From bc8ca6b8cea325e6507839e576d0d7eaa44e2af1 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Fri, 28 Mar 2014 15:45:10 +0000
Subject: [crypto] Generalise X.509 cache to a full certificate store
Expand the concept of the X.509 cache to provide the functionality of a certificate store. Certificates in the store will be automatically used to complete certificate chains where applicable. The certificate store may be prepopulated at build time using the CERT=... build command line option. For example: make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt Certificates within the certificate store are not implicitly trusted; the trust list is specified using TRUST=... as before. For example: make bin/ipxe.usb CERT=root.crt TRUST=root.crt This can be used to embed the full trusted root certificate within the iPXE binary, which is potentially useful in an HTTPS-only environment in which there is no HTTP server from which to automatically download cross-signed certificates or other certificate chain fragments. This usage of CERT= extends the existing use of CERT= to specify the client certificate. The client certificate is now identified automatically by checking for a match against the private key. For example: make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key
Signed-off-by: Michael Brown
---
src/include/ipxe/privkey.h | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 src/include/ipxe/privkey.h
(limited to 'src/include/ipxe/privkey.h')
diff --git a/src/include/ipxe/privkey.h b/src/include/ipxe/privkey.h
new file mode 100644
index 000000000..39049ac9f
--- /dev/null
+++ b/src/include/ipxe/privkey.h
@@ -0,0 +1,16 @@
+#ifndef _IPXE_PRIVKEY_H
+#define _IPXE_PRIVKEY_H
+
+/** @file
+ *
+ * Private key
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+#include
+
+extern struct asn1_cursor private_key;
+
+#endif /* _IPXE_PRIVKEY_H */
--
cgit v1.2.3-55-g7522
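Review bot: The `extern struct asn1_cursor private_key;` declaration at the end of the hunk carries no doc comment, so a reader of this header cannot tell what the cursor references, how an absent key is represented, or that the bytes behind it are secret material. Given the new role the commit message assigns to the key (automatic client-certificate matching), I would state that contract on the declaration, e.g. `/** Private key (ASN.1 cursor); the referenced bytes are secret key material and must not be logged or copied into diagnostics */`, and if a zero-length cursor means "no key embedded", say so explicitly so every consumer checks before use. The `#include` line in the hunk has lost its target in rendering; it is presumably the header that declares `struct asn1_cursor`, which is worth confirming against the committed file. The definition of `private_key` is outside this patch, so its ownership and initialisation should be cross-referenced in the comment once the defining file is known.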