From: "Sivaraman Nainar"
To: "devel@edk2.groups.io", "Wu, Jiaxin", "Fu, Siyuan"
CC: "Madhan B. Santharam", "Arun Subramanian B", Arun Sura Soundara Pandian, Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update
Date: Mon, 16 Dec 2019 11:11:52 +0000

Hello All:

I need clarification on the certificate validation procedure used in HTTP Boot.

The certificate parsing is done in HttpDxe, in the file HttpsSupport.c, in the function TlsConfigCertificate().

The code snippet below is the TlsSetSessionData call made for each certificate:

  while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
    Cert      = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
    CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
    for (Index = 0; Index < CertCount; Index++) {
      //
      // EfiTlsConfigDataTypeCACertificate
      //
      Status = HttpInstance->TlsConfiguration->SetData (
                                                 HttpInstance->TlsConfiguration,
                                                 EfiTlsConfigDataTypeCACertificate,
                                                 Cert->SignatureData,
                                                 CertList->SignatureSize - sizeof (Cert->SignatureOwner)
                                                 );
      if (EFI_ERROR (Status)) {
        //
        // First rejected certificate aborts the whole walk.
        //
        goto FreeCACert;
      }
      Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
    }
    ItemDataSize -= CertList->SignatureListSize;
    CertList      = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
  }

In the attached code, once an invalid certificate among the available certificates is set via TLS and fails, the code does not post any further certificates, even those that could be valid certificates.

Is this done purposefully in the code? May we know the expected behavior of the code?

-Siva
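The behaviour Siva is asking about, shown as an added example rather than code from edk2 or from this thread: a small C program that builds a constructed chain of two EFI_SIGNATURE_LISTs (one of them containing a bad entry) and walks it the way the HttpDxe loop does, once with the `goto FreeCACert` semantics (stop at the first rejected certificate) and once skipping the rejected entry and continuing. The struct mirrors, the `SetCaCert` stand-in for `TlsConfiguration->SetData`, the 4-byte fake "certificates" and the extra bounds checks are all assumptions of this example, not part of the original mail or of HttpDxe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors of the UEFI EFI_SIGNATURE_LIST layout (assumed, packed as in the
   spec); example code, not edk2's MdePkg headers. SignatureData in each
   EFI_SIGNATURE_DATA entry follows a 16-byte SignatureOwner GUID. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
#pragma pack(push, 1)
typedef struct {
  EFI_GUID SignatureType;
  uint32_t SignatureListSize;    /* whole list, including this header */
  uint32_t SignatureHeaderSize;  /* optional per-list header after this struct */
  uint32_t SignatureSize;        /* sizeof(SignatureOwner) + DER length */
} EFI_SIGNATURE_LIST;
#pragma pack(pop)

/* Hypothetical stand-in for TlsConfiguration->SetData(EfiTlsConfigDataTypeCACertificate):
   accepts anything that starts with a DER SEQUENCE tag, rejects everything else. */
static int SetCaCert(const uint8_t *Der, size_t DerLen) {
  return (DerLen >= 2 && Der[0] == 0x30) ? 0 : -1;
}

/* Walk the EFI_SIGNATURE_LIST chain as the HttpDxe loop does. StopOnFirstFailure
   reproduces the `goto FreeCACert` path; otherwise every remaining entry is still
   offered. Returns the number of accepted certificates, or -1 for a malformed
   chain (added checks: the naive loop would divide by a zero SignatureSize or
   read past the buffer). */
int LoadCaCerts(const uint8_t *Blob, size_t BlobSize, int StopOnFirstFailure, int *Rejected) {
  size_t ItemDataSize = BlobSize;
  const uint8_t *List = Blob;
  int Loaded = 0;
  *Rejected = 0;
  while (ItemDataSize >= sizeof(EFI_SIGNATURE_LIST)) {
    EFI_SIGNATURE_LIST Hdr;
    memcpy(&Hdr, List, sizeof Hdr);                      /* no unaligned deref */
    uint64_t Fixed = (uint64_t)sizeof Hdr + Hdr.SignatureHeaderSize;
    if (Hdr.SignatureListSize > ItemDataSize || Hdr.SignatureListSize < Fixed ||
        Hdr.SignatureSize <= sizeof(EFI_GUID) ||
        (Hdr.SignatureListSize - Fixed) % Hdr.SignatureSize != 0) {
      return -1;
    }
    size_t CertCount = (size_t)((Hdr.SignatureListSize - Fixed) / Hdr.SignatureSize);
    const uint8_t *Cert = List + Fixed;
    for (size_t Index = 0; Index < CertCount; Index++) {
      if (SetCaCert(Cert + sizeof(EFI_GUID), Hdr.SignatureSize - sizeof(EFI_GUID)) == 0) {
        Loaded++;
      } else {
        (*Rejected)++;
        if (StopOnFirstFailure) return Loaded;           /* the goto FreeCACert path */
      }
      Cert += Hdr.SignatureSize;
    }
    ItemDataSize -= Hdr.SignatureListSize;
    List += Hdr.SignatureListSize;
  }
  return Loaded;
}

/* Append one signature list holding N equally sized 4-byte stand-in certs to Out. */
static size_t AppendList(uint8_t *Out, size_t Off, const uint8_t (*Certs)[4], size_t N) {
  EFI_SIGNATURE_LIST Hdr;
  memset(&Hdr, 0, sizeof Hdr);                           /* SignatureType left zero */
  Hdr.SignatureSize = (uint32_t)(sizeof(EFI_GUID) + 4);
  Hdr.SignatureListSize = (uint32_t)(sizeof Hdr + N * Hdr.SignatureSize);
  memcpy(Out + Off, &Hdr, sizeof Hdr);
  Off += sizeof Hdr;
  for (size_t i = 0; i < N; i++) {
    memset(Out + Off, 0, sizeof(EFI_GUID));              /* SignatureOwner: zero GUID */
    Off += sizeof(EFI_GUID);
    memcpy(Out + Off, Certs[i], 4);
    Off += 4;
  }
  return Off;
}

/* Constructed sample chain: list 1 = [good, BAD], list 2 = [good]. The entries
   are 4-byte blobs, not real DER. Out must hold at least 128 bytes; returns length. */
size_t BuildSampleChain(uint8_t *Out) {
  static const uint8_t List1[2][4] = { {0x30, 0x02, 0x01, 0x00}, {0xFF, 0x00, 0x00, 0x00} };
  static const uint8_t List2[1][4] = { {0x30, 0x02, 0x01, 0x01} };
  size_t Off = AppendList(Out, 0, List1, 2);
  return AppendList(Out, Off, List2, 1);
}

/* Run the walker over the sample chain in either mode; returns accepted count. */
int CountAccepted(int StopOnFirstFailure, int *Rejected) {
  uint8_t Blob[128];
  size_t Size = BuildSampleChain(Blob);
  return LoadCaCerts(Blob, Size, StopOnFirstFailure, Rejected);
}

/* A list whose SignatureSize is only the owner GUID carries no DER at all. */
int MalformedIsRejected(void) {
  uint8_t Blob[sizeof(EFI_SIGNATURE_LIST)];
  EFI_SIGNATURE_LIST Hdr;
  memset(&Hdr, 0, sizeof Hdr);
  Hdr.SignatureListSize = sizeof Hdr;
  Hdr.SignatureSize = sizeof(EFI_GUID);
  memcpy(Blob, &Hdr, sizeof Hdr);
  int Rejected;
  return LoadCaCerts(Blob, sizeof Blob, 0, &Rejected) == -1;
}

int main(void) {
  int Rej;
  int Abort = CountAccepted(1, &Rej);
  printf("abort-on-failure: accepted %d, rejected %d\n", Abort, Rej);
  int Skip = CountAccepted(0, &Rej);
  printf("skip-invalid:     accepted %d, rejected %d\n", Skip, Rej);
  printf("malformed list rejected: %d\n", MalformedIsRejected());
  return 0;
}
```

With the constructed chain, abort-on-failure loads only the first certificate and never reaches the valid one in the second list, which is the effect described in the mail; skip-invalid loads both good entries and reports one rejection. Note that the walker here stops only when fewer than `sizeof (EFI_SIGNATURE_LIST)` bytes remain and treats an oversized or zero-sized entry as an error, which is stricter than the `ItemDataSize > 0 && ItemDataSize >= SignatureListSize` condition in the quoted loop; that difference is an addition of this example, not a statement about how HttpDxe validates the variable.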