From: "Sivaraman Nainar"
To: "devel@edk2.groups.io", "Wu, Jiaxin", "Fu, Siyuan"
CC: "Madhan B. Santharam", "Arun Subramanian B", Arun Sura Soundara Pandian, Bhuvaneshwari M R
Subject: Re: reg: HTTPS Certificate Update
Date: Fri, 20 Dec 2019 04:16:06 +0000

Hello Jiaxin / Siyuan:

Would you please give feedback on this.

-Siva

From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update

Hello All:

Need clarification on the Certificate Validation Procedure used in HTTP Boot.

The certificate parsing is done at HttpDxe in file HttpsSupport.c in the function TlsConfigCertificate().

The below code snippet is the TlsSetSessionData call for each certificate data.

  while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
    Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
    CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
    for (Index = 0; Index < CertCount; Index++) {
      //
      // EfiTlsConfigDataTypeCACertificate
      //
      Status = HttpInstance->TlsConfiguration->SetData (
                                                 HttpInstance->TlsConfiguration,
                                                 EfiTlsConfigDataTypeCACertificate,
                                                 Cert->SignatureData,
                                                 CertList->SignatureSize - sizeof (Cert->SignatureOwner)
                                                 );
      if (EFI_ERROR (Status)) {
        goto FreeCACert;
      }
      Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
    }
    ItemDataSize -= CertList->SignatureListSize;
    CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
  }

In the attached code, once an invalid certificate among the available certificates is set via TLS and fails, the code does not post further certificates, even though those could be valid certificates.

Is the code purposefully done this way? May we know the expected behavior of the code.

-Siva
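The loop quoted in the mail, rebuilt as an added stand-alone C example (not edk2 code and not from the mail's author) that walks a constructed EFI_SIGNATURE_LIST and stubs TlsConfiguration->SetData() so the current stop-at-first-failure behaviour can be compared against continuing past a rejected entry. The structure mirrors, the DER-tag check in set_ca_cert() and the kDemoDb contents are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal mirrors of the UEFI EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layouts. */
typedef struct { uint8_t SignatureType[16]; uint32_t SignatureListSize;
                 uint32_t SignatureHeaderSize; uint32_t SignatureSize; } EFI_SIGNATURE_LIST;
typedef struct { uint8_t SignatureOwner[16]; uint8_t SignatureData[1]; } EFI_SIGNATURE_DATA;

/* Stand-in for TlsConfiguration->SetData(): accept only data that starts with
   the DER SEQUENCE tag (0x30) a real X.509 certificate begins with (assumption). */
static int set_ca_cert(const uint8_t *data, uint32_t len) {
  return (len > 0 && data[0] == 0x30) ? 0 : -1;
}
/* Same walk as TlsConfigCertificate(); stop_on_error=1 reproduces 'goto FreeCACert',
   0 skips the bad entry. Returns certificates accepted; *failed counts rejections. */
int walk_ca_certs(const uint8_t *db, size_t size, int stop_on_error, int *failed) {
  const EFI_SIGNATURE_LIST *list = (const EFI_SIGNATURE_LIST *)db;
  size_t remaining = size;
  int accepted = 0;
  *failed = 0;
  while (remaining > 0 && remaining >= list->SignatureListSize) {
    const uint8_t *cert = (const uint8_t *)list + sizeof(*list) + list->SignatureHeaderSize;
    uint32_t count = (list->SignatureListSize - sizeof(*list) - list->SignatureHeaderSize)
                     / list->SignatureSize;
    for (uint32_t i = 0; i < count; i++, cert += list->SignatureSize) {
      const EFI_SIGNATURE_DATA *sd = (const EFI_SIGNATURE_DATA *)cert;
      if (set_ca_cert(sd->SignatureData, list->SignatureSize - sizeof(sd->SignatureOwner)) == 0) { accepted++; continue; }
      (*failed)++;
      if (stop_on_error) return accepted; /* current behaviour: later certificates are never posted */
    }
    remaining -= list->SignatureListSize;
    list = (const EFI_SIGNATURE_LIST *)((const uint8_t *)list + list->SignatureListSize);
  }
  return accepted;
}
/* Constructed TlsCaCertificate-style variable: one list, three 4-byte entries (valid, corrupt, valid). */
typedef struct { EFI_SIGNATURE_LIST Hdr; struct { uint8_t Owner[16]; uint8_t Data[4]; } Certs[3]; } DemoDb;
const DemoDb kDemoDb = {
  { {0}, sizeof(DemoDb), 0, 16 + 4 },
  { { {0}, {0x30, 0x82, 0x01, 0x00} }, { {0}, {0xFF, 0x00, 0x00, 0x00} }, { {0}, {0x30, 0x82, 0x02, 0x00} } }
};
int main(void) {
  int failed, posted = walk_ca_certs((const uint8_t *)&kDemoDb, sizeof kDemoDb, 1, &failed);
  printf("stop-on-error: %d posted, %d rejected\n", posted, failed);
  posted = walk_ca_certs((const uint8_t *)&kDemoDb, sizeof kDemoDb, 0, &failed);
  printf("skip-bad-entry: %d posted, %d rejected\n", posted, failed);
  return 0;
}
```

With stop-on-error a single corrupt or unsupported entry leaves every later CA unconfigured, so the HTTPS boot fails closed; skipping the entry keeps the remaining trust anchors usable but silently tolerates a damaged variable, which is the policy question the mail raises.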