certctl: Create output directories

In a pkgbase world, we cannot assume that these directories exist; we
must create them ourselves.

Fixes: c340ef28fd38 ("certctl: Reimplement in C")
Reviewed by:

certctl: Create output directories

In a pkgbase world, we cannot assume that these directories exist; we
must create them ourselves.

Fixes: c340ef28fd38 ("certctl: Reimplement in C")
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52121

show more ...

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
i

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.

* We now generate a trust bundle in addition to the hashed diretory.
This also contains only the minimal DER form of each certificate.
This allows e.g. Unbound to preload the bundle before chrooting.

* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.

* We now also have tests.

Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896

show more ...

Revert certctl reimplementation and follow-ups

The reimplementation of certctl, while much needed, broke the release
build and 72 hours later corrections are still under review (D51896).

This rever

Revert certctl reimplementation and follow-ups

The reimplementation of certctl, while much needed, broke the release
build and 72 hours later corrections are still under review (D51896).

This revert should be reverted once that is ready to land; I just need
this out of the tree temporarily because breakage is interfering with
release engineering for the upcoming 15.0-RELEASE.

Unsquashed reversions:
Revert "etc: add missing mtree entry for certctl tests"
This reverts commit f751757259158a8d3b81d4fb7576b3ebe226dece.
Revert "certctl: Fix bootstrap build"
This reverts commit c989e3cc3da1bfd8ac3ec5a05d1e86ab8ff719f7.
Revert "certctl: Reimplement in C"
This reverts commit 81d8827ad8752e35411204541f1f09df1481e417.

With hat: re@

show more ...

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
i

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.

* We now generate a trust bundle in addition to the hashed diretory.
This also contains only the minimal DER form of each certificate.

* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.

* The DISTBASE concept has been dropped; the same effect can be achieved
by adjusting DESTDIR.

* We now also have rudimentary tests.

Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42320

show more ...