iPXE
|
Root certificate store. More...
#include <stdlib.h>
#include <ipxe/crypto.h>
#include <ipxe/sha256.h>
#include <ipxe/x509.h>
#include <ipxe/settings.h>
#include <ipxe/dhcp.h>
#include <ipxe/init.h>
#include <ipxe/rootcert.h>
Go to the source code of this file.
Macros | |
#define | FINGERPRINT_LEN SHA256_DIGEST_SIZE |
Length of a root certificate fingerprint. More... | |
#define | ALLOW_TRUST_OVERRIDE 1 |
#define | TRUSTED |
Functions | |
FILE_LICENCE (GPL2_OR_LATER_OR_UBDL) | |
static struct setting trust_setting | __setting (SETTING_CRYPTO, trust) |
Root certificate fingerprint setting. More... | |
static void | rootcert_init (void) |
Initialise root certificate. More... | |
struct startup_fn rootcert_startup_fn | __startup_fn (STARTUP_LATE) |
Root certificate initialiser. More... | |
Variables | |
static const uint8_t | fingerprints [] = { TRUSTED } |
Root certificate fingerprints. More... | |
struct x509_root | root_certificates |
Root certificates. More... | |
Root certificate store.
Definition in file rootcert.c.
#define FINGERPRINT_LEN SHA256_DIGEST_SIZE |
Length of a root certificate fingerprint.
Definition at line 42 of file rootcert.c.
#define ALLOW_TRUST_OVERRIDE 1 |
Definition at line 48 of file rootcert.c.
#define TRUSTED |
Definition at line 53 of file rootcert.c.
FILE_LICENCE | ( | GPL2_OR_LATER_OR_UBDL | ) |
|
static |
Root certificate fingerprint setting.
|
static |
Initialise root certificate.
The list of trusted root certificates can be specified at build time using the TRUST= build parameter. If no certificates are specified, then the default iPXE root CA certificate is trusted.
If no certificates were explicitly specified, then we allow the list of trusted root certificate fingerprints to be overridden using the "trust" setting, but only at the point of iPXE initialisation. This prevents untrusted sources of settings (e.g. DHCP) from subverting the chain of trust, while allowing trustworthy sources (e.g. VMware GuestInfo or non-volatile stored options) to specify the trusted root certificate without requiring a rebuild.
Definition at line 96 of file rootcert.c.
References ALLOW_TRUST_OVERRIDE, x509_root::count, DBGC, DBGC_HDA, fetch_raw_setting_copy(), FINGERPRINT_LEN, x509_root::fingerprints, len, NULL, and root_certificates.
struct startup_fn rootcert_startup_fn __startup_fn | ( | STARTUP_LATE | ) |
Root certificate initialiser.
Root certificate fingerprints.
Definition at line 62 of file rootcert.c.
struct x509_root root_certificates |
Root certificates.
Definition at line 73 of file rootcert.c.
Referenced by add_tls(), ocsp_prepare_test(), rootcert_init(), x509_is_valid(), and x509_validate().