summaryrefslogtreecommitdiffstats
path: root/src/usr
diff options
context:
space:
mode:
authorMichael Brown2014-03-28 16:45:10 +0100
committerMichael Brown2014-03-28 18:09:40 +0100
commitbc8ca6b8cea325e6507839e576d0d7eaa44e2af1 (patch)
treed74ee501d55b6dbaa5f5842c697e57295776b82e /src/usr
parent[crypto] Add pubkey_match() to check for matching public/private key pairs (diff)
downloadipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.tar.gz
ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.tar.xz
ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.zip
[crypto] Generalise X.509 cache to a full certificate store
Expand the concept of the X.509 cache to provide the functionality of a certificate store. Certificates in the store will be automatically used to complete certificate chains where applicable. The certificate store may be prepopulated at build time using the CERT=... build command line option. For example: make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt Certificates within the certificate store are not implicitly trusted; the trust list is specified using TRUST=... as before. For example: make bin/ipxe.usb CERT=root.crt TRUST=root.crt This can be used to embed the full trusted root certificate within the iPXE binary, which is potentially useful in an HTTPS-only environment in which there is no HTTP server from which to automatically download cross-signed certificates or other certificate chain fragments. This usage of CERT= extends the existing use of CERT= to specify the client certificate. The client certificate is now identified automatically by checking for a match against the private key. For example: make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/usr')
-rw-r--r--src/usr/imgtrust.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/usr/imgtrust.c b/src/usr/imgtrust.c
index c49eb7f2..da7ff2ef 100644
--- a/src/usr/imgtrust.c
+++ b/src/usr/imgtrust.c
@@ -84,7 +84,7 @@ int imgverify ( struct image *image, struct image *signature,
/* Use signature to verify image */
now = time ( NULL );
if ( ( rc = cms_verify ( sig, image->data, image->len,
- name, now, NULL ) ) != 0 )
+ name, now, NULL, NULL ) ) != 0 )
goto err_verify;
/* Drop reference to signature */