authorDag-Erling Smørgrav <des@FreeBSD.org>2025-08-18 16:26:29 +0200
committerDag-Erling Smørgrav <des@FreeBSD.org>2025-08-18 16:28:29 +0200
commitc340ef28fd384b567e35882d04ce17fa31b7384f (patch)
tree40ec11263c3628c582ceebbaf4e72bb0f5ae9616 /Makefile.inc1
parenta13f28d57ecfd136ce73493659c28a47fa1a4b9f (diff)
certctl: Reimplement in C
Notable changes include: * We no longer forget manually untrusted certificates when rehashing. * Rehash will now scan the existing directory and progressively replace its contents with those of the new trust store. The trust store as a whole is not replaced atomically, but each file within it is. * We no longer attempt to link to the original files, but we don't copy them either. Instead, we write each certificate out in its minimal form. * We now generate a trust bundle in addition to the hashed directory. This also contains only the minimal DER form of each certificate. This allows e.g. Unbound to preload the bundle before chrooting. * The C version is approximately two orders of magnitude faster than the sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether ca_root_nss is installed. * We now also have tests. Reviewed by: kevans, markj Differential Revision: https://reviews.freebsd.org/D42320 Differential Revision: https://reviews.freebsd.org/D51896
Diffstat (limited to 'Makefile.inc1')
-rw-r--r--Makefile.inc118
1 files changed, 10 insertions, 8 deletions
diff --git a/Makefile.inc1 b/Makefile.inc1
index d8853fef321b..a16af09caea0 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -1542,14 +1542,10 @@ distributeworld installworld stageworld: _installcheck_world .PHONY
.endif # make(distributeworld)
${_+_}cd ${.CURDIR}; ${IMAKE} re${.TARGET:S/world$//}; \
${IMAKEENV} rm -rf ${INSTALLTMP}
-.if !make(packageworld) && ${MK_CAROOT} != "no"
- @if which openssl>/dev/null; then \
- PATH=${TMPPATH:Q}:${PATH:Q} \
- LOCALBASE=${LOCALBASE:Q} \
- sh ${SRCTOP}/usr.sbin/certctl/certctl.sh ${CERTCTLFLAGS} rehash; \
- else \
- echo "No openssl on the host, not rehashing certificates target -- /etc/ssl may not be populated."; \
- fi
+.if !make(packageworld) && ${MK_CAROOT} != "no" && ${MK_OPENSSL} != "no"
+ PATH=${TMPPATH:Q}:${PATH:Q} \
+ LOCALBASE=${LOCALBASE:Q} \
+ certctl ${CERTCTLFLAGS} rehash
.endif
.if make(distributeworld)
.for dist in ${EXTRA_DISTRIBUTIONS}
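Review bot: The new recipe resolves `certctl` through PATH rather than by an explicit path, so it depends on the bootstrap copy in ${TMPPATH} having been built under the matching `_certctl` condition in the second hunk; if the two conditions ever diverge, a host certctl (on older hosts the sh implementation) would presumably be found via ${PATH} and may not accept ${CERTCTLFLAGS}. A comment above the `.if` would make that coupling visible, e.g. `# certctl is the bootstrap-tools copy found via TMPPATH; keep this condition in sync with _certctl`. The removed lines were also prefixed with `@`, so the replacement now echoes the PATH/LOCALBASE assignments and the command during installworld; restore the `@` if the quiet invocation was intentional. The installworld/distributeworld target body continues outside this hunk.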
@@ -2713,6 +2709,11 @@ _basic_bootstrap_tools+=sbin/md5
_basic_bootstrap_tools+=usr.sbin/tzsetup
.endif
+# certctl is needed as an install tool
+.if ${MK_CAROOT} != "no" && ${MK_OPENSSL} != "no"
+_certctl=usr.sbin/certctl
+.endif
+
.if defined(BOOTSTRAP_ALL_TOOLS)
_other_bootstrap_tools+=${_basic_bootstrap_tools}
.for _subdir _links in ${_basic_bootstrap_tools_multilink}
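Review bot: The comment `# certctl is needed as an install tool` does not say which install step needs it, which is the information a reader of the bootstrap-tools section would want before deciding whether the condition can change. Suggest `# certctl is needed as an install tool: installworld runs it to rehash the trust store when MK_CAROOT and MK_OPENSSL are enabled`. The condition here mirrors the one guarding the rehash step in the first hunk; naming that in the comment helps keep the two in sync.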
@@ -2776,6 +2777,7 @@ bootstrap-tools: ${_bt}-links .PHONY
${_strfile} \
usr.bin/dtc \
${_cat} \
+ ${_certctl} \
${_kbdcontrol} \
${_elftoolchain_libs} \
${_libkldelf} \