public inbox for devel@edk2.groups.io
From: jacopo.r00ta@gmail.com
To: Laszlo Ersek <lersek@redhat.com>,devel@edk2.groups.io
Subject: Re: [edk2-devel] SSL handshake in HTTPS boot if the certificate was signed with a root certificate
Date: Thu, 26 Oct 2023 10:14:51 -0700	[thread overview]
Message-ID: <19195.1698340491183979433@groups.io> (raw)
In-Reply-To: <2502b234-23e7-a72e-1aa2-5b2318764aaa@redhat.com>


Hi Laszlo,

First of all thank you very much for your reply!

I'm using QEMU with OVMF. All the steps to reproduce this are:

* generate the root key

    openssl genrsa -out rootCA.key 4096

* create and sign the root certificate

    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

* Create a config file with the following content (I basically want a self-signed certificate for the IP 192.168.120.1)

    [req]
    default_bits = 4096
    default_md = sha256
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = US
    ST = VA
    L = SomeCity
    O = MyCompany
    OU = MyDivision
    CN = 192.168.120.1
    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.120.1

* create the key

    openssl genrsa -out myip.key 2048

* create the csr

    openssl req -new -key myip.key -out myip.csr -config config

* sign the csr

    openssl x509 -req -in myip.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out myip.crt -days 500 -sha256

* Then, I generate the .der certificate to be installed using the UEFI UI

    openssl x509 -in rootCA.crt -outform der -out rootCA.der

* Then, I use the UI to install it (the rootCA.der one)

I've uploaded all the files here in case (https://drive.google.com/drive/folders/19Yo3sWZJBe43augVIFFvEXNQU8rIqGIV?usp=sharing) .

The dump of rootCA.crt is

    openssl x509 -in rootCA.crt -text -noout

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                3b:b2:13:59:44:8a:2a:d2:ba:29:a0:e9:25:e1:32:6d:5a:e6:24:7b
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
            Validity
                Not Before: Oct 25 12:45:16 2023 GMT
                Not After : Aug 14 12:45:16 2026 GMT
            Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                        00:90:9f:da:83:ac:88:44:4d:5c:1e:e7:8d:21:4b:
                        98:18:c9:d9:c0:b7:db:d4:f7:e1:54:b6:e4:e5:a8:
                        c7:78:1f:47:f1:09:a6:fe:b5:08:c5:75:84:c5:26:
                        6d:c9:d2:9c:86:2d:09:3b:7e:10:ee:c6:21:fe:c1:
                        b1:6c:f8:84:6c:e4:9f:92:29:46:9c:98:d6:9e:60:
                        39:b9:35:6c:2c:85:11:75:6b:e1:92:64:81:43:6e:
                        cc:57:c5:eb:bd:a5:d3:40:99:d5:d0:db:6a:f0:51:
                        52:ed:72:31:c4:8a:06:19:d7:d4:1b:3b:d7:fc:a7:
                        c4:25:b0:54:a0:10:c3:f5:0a:7b:25:36:95:84:b4:
                        a4:85:66:9c:5c:93:af:ab:0a:6f:76:12:57:ed:b5:
                        e3:09:93:a6:a3:3c:cc:f7:2e:83:25:1b:d2:3c:46:
                        36:3b:0d:17:87:84:dd:2e:88:7a:bb:ad:9d:5f:62:
                        78:68:d2:46:8f:21:08:53:ba:20:c0:15:28:7b:9a:
                        f7:82:5d:27:46:0c:0f:5e:48:0e:f2:75:0b:22:98:
                        32:c6:e7:b3:21:3b:a1:e6:1b:f0:63:e2:6a:b6:ff:
                        94:d7:09:52:be:38:d0:a5:96:f6:1f:bb:b5:9f:11:
                        2b:ab:1d:39:dc:88:d5:ae:79:f3:9f:8c:72:5c:6c:
                        b7:a1:51:62:af:69:2e:b4:ad:85:23:85:a0:7f:6d:
                        69:18:86:bd:07:f2:25:e2:4b:db:af:32:d0:bf:c7:
                        a2:32:1f:7a:c9:bc:74:11:1c:a7:fb:99:5c:33:9b:
                        98:9a:fc:94:e3:40:2f:47:a6:b0:1f:28:23:4f:66:
                        3e:e6:84:47:8c:ed:f9:d0:8f:a6:b0:b5:37:77:91:
                        bd:7d:cb:c0:f4:6e:07:e3:a2:c1:2e:16:1d:60:46:
                        b9:66:6b:59:f8:83:91:17:21:20:ce:58:a6:a9:5b:
                        fa:32:e6:47:32:b9:e5:5d:11:a0:d0:22:1e:2c:79:
                        42:d9:e4:99:55:6c:3d:9d:b2:94:7d:b9:09:7b:e2:
                        85:a5:bc:87:9e:50:2f:09:08:f9:f9:fd:0e:95:bb:
                        35:6d:f5:10:b7:81:e5:92:79:e5:23:55:48:7f:ce:
                        3f:cd:5f:4a:68:1f:33:25:7b:06:07:f1:74:76:de:
                        32:2e:89:10:0f:53:97:85:c7:c5:8a:e1:1a:8b:d7:
                        56:3b:d6:ab:07:a7:aa:e8:94:06:ba:ba:23:a5:87:
                        f1:e1:fd:a6:2b:d0:63:54:f6:68:c2:be:d3:1a:d2:
                        eb:6c:28:65:dd:c3:97:cb:23:d2:9e:f7:49:3e:da:
                        50:bf:98:0b:ec:96:50:9d:c4:4c:e7:81:05:ff:8c:
                        9a:ea:29
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    31:18:EA:B2:10:C7:11:64:D6:5E:39:91:91:BE:D6:A4:10:24:9D:69
                X509v3 Authority Key Identifier:
                    31:18:EA:B2:10:C7:11:64:D6:5E:39:91:91:BE:D6:A4:10:24:9D:69
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
        Signature Value:
            37:76:7a:0c:12:d2:37:91:5a:8f:5a:20:34:bb:f5:3e:cc:f8:
            a3:e8:53:85:d8:99:2a:76:17:c5:e5:ae:fe:17:c9:f6:a1:ab:
            15:4b:23:d8:84:f3:97:b8:c3:6c:30:1e:9f:2f:e3:3c:40:44:
            5c:99:d3:d0:1b:47:fc:20:20:82:7c:58:61:d7:5e:fd:f4:73:
            da:a6:a1:65:e9:f9:48:b1:6f:9a:85:c6:fa:58:0e:39:78:2f:
            dd:dd:ff:ad:23:b7:df:fe:c0:a6:33:f2:25:ca:a5:2e:d9:99:
            65:bb:6f:dc:cc:1f:23:07:99:87:fc:02:4b:fa:b6:25:34:56:
            c2:1a:2b:f2:04:8d:82:1f:d3:8c:46:32:0f:9b:32:31:b3:b5:
            d2:87:50:5e:13:f6:10:80:d2:d4:bc:b2:96:db:db:f1:c2:3a:
            f7:9c:a4:04:59:3a:db:a8:6f:f5:f0:46:7e:00:20:b9:6c:4e:
            f6:49:05:20:97:3d:73:6c:c2:2b:d6:c2:70:ea:46:cf:60:9f:
            c3:82:46:cc:ab:e0:c0:cb:b4:e5:62:72:d4:28:77:56:e9:97:
            ea:bc:d1:40:89:20:75:86:5f:1e:06:cc:d5:0f:49:dc:3a:cc:
            fe:70:32:a1:9a:d2:ab:e4:30:f4:34:5b:cc:93:02:00:26:68:
            71:85:93:86:f7:d3:9d:91:c7:fb:21:e3:13:bd:8f:8c:05:f7:
            da:5f:8d:88:68:37:c0:5f:bc:62:94:96:bc:b3:8d:b3:d3:0d:
            5a:47:00:a3:97:69:6b:27:d4:56:ff:c2:6c:ac:97:61:60:67:
            d3:59:dc:44:39:b0:4f:60:45:2b:0e:fc:2e:ce:a0:c0:93:4d:
            69:f9:8b:77:15:76:0d:b3:5b:e8:a2:5a:c5:a6:55:2e:74:d8:
            46:74:16:30:26:2c:9f:6d:49:06:1a:e4:d1:63:06:f4:be:dd:
            b0:5e:b5:c1:61:d8:3f:89:e4:96:66:bf:6d:d5:14:61:60:87:
            32:31:61:ef:47:8a:53:61:42:35:df:d1:e0:a4:46:c6:97:ac:
            43:06:c5:a3:bb:d0:a0:18:2a:e3:6b:6d:b5:c7:5c:19:31:ff:
            66:f7:31:71:0f:eb:6d:db:33:f5:fe:90:bf:db:96:f7:02:60:
            97:98:89:c5:dc:5f:80:74:6e:6b:67:ec:8b:33:1e:f2:63:05:
            20:ee:eb:6d:2f:40:c0:2d:5a:49:8e:90:80:8b:f6:10:7d:90:
            e2:ea:72:33:90:ab:1f:76:07:41:29:3e:da:e0:58:b6:dc:81:
            66:e1:f6:f2:0f:99:2a:71:50:bf:c2:0f:50:ab:b7:50:3b:55:
            50:7d:eb:ba:73:2d:bb:8e


View/Reply Online (#110130): https://edk2.groups.io/g/devel/message/110130
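The six-step procedure in the message above, rebuilt as an added example. This is not code from the original post or from EDK2/OVMF; it assumes openssl(1) 1.1.1 or newer on PATH, keeps the file names from the message, and treats 192.168.120.1 as the server address the firmware will dial. Beyond reproducing the chain, it checks three things a practitioner would want to know before enrolling rootCA.der in the firmware: that the leaf chains to the root, that the leaf's subjectAltName actually names the IP, and that the DER file is the same certificate as the PEM. The signing step is built twice because `openssl x509 -req` does not copy extensions from the CSR unless `-extfile`/`-extensions` is given, so the command line as posted yields a leaf with no SAN and no EKU even though the config file defines both.

```shell
#!/bin/sh
# Added example, not code from the original post or from EDK2/OVMF: rebuild the
# two-level chain described in the message and check, before enrolling anything
# in the firmware, the properties an HTTPS-boot TLS verification depends on.
# Assumptions: openssl(1) 1.1.1 or newer on PATH; 192.168.120.1 is the server
# address used in the thread; file names follow the message.
set -eu

SERVER_IP=192.168.120.1

# Build root CA + leaf in directory $1. $2 selects how the leaf is signed:
#   with_ext  pass -extfile/-extensions so the SAN and EKU from the config
#             end up in the leaf certificate
#   no_ext    the signing command as posted; openssl x509 -req then emits a
#             leaf with no extensions at all, whatever the CSR contained
make_chain() {
    dir=$1; mode=$2
    mkdir -p "$dir"

    cat > "$dir/root.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = AU
ST = Some-State
O = Internet Widgits Pty Ltd
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -config "$dir/root.cnf" -extensions v3_ca -out "$dir/rootCA.crt" 2>/dev/null

    cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $SERVER_IP
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$SERVER_IP
EOF
    openssl genrsa -out "$dir/myip.key" 2048 2>/dev/null
    openssl req -new -key "$dir/myip.key" -config "$dir/leaf.cnf" \
        -out "$dir/myip.csr" 2>/dev/null

    if [ "$mode" = with_ext ]; then
        set -- -extfile "$dir/leaf.cnf" -extensions v3_req
    else
        set --
    fi
    openssl x509 -req -in "$dir/myip.csr" -CA "$dir/rootCA.crt" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 500 -sha256 \
        "$@" -out "$dir/myip.crt" 2>/dev/null

    # DER copy of the root: the form the firmware's certificate enrolment UI takes.
    openssl x509 -in "$dir/rootCA.crt" -outform der -out "$dir/rootCA.der"
}

# 0 if the leaf chains to the root (the minimum the firmware's TLS verify needs).
chain_verifies() {
    openssl verify -CAfile "$1/rootCA.crt" "$1/myip.crt" >/dev/null 2>&1
}

# 0 if the leaf's SAN names the server IP; a CN alone does not satisfy an IP check.
leaf_has_ip_san() {
    openssl x509 -in "$1/myip.crt" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "IP Address:$SERVER_IP"
}

# 0 if the chain verifies AND the leaf matches the IP the client dials.
chain_verifies_for_ip() {
    openssl verify -CAfile "$1/rootCA.crt" -verify_ip "$SERVER_IP" \
        "$1/myip.crt" >/dev/null 2>&1
}

# 0 if rootCA.der is the same certificate as rootCA.crt (same SHA-256 fingerprint).
der_matches_pem() {
    pem=$(openssl x509 -in "$1/rootCA.crt" -noout -fingerprint -sha256)
    der=$(openssl x509 -in "$1/rootCA.der" -inform der -noout -fingerprint -sha256)
    [ -n "$pem" ] && [ "$pem" = "$der" ]
}

# Demo run: the leaf signed with -extfile passes every check; the one signed
# with the posted command line chains fine but carries no SAN.
tmp=$(mktemp -d)
make_chain "$tmp/good" with_ext
make_chain "$tmp/bad" no_ext
for d in good bad; do
    printf '%s: chain=%s san=%s ip_match=%s der=%s\n' "$d" \
        "$(chain_verifies "$tmp/$d" && echo ok || echo FAIL)" \
        "$(leaf_has_ip_san "$tmp/$d" && echo ok || echo FAIL)" \
        "$(chain_verifies_for_ip "$tmp/$d" && echo ok || echo FAIL)" \
        "$(der_matches_pem "$tmp/$d" && echo ok || echo FAIL)"
done
rm -rf "$tmp"
```

Note that `openssl verify -CAfile` alone reports success for both leaves, because plain chain verification does not look at the SAN; only the `-verify_ip` check (or an explicit `openssl x509 -ext subjectAltName` inspection) tells the two apart. Running these checks on the exact files that are about to be enrolled is cheaper than iterating through the firmware UI.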




Thread overview: 10+ messages
2023-10-26 12:37 [edk2-devel] SSL handshake in HTTPS boot if the certificate was signed with a root certificate jacopo.r00ta
2023-10-26 16:26 ` Laszlo Ersek
2023-10-26 17:14   ` jacopo.r00ta [this message]
2023-10-26 17:19     ` jacopo.r00ta
2023-10-27 13:30       ` jacopo.r00ta
2023-10-27 14:28         ` jacopo.r00ta
2023-10-28 15:22 ` Laszlo Ersek
2023-10-31  6:10   ` jacopo.r00ta
2023-10-31 11:26     ` Laszlo Ersek
2023-11-01  6:31       ` jacopo.r00ta
