Subject: Re: [edk2-discuss] a question about X509 flag
From: "wenyi,xie" <xiewenyi2@huawei.com>
To: Marvin Häuser
CC: Jian J Wang, devel@edk2.groups.io
Date: Mon, 27 Sep 2021 21:14:53 +0800

On 2021/9/27 17:21, Marvin Häuser wrote:
> Hey Wenyi,
>
> Sorry, I cannot help with the time one, but "partial chain" is how virtually any other crypto-solution works out-of-the-box. Basically there is a disagreement about what defines a root certificate, and while some think it is the OpenSSL default of requiring a self-signed certificate for root, many people including myself strongly disagree and do not believe it follows from the RFCs. I'm not aware of any bad security implications of either model. So, this merely allows any certificate in the chain (the top one may be self-signed *if* it even is a certificate, it may just as well be a trusted public key for all we know) to be eligible to be added to the trust store and root a trust chain.
>

Thank you for your detailed explanation, it helps a lot. X509_V_FLAG_PARTIAL_CHAIN is clear to me now.

Wenyi

> Further reading: https://github.com/openssl/openssl/issues/7871
>
> Cc CryptoPkg maintainers and edk2-devel for further feedback
>
> Best regards,
> Marvin
>
> On 27/09/2021 10:53, wenyi,xie via groups.io wrote:
>> Hello,
>>
>> I have a question about the flags set in X509_STORE. Does anyone know why we need to set the flags X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_NO_CHECK_TIME to X509Store in TlsNew() (CryptoPkg\Library\TlsLib\TlsInit.c)?
>>
>> Thanks
>> Wenyi