Hi,

Attached is a patch to perform some certificate validity tests. In brief, it tests the certificate's validity period, the expected subject CN, and the issuer's signature. RSA+MD5 and RSA+SHA1 signatures are supported.

A PEM file should be embedded into the gPXE image with the relevant CA certificate(s) named "ca.pem". (This file can contain multiple certificates.)

There are three variables that can be used in a boot script:

  x509.trust    When set to anything, do not run any of these validity tests.
  x509.self     When set to anything, allow self-signed certificates without an embedded copy.
  x509.service  Allow the subject's CN value to match this in addition to the URI host name. (Useful for hosts without DNS names.)

The patch itself crams most of the code into x509.c to keep damage local.

Some other issues that I know should be addressed:

- The current time is read directly from the CMOS RTC bytes. Is there a better (more portable) way to do this within gPXE?
- PEM parsing should be moved somewhere to be run only once; it is now running inline with the validity test.
- The comparison between DNs is done byte-wise, rather than following the RFC's method of component comparison.

So an example script snippet to successfully load a kernel from a web server with CN "bootserver" that will work without error if a PEM file was embedded containing the issuer cert:

  [...]
  dhcp net0
  set x509.service bootserver
  kernel https://192.168.0.123/vmlinuz
  [...]

I'd be interested in feedback on how this can be improved.

Cheers
gpxe-https-secure.patch
Description: Binary data
_______________________________________________
gPXE mailing list
gPXE@etherboot.org
http://etherboot.org/mailman/listinfo/gpxe
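
Added example (not code from the attached patch or from gPXE): a C model of the accept/reject decision the message describes, showing which test each of the three boot-script variables relaxes. All struct, enum and function names are hypothetical; the order of the checks and the case-insensitive CN match are assumptions, and the sample values in main() are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical model of the described checks; none of these names come from the patch. */
enum verdict { V_OK, V_NOT_YET_VALID, V_EXPIRED, V_NAME_MISMATCH,
               V_UNTRUSTED_ISSUER, V_BAD_SIGNATURE };

struct cert_facts {              /* what a parser would extract from the server cert */
    const char *subject_cn;
    time_t not_before, not_after;
    bool self_signed;            /* issuer DN equals subject DN */
    bool issuer_in_ca_pem;       /* issuer certificate present in the embedded ca.pem */
    bool signature_ok;           /* signature verifies under the issuer's key */
};

struct settings { const char *x509_trust, *x509_self, *x509_service; }; /* NULL = unset */

/* Assumption: names compare case-insensitively and must match in full. */
static bool name_matches(const char *cn, const char *want) {
    if (!cn || !want) return false;
    for (; *cn && *want; cn++, want++)
        if (tolower((unsigned char)*cn) != tolower((unsigned char)*want)) return false;
    return *cn == *want;         /* true only if both strings ended together */
}

enum verdict check_cert(const struct cert_facts *c, const struct settings *s,
                        const char *uri_host, time_t now) {
    if (s->x509_trust)           /* "set to anything": every test below is skipped */
        return V_OK;
    if (now < c->not_before) return V_NOT_YET_VALID;
    if (now > c->not_after)  return V_EXPIRED;
    if (!name_matches(c->subject_cn, uri_host) &&
        !name_matches(c->subject_cn, s->x509_service))
        return V_NAME_MISMATCH;  /* CN must equal the URI host or x509.service */
    /* Trust anchor: embedded ca.pem, or x509.self for a self-signed certificate. */
    if (!c->issuer_in_ca_pem && !(c->self_signed && s->x509_self))
        return V_UNTRUSTED_ISSUER;
    if (!c->signature_ok)
        return V_BAD_SIGNATURE;
    return V_OK;
}

int main(void) {                 /* constructed sample mirroring the script snippet */
    struct cert_facts c = { "bootserver", 500, 2000, false, true, true };
    struct settings s = { NULL, NULL, "bootserver" };
    printf("verdict=%d\n", check_cert(&c, &s, "192.168.0.123", 1000));
    return 0;
}
```

In this model only x509.service keeps every other test in force; x509.self widens the set of accepted trust anchors, and x509.trust turns an HTTPS fetch into an unauthenticated one.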