certctl: Unstickify (un)trusted certificates

Ever since certctl was rewritten in C, the rehash command has reingested
TRUSTDESTDIR / UNTRUSTDESTDIR in addition to TRUSTPATH / UNTRUSTPATH.
This seemed like a good idea at the time but was, in retrospect, a
mistake, as it means a (un)trusted certificate remains (un)trusted
forever (or at least until it expires) even if it is removed from
(UN)TRUSTPATH. Among other issues, it causes ports QA to fail for any
port that either installs certificates or depends on a port that does.

Although this behavior was undocumented, the change may surprise users
who have added certificates manually, so update the manual page to point
it out and add prominent warnings to the trust and untrust commands.

PR: 290078
MFC after: 1 week
Reviewed by: kevans, bcr
Differential Revision: https://reviews.freebsd.org/D56617

certctl: Create output directories

In a pkgbase world, we cannot assume that these directories exist; we
must create them ourselves.

Fixes: c340ef28fd38 ("certctl: Reimplement in C")
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52121

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
  its contents with those of the new trust store. The trust store as a
  whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
  them either. Instead, we write each certificate out in its minimal
  form.

* We now generate a trust bundle in addition to the hashed directory.
  This also contains only the minimal DER form of each certificate.
  This allows e.g. Unbound to preload the bundle before chrooting.

* The C version is approximately two orders of magnitude faster than the
  sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
  ca_root_nss is installed.

* We now also have tests.

Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896

Revert certctl reimplementation and follow-ups

The reimplementation of certctl, while much needed, broke the release
build and 72 hours later corrections are still under review (D51896).

This revert should be reverted once that is ready to land; I just need
this out of the tree temporarily because breakage is interfering with
release engineering for the upcoming 15.0-RELEASE.

Unsquashed reversions:

Revert "etc: add missing mtree entry for certctl tests"
This reverts commit f751757259158a8d3b81d4fb7576b3ebe226dece.

Revert "certctl: Fix bootstrap build"
This reverts commit c989e3cc3da1bfd8ac3ec5a05d1e86ab8ff719f7.

Revert "certctl: Reimplement in C"
This reverts commit 81d8827ad8752e35411204541f1f09df1481e417.

With hat: re@

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
  its contents with those of the new trust store. The trust store as a
  whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
  them either. Instead, we write each certificate out in its minimal
  form.

* We now generate a trust bundle in addition to the hashed directory.
  This also contains only the minimal DER form of each certificate.

* The C version is approximately two orders of magnitude faster than the
  sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
  ca_root_nss is installed.

* The DISTBASE concept has been dropped; the same effect can be achieved
  by adjusting DESTDIR.

* We now also have rudimentary tests.

Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42320