03221b18 | 22-Aug-2025 | Dag-Erling Smørgrav <des@FreeBSD.org>
certctl: Create output directories
In a pkgbase world, we cannot assume that these directories exist; we must create them ourselves.
Fixes: c340ef28fd38 ("certctl: Reimplement in C")
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52121
c340ef28 | 18-Aug-2025 | Dag-Erling Smørgrav <des@FreeBSD.org>
certctl: Reimplement in C
Notable changes include:
* We no longer forget manually untrusted certificates when rehashing.
* Rehash will now scan the existing directory and progressively replace its contents with those of the new trust store. The trust store as a whole is not replaced atomically, but each file within it is.
* We no longer attempt to link to the original files, but we don't copy them either. Instead, we write each certificate out in its minimal form.
* We now generate a trust bundle in addition to the hashed directory. This also contains only the minimal DER form of each certificate. This allows e.g. Unbound to preload the bundle before chrooting.
* The C version is approximately two orders of magnitude faster than the sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether ca_root_nss is installed.
* We now also have tests.
Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896