authorMichael Brown2012-03-20 14:32:20 +0100
committerMichael Brown2012-03-20 21:39:11 +0100
commit8685280cbddc6e2d050d5e94719cab5d4ba866fc (patch)
tree53a8892a384c29516558eaca59cc9038cb9072f4 /src/include/ipxe
parent[crypto] Use linker tables for RSA digestInfo prefixes (diff)
[build] Allow a client certificate to be specified at build time
Allow a client certificate and corresponding private key to be specified at build time using the syntax

  make CERT=/path/to/certificate KEY=/path/to/key

The build process uses openssl to convert the files into DER format, and includes them within the client certificate store in clientcert.c. The build process will prompt for the private key password if applicable.

Note that the private key is stored unencrypted, and so the resulting iPXE binary (and the temporary files created during the build process) should be treated as being equivalent to an unencrypted private key file.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include/ipxe')
-rw-r--r--src/include/ipxe/clientcert.h43
1 files changed, 43 insertions, 0 deletions
diff --git a/src/include/ipxe/clientcert.h b/src/include/ipxe/clientcert.h
new file mode 100644
index 000000000..08f62eb73
--- /dev/null
+++ b/src/include/ipxe/clientcert.h
@@ -0,0 +1,43 @@
+#ifndef _IPXE_CLIENTCERT_H
+#define _IPXE_CLIENTCERT_H
+
+/** @file
+ *
+ * Client certificate store
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+#include <stdint.h>
+
+/** A client certificate */
+struct client_certificate {
+ /** Data */
+ const void *data;
+ /** Length */
+ size_t len;
+};
+
+/** A client private key */
+struct client_private_key {
+ /** Data */
+ const void *data;
+ /** Length */
+ size_t len;
+};
+
+extern struct client_certificate client_certificate;
+extern struct client_private_key client_private_key;
+
+/**
+ * Check for presence of a client certificate
+ *
+ * @ret have_cert We have a client certificate and private key
+ */
+static inline int have_client_certificate ( void ) {
+ return ( ( client_certificate.len > 0 ) &&
+ ( client_private_key.len > 0 ) );
+}
+
+#endif /* _IPXE_CLIENTCERT_H */
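Review bot: The doc comments on `struct client_private_key` say only `/** Data */` and `/** Length */`, so the header does not record what the commit message states: the key is embedded unencrypted, and any image containing it is as sensitive as a bare key file. I would make the member comment say so, e.g. `/** Data (DER, stored unencrypted in the image; treat the binary as key material) */`, and note on `have_client_certificate()` that it compares lengths only and does not inspect `data`. Both objects are also declared as mutable globals (`extern struct client_private_key client_private_key;`). If nothing is meant to replace them at runtime (the definitions in clientcert.c are not visible here), declaring them `extern const struct ...` would document that and let the linker place them in read-only data. Separately, `size_t` is used with only `<stdint.h>` included, which relies on that header providing `size_t`. That may hold for this project's own header, but including `<stddef.h>` would make it explicit.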