* reg: HTTPS Certificate Update
@ 2019-12-16 11:11 Sivaraman Nainar
0 siblings, 0 replies; 4+ messages in thread
From: Sivaraman Nainar @ 2019-12-16 11:11 UTC (permalink / raw)
To: devel@edk2.groups.io, Wu, Jiaxin, Fu, Siyuan
Cc: Madhan B. Santharam, Arun Subramanian B,
Arun Sura Soundara Pandian, Bhuvaneshwari M R
[-- Attachment #1: Type: text/plain, Size: 1772 bytes --]
Hello All:
Need clarification on the Certificate Validation Procedure used in HTTP Boot.
The certificate parsing done at HttpDxe in file HttpsSupport.c in the function TlsConfigCertificate().
The below code snippet is TlsSetSessionData call for each certificate data.
while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
for (Index = 0; Index < CertCount; Index++) {
//
// EfiTlsConfigDataTypeCACertificate
//
Status = HttpInstance->TlsConfiguration->SetData (
HttpInstance->TlsConfiguration,
EfiTlsConfigDataTypeCACertificate,
Cert->SignatureData,
CertList->SignatureSize - sizeof (Cert->SignatureOwner)
);
if (EFI_ERROR (Status)) {
goto FreeCACert;
}
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
}
ItemDataSize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
}
In the attached code, once an invalid certificate of available certificates Set via TLS, if its failed the code does not post further certificates even those could be valid certificates.
Is the code is purposefully done? May we know the expected behavior of the code.
-Siva
[-- Attachment #2: Type: text/html, Size: 18361 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: reg: HTTPS Certificate Update
@ 2019-12-20 4:16 Sivaraman Nainar
2019-12-20 9:46 ` Wu, Jiaxin
0 siblings, 1 reply; 4+ messages in thread
From: Sivaraman Nainar @ 2019-12-20 4:16 UTC (permalink / raw)
To: devel@edk2.groups.io, Wu, Jiaxin, Fu, Siyuan
Cc: Madhan B. Santharam, Arun Subramanian B,
Arun Sura Soundara Pandian, Bhuvaneshwari M R
[-- Attachment #1: Type: text/plain, Size: 2098 bytes --]
Hello Jiaxin / Siyuan:
Would you please feedback on this.
-Siva
From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update
Hello All:
Need clarification on the Certificate Validation Procedure used in HTTP Boot.
The certificate parsing done at HttpDxe in file HttpsSupport.c in the function TlsConfigCertificate().
The below code snippet is TlsSetSessionData call for each certificate data.
while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
for (Index = 0; Index < CertCount; Index++) {
//
// EfiTlsConfigDataTypeCACertificate
//
Status = HttpInstance->TlsConfiguration->SetData (
HttpInstance->TlsConfiguration,
EfiTlsConfigDataTypeCACertificate,
Cert->SignatureData,
CertList->SignatureSize - sizeof (Cert->SignatureOwner)
);
if (EFI_ERROR (Status)) {
goto FreeCACert;
}
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
}
ItemDataSize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
}
In the attached code, once an invalid certificate of available certificates Set via TLS, if its failed the code does not post further certificates even those could be valid certificates.
Is the code is purposefully done? May we know the expected behavior of the code.
-Siva
[-- Attachment #2: Type: text/html, Size: 19325 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: reg: HTTPS Certificate Update
2019-12-20 4:16 reg: HTTPS Certificate Update Sivaraman Nainar
@ 2019-12-20 9:46 ` Wu, Jiaxin
2019-12-20 9:57 ` [edk2-devel] " Sivaraman Nainar
0 siblings, 1 reply; 4+ messages in thread
From: Wu, Jiaxin @ 2019-12-20 9:46 UTC (permalink / raw)
To: Sivaraman Nainar, devel@edk2.groups.io, Fu, Siyuan,
Rabeda, Maciej
Cc: Madhan B. Santharam, Arun Subramanian B,
Arun Sura Soundara Pandian, Bhuvaneshwari M R
[-- Attachment #1: Type: text/plain, Size: 2801 bytes --]
Hi Siva,
I agree we should continue the next certificates configuration even the current one is invalid (since we already have the sanity check before the setting).
Please report one Bugzilla for the issue.
Maciej, can you help fix on that?
Thanks,
Jiaxin
From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: Friday, December 20, 2019 12:16 PM
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>
Subject: RE: reg: HTTPS Certificate Update
Hello Jiaxin / Siyuan:
Would you please feedback on this.
-Siva
From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update
Hello All:
Need clarification on the Certificate Validation Procedure used in HTTP Boot.
The certificate parsing done at HttpDxe in file HttpsSupport.c in the function TlsConfigCertificate().
The below code snippet is TlsSetSessionData call for each certificate data.
while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
for (Index = 0; Index < CertCount; Index++) {
//
// EfiTlsConfigDataTypeCACertificate
//
Status = HttpInstance->TlsConfiguration->SetData (
HttpInstance->TlsConfiguration,
EfiTlsConfigDataTypeCACertificate,
Cert->SignatureData,
CertList->SignatureSize - sizeof (Cert->SignatureOwner)
);
if (EFI_ERROR (Status)) {
goto FreeCACert;
}
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
}
ItemDataSize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
}
In the attached code, once an invalid certificate of available certificates Set via TLS, if its failed the code does not post further certificates even those could be valid certificates.
Is the code is purposefully done? May we know the expected behavior of the code.
-Siva
[-- Attachment #2: Type: text/html, Size: 20133 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [edk2-devel] reg: HTTPS Certificate Update
2019-12-20 9:46 ` Wu, Jiaxin
@ 2019-12-20 9:57 ` Sivaraman Nainar
0 siblings, 0 replies; 4+ messages in thread
From: Sivaraman Nainar @ 2019-12-20 9:57 UTC (permalink / raw)
To: devel@edk2.groups.io, jiaxin.wu@intel.com, Fu, Siyuan,
Rabeda, Maciej
Cc: Madhan B. Santharam, Arun Subramanian B,
Arun Sura Soundara Pandian, Bhuvaneshwari M R
[-- Attachment #1: Type: text/plain, Size: 3508 bytes --]
Thanks Jiaxin for the prompt reply.
Created ticket : https://bugzilla.tianocore.org/show_bug.cgi?id=2433
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Wu, Jiaxin
Sent: Friday, December 20, 2019 3:17 PM
To: Sivaraman Nainar; devel@edk2.groups.io; Fu, Siyuan; Rabeda, Maciej
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: Re: [edk2-devel] reg: HTTPS Certificate Update
Hi Siva,
I agree we should continue the next certificates configuration even the current one is invalid (since we already have the sanity check before the setting).
Please report one Bugzilla for the issue.
Maciej, can you help fix on that?
Thanks,
Jiaxin
From: Sivaraman Nainar <sivaramann@amiindia.co.in<mailto:sivaramann@amiindia.co.in>>
Sent: Friday, December 20, 2019 12:16 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wu, Jiaxin <jiaxin.wu@intel.com<mailto:jiaxin.wu@intel.com>>; Fu, Siyuan <siyuan.fu@intel.com<mailto:siyuan.fu@intel.com>>
Cc: Madhan B. Santharam <madhans@ami.com<mailto:madhans@ami.com>>; Arun Subramanian B <arunsubramanianb@ami.com<mailto:arunsubramanianb@ami.com>>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in<mailto:arunsuras@amiindia.co.in>>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in<mailto:bhuvaneshwarimr@amiindia.co.in>>
Subject: RE: reg: HTTPS Certificate Update
Hello Jiaxin / Siyuan:
Would you please feedback on this.
-Siva
From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update
Hello All:
Need clarification on the Certificate Validation Procedure used in HTTP Boot.
The certificate parsing done at HttpDxe in file HttpsSupport.c in the function TlsConfigCertificate().
The below code snippet is TlsSetSessionData call for each certificate data.
while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
for (Index = 0; Index < CertCount; Index++) {
//
// EfiTlsConfigDataTypeCACertificate
//
Status = HttpInstance->TlsConfiguration->SetData (
HttpInstance->TlsConfiguration,
EfiTlsConfigDataTypeCACertificate,
Cert->SignatureData,
CertList->SignatureSize - sizeof (Cert->SignatureOwner)
);
if (EFI_ERROR (Status)) {
goto FreeCACert;
}
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
}
ItemDataSize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
}
In the attached code, once an invalid certificate of available certificates Set via TLS, if its failed the code does not post further certificates even those could be valid certificates.
Is the code is purposefully done? May we know the expected behavior of the code.
-Siva
[-- Attachment #2: Type: text/html, Size: 23182 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-12-20 9:57 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-12-20 4:16 reg: HTTPS Certificate Update Sivaraman Nainar
2019-12-20 9:46 ` Wu, Jiaxin
2019-12-20 9:57 ` [edk2-devel] " Sivaraman Nainar
-- strict thread matches above, loose matches on Subject: below --
2019-12-16 11:11 Sivaraman Nainar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox