[PATCH 1/5] net: lwip: extend wget to support CA (root) certificates
Ilias Apalodimas
ilias.apalodimas at linaro.org
Fri Feb 28 22:24:45 CET 2025
Hi Jerome
>
> +config WGET_CACERT
> + bool "wget cacert"
> + depends on CMD_WGET
> + depends on WGET_HTTPS
> + help
> + Adds the "cacert" sub-command to wget to provide root certificates
> + to the HTTPS engine.
> +
> +config MBEDTLS_LIB_X509_PEM
> + depends on WGET_CACERT
> + bool "Support for PEM-encoded X509 certificates"
> + help
> + This option enables MbedTLS to parse PEM-encoded X509 certificates.
> + When disabled, only DER format is accepted.
> +
> endif # if CMD_NET
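Review bot: the WGET_CACERT help text does not say which certificate encodings the "cacert" sub-command accepts, and MBEDTLS_LIB_X509_PEM carries no default, so a user who enables only WGET_CACERT silently gets DER-only parsing and a PEM bundle will fail to load. Suggest stating in the WGET_CACERT help that DER is always accepted and PEM requires MBEDTLS_LIB_X509_PEM, or giving MBEDTLS_LIB_X509_PEM a "default y" under WGET_CACERT.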
I guess that's needed because most of the RootCAs you can download are in PEM?
[...]
> }
>
> +#if defined CONFIG_WGET_HTTPS
you can do #if IS_ENABLED() here
> +static char *cacert;
> +size_t cacert_size;
> +#endif
> +
> +#if defined CONFIG_WGET_CACERT
> +static int set_cacert(char * const saddr, char * const ssz)
> +{
> + mbedtls_x509_crt crt;
> + ulong addr, sz;
> + int ret;
> +
> + if (cacert)
> + free(cacert);
> +
> + addr = hextoul(saddr, NULL);
> + sz = hextoul(ssz, NULL);
> + sz++; /* For the trailing '\0' in case of a text (PEM) file */
> +
> + if (!addr) {
> + cacert = NULL;
cacert is already allocated. Can't we just free it here if it's
supposed to be removed and reuse the memory otherwise, instead of
doing free/alloc on every command?
> + cacert_size = 0;
> + return CMD_RET_SUCCESS;
> + }
> +
> + cacert = malloc(sz);
> + if (!cacert)
> + return CMD_RET_FAILURE;
> + cacert_size = sz;
> +
> + memcpy(cacert, (void *)addr, sz - 1);
> + cacert[sz] = '\0';
> +
> + mbedtls_x509_crt_init(&crt);
> + ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size);
> + if (ret) {
> + printf("Could not parse certificates (%d)\n", ret);
> + free(cacert);
> + cacert = NULL;
> + cacert_size = 0;
> + return CMD_RET_FAILURE;
> + }
> +
> + return CMD_RET_SUCCESS;
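Review bot: `cacert[sz] = '\0';` writes one byte past the allocation: `sz` was already incremented for the terminator and `malloc(sz)` gives indices 0..sz-1, so the NUL belongs at `cacert[sz - 1]`. In the same function, `free(cacert)` at the top is followed by a `malloc` failure path that returns CMD_RET_FAILURE while `cacert` still holds the freed pointer and `cacert_size` the previous size, so a later HTTPS fetch would hand freed memory to the TLS engine; either reset both before the early return or free the old buffer only once the new one is allocated. `crt` is initialised and parsed but never released on either the error or the success path; since the parse here is only a validation, add `mbedtls_x509_crt_free(&crt)` before each return. Minor: `cacert_size` should be `static` like `cacert`.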
[...]
Thanks
/Ilias
More information about the U-Boot mailing list