Re: git: 81d8827ad875 - main - certctl: Reimplement in C
- In reply to: Dag-Erling Smørgrav : "git: 81d8827ad875 - main - certctl: Reimplement in C"
Date: Thu, 14 Aug 2025 09:59:52 UTC
On 14 Aug 2025, at 0:25, Dag-Erling Smørgrav wrote:
> The branch main has been updated by des:
>
> URL:
> https://cgit.FreeBSD.org/src/commit/?id=81d8827ad8752e35411204541f1f09df1481e417
>
> commit 81d8827ad8752e35411204541f1f09df1481e417
> Author: Dag-Erling Smørgrav <des@FreeBSD.org>
> AuthorDate: 2025-08-13 22:25:27 +0000
> Commit: Dag-Erling Smørgrav <des@FreeBSD.org>
> CommitDate: 2025-08-13 22:25:27 +0000
>
> certctl: Reimplement in C
>
> Notable changes include:
>
> * We no longer forget manually untrusted certificates when
>   rehashing.
>
> * Rehash will now scan the existing directory and progressively replace
>   its contents with those of the new trust store. The trust store as a
>   whole is not replaced atomically, but each file within it is.
>
> * We no longer attempt to link to the original files, but we don't copy
>   them either. Instead, we write each certificate out in its minimal
>   form.
>
> * We now generate a trust bundle in addition to the hashed directory.
>   This also contains only the minimal DER form of each certificate.
>
> * The C version is approximately two orders of magnitude faster than the
>   sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
>   ca_root_nss is installed.
>
> * The DISTBASE concept has been dropped; the same effect can be achieved
>   by adjusting DESTDIR.
>
> * We now also have rudimentary tests.
>
> Reviewed by: kevans
> Differential Revision: https://reviews.freebsd.org/D42320
I’m seeing errors like this during bricoler test runs now:
> /usr/home/kp/bricoler/freebsd-src-regression-suite-vm-image/image.amd64.amd64-METALOG.mtree:38358:
> error: word too long to fit buffer (max 10 characters)
Those are all lines with absolute paths (e.g. /etc/ssl/cert.pem rather
than ./etc/ssl/cert.pem).
This hack seems to fix things for me, but I’m nowhere near familiar
enough with the relevant build bits to say for sure if that’s right or
not:
diff --git a/usr.sbin/certctl/certctl.c b/usr.sbin/certctl/certctl.c
index 365870167aeb..336a49830a3d 100644
--- a/usr.sbin/certctl/certctl.c
+++ b/usr.sbin/certctl/certctl.c
@@ -490,7 +490,7 @@ write_certs(const char *dir, struct cert_tree
*tree)
}
/* emit metalog */
if (mlf != NULL) {
- fprintf(mlf, "%s/%s type=file "
+ fprintf(mlf, "./%s/%s type=file "
"uname=%s gname=%s mode=%#o size=%ld\n",
unexpand_path(dir), path,
uname, gname, mode, ftell(f));
@@ -561,7 +561,7 @@ write_bundle(const char *dir, const char *file,
struct cert_tree *tree)
}
if (ret == 0 && mlf != NULL) {
fprintf(mlf,
- "%s/%s type=file uname=%s gname=%s mode=%#o
size=%ld\n",
+ "./%s/%s type=file uname=%s gname=%s mode=%#o
size=%ld\n",
unexpand_path(dir), file, uname, gname, mode,
ftell(f));
}
fclose(f);
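Review bot: this is the same "./" prefix change as in write_certs(), hand-applied to a second format string; the two can drift apart, so a shared helper that formats the METALOG path is preferable. Also note the format string is wrapped across two lines here (mail wrapping, presumably), so the applied patch must keep "%s/%s type=file ... size=%ld\n" on one line, and the fprintf() return value is ignored even though ret is otherwise tracked, so a short write to the metalog would go unnoticed.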
—
Kristof
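The underlying problem Kristof describes is a METALOG path that is absolute rather than relative to the image root. As an added illustration (not certctl's code, and the helper names are hypothetical), this builds the path word so it always comes out as "./..." whatever form the directory arrives in, writes an entry in the same field layout as the patch, and checks existing lines for the absolute-path defect mtree rejects.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: emit the METALOG path word as "./dir/file", stripping
 * any leading "./" or "/" from dir so "/etc/ssl" never becomes ".//etc/ssl".
 * Returns the length written, or -1 if buf is too small. */
int
metalog_path(char *buf, size_t len, const char *dir, const char *file)
{
	int n;

	for (;;) {
		if (dir[0] == '.' && dir[1] == '/')
			dir += 2;
		else if (dir[0] == '/')
			dir += 1;
		else
			break;
	}
	n = snprintf(buf, len, "./%s%s%s", dir, *dir != '\0' ? "/" : "", file);
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Full entry in the same field order the patch writes: path, type, owner,
 * group, mode (with leading 0), size. Returns length written or -1. */
int
metalog_line(char *buf, size_t len, const char *dir, const char *file,
    const char *uname, const char *gname, unsigned mode, long size)
{
	char path[1024];
	int n;

	if (metalog_path(path, sizeof path, dir, file) < 0)
		return -1;
	n = snprintf(buf, len, "%s type=file uname=%s gname=%s mode=%#o size=%ld\n",
	    path, uname, gname, mode, size);
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Check an existing METALOG line: 1 if the path word is image-relative
 * ("./" without a doubled slash), 0 if absolute or malformed. */
int
metalog_line_ok(const char *line)
{
	return (strncmp(line, "./", 2) == 0 && line[2] != '/');
}

int
main(void)
{
	/* constructed sample lines: one absolute (bad), one relative (good) */
	const char *lines[] = {
	    "/etc/ssl/cert.pem type=file uname=root gname=wheel mode=0644 size=1234",
	    "./etc/ssl/cert.pem type=file uname=root gname=wheel mode=0644 size=1234",
	};
	size_t i;

	for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
		printf("%s %s\n", metalog_line_ok(lines[i]) ? "ok: " : "BAD:", lines[i]);
	return 0;
}
```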