History log of /src/usr.sbin/certctl/certctl.8 (Results 1 – 25 of 54)
Revision Date Author Comments
# 5c7176bb 05-Dec-2025 Jose Luis Duran <jlduran@FreeBSD.org>

certctl.8: Prefer the new TRUSTDESTDIR variable

With the reimplementation in C of certctl, the environment variable
previously known as CERTDESTDIR was renamed to TRUSTDESTDIR for
consistency.

Although the previous variable is still valid, prefer the new one, as it
is described in the manual page, while the old one is not.

Reviewed by: des
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D54044


# ec8e07e8 14-Oct-2025 Mark Johnston <markj@FreeBSD.org>

certctl.8: Update documentation of BUNDLE

- Fix a typo.
- Provide the default path.

Reviewed by: des
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53001


# c340ef28 18-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.

* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.
This allows e.g. Unbound to preload the bundle before chrooting.

* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.

* We now also have tests.

Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896


# 31ac42b4 17-Aug-2025 Colin Percival <cperciva@FreeBSD.org>

Revert certctl reimplementation and follow-ups

The reimplementation of certctl, while much needed, broke the release
build and 72 hours later corrections are still under review (D51896).

This revert should be reverted once that is ready to land; I just need
this out of the tree temporarily because breakage is interfering with
release engineering for the upcoming 15.0-RELEASE.

Unsquashed reversions:
Revert "etc: add missing mtree entry for certctl tests"
This reverts commit f751757259158a8d3b81d4fb7576b3ebe226dece.
Revert "certctl: Fix bootstrap build"
This reverts commit c989e3cc3da1bfd8ac3ec5a05d1e86ab8ff719f7.
Revert "certctl: Reimplement in C"
This reverts commit 81d8827ad8752e35411204541f1f09df1481e417.

With hat: re@


# 2f8bbfe5 13-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

Revert "certctl: Fix bootstrap build"

This reverts commit 42ac41983ee184e818f6e8da791a5c6c7530f87e.


# 42ac4198 13-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Fix bootstrap build

Fixes: 81d8827ad875 ("certctl: Reimplement in C")


# 81d8827a 13-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.

* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.

* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.

* The DISTBASE concept has been dropped; the same effect can be achieved
by adjusting DESTDIR.

* We now also have rudimentary tests.

Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42320


# 92b9f43c 17-Jul-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Add an option to copy files.

This is slower than linking but is the only method that works for all
cases, including running certctl from outside a jail that does not
contain the raw certificate data.

While here, fix a bug that occurs in unprivileged mode if DESTDIR
is unset or the root directory.

MFC after: 1 week
Reviewed by: dfr
Differential Revision: https://reviews.freebsd.org/D51373


# def6ee77 16-Oct-2023 Brooks Davis <brooks@FreeBSD.org>

certctl.8: document LOCALBASE

Document the LOCALBASE variable and that it's set to user.localbase by
default. Update path defaults that depend on it.

Reviewed by: bcr
Differential Revision: https://reviews.freebsd.org/D40529


# fa9896e0 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/


# 4d846d26 10-May-2023 Warner Losh <imp@FreeBSD.org>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix


# 232cf6be 14-Jul-2022 Jessica Clarke <jrtc27@FreeBSD.org>

certctl: Introduce a new -d <distbase> option

This will be used by Makefile.inc1 to fix -DNO_ROOT distributeworld,
which needs to split out DESTDIR from DISTBASE so the METALOG file
includes the base/ prefix.

Reviewed by: kevans
Obtained from: CheriBSD
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35808


# 64e6e1e4 18-Jun-2021 Ceri Davies <ceri@FreeBSD.org>

secure/caroot, certctl: Rename secure/caroot/blacklisted

Old certctl commands still work for compatibility, but are deprecated.

Approved by: secteam (gordon)
Differential Revision: https://reviews.freebsd.org/D30807


# 0199cbf6 07-Jan-2021 Mateusz Piotrowski <0mp@FreeBSD.org>

Fix a typo

MFC after: 3 days


# b0763b5d 30-May-2020 Mark Johnston <markj@FreeBSD.org>

certctl.8: Correct the HISTORY section.

certctl was merged to stable/12 after 12.1 was branched.

PR: 246190
Reported by: Michael Osipov <michael.osipov@siemens.com>
MFC after: 3 days


# 48e9fb85 22-May-2020 Brooks Davis <brooks@FreeBSD.org>

Add an unprivileged mode where calls to install are passed appropriate
flags. For ease of integration, use the same flags as install:

-U unprivileged mode
-D <destdir> Specify DESTDIR (overrides the environment)
-M <metalog> Full path to METALOG file

Reviewed by: kevans
Obtained from: CheriBSD
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D24932


# 8b3bc70a 08-Oct-2019 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r352764 through r353315.


# ccdcb388 02-Oct-2019 Kyle Evans <kevans@FreeBSD.org>

[2/3] Add certctl(8)

This is a simple utility to hash all trusted on the system into
/etc/ssl/certs. It also allows the user to blacklist certificates they do
not trust.

This work was done primarily by allanjude@, with minor contributions by
myself.

No objection from: secteam
Differential Revision: https://reviews.freebsd.org/D16857
