summaryrefslogtreecommitdiffstats
path: root/src/usr/imgtrust.c
Commit message (Collapse)AuthorAgeFilesLines
* [image] Use image_asn1() to extract data from CMS signature imagesMichael Brown2016-07-291-12/+10Star
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [legal] Relicense files under GPL2_OR_LATER_OR_UBDLMichael Brown2015-03-021-1/+5
| | | | | | | Relicense files for which I am the sole author (as identified by util/relicense.pl). Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Generalise X.509 cache to a full certificate storeMichael Brown2014-03-281-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Expand the concept of the X.509 cache to provide the functionality of a certificate store. Certificates in the store will be automatically used to complete certificate chains where applicable. The certificate store may be prepopulated at build time using the CERT=... build command line option. For example: make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt Certificates within the certificate store are not implicitly trusted; the trust list is specified using TRUST=... as before. For example: make bin/ipxe.usb CERT=root.crt TRUST=root.crt This can be used to embed the full trusted root certificate within the iPXE binary, which is potentially useful in an HTTPS-only environment in which there is no HTTP server from which to automatically download cross-signed certificates or other certificate chain fragments. This usage of CERT= extends the existing use of CERT= to specify the client certificate. The client certificate is now identified automatically by checking for a match against the private key. For example: make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [monojob] Add timeout parameter to monojob_wait()Michael Brown2013-11-011-1/+1
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [legal] Update FSF mailing address in GPL licence textsMichael Brown2012-07-201-1/+2
| | | | | Suggested-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [image] Allow "imgtrust" to automatically download cross-signed certificatesMichael Brown2012-05-221-0/+13
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Allow certificate chains to be long-lived data structuresMichael Brown2012-05-041-6/+12
| | | | | | | | | | | | | | | | | At present, certificate chain validation is treated as an instantaneous process that can be carried out using only data that is already in memory. This model does not allow for validation to include non-instantaneous steps, such as downloading a cross-signing certificate, or determining certificate revocation status via OCSP. Redesign the internal representation of certificate chains to allow chains to outlive the scope of the original source of certificates (such as a TLS Certificate record). Allow for certificates to be cached, so that each certificate needs to be validated only once. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [image] Log results of image signature checksMichael Brown2012-03-271-0/+9
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [image] Add the "imgtrust" and "imgverify" commandsMichael Brown2012-03-251-0/+81
Signed-off-by: Michael Brown <mcb30@ipxe.org>
generated by cgit v1.2.3-55-g7522 (git 2.39.0) at 2024-05-28 21:33:04 +0200