From: Michael Brown Date: Sun, 18 Mar 2012 22:55:29 +0000 (+0000) Subject: [build] Allow trusted root certificates to be specified at build time X-Git-Tag: v1.20.1~1927 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aee3a064f22f994a930990c1bb0d339412e65d76;p=thirdparty%2Fipxe.git [build] Allow trusted root certificates to be specified at build time Allow trusted root certificates to be specified at build time using the syntax make TRUST=/path/to/certificate1,/path/to/certificate2,... The build process uses openssl to calculate the SHA-256 fingerprints of the specified certificates, and adds them to the root certificate store in rootcert.c. The certificates can be in any format understood by openssl. The certificates may be server certificates or (more usefully) CA certificates. If no trusted certificates are specified, then the default "iPXE root CA" certificate will be used. Signed-off-by: Michael Brown --- diff --git a/src/Makefile b/src/Makefile index c30dc5c97..0189a469d 100644 --- a/src/Makefile +++ b/src/Makefile @@ -32,6 +32,7 @@ RANLIB := $(CROSS_COMPILE)ranlib OBJCOPY := $(CROSS_COMPILE)objcopy NM := $(CROSS_COMPILE)nm OBJDUMP := $(CROSS_COMPILE)objdump +OPENSSL := openssl PARSEROM := ./util/parserom.pl FIXROM := ./util/fixrom.pl SYMCHECK := ./util/symcheck.pl diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping index 41c595628..daac97b9f 100644 --- a/src/Makefile.housekeeping +++ b/src/Makefile.housekeeping @@ -637,6 +637,34 @@ $(BIN)/embedded.o : override CC := env CCACHE_DISABLE=1 $(CC) CFLAGS_embedded = -DEMBED_ALL="$(EMBED_ALL)" +# List of trusted root certificates +# +TRUSTED_LIST := $(BIN)/.trusted.list +ifeq ($(wildcard $(TRUSTED_LIST)),) +TRUST_OLD := +else +TRUST_OLD := $(shell cat $(TRUSTED_LIST)) +endif +ifneq ($(TRUST_OLD),$(TRUST)) +$(shell $(ECHO) "$(TRUST)" > $(TRUSTED_LIST)) +endif + +$(TRUSTED_LIST) : + +VERYCLEANUP += $(TRUSTED_LIST) + +# Trusted root certificate fingerprints +# +TRUSTED_CERTS := $(subst $(COMMA), ,$(TRUST)) +TRUSTED_FPS := $(foreach CERT,$(TRUSTED_CERTS),\ + 0x$(subst :,$(COMMA) 0x,$(lastword $(subst =, ,\ + $(shell $(OPENSSL) x509 -in $(CERT) -noout -sha256 \ + -fingerprint))))$(COMMA)) + +$(BIN)/rootcert.o : $(TRUSTED_FILES) $(TRUSTED_LIST) + +CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)") + # Generate error usage information # $(BIN)/%.einfo : $(BIN)/%.o