On Fri, Jul 18, 2025 at 10:08 AM Jerome Forissier <jerome.foriss...@linaro.org> wrote:
>
> Hi Da,
>
> On 7/15/25 06:45, Da Xue wrote:
> > Hi Jerome,
> >
> >> Then new Kconfig symbols are added to support providing the certificates
> >> at build time, as a DER or PEM encoded X509 collection:
> >> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
> >> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
> >> command as well as for the builtin way).
> >>
> >> Here is a complete example (showing only the relevant output from the
> >> various commands):
> >>
> >> make qemu_arm64_lwip_defconfig
> >> wget https://curl.se/ca/cacert.pem
> >> echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
> >> echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
> >> make olddefconfig
> >> make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
> >> qemu-system-aarch64 -M virt -nographic -cpu max \
> >> -object rng-random,id=rng0,filename=/dev/urandom \
> >> -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
> >> => dhcp
> >> # HTTPS transfer using the builtin CA certificates
> >> => wget https://www.google.com/
> >> 18724 bytes transferred in 15 ms (1.2 MiB/s)
> >> # Disable certificate validation
> >> => wget cacert 0 0
> >> # Unsafe HTTPS transfer
> >> => wget https://www.google.com/
> >> WARNING: no CA certificates, HTTPS connections not authenticated
> >> 16570 bytes transferred in 15 ms (1.1 MiB/s)
> >> # Download and apply CA certificates from the net
> >> => wget https://curl.se/ca/cacert.pem
> >> WARNING: no CA certificates, HTTPS connections not authenticated
> >> ##
> >> 233263 bytes transferred in 61 ms (3.6 MiB/s)
> >> => wget cacert $fileaddr $filesize
> >> # Now HTTPS is authenticated against the new CA
> >> => wget https://www.google.com/
> >> 18743 bytes transferred in 14 ms (1.3 MiB/s)
> >> # Drop the certificates again...
> >> => wget cacert 0 0
> >> # Check that transfer is not secure
> >> => wget https://www.google.com/
> >> WARNING: no CA certificates, HTTPS connections not authenticated
> >> # Restore the builtin CA
> >> => wget cacert builtin
> >> # No more WARNING
> >> => wget https://www.google.com/
> >> 18738 bytes transferred in 15 ms (1.2 MiB/s)
> >
> > Is there a simple way to convert multi-certificate root trust pem to
> > der? I tried packing it as a PKCS#7 and got "Could not parse
> > certificates (-8576)"
>
> AFAICT MBed TLS should be able to parse multiple root certificates as
> long as they are in DER form. U-Boot doesn't enable the PEM format at the
> moment, it is less space-efficient. Please try:
>
> openssl x509 -in cert.pem -outform DER -out cert.der

This only converts the first certificate to DER, not any of the other certificates.

> Thanks,
> --
> Jerome
>
> > Best Regards,
> > Da

Best Regards,
Da
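Added example, not code from this thread or from U-Boot: the script below does what the single `openssl x509` call above does not, decoding every CERTIFICATE block of a PEM bundle to DER with the standard library only and concatenating the results, plus a walker that counts the certificates in a DER collection so the output can be checked before it is wired into WGET_BUILTIN_CACERT_PATH. The sample bundle is constructed from two placeholder DER SEQUENCEs rather than real certificates, and it is an assumption that the consumer accepts back-to-back DER certificates, as the thread describes.

```python
# Added example (not U-Boot code): PEM bundle -> concatenated DER, stdlib only.
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def der_item_len(blob: bytes, off: int = 0) -> int:
    """Total size (header + content) of the DER item starting at `off`."""
    if blob[off] != 0x30:  # an X.509 Certificate is an outer SEQUENCE
        raise ValueError(f"expected SEQUENCE tag at offset {off}")
    first = blob[off + 1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    return 2 + n + int.from_bytes(blob[off + 2:off + 2 + n], "big")

def pem_to_der_list(pem: bytes) -> list[bytes]:
    """Decode every CERTIFICATE block, checking each is one complete DER item."""
    certs = []
    for body in PEM_BLOCK.findall(pem):
        der = base64.b64decode(b"".join(body.split()))
        if der_item_len(der) != len(der):
            raise ValueError("PEM block does not decode to a single DER SEQUENCE")
        certs.append(der)
    return certs

def count_der_certs(bundle: bytes) -> int:
    """Walk a concatenated DER collection and count the certificates in it."""
    count = off = 0
    while off < len(bundle):
        off += der_item_len(bundle, off)
        count += 1
    if off != len(bundle):
        raise ValueError("truncated trailing certificate in DER bundle")
    return count

def to_pem(der: bytes) -> bytes:
    """Wrap one DER blob as a PEM CERTIFICATE block (used to build the sample)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b"\n".join(lines)

# Constructed stand-ins for two roots: minimal DER SEQUENCEs, not real X.509 certs.
SAMPLE_DERS = [b"\x30\x03\x02\x01\x01", b"\x30\x05\x02\x03\x01\x02\x03"]
SAMPLE_PEM = b"".join(to_pem(d) for d in SAMPLE_DERS)
if __name__ == "__main__":
    bundle = b"".join(pem_to_der_list(SAMPLE_PEM))
    print(f"{count_der_certs(bundle)} certificates, {len(bundle)} bytes of DER")
```

Replace SAMPLE_PEM with the bytes of a real bundle such as cacert.pem and write the joined output to a file to get the multi-certificate DER that the single openssl call above does not produce.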