authorMichael Brown2012-03-18 23:55:29 +0100
committerMichael Brown2012-03-19 01:23:29 +0100
commitaee3a064f22f994a930990c1bb0d339412e65d76 (patch)
treed19164d6ccbfb5ad68938a25cb4d106b243fbecf
parent[tls] Add full X.509 certificate parsing (diff)
[build] Allow trusted root certificates to be specified at build time
Allow trusted root certificates to be specified at build time using the syntax make TRUST=/path/to/certificate1,/path/to/certificate2,... The build process uses openssl to calculate the SHA-256 fingerprints of the specified certificates, and adds them to the root certificate store in rootcert.c. The certificates can be in any format understood by openssl. The certificates may be server certificates or (more usefully) CA certificates. If no trusted certificates are specified, then the default "iPXE root CA" certificate will be used. Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r--src/Makefile1
-rw-r--r--src/Makefile.housekeeping28
2 files changed, 29 insertions, 0 deletions
diff --git a/src/Makefile b/src/Makefile
index c30dc5c9..0189a469 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -32,6 +32,7 @@ RANLIB := $(CROSS_COMPILE)ranlib
OBJCOPY := $(CROSS_COMPILE)objcopy
NM := $(CROSS_COMPILE)nm
OBJDUMP := $(CROSS_COMPILE)objdump
+OPENSSL := openssl
PARSEROM := ./util/parserom.pl
FIXROM := ./util/fixrom.pl
SYMCHECK := ./util/symcheck.pl
diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
index 41c59562..daac97b9 100644
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@@ -637,6 +637,34 @@ $(BIN)/embedded.o : override CC := env CCACHE_DISABLE=1 $(CC)
CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"
+# List of trusted root certificates
+#
+TRUSTED_LIST := $(BIN)/.trusted.list
+ifeq ($(wildcard $(TRUSTED_LIST)),)
+TRUST_OLD := <invalid>
+else
+TRUST_OLD := $(shell cat $(TRUSTED_LIST))
+endif
+ifneq ($(TRUST_OLD),$(TRUST))
+$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST))
+endif
+
+$(TRUSTED_LIST) :
+
+VERYCLEANUP += $(TRUSTED_LIST)
+
+# Trusted root certificate fingerprints
+#
+TRUSTED_CERTS := $(subst $(COMMA), ,$(TRUST))
+TRUSTED_FPS := $(foreach CERT,$(TRUSTED_CERTS),\
+ 0x$(subst :,$(COMMA) 0x,$(lastword $(subst =, ,\
+ $(shell $(OPENSSL) x509 -in $(CERT) -noout -sha256 \
+ -fingerprint))))$(COMMA))
+
+$(BIN)/rootcert.o : $(TRUSTED_FILES) $(TRUSTED_LIST)
+
+CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
+
# Generate error usage information
#
$(BIN)/%.einfo : $(BIN)/%.o
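Review bot: `$(TRUSTED_FILES)` in the `$(BIN)/rootcert.o` prerequisite line is not defined anywhere in this hunk (the certificate paths are held in `TRUSTED_CERTS`), so unless it is set elsewhere it expands to nothing and rootcert.o depends only on `$(TRUSTED_LIST)`. That file is rewritten only when the TRUST string itself changes, so replacing a certificate at an unchanged path would leave the old SHA-256 fingerprint compiled into the root certificate store. The prerequisite line should name the certificates themselves: `$(BIN)/rootcert.o : $(TRUSTED_CERTS) $(TRUSTED_LIST)`. Separately, if `$(OPENSSL) x509` fails for a path, `$(shell ...)` returns nothing and that entry becomes a bare `0x,`. A parse-time `$(error ...)` on an empty fingerprint would report a bad trust-anchor path directly, instead of leaving it to surface (presumably) as a compile error in rootcert.c.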