| author | Jerome Forissier <[email protected]> | 2025-03-05 15:26:42 +0100 |
|---|---|---|
| committer | Jerome Forissier <[email protected]> | 2025-03-11 14:16:03 +0100 |
| commit | 2df965d385872b2ae49a79c2cab4679a8999467f (patch) | |
| tree | 98e155e93f866b6376f1474e232085b7937e7d1f /cmd | |
| parent | 64ce9bfc6d53423d4f6d382837a33c3dffb152af (diff) | |
net: lwip: extend wget to support CA (root) certificates
Add the "cacert" (Certification Authority certificates) subcommand to
wget to pass root certificates to the code handling the HTTPS protocol.
The subcommand is enabled by the WGET_CACERT Kconfig symbol.
Usage example:
=> dhcp
# Download some root certificates (note: not authenticated!)
=> wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
# Provide root certificates
=> wget cacert $fileaddr $filesize
# Enforce verification (it is optional by default)
=> wget cacert required
# Forget the root certificates
=> wget cacert 0 0
# Disable verification
=> wget cacert none
Signed-off-by: Jerome Forissier <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
Diffstat (limited to 'cmd')
| -rw-r--r-- | cmd/Kconfig | 8 | ||||
| -rw-r--r-- | cmd/net-lwip.c | 17 |
2 files changed, 22 insertions, 3 deletions
diff --git a/cmd/Kconfig b/cmd/Kconfig index bfed141914a..764de482890 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -2176,6 +2176,14 @@ config WGET_HTTPS help Enable TLS over http for wget. +config WGET_CACERT + bool "wget cacert" + depends on CMD_WGET + depends on WGET_HTTPS + help + Adds the "cacert" sub-command to wget to provide root certificates + to the HTTPS engine. Must be in DER format. + endif # if CMD_NET config CMD_PXE diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c index 0fd446ecb20..1152c94a6dc 100644 --- a/cmd/net-lwip.c +++ b/cmd/net-lwip.c @@ -27,9 +27,20 @@ U_BOOT_CMD(dns, 3, 1, do_dns, "lookup the IP of a hostname", #endif #if defined(CONFIG_CMD_WGET) -U_BOOT_CMD(wget, 3, 1, do_wget, - "boot image via network using HTTP/HTTPS protocol", +U_BOOT_CMD(wget, 4, 1, do_wget, + "boot image via network using HTTP/HTTPS protocol" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert - configure wget root certificates" +#endif + , "[loadAddress] url\n" - "wget [loadAddress] [host:]path" + "wget [loadAddress] [host:]path\n" + " - load file" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert <address> <length>\n" + " - provide CA certificates (0 0 to remove current)" + "\nwget cacert none|optional|required\n" + " - set server certificate verification mode (default: optional)" +#endif ); #endif |
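Review bot: In the cmd/Kconfig hunk, the WGET_CACERT help text ends with "Must be in DER format." with no subject, and it does not say that enabling the option by itself does not enforce server authentication. The usage text added in cmd/net-lwip.c states that the verification mode defaults to "optional", so someone reading only the Kconfig help could assume that providing root certificates is enough. Suggest rewording to "The certificates must be in DER format." and adding one sentence that verification is only enforced after "wget cacert required".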
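Review bot: In the cmd/net-lwip.c hunk, the maxargs value in U_BOOT_CMD(wget, 4, 1, do_wget, ...) is raised from 3 to 4 outside the #if defined(CONFIG_WGET_CACERT) guards, so builds without WGET_CACERT now accept a fourth argument that none of their documented forms use. Either make the argument count conditional on CONFIG_WGET_CACERT or confirm that do_wget (not shown in this diff) returns a usage error for the extra argument. Separately, the "wget cacert <address> <length>" help line does not mention the DER requirement that the Kconfig help states, and "optional" is not explained; a short phrase on each would let the user see from the command help what format is expected and what happens when verification fails in the default mode.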
