[PATCH 1/5] net: lwip: extend wget to support CA (root) certificates

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Feb 28 22:24:45 CET 2025


Hi Jerome

>
> +config WGET_CACERT
> +       bool "wget cacert"
> +       depends on CMD_WGET
> +       depends on WGET_HTTPS
> +       help
> +         Adds the "cacert" sub-command to wget to provide root certificates
> +         to the HTTPS engine.
> +
> +config MBEDTLS_LIB_X509_PEM
> +       depends on WGET_CACERT
> +       bool "Support for PEM-encoded X509 certificates"
> +       help
> +         This option enables MbedTLS to parse PEM-encoded X509 certificates.
> +         When disabled, only DER format is accepted.
> +
>  endif  # if CMD_NET

I guess that's needed because most of the RootCAs you can download are in PEM?

[...]

>  }
>
> +#if defined CONFIG_WGET_HTTPS

you can do #if IS_ENABLED() here

> +static char *cacert;
> +size_t cacert_size;
> +#endif
> +
> +#if defined CONFIG_WGET_CACERT
> +static int set_cacert(char * const saddr, char * const ssz)
> +{
> +       mbedtls_x509_crt crt;
> +       ulong addr, sz;
> +       int ret;
> +
> +       if (cacert)
> +               free(cacert);
> +
> +       addr = hextoul(saddr, NULL);
> +       sz = hextoul(ssz, NULL);
> +       sz++; /* For the trailing '\0' in case of a text (PEM) file */
> +
> +       if (!addr) {
> +               cacert = NULL;

cacert is already allocated. Can't we just free it here if it's
supposed to be removed and reuse the memory otherwise, instead of
doing free/alloc on every command?

> +               cacert_size = 0;
> +               return CMD_RET_SUCCESS;
> +       }
> +
> +       cacert = malloc(sz);
> +       if (!cacert)
> +               return CMD_RET_FAILURE;
> +       cacert_size = sz;
> +
> +       memcpy(cacert, (void *)addr, sz - 1);
> +       cacert[sz] = '\0';
> +
> +       mbedtls_x509_crt_init(&crt);
> +       ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size);
> +       if (ret) {
> +               printf("Could not parse certificates (%d)\n", ret);
> +               free(cacert);
> +               cacert = NULL;
> +               cacert_size = 0;
> +               return CMD_RET_FAILURE;
> +       }
> +
> +       return CMD_RET_SUCCESS;
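Review bot: `cacert[sz] = '\0';` writes one byte past the `malloc(sz)` buffer, because `sz` was already incremented to make room for the terminator; it belongs at `cacert[sz - 1] = '\0';`. On the `malloc` failure path `cacert` still holds the pointer freed at the top of the function and `cacert_size` keeps the old length, so the next HTTPS fetch would hand freed memory to the TLS engine; both need resetting before `return CMD_RET_FAILURE`. The local `mbedtls_x509_crt` filled by `mbedtls_x509_crt_parse` is never released with `mbedtls_x509_crt_free(&crt)` on either path, so the parsed chain leaks every time the command runs; since `crt` is only used to validate the blob here, it can be freed right after the parse. The closing brace of set_cacert is outside the quoted hunk.
```c
	cacert = malloc(sz);
	if (!cacert) {
		cacert_size = 0;	/* cacert was freed above; keep both consistent */
		return CMD_RET_FAILURE;
	}
	cacert_size = sz;

	memcpy(cacert, (void *)addr, sz - 1);
	cacert[sz - 1] = '\0';	/* last valid index of the sz-byte buffer */

	mbedtls_x509_crt_init(&crt);
	ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size);
	mbedtls_x509_crt_free(&crt);	/* crt only validates the blob; release it */
	if (ret) {
		/* … unchanged: error message, free(cacert), reset of cacert/cacert_size … */
	}
```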

[...]

Thanks
/Ilias

