HomeFreeBSD
Diffusion FreeBSD src repository 81d8827ad875

certctl: Reimplement in C
81d8827ad875
Actions

Description

certctl: Reimplement in C

Notable changes include:

  • We no longer forget manually untrusted certificates when rehashing.
  • Rehash will now scan the existing directory and progressively replace its contents with those of the new trust store. The trust store as a whole is not replaced atomically, but each file within it is.
  • We no longer attempt to link to the original files, but we don't copy them either. Instead, we write each certificate out in its minimal form.
  • We now generate a trust bundle in addition to the hashed diretory. This also contains only the minimal DER form of each certificate.
  • The C version is approximately two orders of magnitude faster than the sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether ca_root_nss is installed.
  • The DISTBASE concept has been dropped; the same effect can be achieved by adjusting DESTDIR.
  • We now also have rudimentary tests.

Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42320

Details

Provenance
desAuthored on Aug 13 2025, 10:25 PM
Reviewer
kevans
Differential Revision
D42320: certctl: Reimplement in C
Parents
rG178b9c236474: tests/ci: Add missing kmods and pkgs to unskip tests
Branches
Unknown
Tags
Unknown
Reverted By
rG31ac42b486eb: Revert certctl reimplementation and follow-ups

Changes (9)

PathSize
usr.sbin/
certctl/

rG81d8827ad875

View Options

Makefile.inc1

Loading...
View Options

usr.sbin/certctl/Makefile

Loading...
View Options

usr.sbin/certctl/certctl.8

Loading...
View Options

usr.sbin/certctl/certctl.c

Loading...
View Options

usr.sbin/certctl/certctl.sh

Loading...
View Options

usr.sbin/certctl/tests/Makefile

Loading...
View Options

usr.sbin/certctl/tests/certctl.subr

Loading...
View Options

usr.sbin/certctl/tests/certctl_test.sh

Loading...