History log of /freebsd/usr.sbin/certctl/Makefile (Results 1 – 12 of 12)
Revision Date Author Comments
# c340ef28 18-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.

* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.
This allows e.g. Unbound to preload the bundle before chrooting.

* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.

* We now also have tests.

Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896


# 31ac42b4 17-Aug-2025 Colin Percival <cperciva@FreeBSD.org>

Revert certctl reimplementation and follow-ups

The reimplementation of certctl, while much needed, broke the release
build and 72 hours later corrections are still under review (D51896).

This revert should be reverted once that is ready to land; I just need
this out of the tree temporarily because breakage is interfering with
release engineering for the upcoming 15.0-RELEASE.

Unsquashed reversions:
Revert "etc: add missing mtree entry for certctl tests"
This reverts commit f751757259158a8d3b81d4fb7576b3ebe226dece.
Revert "certctl: Fix bootstrap build"
This reverts commit c989e3cc3da1bfd8ac3ec5a05d1e86ab8ff719f7.
Revert "certctl: Reimplement in C"
This reverts commit 81d8827ad8752e35411204541f1f09df1481e417.

With hat: re@


# c989e3cc 14-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Fix bootstrap build

Fixes: 81d8827ad875 ("certctl: Reimplement in C")


# 2f8bbfe5 14-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

Revert "certctl: Fix bootstrap build"

This reverts commit 42ac41983ee184e818f6e8da791a5c6c7530f87e.


# 42ac4198 14-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Fix bootstrap build

Fixes: 81d8827ad875 ("certctl: Reimplement in C")


# 81d8827a 14-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.

* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.

* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.

* The DISTBASE concept has been dropped; the same effect can be achieved
by adjusting DESTDIR.

* We now also have rudimentary tests.

Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42320


Revision tags: release/13.5.0-p3, release/14.2.0-p5, release/14.3.0-p2, release/14.3.0-p1, release/14.2.0-p4, release/13.5.0-p2, release/14.3.0, release/13.4.0-p5, release/13.5.0-p1, release/14.2.0-p3, release/13.5.0, release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4, release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3, release/14.2.0, release/13.4.0
# e9ac4169 15-Jul-2024 Warner Losh <imp@FreeBSD.org>

Remove residual blank line at start of Makefile

This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix


Revision tags: release/14.1.0, release/13.3.0, release/14.0.0
# d0b2dbfa 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/


# 1d7ffb37 31-Jul-2023 Doug Rabson <dfr@FreeBSD.org>

pkgbase: reorganise caroot and openssl packages

This splits out the certctl utility into a new certctl package and the
openssl libs into an openssl-lib package.

PR: 272816
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D41321


Revision tags: release/13.2.0, release/12.4.0, release/13.1.0
# 380073af 15-Dec-2021 Emmanuel Vadot <manu@FreeBSD.org>

pkgbase: Put certctl in the FreeBSD-caroot package

There is no reason that this shouldn't be there.
Change the dependency of caroot from utilities to openssl as it's
the only command that it uses not in runtime.

MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33458


Revision tags: release/12.3.0, release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0
# 8b3bc70a 08-Oct-2019 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r352764 through r353315.


# ccdcb388 02-Oct-2019 Kyle Evans <kevans@FreeBSD.org>

[2/3] Add certctl(8)

This is a simple utility to hash all trusted on the system into
/etc/ssl/certs. It also allows the user to blacklist certificates they do
not trust.

This work was done primarily by allanjude@, with minor contributions by
myself.

No objection from: secteam
Differential Revision: https://reviews.freebsd.org/D16857
