Browse Source

[build] Allow trusted root certificates to be specified at build time

Allow trusted root certificates to be specified at build time using
the syntax

  make TRUST=/path/to/certificate1,/path/to/certificate2,...

The build process uses openssl to calculate the SHA-256 fingerprints
of the specified certificates, and adds them to the root certificate
store in rootcert.c.  The certificates can be in any format understood
by openssl.

The certificates may be server certificates or (more usefully) CA
certificates.

If no trusted certificates are specified, then the default "iPXE root
CA" certificate will be used.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 years ago
parent
commit
aee3a064f2
2 changed files with 29 additions and 0 deletions
  1. 1
    0
      src/Makefile
  2. 28
    0
      src/Makefile.housekeeping

+ 1
- 0
src/Makefile View File

32
 OBJCOPY		:= $(CROSS_COMPILE)objcopy
32
 OBJCOPY		:= $(CROSS_COMPILE)objcopy
33
 NM		:= $(CROSS_COMPILE)nm
33
 NM		:= $(CROSS_COMPILE)nm
34
 OBJDUMP		:= $(CROSS_COMPILE)objdump
34
 OBJDUMP		:= $(CROSS_COMPILE)objdump
35
+OPENSSL		:= openssl
35
 PARSEROM	:= ./util/parserom.pl
36
 PARSEROM	:= ./util/parserom.pl
36
 FIXROM		:= ./util/fixrom.pl
37
 FIXROM		:= ./util/fixrom.pl
37
 SYMCHECK	:= ./util/symcheck.pl
38
 SYMCHECK	:= ./util/symcheck.pl

+ 28
- 0
src/Makefile.housekeeping View File

637
 
637
 
638
 CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"
638
 CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"
639
 
639
 
640
+# List of trusted root certificates
641
+#
642
+TRUSTED_LIST	:= $(BIN)/.trusted.list
643
+ifeq ($(wildcard $(TRUSTED_LIST)),)
644
+TRUST_OLD := <invalid>
645
+else
646
+TRUST_OLD := $(shell cat $(TRUSTED_LIST))
647
+endif
648
+ifneq ($(TRUST_OLD),$(TRUST))
649
+$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST))
650
+endif
651
+
652
+$(TRUSTED_LIST) :
653
+
654
+VERYCLEANUP	+= $(TRUSTED_LIST)
655
+
656
+# Trusted root certificate fingerprints
657
+#
658
+TRUSTED_CERTS	:= $(subst $(COMMA), ,$(TRUST))
659
+TRUSTED_FPS	:= $(foreach CERT,$(TRUSTED_CERTS),\
660
+		     0x$(subst :,$(COMMA) 0x,$(lastword $(subst =, ,\
661
+			 $(shell $(OPENSSL) x509 -in $(CERT) -noout -sha256 \
662
+				 -fingerprint))))$(COMMA))
663
+
664
+$(BIN)/rootcert.o : $(TRUSTED_FILES) $(TRUSTED_LIST)
665
+
666
+CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")
667
+
640
 # Generate error usage information
668
 # Generate error usage information
641
 #
669
 #
642
 $(BIN)/%.einfo : $(BIN)/%.o
670
 $(BIN)/%.einfo : $(BIN)/%.o

Loading…
Cancel
Save