This series adds support for HTTP server authentication using root (CA) certificates.
As a first step, the wget command is extended to support a sub-command:
cacert <addr> <size>. The memory region shall contain the CA certificates.
With this, it is possible to load the certificates from storage or get them
from the network for example, which is convenient for testing at least. The
Kconfig symbol for this feature is WGET_CACERT=y.

Then new Kconfig symbols are added to support providing the certificates at
build time, as a DER or PEM encoded X509 collection: WGET_BUILTIN_CACERT=y
and WGET_BUILTIN_CACERT_PATH=<some path>. Note that PEM support requires
MBEDTLS_LIB_X509_PEM=y (for the cacert command as well as for the builtin
way).

Here is a complete example (showing only the relevant output from the
various commands):

make qemu_arm64_lwip_defconfig
wget https://curl.se/ca/cacert.pem
echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
make olddefconfig
make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
qemu-system-aarch64 -M virt -nographic -cpu max \
    -object rng-random,id=rng0,filename=/dev/urandom \
    -device virtio-rng-pci,rng=rng0 -bios u-boot.bin

=> dhcp
# HTTPS transfer using the builtin CA certificates
=> wget https://www.google.com/
18724 bytes transferred in 15 ms (1.2 MiB/s)
# Disable certificate validation
=> wget cacert 0 0
# Unsafe HTTPS transfer
=> wget https://www.google.com/
WARNING: no CA certificates, HTTPS connections not authenticated
16570 bytes transferred in 15 ms (1.1 MiB/s)
# Download and apply CA certificates from the net
=> wget https://curl.se/ca/cacert.pem
WARNING: no CA certificates, HTTPS connections not authenticated
##
233263 bytes transferred in 61 ms (3.6 MiB/s)
=> wget cacert $fileaddr $filesize
# Now HTTPS is authenticated against the new CA
=> wget https://www.google.com/
18743 bytes transferred in 14 ms (1.3 MiB/s)
# Drop the certificates again...
=> wget cacert 0 0
# Check that transfer is not secure
=> wget https://www.google.com/
WARNING: no CA certificates, HTTPS connections not authenticated
# Restore the builtin CA
=> wget cacert builtin
# No more WARNING
=> wget https://www.google.com/
18738 bytes transferred in 15 ms (1.2 MiB/s)

Jerome Forissier (5):
  net: lwip: extend wget to support CA (root) certificates
  lwip: tls: enforce checking of server certificates based on CA availability
  lwip: tls: warn when no CA exists and log certificate validation errors
  net: lwip: add support for built-in root certificates
  configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and MBEDTLS_LIB_X509_PEM

 cmd/Kconfig                                   | 29 ++++++
 cmd/net-lwip.c                                | 19 +++-
 configs/qemu_arm64_lwip_defconfig             |  2 +
 .../src/apps/altcp_tls/altcp_tls_mbedtls.c    |  9 +-
 .../lwip/apps/altcp_tls_mbedtls_opts.h        |  6 --
 lib/mbedtls/Makefile                          |  3 +
 lib/mbedtls/mbedtls_def_config.h              |  5 ++
 net/lwip/Makefile                             |  6 ++
 net/lwip/wget.c                               | 90 ++++++++++++++++++-
 9 files changed, 158 insertions(+), 11 deletions(-)

-- 
2.43.0
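As an added example that is not part of this series, a POSIX shell helper for the build step above: it inspects the bundle that will be given as WGET_BUILTIN_CACERT_PATH, refuses a missing or empty file, tells PEM from DER, and prints the .config lines to append before make olddefconfig, adding CONFIG_MBEDTLS_LIB_X509_PEM=y only when the bundle is PEM (the cover letter's stated requirement). The function names are my own.

```shell
#!/bin/sh
# Added example, not U-Boot code: sanity-check a CA bundle before it is
# baked into the image as the built-in root store. A build that points
# WGET_BUILTIN_CACERT_PATH at a wrong or empty file would ship without a
# usable trust anchor, so fail early here rather than at the U-Boot prompt.

# Print "pem", "der" or "unknown" for the bundle at $1.
cacert_bundle_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        # A DER-encoded certificate starts with an ASN.1 SEQUENCE tag (0x30).
        echo der
    else
        echo unknown
    fi
}

# Count the certificates in a PEM bundle.
cacert_pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Emit the CONFIG_ lines for the bundle at $1; return 1 if it is unusable.
wget_builtin_cacert_config() {
    bundle=$1
    if [ ! -s "$bundle" ]; then
        echo "error: CA bundle '$bundle' is missing or empty" >&2
        return 1
    fi
    fmt=$(cacert_bundle_format "$bundle")
    case $fmt in
        pem)
            [ "$(cacert_pem_count "$bundle")" -gt 0 ] || return 1
            # PEM parsing in mbedTLS is optional; the cover letter requires it.
            echo "CONFIG_MBEDTLS_LIB_X509_PEM=y" ;;
        der) ;;
        *)
            echo "error: '$bundle' is neither PEM nor DER" >&2
            return 1 ;;
    esac
    echo "CONFIG_WGET_BUILTIN_CACERT=y"
    echo "CONFIG_WGET_BUILTIN_CACERT_PATH=$bundle"
}

# Usage: wget_builtin_cacert_config cacert.pem >> .config && make olddefconfig
```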