commit 8fa383dac4f0d93b0d7f4f68c38a00b1e4f14e19
author Jerome Forissier <jerome.forissier@linaro.org> Wed Mar 05 15:26:42 2025 +0100
committer Jerome Forissier <jerome.forissier@linaro.org> Tue Mar 11 14:16:03 2025 +0100
tree 98e155e93f866b6376f1474e232085b7937e7d1f
parent 5b2e273ca088427966a94da3e320faaa9174e4b9

net: lwip: extend wget to support CA (root) certificates

Add the "cacert" (Certification Authority certificates) subcommand to
wget to pass root certificates to the code handling the HTTPS protocol.
The subcommand is enabled by the WGET_CACERT Kconfig symbol.

Usage example:

 => dhcp
 # Download some root certificates (note: not authenticated!)
 => wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
 # Provide root certificates
 => wget cacert $fileaddr $filesize
 # Enforce verification (it is optional by default)
 => wget cacert required
 # Forget the root certificates
 => wget cacert 0 0
 # Disable verification
 => wget cacert none

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

cmd/net-lwip.c

diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c
index 0fd446e..1152c94 100644
--- a/cmd/net-lwip.c
+++ b/cmd/net-lwip.c
@@ -27,9 +27,20 @@
 #endif
 
 #if defined(CONFIG_CMD_WGET)
-U_BOOT_CMD(wget, 3, 1, do_wget,
-	   "boot image via network using HTTP/HTTPS protocol",
+U_BOOT_CMD(wget, 4, 1, do_wget,
+	   "boot image via network using HTTP/HTTPS protocol"
+#if defined(CONFIG_WGET_CACERT)
+	   "\nwget cacert - configure wget root certificates"
+#endif
+	   ,
 	   "[loadAddress] url\n"
-	   "wget [loadAddress] [host:]path"
+	   "wget [loadAddress] [host:]path\n"
+	   "    - load file"
+#if defined(CONFIG_WGET_CACERT)
+	   "\nwget cacert <address> <length>\n"
+	   "    - provide CA certificates (0 0 to remove current)"
+	   "\nwget cacert none|optional|required\n"
+	   "    - set server certificate verification mode (default: optional)"
+#endif
 );
 #endif