From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by mx.groups.io with SMTP id smtpd.web11.6990.1576835224115505422 for ; Fri, 20 Dec 2019 01:47:04 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.65, mailfrom: jiaxin.wu@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Dec 2019 01:47:03 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,335,1571727600"; d="scan'208,217";a="390828443" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga005.jf.intel.com with ESMTP; 20 Dec 2019 01:47:03 -0800 Received: from fmsmsx112.amr.corp.intel.com (10.18.116.6) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.439.0; Fri, 20 Dec 2019 01:47:02 -0800 Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by FMSMSX112.amr.corp.intel.com (10.18.116.6) with Microsoft SMTP Server (TLS) id 14.3.439.0; Fri, 20 Dec 2019 01:47:02 -0800 Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.164]) by SHSMSX152.ccr.corp.intel.com ([169.254.6.222]) with mapi id 14.03.0439.000; Fri, 20 Dec 2019 17:47:00 +0800 From: "Wu, Jiaxin" To: Sivaraman Nainar , "devel@edk2.groups.io" , "Fu, Siyuan" , "Rabeda, Maciej" CC: "Madhan B. Santharam" , "Arun Subramanian B" , Arun Sura Soundara Pandian , Bhuvaneshwari M R Subject: Re: reg: HTTPS Certificate Update Thread-Topic: reg: HTTPS Certificate Update Thread-Index: AdW0ARydMmD2tW+ITkCGvBPjuEe0LwC6wbdAAArNf5A= Date: Fri, 20 Dec 2019 09:46:59 +0000 Message-ID: <895558F6EA4E3B41AC93A00D163B727416FC4BF2@SHSMSX107.ccr.corp.intel.com> References: In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYzAzYjYxZjktYjhjYy00YzUyLTg4NWMtNWU4ZGJjYTdmZmEzIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiZ0kyQkFOcFwvZm8rVFlPQ2FidnlKV01XVVBnb1l5MWNpMXJ4dk5yTWhmSnpmK1ZsRzNWM0ZPSGxmd3lrVDVtckYifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jiaxin.wu@intel.com Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_895558F6EA4E3B41AC93A00D163B727416FC4BF2SHSMSX107ccrcor_" --_000_895558F6EA4E3B41AC93A00D163B727416FC4BF2SHSMSX107ccrcor_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Siva, I agree we should continue the next certificates configuration even the cur= rent one is invalid (since we already have the sanity check before the sett= ing). Please report one Bugzilla for the issue. Maciej, can you help fix on that? Thanks, Jiaxin From: Sivaraman Nainar Sent: Friday, December 20, 2019 12:16 PM To: devel@edk2.groups.io; Wu, Jiaxin ; Fu, Siyuan Cc: Madhan B. Santharam ; Arun Subramanian B ; Arun Sura Soundara Pandian ; Bhuva= neshwari M R Subject: RE: reg: HTTPS Certificate Update Hello Jiaxin / Siyuan: Would you please feedback on this. -Siva From: Sivaraman Nainar Sent: Monday, December 16, 2019 4:42 PM To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan' Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bh= uvaneshwari M R Subject: reg: HTTPS Certificate Update Hello All: Need clarification on the Certificate Validation Procedure used in HTTP Boo= t. The certificate parsing done at HttpDxe in file HttpsSupport.c in the funct= ion TlsConfigCertificate(). The below code snippet is TlsSetSessionData call for each certificate data. while ((ItemDataSize > 0) && (ItemDataSize >=3D CertList->SignatureListSi= ze)) { Cert =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNA= TURE_LIST) + CertList->SignatureHeaderSize); CertCount =3D (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIS= T) - CertList->SignatureHeaderSize) / CertList->SignatureSize; for (Index =3D 0; Index < CertCount; Index++) { // // EfiTlsConfigDataTypeCACertificate // Status =3D HttpInstance->TlsConfiguration->SetData ( HttpInstance->TlsConfigura= tion, EfiTlsConfigDataTypeCACert= ificate, Cert->SignatureData, CertList->SignatureSize - = sizeof (Cert->SignatureOwner) ); if (EFI_ERROR (Status)) { goto FreeCACert; } Cert =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->Signature= Size); } ItemDataSize -=3D CertList->SignatureListSize; CertList =3D (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->Sig= natureListSize); } In the attached code, once an invalid certificate of available certificates= Set via TLS, if its failed the code does not post further certificates eve= n those could be valid certificates. Is the code is purposefully done? May we know the expected behavior of the = code. -Siva --_000_895558F6EA4E3B41AC93A00D163B727416FC4BF2SHSMSX107ccrcor_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi Siva,

 

I agree we should continue the next certificates con= figuration even the current one is invalid (since we already have the sanit= y check before the setting).

 

Please report one Bugzilla for the issue.

 

Maciej, can you help fix on that?

 

Thanks,

Jiaxin

 

From: Siv= araman Nainar <sivaramann@amiindia.co.in>
Sent: Friday, December 20, 2019 12:16 PM
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu= , Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B = <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@= amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>= ;
Subject: RE: reg: HTTPS Certificate Update

 

Hello Jiaxin / Siyuan:=

 

Would you please feedb= ack on this.

 

-Siva

From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pand= ian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update

 

Hello All:

 

Need clarification on the Certificate Validation Pro= cedure used in HTTP Boot.

 

The certificate parsing done at HttpDxe in file Http= sSupport.c in the function TlsConfigCertificate().

 

The below code snippet is TlsSetSessionData call for= each certificate data.

 

 = ; while ((ItemDataSi= ze > 0) && (ItemDataSiz= e >=3D CertList->SignatureListSize)) {

 = ;   Cert =3D (EFI_SIGNATURE_DATA= *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);

 = ;   CertCount  =3D (CertList->S= ignatureListSize - sizeof (= EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;

 = ;   for (Index =3D 0; Index < CertCount; I= ndex++) {

 = ;     //

 = ;     // EfiTlsConfigDataTypeCACertificate<= o:p>

 = ;     //

 = ;     Status =3D HttpInstance->TlsConfiguration->SetData (

 = ;            &n= bsp;            = ;            &n= bsp;          HttpInstance->= ;TlsConfiguration,=

 = ;            &n= bsp;            = ;            &n= bsp;          EfiTlsConfigDataTypeCACertificate,

 = ;            &n= bsp;            = ;            &n= bsp;          Cert->= SignatureData,<= /o:p>

 = ;            &n= bsp;            = ;            &n= bsp;          CertList->SignatureSize - sizeof (Cert-&g= t;SignatureOwner)<= span style=3D"font-size:9.0pt;font-family:"Bookman Old Style",ser= if">

 = ;            &n= bsp;            = ;            &n= bsp;          );

 = ;     if (EFI_ERROR (Sta= tus)) {

 = ;       goto FreeCACert;

 = ;     }

 = ;     Cert =3D (EFI_SIGNATURE= _DATA *) ((UINT8 *) Cert + CertList->SignatureS= ize);

 = ;   }

 = ;   ItemDataSize -=3D CertList->Sign= atureListSize;

 = ;   CertList =3D (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->Signat= ureListSize);

 = ; }

 

In the attached code, once an invalid certificate of= available certificates Set via TLS, if its failed the code does not post f= urther certificates even those could be valid certificates.

 

Is the code is purposefully done? May we know the ex= pected behavior of the code.

 

-Siva

--_000_895558F6EA4E3B41AC93A00D163B727416FC4BF2SHSMSX107ccrcor_--