class 2 Public Primary Certification Authority - G4
5a4d6896.0      Staat der Nederlanden Root CA - G3
5c44d531.0      Staat der Nederlanden Root CA - G2
62744ee1.0      Symantec Class 1 Public Primary Certification Authority - G4
6410666e.0      subject=C = TW, O = Government Root Certification Authority
7d0b38bd.0      VeriSign Class 3 Public Primary Certification Authority - G4
861a399d.0      AddTrust Class 1 CA Root
8867006a.0      GeoTrust Universal CA 2
9c2e7d30.0      Sonera Class2 CA
a8dee976.0      SwissSign Platinum CA - G2
ad088e1d.0      GeoTrust Universal CA
b1b8a7f3.0      OISTE WISeKey Global Root GA CA
b204d74a.0      VeriSign Class 3 Public Primary Certification Authority - G5
ba89ed3b.0      thawte Primary Root CA - G3
c01cdfa2.0      VeriSign Universal Root Certification Authority
c089bbbd.0      thawte Primary Root CA - G2
c0ff1f52.0      VeriSign Class 3 Public Primary Certification Authority - G3
c47d9980.0      Chambers of Commerce Root - 2008
c622f41b.0      minica root ca 083271
cb59f961.0      Global Chambersign Root
cd8c0d63.0      subject=C = ES, O = FNMT-RCM, OU = AC RAIZ FNMT-RCM
d853d49e.0      subject=C = GB, O = Trustis Limited, OU = Trustis FPS Root CA
dc45b0bd.0      VeriSign Class 2 Public Primary Certification Authority - G3
def36a68.0      LuxTrust Global Root 2
e2799e36.0      GeoTrust Primary Certification Authority - G3
ee1365c0.0      VeriSign Class 1 Public Primary Certification Authority - G3
f90208f7.0      Chambers of Commerce Root
nope, they are trusted and untrusted at the same time.
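The state shown in Comment 4 (and the mechanism Kyle Evans describes in Comment 1, an untrust that is not reflected in /etc/ssl/certs until a rehash, and then not even by the rehash) is easy to miss because "certctl list" and "certctl untrusted" are read separately. The script below is an added example, not certctl's own code and not part of this bug report: it walks the trusted hash directory and reports every entry whose basename also exists in the untrusted directory with identical PEM bytes, which is exactly what the two listings above show for entries such as 080911ac.0. The trusted directory /etc/ssl/certs is the one named in Comment 1; the untrusted default /etc/ssl/untrusted and the CERTDESTDIR / UNTRUSTDESTDIR variable names are assumptions borrowed from certctl's configuration and may need adjusting for a given release. The sample store it builds is constructed, with placeholder PEM bodies rather than real certificates.

```shell
#!/bin/sh
# Added example, not part of certctl(8) or the FreeBSD bug report: detect the
# state Comment 4 shows, a hash entry present in both the trusted and the
# untrusted certificate directories after "certctl rehash".
#
# Assumptions (not taken from the page): the untrusted directory defaults to
# /etc/ssl/untrusted, and the CERTDESTDIR / UNTRUSTDESTDIR variable names are
# borrowed from certctl's configuration; adjust them for your release.
# The trusted directory /etc/ssl/certs is the one named in Comment 1.

# find_double_trusted TRUSTED_DIR UNTRUSTED_DIR
# certctl names entries by subject hash (e.g. 080911ac.0) in both
# directories, so the same basename in both places is the suspect.  cmp
# confirms the two files carry the same PEM bytes, which rules out two
# different certificates that merely share the short hash.
# Prints one matching name per line; prints nothing for a consistent store.
find_double_trusted() {
    trusted=$1
    untrusted=$2
    for f in "$trusted"/*.[0-9]*; do
        [ -e "$f" ] || continue     # no entries: the glob did not expand
        name=$(basename "$f")
        if [ -e "$untrusted/$name" ] && cmp -s "$f" "$untrusted/$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# check_store TRUSTED_DIR UNTRUSTED_DIR
# Exit status 0 when no entry is trusted and untrusted at the same time,
# 1 otherwise (offending names on stderr), so it can gate a post-rehash
# step in a provisioning script.
check_store() {
    dups=$(find_double_trusted "$1" "$2")
    if [ -n "$dups" ]; then
        printf 'inconsistent trust store, trusted and untrusted at once:\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# make_fixture
# Builds a constructed sample store in a temporary directory that reproduces
# the bug: two hash names from Comment 4 appear in both directories, one
# entry is only trusted and one is only untrusted.  The PEM bodies are
# placeholder strings, not real certificates.  Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/certs" "$root/untrusted" "$root/empty"
    for name in 080911ac.0 0b7c536a.0 c622f41b.0; do
        printf -- '-----BEGIN CERTIFICATE-----\nSAMPLE %s\n-----END CERTIFICATE-----\n' \
            "$name" > "$root/certs/$name"
    done
    cp "$root/certs/080911ac.0" "$root/untrusted/080911ac.0"
    cp "$root/certs/0b7c536a.0" "$root/untrusted/0b7c536a.0"
    printf -- '-----BEGIN CERTIFICATE-----\nSAMPLE only-untrusted\n-----END CERTIFICATE-----\n' \
        > "$root/untrusted/def36a68.0"
    printf '%s\n' "$root"
}

# With --system, check the live store (assumed default paths, overridable);
# otherwise run against the constructed fixture so the example works offline.
if [ "${1:-}" = "--system" ]; then
    check_store "${CERTDESTDIR:-/etc/ssl/certs}" "${UNTRUSTDESTDIR:-/etc/ssl/untrusted}"
else
    fixture=$(make_fixture)
    check_store "$fixture/certs" "$fixture/untrusted" \
        || echo "fixture reproduces the bug, as expected"
    check_store "$fixture/certs" "$fixture/empty" && echo "empty untrusted dir: consistent"
    rm -rf "$fixture"
fi
```

Run it with no arguments to see the constructed reproduction, or with `--system` (and, if needed, `CERTDESTDIR`/`UNTRUSTDESTDIR` in the environment) right after `certctl rehash` to confirm that an untrust actually left the trusted directory. Matching on basename plus byte-identical contents is deliberate: a stronger check would compare SHA-256 fingerprints with `openssl x509 -fingerprint`, but the filename-plus-cmp form needs nothing beyond the base system and mirrors how certctl itself keys the two directories.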
Comment 5 Mina Galić freebsd_triage 2023-02-03 14:01:12 UTC
added a patch here, for at least addressing the behaviour I'm seeing: https://reviews.freebsd.org/D38370