3 files changed, 42 insertions, 6 deletions

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 8dd42571abc..cd391d422ae 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2169,7 +2169,6 @@ config WGET_HTTPS
 	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 	select X509_CERTIFICATE_PARSER
 	select PKCS7_MESSAGE_PARSER
-	select MBEDTLS_LIB_CRYPTO
 	select MBEDTLS_LIB_TLS
 	select RSA_VERIFY_WITH_PKEY
 	select X509_CERTIFICATE_PARSER
@@ -2177,6 +2176,28 @@ config WGET_HTTPS
 	help
 	  Enable TLS over http for wget.
 
+config WGET_CACERT
+	bool "wget cacert"
+	depends on CMD_WGET
+	depends on WGET_HTTPS
+	help
+	  Adds the "cacert" sub-command to wget to provide root certificates
+	  to the HTTPS engine. Must be in DER format.
+
+config WGET_BUILTIN_CACERT
+	bool "Built-in CA certificates"
+	depends on WGET_HTTPS
+	select BUILD_BIN2C
+
+config WGET_BUILTIN_CACERT_PATH
+	string "Path to root certificates"
+	depends on WGET_BUILTIN_CACERT
+	default "cacert.crt"
+	help
+	  Set this to the path to a DER-encoded X509 file containing
+	  Certification Authority certificates, a.k.a. root certificates, for
+	  the purpose of authenticating HTTPS connections.
+
 endif  # if CMD_NET
 
 config CMD_PXE
diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c
index 0fd446ecb20..58c10fbec7d 100644
--- a/cmd/net-lwip.c
+++ b/cmd/net-lwip.c
@@ -27,9 +27,24 @@ U_BOOT_CMD(dns, 3, 1, do_dns, "lookup the IP of a hostname",
 #endif
 
 #if defined(CONFIG_CMD_WGET)
-U_BOOT_CMD(wget, 3, 1, do_wget,
-	   "boot image via network using HTTP/HTTPS protocol",
+U_BOOT_CMD(wget, 4, 1, do_wget,
+	   "boot image via network using HTTP/HTTPS protocol"
+#if defined(CONFIG_WGET_CACERT)
+	   "\nwget cacert - configure wget root certificates"
+#endif
+	   ,
 	   "[loadAddress] url\n"
-	   "wget [loadAddress] [host:]path"
+	   "wget [loadAddress] [host:]path\n"
+	   "    - load file"
+#if defined(CONFIG_WGET_CACERT)
+	   "\nwget cacert <address> <length>\n"
+	   "    - provide CA certificates (0 0 to remove current)"
+	   "\nwget cacert none|optional|required\n"
+	   "    - set server certificate verification mode (default: optional)"
+#if defined(CONFIG_WGET_BUILTIN_CACERT)
+	   "\nwget cacert builtin\n"
+	   "    - use the builtin CA certificates"
+#endif
+#endif
 );
 #endif
diff --git a/cmd/ufetch.c b/cmd/ufetch.c
index ed5a856c7ab..46bd16824e6 100644
--- a/cmd/ufetch.c
+++ b/cmd/ufetch.c
@@ -24,8 +24,8 @@
 DECLARE_GLOBAL_DATA_PTR;
 
 #define LINE_WIDTH 40
-#define BLUE "\033[38;5;4m"
-#define YELLOW "\033[38;5;11m"
+#define BLUE "\033[34m"
+#define YELLOW "\033[33m"
 #define BOLD "\033[1m"
 #define RESET "\033[0m"
 static const char * const logo_lines[] = {