Change Details

certctl: Reimplement in C. This is a work in progress. Notable changes include: * We no longer forget manually untrusted certificates when rehashing. * Rehash will now scan the existing directory and progressively replace its contents with those of the new trust store. The trust store as a while is not replaced atomically, but each file within it is. * We no longer attempt to link to the original files, but we don't copy them either. Instead, we write each certificate out in its minimal form. * We now generate a trust bundle in addition to the hashed diretory. This also contains only the minimal DER form of each certificate. * The C version is approximately two orders of magnitude faster than the sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether ca_root_nss is installed. All commands are now implemented. TODO: * Respect TRUSTPATH and UNTRUSTPATH environment variables. * Respect CERTDESTDIR and UNTRUSTDESTDIR environment variables. * Add an environment variable for the bundle. * Add tests.

certctl: Reimplement in C. This is a work in progress. Notable changes include: * We no longer forget manually untrusted certificates when rehashing. * Rehash will now scan the existing directory and progressively replace its contents with those of the new trust store. The trust store as a while is not replaced atomically, but each file within it is. * We no longer attempt to link to the original files, but we don't copy them either. Instead, we write each certificate out in its minimal form. * We now generate a trust bundle in addition to the hashed diretory. This also contains only the minimal DER form of each certificate. * The C version is approximately two orders of magnitude faster than the sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether ca_root_nss is installed. All commands are now implemented. TODO: * Respect TRUSTPATH and UNTRUSTPATH environment variables. * Respect CERTDESTDIR and UNTRUSTDESTDIR environment variables. * Add an environment variable for the bundle. * Add tests.

certctl: Reimplement in C. This is a work in progress. Notable changes include: * We no longer forget manually untrusted certificates when rehashing. * Rehash will now scan the existing directory and progressively replace its contents with those of the new trust store. The trust store as a while is not replaced atomically, but each file within it is. * We no longer attempt to link to the original files, but we don't copy them either. Instead, we write each certificate out in its minimal form. * We now generate a trust bundle in addition to the hashed diretory. This also contains only the minimal DER form of each certificate. * The C version is approximately two orders of magnitude faster than the sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether ca_root_nss is installed. All commands are now implemented. TODO: * Respect TRUSTPATH and UNTRUSTPATH environment variables. * Respect CERTDESTDIR and UNTRUSTDESTDIR environment variables. * Add an environment variable for the bundle. * Add tests.