author Dag-Erling Smørgrav <des@FreeBSD.org> 2025-08-18 16:26:29 +0200
committer Dag-Erling Smørgrav <des@FreeBSD.org> 2025-08-18 16:28:29 +0200
commit c340ef28fd384b567e35882d04ce17fa31b7384f
tree 40ec11263c3628c582ceebbaf4e72bb0f5ae9616 /etc
parent a13f28d57ecfd136ce73493659c28a47fa1a4b9f
certctl: Reimplement in C

Notable changes include:

* We no longer forget manually untrusted certificates when rehashing.
* Rehash will now scan the existing directory and progressively replace its contents with those of the new trust store. The trust store as a whole is not replaced atomically, but each file within it is.
* We no longer attempt to link to the original files, but we don't copy them either. Instead, we write each certificate out in its minimal form.
* We now generate a trust bundle in addition to the hashed directory. This also contains only the minimal DER form of each certificate. This allows e.g. Unbound to preload the bundle before chrooting.
* The C version is approximately two orders of magnitude faster than the sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether ca_root_nss is installed.
* We now also have tests.

Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896

Diffstat (limited to 'etc')
-rw-r--r-- etc/mtree/BSD.tests.dist 2
1 files changed, 2 insertions, 0 deletions
diff --git a/etc/mtree/BSD.tests.dist b/etc/mtree/BSD.tests.dist
index 2c25d9386032..e6a013f010de 100644
--- a/etc/mtree/BSD.tests.dist
+++ b/etc/mtree/BSD.tests.dist
@@ -1255,6 +1255,8 @@
..
..
usr.sbin
+ certctl
+ ..
chown
..
ctladm
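
Review bot: the added `certctl` / `..` pair under `usr.sbin` needs to match the directory that the new tests ("We now also have tests") actually install into, and that cannot be confirmed from this view because the diff is limited to 'etc'. Check the tests Makefile in the full commit against this entry: an mtree entry with no installed files leaves an empty directory in the tests tree, and tests installed without the entry have no directory to land in. The entry itself is closed by its own `..` and sits in sorted order before `chown`, so nothing needs changing in the hunk as shown.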