public inbox for u-boot@lists.denx.de
From: Jerome Forissier <jerome.forissier@linaro.org>
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>,
	Jerome Forissier <jerome.forissier@linaro.org>
Subject: [PATCH 0/5] net: lwip: root certificates
Date: Thu, 27 Feb 2025 17:09:00 +0100	[thread overview]
Message-ID: <cover.1740672437.git.jerome.forissier@linaro.org> (raw)

This series adds support for HTTP server authentication using root (CA)
certificates.

As a first step, the wget command is extended to support a sub-command:
cacert <addr> <size>. The memory region shall contain the CA
certificates. With this, it is possible to load the certificates from
storage or get them from the network for example, which is convenient
for testing at least. The Kconfig symbol for this feature is
WGET_CACERT=y.

Then new Kconfig symbols are added to support providing the certificates
at build time, as a DER or PEM encoded X509 collection:
WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
command as well as for the builtin way).

Here is a complete example (showing only the relevant output from the
various commands):

 make qemu_arm64_lwip_defconfig
 wget https://curl.se/ca/cacert.pem
 echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
 echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
 make olddefconfig
 make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
 qemu-system-aarch64 -M virt -nographic -cpu max \
        -object rng-random,id=rng0,filename=/dev/urandom \
        -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
 => dhcp
 # HTTPS transfer using the builtin CA certificates
 => wget https://www.google.com/
 18724 bytes transferred in 15 ms (1.2 MiB/s)
 # Disable certificate validation
 => wget cacert 0 0
 # Unsafe HTTPS transfer
 => wget https://www.google.com/
 WARNING: no CA certificates, HTTPS connections not authenticated
 16570 bytes transferred in 15 ms (1.1 MiB/s)
 # Download and apply CA certificates from the net
 => wget https://curl.se/ca/cacert.pem
 WARNING: no CA certificates, HTTPS connections not authenticated
 ##
 233263 bytes transferred in 61 ms (3.6 MiB/s)
 => wget cacert $fileaddr $filesize
 # Now HTTPS is authenticated against the new CA
 => wget https://www.google.com/
 18743 bytes transferred in 14 ms (1.3 MiB/s)
 # Drop the certificates again...
 => wget cacert 0 0
 # Check that transfer is not secure
 => wget https://www.google.com/
 WARNING: no CA certificates, HTTPS connections not authenticated
 # Restore the builtin CA
 => wget cacert builtin
 # No more WARNING
 => wget https://www.google.com/
 18738 bytes transferred in 15 ms (1.2 MiB/s)

Jerome Forissier (5):
  net: lwip: extend wget to support CA (root) certificates
  lwip: tls: enforce checking of server certificates based on CA
    availability
  lwip: tls: warn when no CA exists and log certificate validation
    errors
  net: lwip: add support for built-in root certificates
  configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and
    MBEDTLS_LIB_X509_PEM

 cmd/Kconfig                                   | 29 ++++++
 cmd/net-lwip.c                                | 19 +++-
 configs/qemu_arm64_lwip_defconfig             |  2 +
 .../src/apps/altcp_tls/altcp_tls_mbedtls.c    |  9 +-
 .../lwip/apps/altcp_tls_mbedtls_opts.h        |  6 --
 lib/mbedtls/Makefile                          |  3 +
 lib/mbedtls/mbedtls_def_config.h              |  5 ++
 net/lwip/Makefile                             |  6 ++
 net/lwip/wget.c                               | 90 ++++++++++++++++++-
 9 files changed, 158 insertions(+), 11 deletions(-)

-- 
2.43.0


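An added example, written for this page and not part of the series or of U-Boot's code: a stand-alone C splitter for the memory region that "wget cacert <addr> <size>" receives. It classifies the region as DER or PEM (the distinction that decides whether MBEDTLS_LIB_X509_PEM=y is needed), treats an empty region as "no CA" in the spirit of "wget cacert 0 0", and decodes every PEM certificate block to DER, rejecting the whole bundle on a missing END trailer or bad base64 so that a corrupted file is not half-loaded. The sample bundle, the function names and the der_cert struct are constructed for the example; the decoded DER would next go to an X.509 parser (for instance mbedtls_x509_crt_parse), which is not called here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Classification of the region passed to "wget cacert <addr> <size>". */
enum cacert_kind { CACERT_NONE, CACERT_DER, CACERT_PEM, CACERT_INVALID };

/* Location of one decoded DER certificate inside the output buffer. */
struct der_cert { size_t off; size_t len; };

static int is_ws(int c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Bounded substring search; returns the offset of pat in buf, or -1. */
static long find(const uint8_t *buf, size_t len, const char *pat)
{
    size_t pl = strlen(pat), i;

    if (len < pl)
        return -1;
    for (i = 0; i + pl <= len; i++)
        if (!memcmp(buf + i, pat, pl))
            return (long)i;
    return -1;
}

/* Size 0 is the "no CA" case (wget cacert 0 0): HTTPS stays unauthenticated.
 * DER starts with an ASN.1 SEQUENCE tag (0x30); a PEM bundle is recognised by
 * its header anywhere in the region, since curl's cacert.pem starts with
 * comment lines rather than with the first certificate. */
enum cacert_kind cacert_kind(const uint8_t *buf, size_t len)
{
    if (!buf || len == 0)
        return CACERT_NONE;
    if (buf[0] == 0x30)
        return CACERT_DER;
    if (find(buf, len, PEM_BEGIN) >= 0)
        return CACERT_PEM;          /* needs MBEDTLS_LIB_X509_PEM=y */
    return CACERT_INVALID;
}

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 that may contain line breaks; returns bytes written, or -1. */
static long b64_decode(const uint8_t *src, size_t n, uint8_t *out, size_t cap)
{
    uint32_t acc = 0;
    int bits = 0, pad = 0;
    size_t w = 0, i;

    for (i = 0; i < n; i++) {
        int c = src[i], v;

        if (is_ws(c))
            continue;
        if (c == '=') { pad++; continue; }
        v = b64val(c);
        if (pad || v < 0)           /* data after '=' or a non-alphabet byte */
            return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (w >= cap)
                return -1;
            out[w++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return pad > 2 ? -1 : (long)w;
}

/* Split a PEM bundle into DER blobs laid out back to back in `out`. Returns
 * the certificate count, or -1 on BEGIN without END, bad base64 or no room,
 * so that a corrupted bundle is rejected as a whole, never half-loaded. */
int pem_bundle_to_der(const uint8_t *buf, size_t len, uint8_t *out, size_t cap,
                      struct der_cert *certs, int maxcerts)
{
    size_t pos = 0, w = 0;
    int n = 0;

    while (pos < len) {
        long b = find(buf + pos, len - pos, PEM_BEGIN), e, dlen;
        size_t body;

        if (b < 0)
            break;                  /* no more blocks; trailing text is ignored */
        body = pos + (size_t)b + strlen(PEM_BEGIN);
        e = find(buf + body, len - body, PEM_END);
        if (e < 0 || n >= maxcerts)
            return -1;
        dlen = b64_decode(buf + body, (size_t)e, out + w, cap - w);
        if (dlen <= 0)
            return -1;
        certs[n].off = w;
        certs[n].len = (size_t)dlen;
        n++;
        w += (size_t)dlen;
        pos = body + (size_t)e + strlen(PEM_END);
    }
    return n;
}

/* Constructed sample: two blocks whose base64 decodes to the DER-looking bytes
 * 30 03 02 01 05 and 30 00; not real certificates. */
static const char SAMPLE_PEM[] =
    "## constructed bundle, comment line as in curl's cacert.pem\n"
    "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n";
static const char TRUNCATED_PEM[] = "-----BEGIN CERTIFICATE-----\nMAA=\n";

static uint8_t g_der[64];
static struct der_cert g_certs[4];

int sample_load(void)               /* certificate count for SAMPLE_PEM */
{
    return pem_bundle_to_der((const uint8_t *)SAMPLE_PEM, sizeof(SAMPLE_PEM) - 1,
                             g_der, sizeof(g_der), g_certs, 4);
}
long sample_cert_len(int i) { return sample_load() > i ? (long)g_certs[i].len : -1; }
int sample_der_byte(size_t i) { return sample_load() > 0 && i < sizeof(g_der) ? g_der[i] : -1; }
int truncated_load(void)            /* -1: rejected as a whole */
{
    return pem_bundle_to_der((const uint8_t *)TRUNCATED_PEM, sizeof(TRUNCATED_PEM) - 1,
                             g_der, sizeof(g_der), g_certs, 4);
}

int main(void)
{
    int n = sample_load(), i;

    printf("kind=%d certs=%d\n",
           cacert_kind((const uint8_t *)SAMPLE_PEM, sizeof(SAMPLE_PEM) - 1), n);
    for (i = 0; i < n; i++)
        printf("cert %d: %zu DER bytes at offset %zu\n", i, g_certs[i].len, g_certs[i].off);
    printf("truncated bundle -> %d\n", truncated_load());
    return 0;
}
```

The all-or-nothing return of pem_bundle_to_der is the point worth keeping when adapting this: a bundle that is partially loaded still makes later HTTPS transfers look authenticated, whereas rejecting it keeps the loud "no CA certificates" warning path.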

Thread overview: 30+ messages
2025-02-27 16:09 Jerome Forissier [this message]
2025-02-27 16:09 ` [PATCH 1/5] net: lwip: extend wget to support CA (root) certificates Jerome Forissier
2025-02-28 21:24   ` Ilias Apalodimas
2025-03-05 12:09     ` Jerome Forissier
2025-02-27 16:09 ` [PATCH 2/5] lwip: tls: enforce checking of server certificates based on CA availability Jerome Forissier
2025-02-28 21:26   ` Ilias Apalodimas
2025-03-05 12:27     ` Jerome Forissier
2025-02-27 16:09 ` [PATCH 3/5] lwip: tls: warn when no CA exists and log certificate validation errors Jerome Forissier
2025-02-28 21:28   ` Ilias Apalodimas
2025-02-27 16:09 ` [PATCH 4/5] net: lwip: add support for built-in root certificates Jerome Forissier
2025-02-27 16:38   ` Jerome Forissier
2025-03-01  6:59     ` Ilias Apalodimas
2025-03-05 12:34       ` Jerome Forissier
2025-02-27 16:09 ` [PATCH 5/5] configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and MBEDTLS_LIB_X509_PEM Jerome Forissier
2025-02-28 21:28   ` Ilias Apalodimas
2025-02-27 16:27 ` [PATCH 0/5] net: lwip: root certificates Simon Glass
2025-02-27 16:43   ` Jerome Forissier
2025-03-04 15:46     ` Simon Glass
2025-03-07 10:49       ` Jerome Forissier
2025-03-13 12:51         ` Simon Glass
2025-03-13 13:23           ` Jerome Forissier
2025-03-14 22:01             ` Jerome Forissier
2025-03-15 12:47               ` Simon Glass
2025-02-27 18:06 ` Tom Rini
2025-02-27 18:31   ` Jerome Forissier
2025-02-28  7:40     ` Ilias Apalodimas
2025-02-28 11:42       ` Jerome Forissier
2025-07-15  4:45 ` Da Xue
2025-07-18 14:08   ` Jerome Forissier
2025-07-18 17:34     ` Da Xue
