@@ -2177,6 +2177,21 @@ config WGET_HTTPS
help
Enable TLS over http for wget.
+config WGET_CACERT
+ bool "wget cacert"
+ depends on CMD_WGET
+ depends on WGET_HTTPS
+ help
+ Adds the "cacert" sub-command to wget to provide root certificates
+ to the HTTPS engine.
+
+config MBEDTLS_LIB_X509_PEM
+ depends on WGET_CACERT
+ bool "Support for PEM-encoded X509 certificates"
+ help
+ This option enables MbedTLS to parse PEM-encoded X509 certificates.
+ When disabled, only DER format is accepted.
+
endif # if CMD_NET
config CMD_PXE
@@ -27,9 +27,18 @@ U_BOOT_CMD(dns, 3, 1, do_dns, "lookup the IP of a hostname",
#endif
#if defined(CONFIG_CMD_WGET)
-U_BOOT_CMD(wget, 3, 1, do_wget,
- "boot image via network using HTTP/HTTPS protocol",
+U_BOOT_CMD(wget, 4, 1, do_wget,
+ "boot image via network using HTTP/HTTPS protocol"
+#if defined(CONFIG_WGET_CACERT)
+ "\nwget cacert - configure wget root certificates"
+#endif
+ ,
"[loadAddress] url\n"
- "wget [loadAddress] [host:]path"
+ "wget [loadAddress] [host:]path\n"
+ " - load file"
+#if defined(CONFIG_WGET_CACERT)
+ "\nwget cacert <address> <length>\n"
+ " - provide CA certificates (0 0 to disable verification)"
+#endif
);
#endif
@@ -57,6 +57,9 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crt.o
mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pkcs7.o
+mbedtls_lib_x509-$(CONFIG_MBEDTLS_LIB_X509_PEM) += \
+ $(MBEDTLS_LIB_DIR)/base64.o \
+ $(MBEDTLS_LIB_DIR)/pem.o
#mbedTLS TLS support
obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
@@ -138,6 +138,11 @@
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+/* CA certificates parsing */
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509_PEM)
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_BASE64_C
+#endif
#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
#endif /* #if defined CONFIG_MBEDTLS_LIB */
@@ -285,6 +285,53 @@ static err_t httpc_headers_done_cb(httpc_state_t *connection, void *arg, struct
return ERR_OK;
}
+#if defined CONFIG_WGET_HTTPS
+static char *cacert;
+size_t cacert_size;
+#endif
+
+#if defined CONFIG_WGET_CACERT
+static int set_cacert(char * const saddr, char * const ssz)
+{
+ mbedtls_x509_crt crt;
+ ulong addr, sz;
+ int ret;
+
+ if (cacert)
+ free(cacert);
+
+ addr = hextoul(saddr, NULL);
+ sz = hextoul(ssz, NULL);
+ sz++; /* For the trailing '\0' in case of a text (PEM) file */
+
+ if (!addr) {
+ cacert = NULL;
+ cacert_size = 0;
+ return CMD_RET_SUCCESS;
+ }
+
+ cacert = malloc(sz);
+ if (!cacert)
+ return CMD_RET_FAILURE;
+ cacert_size = sz;
+
+ memcpy(cacert, (void *)addr, sz - 1);
+ cacert[sz] = '\0';
+
+ mbedtls_x509_crt_init(&crt);
+ ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size);
+ if (ret) {
+ printf("Could not parse certificates (%d)\n", ret);
+ free(cacert);
+ cacert = NULL;
+ cacert_size = 0;
+ return CMD_RET_FAILURE;
+ }
+
+ return CMD_RET_SUCCESS;
+}
+#endif
+
static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)
{
#if defined CONFIG_WGET_HTTPS
@@ -316,7 +363,8 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)
if (is_https) {
tls_allocator.alloc = &altcp_tls_alloc;
tls_allocator.arg =
- altcp_tls_create_config_client(NULL, 0, ctx.server_name);
+ altcp_tls_create_config_client(cacert, cacert_size,
+ ctx.server_name);
if (!tls_allocator.arg) {
log_err("error: Cannot create a TLS connection\n");
@@ -369,6 +417,11 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[])
ulong dst_addr;
char nurl[1024];
+#if defined CONFIG_WGET_CACERT
+ if (argc == 4 && !strncmp(argv[1], "cacert", strlen("cacert")))
+ return set_cacert(argv[2], argv[3]);
+#endif
+
if (argc < 2 || argc > 3)
return CMD_RET_USAGE;
Add the "cacert" (Certification Authority certificates) subcommand to wget to pass root certificates to the code handling the HTTPS protocol. The subcommand is enabled by the WGET_CACERT Kconfig symbol. Usage example: => dhcp # Download some root certificates (note: not authenticated!) => wget https://curl.se/ca/cacert.pem # Enable certificate verification => wget cacert $loadaddr $filesize # Disable certificate verification => wget cacert 0 0 Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> --- cmd/Kconfig | 15 +++++++++ cmd/net-lwip.c | 15 +++++++-- lib/mbedtls/Makefile | 3 ++ lib/mbedtls/mbedtls_def_config.h | 5 +++ net/lwip/wget.c | 55 +++++++++++++++++++++++++++++++- 5 files changed, 89 insertions(+), 4 deletions(-)