From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from IMSVA.IN.MEGATRENDS.COM (IMSVA.IN.MEGATRENDS.COM [14.98.235.2]) by mx.groups.io with SMTP id smtpd.web12.7067.1576835838783406503 for ; Fri, 20 Dec 2019 01:57:19 -0800
Authentication-Results: mx.groups.io; dkim=missing; spf=none, err=SPF record not found (domain: amiindia.co.in, ip: 14.98.235.2, mailfrom: sivaramann@amiindia.co.in)
Received: from IMSVA.IN.MEGATRENDS.COM (IMSVA.IN.MEGATRENDS.COM [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2497382047; Fri, 20 Dec 2019 15:34:23 +0530 (IST)
Received: from IMSVA.IN.MEGATRENDS.COM (IMSVA.IN.MEGATRENDS.COM [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EB32082046; Fri, 20 Dec 2019 15:34:22 +0530 (IST)
Received: from webmail.amiindia.co.in (venus2.in.megatrends.com [10.0.0.7]) by IMSVA.IN.MEGATRENDS.COM (Postfix) with ESMTPS; Fri, 20 Dec 2019 15:34:22 +0530 (IST)
Received: from VENUS1.in.megatrends.com ([fe80::951:7975:6ecf:eae5]) by Venus2.in.megatrends.com ([fe80::2002:4a07:4f17:c09b%14]) with mapi id 14.03.0248.002; Fri, 20 Dec 2019 15:27:12 +0530
From: "Sivaraman Nainar"
To: "devel@edk2.groups.io", "jiaxin.wu@intel.com", "Fu, Siyuan", "Rabeda, Maciej"
CC: "Madhan B. Santharam", "Arun Subramanian B", Arun Sura Soundara Pandian, Bhuvaneshwari M R
Subject: Re: [edk2-devel] reg: HTTPS Certificate Update
Thread-Topic: [edk2-devel] reg: HTTPS Certificate Update
Thread-Index: AdW0ARydMmD2tW+ITkCGvBPjuEe0LwC6wbdAAArNf5AAARsogA==
Date: Fri, 20 Dec 2019 09:57:12 +0000
Message-ID:
References: <895558F6EA4E3B41AC93A00D163B727416FC4BF2@SHSMSX107.ccr.corp.intel.com>
In-Reply-To: <895558F6EA4E3B41AC93A00D163B727416FC4BF2@SHSMSX107.ccr.corp.intel.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.0.0.215]
MIME-Version: 1.0
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_B4DE137BDB63634BAC03BD9DE765F197029AE57A35VENUS1inmegat_"

--_000_B4DE137BDB63634BAC03BD9DE765F197029AE57A35VENUS1inmegat_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Thanks Jiaxin for the prompt reply.

Created ticket: https://bugzilla.tianocore.org/show_bug.cgi?id=2433

From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Wu, Jiaxin
Sent: Friday, December 20, 2019 3:17 PM
To: Sivaraman Nainar; devel@edk2.groups.io; Fu, Siyuan; Rabeda, Maciej
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: Re: [edk2-devel] reg: HTTPS Certificate Update

Hi Siva,

I agree we should continue with the next certificate's configuration even if the current one is invalid (since we already have the sanity check before the setting).

Please report one Bugzilla for the issue.

Maciej, can you help fix that?

Thanks,
Jiaxin

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: Friday, December 20, 2019 12:16 PM
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>
Subject: RE: reg: HTTPS Certificate Update

Hello Jiaxin / Siyuan:

Would you please give feedback on this.

-Siva

From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel@edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update

Hello All:

Need clarification on the certificate validation procedure used in HTTP Boot.

The certificate parsing is done in HttpDxe, in file HttpsSupport.c, in the function TlsConfigCertificate().

The code snippet below is the TlsSetSessionData call for each certificate data.

  //
  // Walk every EFI_SIGNATURE_LIST in the CA certificate variable and hand
  // each entry's DER bytes to the TLS driver.
  //
  while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
    Cert      = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
    CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
    for (Index = 0; Index < CertCount; Index++) {
      //
      // EfiTlsConfigDataTypeCACertificate
      //
      Status = HttpInstance->TlsConfiguration->SetData (
                                                 HttpInstance->TlsConfiguration,
                                                 EfiTlsConfigDataTypeCACertificate,
                                                 Cert->SignatureData,
                                                 CertList->SignatureSize - sizeof (Cert->SignatureOwner)
                                                 );
      if (EFI_ERROR (Status)) {
        //
        // First failing entry aborts the whole walk; remaining entries are never set.
        //
        goto FreeCACert;
      }
      Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
    }
    ItemDataSize -= CertList->SignatureListSize;
    CertList      = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
  }

In the attached code, once an invalid certificate among the available certificates is set via TLS and fails, the code does not post further certificates, even though those could be valid certificates.

Is the code purposefully done this way? May we know the expected behavior of the code.

-Siva
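The question above is about the `goto FreeCACert` taken on the first SetData failure. The following is an added example (my code, not edk2's, and not part of the original thread) that walks a constructed EFI_SIGNATURE_LIST chain in plain C under both policies: the abort-on-first-failure behaviour of the posted loop, and the continue-past-the-invalid-entry behaviour Jiaxin asks for. `MockSetCaCert` is an assumption standing in for `TlsConfiguration->SetData (EfiTlsConfigDataTypeCACertificate)`; it accepts a blob only if it begins with a DER SEQUENCE tag. The size checks on `SignatureListSize` and `SignatureSize` are also mine; the posted snippet relies on a sanity check performed earlier that is not shown on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal mirrors of the UEFI structures the HttpDxe loop walks. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct {
  EFI_GUID SignatureType;
  uint32_t SignatureListSize;    /* whole list: header + SignatureHeaderSize + entries */
  uint32_t SignatureHeaderSize;
  uint32_t SignatureSize;        /* per entry: SignatureOwner GUID + certificate bytes */
} EFI_SIGNATURE_LIST;

typedef enum { POLICY_ABORT_ON_FAILURE, POLICY_SKIP_INVALID } LoopPolicy;
typedef struct { int Configured; int Rejected; int Aborted; } ConfigResult;

/* Assumed stand-in for TlsConfiguration->SetData(EfiTlsConfigDataTypeCACertificate):
 * the real driver hands the bytes to the TLS stack, which parses the DER.
 * Here a blob is "valid" if it starts with a DER SEQUENCE tag (0x30). */
static int MockSetCaCert(const uint8_t *Der, size_t Len) {
  return (Len > 0 && Der[0] == 0x30) ? 0 : -1;
}

/* Same walk as TlsConfigCertificate(), with the sizes checked before use:
 * the variable is OS-writable, so its headers are untrusted input. */
ConfigResult ConfigureCaCerts(const uint8_t *Data, size_t ItemDataSize, LoopPolicy Policy) {
  ConfigResult R = {0, 0, 0};
  const uint8_t *CertList = Data;
  while (ItemDataSize >= sizeof(EFI_SIGNATURE_LIST)) {
    EFI_SIGNATURE_LIST Hdr;
    memcpy(&Hdr, CertList, sizeof Hdr);                 /* no unaligned dereference */
    size_t Fixed = sizeof Hdr + Hdr.SignatureHeaderSize;
    if (Hdr.SignatureListSize > ItemDataSize || Hdr.SignatureListSize < Fixed ||
        Hdr.SignatureSize <= sizeof(EFI_GUID) ||
        (Hdr.SignatureListSize - Fixed) % Hdr.SignatureSize != 0) {
      R.Aborted = 1;                                     /* malformed list: stop, never over-read */
      break;
    }
    size_t CertCount = (Hdr.SignatureListSize - Fixed) / Hdr.SignatureSize;
    const uint8_t *Cert = CertList + Fixed;
    for (size_t Index = 0; Index < CertCount; Index++) {
      const uint8_t *Der = Cert + sizeof(EFI_GUID);      /* skip SignatureOwner */
      size_t DerLen = Hdr.SignatureSize - sizeof(EFI_GUID);
      if (MockSetCaCert(Der, DerLen) == 0) {
        R.Configured++;
      } else {
        R.Rejected++;
        if (Policy == POLICY_ABORT_ON_FAILURE) {         /* the posted code's "goto FreeCACert" */
          R.Aborted = 1;
          return R;
        }
      }
      Cert += Hdr.SignatureSize;
    }
    ItemDataSize -= Hdr.SignatureListSize;
    CertList += Hdr.SignatureListSize;
  }
  return R;
}

/* Constructed sample data (not a real TlsCaCertificate variable). */
static size_t AppendList(uint8_t *Buf, size_t Off, const uint8_t *Blobs, size_t BlobLen, size_t Count) {
  EFI_SIGNATURE_LIST Hdr;
  memset(&Hdr, 0, sizeof Hdr);
  Hdr.SignatureSize = (uint32_t)(sizeof(EFI_GUID) + BlobLen);
  Hdr.SignatureListSize = (uint32_t)(sizeof Hdr + Count * Hdr.SignatureSize);
  memcpy(Buf + Off, &Hdr, sizeof Hdr);
  Off += sizeof Hdr;
  for (size_t i = 0; i < Count; i++) {
    memset(Buf + Off, 0, sizeof(EFI_GUID));              /* SignatureOwner: not used here */
    Off += sizeof(EFI_GUID);
    memcpy(Buf + Off, Blobs + i * BlobLen, BlobLen);
    Off += BlobLen;
  }
  return Off;
}

size_t BuildSampleDb(uint8_t *Buf) {
  static const uint8_t ListA[] = { 0x30, 0x03, 0x01, 0x01,     /* "good" cert */
                                   0xFF, 0x00, 0x00, 0x00 };   /* "bad": not DER */
  static const uint8_t ListB[] = { 0x30, 0x05, 0x02, 0x01, 0x02, 0x03 }; /* "good" */
  size_t Off = AppendList(Buf, 0, ListA, 4, 2);
  return AppendList(Buf, Off, ListB, 6, 1);
}

ConfigResult RunSample(LoopPolicy Policy) {
  uint8_t Buf[256];
  size_t Len = BuildSampleDb(Buf);
  return ConfigureCaCerts(Buf, Len, Policy);
}

/* Truncate the last list by one byte: its header must be rejected, not read past the end. */
int TruncatedSampleIsRejected(void) {
  uint8_t Buf[256];
  size_t Len = BuildSampleDb(Buf);
  ConfigResult R = ConfigureCaCerts(Buf, Len - 1, POLICY_SKIP_INVALID);
  return R.Aborted == 1 && R.Configured == 1;
}

int main(void) {
  ConfigResult A = RunSample(POLICY_ABORT_ON_FAILURE);
  ConfigResult S = RunSample(POLICY_SKIP_INVALID);
  printf("abort-on-failure: configured=%d rejected=%d aborted=%d\n", A.Configured, A.Rejected, A.Aborted);
  printf("skip-invalid:     configured=%d rejected=%d aborted=%d\n", S.Configured, S.Rejected, S.Aborted);
  return 0;
}
```

With the sample data, the abort policy leaves the TLS context holding only the one certificate that precedes the bad entry, while the skip policy configures both parseable certificates and merely counts the rejection. The truncated case is the reason the size checks run before any SetData call: a list header that claims more bytes than remain must stop the walk rather than be dereferenced.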

--_000_B4DE137BDB63634BAC03BD9DE765F197029AE57A35VENUS1inmegat_--