diff options
| author | Michael Brown | 2012-03-20 14:32:20 +0100 |
|---|---|---|
| committer | Michael Brown | 2012-03-20 21:39:11 +0100 |
| commit | 8685280cbddc6e2d050d5e94719cab5d4ba866fc (patch) | |
| tree | 53a8892a384c29516558eaca59cc9038cb9072f4 /src/Makefile.housekeeping | |
| parent | [crypto] Use linker tables for RSA digestInfo prefixes (diff) | |
| download | ipxe-8685280cbddc6e2d050d5e94719cab5d4ba866fc.tar.gz ipxe-8685280cbddc6e2d050d5e94719cab5d4ba866fc.tar.xz ipxe-8685280cbddc6e2d050d5e94719cab5d4ba866fc.zip | |
[build] Allow a client certificate to be specified at build time
Allow a client certificate and corresponding private key to be
specified at build time using the syntax
make CERT=/path/to/certificate KEY=/path/to/key
The build process uses openssl to convert the files into DER format,
and includes them within the client certificate store in
clientcert.c. The build process will prompt for the private key
password if applicable.
Note that the private key is stored unencrypted, and so the resulting
iPXE binary (and the temporary files created during the build process)
should be treated as being equivalent to an unencrypted private key
file.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/Makefile.housekeeping')
| -rw-r--r-- | src/Makefile.housekeeping | 80 |
1 files changed, 74 insertions, 6 deletions
diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping index daac97b9..0fab407c 100644 --- a/src/Makefile.housekeeping +++ b/src/Makefile.housekeeping @@ -629,12 +629,6 @@ EMBED_ALL := $(foreach i,$(call seq,1,$(words $(EMBEDDED_FILES))),\ $(BIN)/embedded.o : $(EMBEDDED_FILES) $(EMBEDDED_LIST) -# This file uses .incbin inline assembly to include a binary file. -# Unfortunately ccache does not detect this dependency and caches builds even -# when the binary file has changed. -# -$(BIN)/embedded.o : override CC := env CCACHE_DISABLE=1 $(CC) - CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)" # List of trusted root certificates @@ -665,6 +659,80 @@ $(BIN)/rootcert.o : $(TRUSTED_FILES) $(TRUSTED_LIST) CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)") +# (Single-element) list of client certificates +# +CERT_LIST := $(BIN)/.certificate.list +ifeq ($(wildcard $(CERT_LIST)),) +CERT_OLD := <invalid> +else +CERT_OLD := $(shell cat $(CERT_LIST)) +endif +ifneq ($(CERT_OLD),$(CERT)) +$(shell $(ECHO) "$(CERT)" > $(CERT_LIST)) +endif + +$(CERT_LIST) : + +VERYCLEANUP += $(CERT_LIST) + +# Embedded client certificate +# +CERT_INC := $(BIN)/.certificate.der + +ifdef CERT +$(CERT_INC) : $(CERT) $(CERT_LIST) + $(Q)$(OPENSSL) x509 -in $< -outform DER -out $@ + +$(BIN)/clientcert.o : $(CERT_INC) +endif + +CLEANUP += $(CERT_INC) + +$(BIN)/clientcert.o : $(CERT_LIST) + +CFLAGS_clientcert += $(if $(CERT),-DCERTIFICATE="\"$(CERT_INC)\"") + +# (Single-element) list of client private keys +# +KEY_LIST := $(BIN)/.private_key.list +ifeq ($(wildcard $(KEY_LIST)),) +KEY_OLD := <invalid> +else +KEY_OLD := $(shell cat $(KEY_LIST)) +endif +ifneq ($(KEY_OLD),$(KEY)) +$(shell $(ECHO) "$(KEY)" > $(KEY_LIST)) +endif + +$(KEY_LIST) : + +VERYCLEANUP += $(KEY_LIST) + +# Embedded client private key +# +KEY_INC := $(BIN)/.private_key.der + +ifdef KEY +$(KEY_INC) : $(KEY) $(KEY_LIST) + $(Q)$(OPENSSL) rsa -in $< -outform DER -out $@ + +$(BIN)/clientcert.o : $(KEY_INC) +endif + +CLEANUP += $(KEY_INC) + +$(BIN)/clientcert.o : $(KEY_LIST) + +CFLAGS_clientcert += $(if $(KEY),-DPRIVATE_KEY="\"$(KEY_INC)\"") + +# These files use .incbin inline assembly to include a binary file. +# Unfortunately ccache does not detect this dependency and caches +# builds even when the binary file has changed. +# +$(BIN)/embedded.o : override CC := env CCACHE_DISABLE=1 $(CC) + +$(BIN)/clientcert.o : override CC := env CCACHE_DISABLE=1 $(CC) + # Generate error usage information # $(BIN)/%.einfo : $(BIN)/%.o |