Skip to content
Permalink
Browse files

[build] Allow trusted root certificates to be specified at build time

Allow trusted root certificates to be specified at build time using
the syntax

  make TRUST=/path/to/certificate1,/path/to/certificate2,...

The build process uses openssl to calculate the SHA-256 fingerprints
of the specified certificates, and adds them to the root certificate
store in rootcert.c.  The certificates can be in any format understood
by openssl.

The certificates may be server certificates or (more usefully) CA
certificates.

If no trusted certificates are specified, then the default "iPXE root
CA" certificate will be used.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
mcb30 committed Mar 19, 2012
1 parent 4d3b547 commit aee3a064f22f994a930990c1bb0d339412e65d76
Showing with 29 additions and 0 deletions.
  1. +1 −0 src/Makefile
  2. +28 −0 src/Makefile.housekeeping
@@ -32,6 +32,7 @@ RANLIB := $(CROSS_COMPILE)ranlib
OBJCOPY := $(CROSS_COMPILE)objcopy
NM := $(CROSS_COMPILE)nm
OBJDUMP := $(CROSS_COMPILE)objdump
OPENSSL := openssl
PARSEROM := ./util/parserom.pl
FIXROM := ./util/fixrom.pl
SYMCHECK := ./util/symcheck.pl
@@ -637,6 +637,34 @@ $(BIN)/embedded.o : override CC := env CCACHE_DISABLE=1 $(CC)

CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)"

# List of trusted root certificates
#
TRUSTED_LIST := $(BIN)/.trusted.list
ifeq ($(wildcard $(TRUSTED_LIST)),)
TRUST_OLD := <invalid>
else
TRUST_OLD := $(shell cat $(TRUSTED_LIST))
endif
ifneq ($(TRUST_OLD),$(TRUST))
$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST))
endif

$(TRUSTED_LIST) :

VERYCLEANUP += $(TRUSTED_LIST)

# Trusted root certificate fingerprints
#
TRUSTED_CERTS := $(subst $(COMMA), ,$(TRUST))
TRUSTED_FPS := $(foreach CERT,$(TRUSTED_CERTS),\
0x$(subst :,$(COMMA) 0x,$(lastword $(subst =, ,\
$(shell $(OPENSSL) x509 -in $(CERT) -noout -sha256 \
-fingerprint))))$(COMMA))

$(BIN)/rootcert.o : $(TRUSTED_FILES) $(TRUSTED_LIST)

CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")

# Generate error usage information
#
$(BIN)/%.einfo : $(BIN)/%.o

0 comments on commit aee3a06

Please sign in to comment.
You can’t perform that action at this time.