Hi Siva,

 

I agree we should continue the next certificates configuration even the current one is invalid (since we already have the sanity check before the setting).

 

Please report one Bugzilla for the issue.

 

Maciej, can you help fix on that?

 

Thanks,

Jiaxin

 

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: Friday, December 20, 2019 12:16 PM
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>
Subject: RE: reg: HTTPS Certificate Update

 

Hello Jiaxin / Siyuan:

 

Would you please feedback on this.

 

-Siva

From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update

 

Hello All:

 

Need clarification on the Certificate Validation Procedure used in HTTP Boot.

 

The certificate parsing done at HttpDxe in file HttpsSupport.c in the function TlsConfigCertificate().

 

The below code snippet is TlsSetSessionData call for each certificate data.

 

  while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {

    Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);

    CertCount  = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;

    for (Index = 0; Index < CertCount; Index++) {

      //

      // EfiTlsConfigDataTypeCACertificate

      //

      Status = HttpInstance->TlsConfiguration->SetData (

                                                 HttpInstance->TlsConfiguration,

                                                 EfiTlsConfigDataTypeCACertificate,

                                                 Cert->SignatureData,

                                                 CertList->SignatureSize - sizeof (Cert->SignatureOwner)

                                                 );

      if (EFI_ERROR (Status)) {

        goto FreeCACert;

      }

      Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);

    }

    ItemDataSize -= CertList->SignatureListSize;

    CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);

  }

 

In the attached code, once an invalid certificate of available certificates Set via TLS, if its failed the code does not post further certificates even those could be valid certificates.

 

Is the code is purposefully done? May we know the expected behavior of the code.

 

-Siva