History log of /src/usr.sbin/certctl/certctl.c (Results 1 – 24 of 24)
Revision Date Author Comments
# 2024887a 09-Sep-2025 Mark Johnston <markj@FreeBSD.org>

certctl: Include sys/types.h

This is needed to fix bootstrapping on FreeBSD versions before commit
56ee5c551f89 ("sysctl: make sys/sysctl.h self contained"). Moreover,
certctl should really be including sys/types.h directly since it uses
size_t.

MFC after: 1 week


# 26d56dec 09-Sep-2025 Jessica Clarke <jrtc27@FreeBSD.org>

certctl: Use __DECONST rather than reimplementing


# 03221b18 22-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Create output directories

In a pkgbase world, we cannot assume that these directories exist; we
must create them ourselves.

Fixes: c340ef28fd38 ("certctl: Reimplement in C")
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52121


# c340ef28 18-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.

* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.
This allows e.g. Unbound to preload the bundle before chrooting.

* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.

* We now also have tests.

Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896


# c989e3cc 13-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Fix bootstrap build

Fixes: 81d8827ad875 ("certctl: Reimplement in C")


# 2f8bbfe5 13-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

Revert "certctl: Fix bootstrap build"

This reverts commit 42ac41983ee184e818f6e8da791a5c6c7530f87e.


# 42ac4198 13-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Fix bootstrap build

Fixes: 81d8827ad875 ("certctl: Reimplement in C")


# 81d8827a 13-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.

* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.

* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.

* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.

* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.

* The DISTBASE concept has been dropped; the same effect can be achieved
by adjusting DESTDIR.

* We now also have rudimentary tests.

Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42320
