[PATCH 0/5] net: lwip: root certificates
Jerome Forissier
jerome.forissier at linaro.org
Thu Feb 27 19:31:08 CET 2025
On 2/27/25 19:06, Tom Rini wrote:
> On Thu, Feb 27, 2025 at 05:09:00PM +0100, Jerome Forissier wrote:
>
>> This series adds support for HTTP server authentication using root (CA)
>> certificates.
>>
>> As a first step, the wget command is extended to support a sub-command:
>> cacert <addr> <size>. The memory region shall contain the CA
>> certificates. With this, it is possible to load the certificates from
>> storage or get them from the network for example, which is convenient
>> for testing at least. The Kconfig symbol for this feature is
>> WGET_CACERT=y.
>>
>> Then new Kconfig symbols are added to support providing the certificates
>> at build time, as a DER or PEM encoded X509 collection:
>> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
>> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
>> command as well as for the builtin way).
>>
>> Here is a complete example (showing only the relevant output from the
>> various commands):
>>
>> make qemu_arm64_lwip_defconfig
>> wget https://curl.se/ca/cacert.pem
>> echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
>> echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
>> make olddefconfig
>> make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
>> qemu-system-aarch64 -M virt -nographic -cpu max \
>> -object rng-random,id=rng0,filename=/dev/urandom \
>> -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
>> => dhcp
>> # HTTPS transfer using the builtin CA certificates
>> => wget https://www.google.com/
>> 18724 bytes transferred in 15 ms (1.2 MiB/s)
>> # Disable certificate validation
>> => wget cacert 0 0
>> # Unsafe HTTPS transfer
>> => wget https://www.google.com/
>> WARNING: no CA certificates, HTTPS connections not authenticated
>> 16570 bytes transferred in 15 ms (1.1 MiB/s)
>> # Dowload and apply CA certificates from the net
>> => wget https://curl.se/ca/cacert.pem
>> WARNING: no CA certificates, HTTPS connections not authenticated
>> ##
>> 233263 bytes transferred in 61 ms (3.6 MiB/s)
>> => wget cacert $fileaddr $filesize
>> # Now HTTPS is authenticated against the new CA
>> => wget https://www.google.com/
>> 18743 bytes transferred in 14 ms (1.3 MiB/s)
>> # Drop the certificates again...
>> => wget cacert 0 0
>> # Check that transfer is not secure
>> => wget https://www.google.com/
>> WARNING: no CA certificates, HTTPS connections not authenticated
>> # Restore the builtin CA
>> => wget cacert builtin
>> # No more WARNING
>> => wget https://www.google.com/
>> 18738 bytes transferred in 15 ms (1.2 MiB/s)
>
> As part of v2, please update the documentation as well with some example
> like the above (perhaps as enable X/Y/Z then at run time ...), thanks!
Will do.
Thanks,
--
Jerome
More information about the U-Boot
mailing list