[PATCH 0/5] net: lwip: root certificates

Da Xue da at lessconfused.com
Fri Jul 18 19:34:10 CEST 2025


On Fri, Jul 18, 2025 at 10:08 AM Jerome Forissier
<jerome.forissier at linaro.org> wrote:
>
> Hi Da,
>
> On 7/15/25 06:45, Da Xue wrote:
> > Hi Jerome,
> >
> >> Then new Kconfig symbols are added to support providing the certificates
> >> at build time, as a DER or PEM encoded X509 collection:
> >> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
> >> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
> >> command as well as for the builtin way).
> >>
> >> Here is a complete example (showing only the relevant output from the
> >> various commands):
> >>
> >>  make qemu_arm64_lwip_defconfig
> >>  wget https://curl.se/ca/cacert.pem
> >>  echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
> >>  echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
> >>  make olddefconfig
> >>  make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
> >>  qemu-system-aarch64 -M virt -nographic -cpu max \
> >>         -object rng-random,id=rng0,filename=/dev/urandom \
> >>         -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
> >>  => dhcp
> >>  # HTTPS transfer using the builtin CA certificates
> >>  => wget https://www.google.com/
> >>  18724 bytes transferred in 15 ms (1.2 MiB/s)
> >>  # Disable certificate validation
> >>  => wget cacert 0 0
> >>  # Unsafe HTTPS transfer
> >>  => wget https://www.google.com/
> >>  WARNING: no CA certificates, HTTPS connections not authenticated
> >>  16570 bytes transferred in 15 ms (1.1 MiB/s)
> >>  # Download and apply CA certificates from the net
> >>  => wget https://curl.se/ca/cacert.pem
> >>  WARNING: no CA certificates, HTTPS connections not authenticated
> >>  ##
> >>  233263 bytes transferred in 61 ms (3.6 MiB/s)
> >>  => wget cacert $fileaddr $filesize
> >>  # Now HTTPS is authenticated against the new CA
> >>  => wget https://www.google.com/
> >>  18743 bytes transferred in 14 ms (1.3 MiB/s)
> >>  # Drop the certificates again...
> >>  => wget cacert 0 0
> >>  # Check that transfer is not secure
> >>  => wget https://www.google.com/
> >>  WARNING: no CA certificates, HTTPS connections not authenticated
> >>  # Restore the builtin CA
> >>  => wget cacert builtin
> >>  # No more WARNING
> >>  => wget https://www.google.com/
> >>  18738 bytes transferred in 15 ms (1.2 MiB/s)
> >
> > Is there a simple way to convert multi-certificate root trust pem to
> > der? I tried packing it as a PKCS#7 and got "Could not parse
> > certificates (-8576)"
>
> AFAICT MBed TLS should be able to parse multiple root certificates as
> long as they are in DER form. U-Boot doesn't enable the PEM format at the
> moment, it is less space-efficient. Please try:
>
> openssl x509 -in cert.pem -outform DER -out cert.der

This only converts the first certificate to DER, not any of the other
certificates.

>
> Thanks,
> --
> Jerome
>
>
> >
> > Best Regards,
> > Da

Best Regards,
Da
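Since `openssl x509` stops after the first PEM block, here is an added example (not from this thread or from U-Boot) that decodes every block of a cacert.pem-style bundle into one DER object each, verifies that each object's outer SEQUENCE length matches its decoded size, and walks a concatenated DER blob back into individual certificates. It assumes the consumer accepts concatenated DER certificates, as the cover letter's "DER encoded X509 collection" suggests; the sample bundle is constructed and its payloads are tiny DER SEQUENCEs rather than real certificates.

```python
import base64
import re

# Constructed sample in the layout of curl's cacert.pem (name line, PEM block).
# Payloads are minimal DER SEQUENCEs, not real certificates.
SAMPLE_BUNDLE = """\
First Test CA
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
Second Test CA
-----BEGIN CERTIFICATE-----
MAYCAQECAQI=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_sequence_length(der: bytes) -> int:
    """Total length (tag + length bytes + content) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("object does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_bundle_to_der_list(text: str) -> list:
    """Decode every PEM certificate block, in order, into a DER byte string."""
    ders = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        if der_sequence_length(der) != len(der):
            raise ValueError("DER length does not match decoded size")
        ders.append(der)
    return ders


def split_der_bundle(blob: bytes) -> list:
    """Walk a concatenation of DER certificates using each SEQUENCE length."""
    ders, pos = [], 0
    while pos < len(blob):
        n = der_sequence_length(blob[pos:])
        if pos + n > len(blob):
            raise ValueError("truncated certificate at offset %d" % pos)
        ders.append(blob[pos:pos + n])
        pos += n
    return ders
```

Writing `b"".join(pem_bundle_to_der_list(open("cacert.pem").read()))` to a file gives the concatenated form; writing each element separately gives one DER file per CA.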

