diff options
| author | Michael Brown | 2012-03-18 23:55:29 +0100 |
|---|---|---|
| committer | Michael Brown | 2012-03-19 01:23:29 +0100 |
| commit | aee3a064f22f994a930990c1bb0d339412e65d76 (patch) | |
| tree | d19164d6ccbfb5ad68938a25cb4d106b243fbecf | |
| parent | [tls] Add full X.509 certificate parsing (diff) | |
| download | ipxe-aee3a064f22f994a930990c1bb0d339412e65d76.tar.gz ipxe-aee3a064f22f994a930990c1bb0d339412e65d76.tar.xz ipxe-aee3a064f22f994a930990c1bb0d339412e65d76.zip | |
[build] Allow trusted root certificates to be specified at build time
Allow trusted root certificates to be specified at build time using
the syntax
make TRUST=/path/to/certificate1,/path/to/certificate2,...
The build process uses openssl to calculate the SHA-256 fingerprints
of the specified certificates, and adds them to the root certificate
store in rootcert.c. The certificates can be in any format understood
by openssl.
The certificates may be server certificates or (more usefully) CA
certificates.
If no trusted certificates are specified, then the default "iPXE root
CA" certificate will be used.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
| -rw-r--r-- | src/Makefile | 1 | ||||
| -rw-r--r-- | src/Makefile.housekeeping | 28 |
2 files changed, 29 insertions, 0 deletions
diff --git a/src/Makefile b/src/Makefile index c30dc5c97..0189a469d 100644 --- a/src/Makefile +++ b/src/Makefile @@ -32,6 +32,7 @@ RANLIB := $(CROSS_COMPILE)ranlib OBJCOPY := $(CROSS_COMPILE)objcopy NM := $(CROSS_COMPILE)nm OBJDUMP := $(CROSS_COMPILE)objdump +OPENSSL := openssl PARSEROM := ./util/parserom.pl FIXROM := ./util/fixrom.pl SYMCHECK := ./util/symcheck.pl diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping index 41c595628..daac97b9f 100644 --- a/src/Makefile.housekeeping +++ b/src/Makefile.housekeeping @@ -637,6 +637,34 @@ $(BIN)/embedded.o : override CC := env CCACHE_DISABLE=1 $(CC) CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)" +# List of trusted root certificates +# +TRUSTED_LIST := $(BIN)/.trusted.list +ifeq ($(wildcard $(TRUSTED_LIST)),) +TRUST_OLD := <invalid> +else +TRUST_OLD := $(shell cat $(TRUSTED_LIST)) +endif +ifneq ($(TRUST_OLD),$(TRUST)) +$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST)) +endif + +$(TRUSTED_LIST) : + +VERYCLEANUP += $(TRUSTED_LIST) + +# Trusted root certificate fingerprints +# +TRUSTED_CERTS := $(subst $(COMMA), ,$(TRUST)) +TRUSTED_FPS := $(foreach CERT,$(TRUSTED_CERTS),\ + 0x$(subst :,$(COMMA) 0x,$(lastword $(subst =, ,\ + $(shell $(OPENSSL) x509 -in $(CERT) -noout -sha256 \ + -fingerprint))))$(COMMA)) + +$(BIN)/rootcert.o : $(TRUSTED_FILES) $(TRUSTED_LIST) + +CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)") + # Generate error usage information # $(BIN)/%.einfo : $(BIN)/%.o |