[PATCH v2 1/6] net: lwip: extend wget to support CA (root) certificates
Ilias Apalodimas
ilias.apalodimas at linaro.org
Sun Mar 9 11:58:55 CET 2025
Hi Jerome, Heinrich
On Wed, 5 Mar 2025 at 17:13, Jerome Forissier
<jerome.forissier at linaro.org> wrote:
>
> Hi Heinrich,
>
> On 3/5/25 16:07, Heinrich Schuchardt wrote:
> > On 05.03.25 15:26, Jerome Forissier wrote:
> >> Add the "cacert" (Certification Authority certificates) subcommand to
> >> wget to pass root certificates to the code handling the HTTPS protocol.
> >> The subcommand is enabled by the WGET_CACERT Kconfig symbol.
> >>
> >> Usage example:
> >>
> >> => dhcp
> >> # Download some root certificates (note: not authenticated!)
> >> => wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
> >> # Provide root certificates
> >> => wget cacert $fileaddr $filesize
> >> # Enforce verification (it is optional by default)
> >> => wget cacert required
> >> # Forget the root certificates
> >> => wget cacert 0 0
> >> # Disable verification
> >> => wget cacert none
> >>
> >> Signed-off-by: Jerome Forissier <jerome.forissier at linaro.org>
> >> ---
> >> cmd/Kconfig | 8 ++++
> >> cmd/net-lwip.c | 17 ++++++--
> >> net/lwip/wget.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++--
> >> 3 files changed, 121 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/cmd/Kconfig b/cmd/Kconfig
> >> index 8dd42571abc..d469217c0ea 100644
> >> --- a/cmd/Kconfig
> >> +++ b/cmd/Kconfig
> >> @@ -2177,6 +2177,14 @@ config WGET_HTTPS
> >> help
> >> Enable TLS over http for wget.
> >>
> >> +config WGET_CACERT
> >> + bool "wget cacert"
> >> + depends on CMD_WGET
> >> + depends on WGET_HTTPS
> >> + help
> >> + Adds the "cacert" sub-command to wget to provide root certificates
> >> + to the HTTPS engine. Must be in DER format.
> >> +
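Review bot: the help text for WGET_CACERT should say that server verification stays optional after certificates are loaded and is only enforced by "wget cacert required", as the commit message states; a user enabling this symbol could otherwise assume that providing a root certificate makes HTTPS downloads verified. The sentence "Must be in DER format." also lacks a subject. Suggest something like "Certificates must be in DER format. Verification is optional unless 'wget cacert required' is used."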
> >
> > Shouldn't we build CA certs into U-Boot?
> > Downloading certs from unsafe media is not a good replacement.
>
> That's the purpose of patch 4/6 [1]. Although downloading may still be a
> valid option when used with hash verification as I mentioned in a reply to
> Ilias in v1 [2].
>
FWIW I think this still makes sense for people that don't want or cannot add the cert in the U-Boot binary, but can add a signed script to download it on the fly.
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
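The flow discussed above (download the root certificate at runtime, check it against a known hash, then enforce verification), written out as an added U-Boot boot-script example that is not part of the patch or of U-Boot. It uses the "wget cacert" subcommand syntax from the commit message and U-Boot's existing "hash -v" command (CONFIG_CMD_HASH), so it assumes both CONFIG_WGET_CACERT and CONFIG_CMD_HASH are enabled; the SHA-256 value is a placeholder to be replaced with the real digest, and the script is assumed to be authenticated itself (for instance carried in a signed FIT image) so that the embedded digest can be trusted. The artifact URL in the final step is also an assumption.

```uboot
# Added example, not from the patch or U-Boot. Fetch a DER root certificate,
# verify it against a digest embedded in this (signed) script, and only then
# hand it to wget and require TLS verification for the real download.
setenv cacert_url https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
# Placeholder digest: replace with the real SHA-256 of the DER file.
setenv cacert_sha256 0000000000000000000000000000000000000000000000000000000000000000

dhcp

# The certificate download itself is not authenticated; wget sets
# $fileaddr and $filesize on success. 'hash -v' recomputes the SHA-256 over
# that memory range and fails if it does not match the immediate value.
if wget ${cacert_url} && hash -v sha256 ${fileaddr} ${filesize} ${cacert_sha256}; then
    # Hand the verified certificate to the HTTPS engine ...
    wget cacert ${fileaddr} ${filesize}
    # ... and make verification mandatory for every following HTTPS transfer.
    wget cacert required
    # Assumed artifact location; from here on a server the CA cannot vouch for fails.
    wget https://example.com/fitImage
else
    echo "CA certificate download or digest check failed, refusing to continue"
    # Make sure no half-trusted state is left behind.
    wget cacert 0 0
fi
```

The order matters: "wget cacert required" must come after the certificate has been loaded, otherwise the certificate download itself would be rejected. The hash check only adds security because the script that carries the expected digest is authenticated before it runs; an unsigned script with an embedded hash is no better than the unauthenticated download Heinrich objected to.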