#!/bin/sh
#
# $NetBSD: certctl_init,v 1.3 2023/12/25 07:46:12 kre Exp $
#
# PROVIDE: certctl_init
# REQUIRE: mountcritremote
#
# This script ensures that we run `certctl rehash' on first boot of a
# live image to configure TLS trust anchors for OpenSSL in
# /etc/openssl/certs.  We do this only on first boot, by testing whether
# /etc/openssl/certs is an empty directory (or does not exist yet).
#
# Requires mountcritremote for /usr/sbin/certctl.
#
# This is a stop-gap measure to ensure we get TLS trust anchors with
# live images, which we can't prepare at build time because the
# preparation requires running openssl(1) as a tool.  This stop-gap
# measure should perhaps be replaced by a more general-purpose way to
# run postinstall on first boot of the image, but that's a riskier
# proposition to implement on short notice for netbsd-10.
# Conventional rc.d idiom: source rc.subr unless it is already loaded.
# $_rc_subr_loaded is deliberately unquoted; it is expected to expand to
# nothing (first load) or to a no-op command (already loaded) — see
# rc.subr(8) for the exact contract.
$_rc_subr_loaded . /etc/rc.subr

name=certctl_init
rcvar=$name
# Nothing to undo at shutdown; the trust-anchor directory stays as is.
stop_cmd=:
start_cmd=certctl_init
certctl_init()
{
	# Populate /etc/openssl/certs with TLS trust anchors on the first
	# boot of a live image.  "First boot" is detected solely by the
	# target path being absent or an empty directory; anything else is
	# treated as already configured (or administrator-managed) and is
	# left untouched.  Returns the status of `certctl rehash' when it
	# runs, and success when there was nothing to do.
	local certsdir

	certsdir=/etc/openssl/certs

	# A symlink, dangling or not, means the certs directory has been
	# redirected elsewhere: do not follow it and do not touch it.
	if [ -h "$certsdir" ]; then
		return
	fi

	# Something exists at that path but it is not a directory: leave
	# it alone rather than clobber it.
	if [ -e "$certsdir" ] && ! [ -d "$certsdir" ]; then
		return
	fi

	# A directory that already has entries has been configured.  The
	# find(1) invocation uses NetBSD's -f and -exit primaries: it exits
	# with status 1 only when the directory is empty, so the test as a
	# whole is true exactly for a nonempty directory.
	if [ -d "$certsdir" ] &&
	    find -f "$certsdir" -- -maxdepth 0 -type d -empty -exit 1
	then
		return
	fi

	# Nonexistent or empty directory: first boot, so build the trust
	# anchors now.  The exit status of certctl(8) becomes ours.
	echo "Configuring TLS trust anchors."
	certctl rehash
}
# Read /etc/rc.conf settings for this script (certctl_init=YES/NO), then
# dispatch on the requested action (start/stop/...).
load_rc_config "$name"
run_rc_command "$1"