Re: reg: HTTPS Certificate Update

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: Sivaraman Nainar <sivaramann@amiindia.co.in>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Fu, Siyuan" <siyuan.fu@intel.com>,
	"Rabeda, Maciej" <maciej.rabeda@linux.intel.com>
Cc: "Madhan B. Santharam" <madhans@ami.com>,
	"Arun Subramanian  B" <arunsubramanianb@ami.com>,
	Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>,
	Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>
Subject: Re: reg: HTTPS Certificate Update
Date: Fri, 20 Dec 2019 09:46:59 +0000	[thread overview]
Message-ID: <895558F6EA4E3B41AC93A00D163B727416FC4BF2@SHSMSX107.ccr.corp.intel.com> (raw)
In-Reply-To: <B4DE137BDB63634BAC03BD9DE765F197029AE573A5@VENUS1.in.megatrends.com>

[-- Attachment #1: Type: text/plain, Size: 2801 bytes --]

Hi Siva,

I agree we should continue the next certificates configuration even the current one is invalid (since we already have the sanity check before the setting).

Please report one Bugzilla for the issue.

Maciej, can you help fix on that?

Thanks,
Jiaxin

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: Friday, December 20, 2019 12:16 PM
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>
Subject: RE: reg: HTTPS Certificate Update

Hello Jiaxin / Siyuan:

Would you please feedback on this.

-Siva
From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update

Hello All:

Need clarification on the Certificate Validation Procedure used in HTTP Boot.

The certificate parsing done at HttpDxe in file HttpsSupport.c in the function TlsConfigCertificate().

The below code snippet is TlsSetSessionData call for each certificate data.

  while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
    Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
    CertCount  = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
    for (Index = 0; Index < CertCount; Index++) {
      //
      // EfiTlsConfigDataTypeCACertificate
      //
      Status = HttpInstance->TlsConfiguration->SetData (
                                                 HttpInstance->TlsConfiguration,
                                                 EfiTlsConfigDataTypeCACertificate,
                                                 Cert->SignatureData,
                                                 CertList->SignatureSize - sizeof (Cert->SignatureOwner)
                                                 );
      if (EFI_ERROR (Status)) {
        goto FreeCACert;
      }
      Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
    }
    ItemDataSize -= CertList->SignatureListSize;
    CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
  }

In the attached code, once an invalid certificate of available certificates Set via TLS, if its failed the code does not post further certificates even those could be valid certificates.

Is the code is purposefully done? May we know the expected behavior of the code.

-Siva

[-- Attachment #2: Type: text/html, Size: 20133 bytes --]

next prev parent reply	other threads:[~2019-12-20  9:47 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-20  4:16 reg: HTTPS Certificate Update Sivaraman Nainar
2019-12-20  9:46 ` Wu, Jiaxin [this message]
2019-12-20  9:57   ` [edk2-devel] " Sivaraman Nainar
  -- strict thread matches above, loose matches on Subject: below --
2019-12-16 11:11 Sivaraman Nainar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=895558F6EA4E3B41AC93A00D163B727416FC4BF2@SHSMSX107.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox