summaryrefslogtreecommitdiffstats
path: root/src/include/ipxe/cms.h
Commit message (Collapse)AuthorAgeFilesLines
* [legal] Relicense files under GPL2_OR_LATER_OR_UBDLMichael Brown2015-03-021-1/+1
| | | | | | | Relicense files for which I am the sole author (as identified by util/relicense.pl). Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Generalise X.509 cache to a full certificate storeMichael Brown2014-03-281-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Expand the concept of the X.509 cache to provide the functionality of a certificate store. Certificates in the store will be automatically used to complete certificate chains where applicable. The certificate store may be prepopulated at build time using the CERT=... build command line option. For example: make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt Certificates within the certificate store are not implicitly trusted; the trust list is specified using TRUST=... as before. For example: make bin/ipxe.usb CERT=root.crt TRUST=root.crt This can be used to embed the full trusted root certificate within the iPXE binary, which is potentially useful in an HTTPS-only environment in which there is no HTTP server from which to automatically download cross-signed certificates or other certificate chain fragments. This usage of CERT= extends the existing use of CERT= to specify the client certificate. The client certificate is now identified automatically by checking for a match against the private key. For example: make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Allow certificate chains to be long-lived data structuresMichael Brown2012-05-041-14/+39
| | | | | | | | | | | | | | | | | At present, certificate chain validation is treated as an instantaneous process that can be carried out using only data that is already in memory. This model does not allow for validation to include non-instantaneous steps, such as downloading a cross-signing certificate, or determining certificate revocation status via OCSP. Redesign the internal representation of certificate chains to allow chains to outlive the scope of the original source of certificates (such as a TLS Certificate record). Allow for certificates to be cached, so that each certificate needs to be validated only once. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add support for Cryptographic Message Syntax (PKCS #7)Michael Brown2012-03-221-0/+50
The Cryptographic Message Syntax (PKCS#7) provides a format for encapsulating digital signatures of arbitrary binary blobs. A signature can be generated using openssl cms -sign -in <file to sign> -binary -noattr \ -signer <signer>.crt -inkey <signer>.key -certfile <CA>.crt \ -outform DER -out <signature> Signed-off-by: Michael Brown <mcb30@ipxe.org>
generated by cgit v1.2.3-55-g7522 (git 2.39.0) at 2026-02-28 18:22:32 +0100