reg: HTTPS Certificate Validation During Enrollment

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

* reg: HTTPS Certificate Validation During Enrollment
@ 2019-12-24  5:16 Sivaraman Nainar
  2019-12-24  7:59 ` Siyuan, Fu
  0 siblings, 1 reply; 4+ messages in thread
From: Sivaraman Nainar @ 2019-12-24  5:16 UTC (permalink / raw)
  To: devel@edk2.groups.io, Wu, Jiaxin, Fu, Siyuan
  Cc: Madhan B. Santharam, Arun Subramanian  B,
	Arun Sura Soundara Pandian, Bhuvaneshwari M R, Ramesh R.

[-- Attachment #1: Type: text/plain, Size: 483 bytes --]

Hello all:

Right now the HTTPS Certificates are getting validated during TlsConfigCertificate()by HTTPDxe Driver.

But during enrollment of certificate via TLSDXE driver, it does not have any validation and it keep appending the TLSCaCert variable with the certificate provided.

Assume an invalid certificate keep loaded via TLS Auth configuration page, the NVRAM would be filled with garbage.

Is there any plan to have certificate validation during Enrollment?

-Siva

[-- Attachment #2: Type: text/html, Size: 2683 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: HTTPS Certificate Validation During Enrollment
  2019-12-24  5:16 reg: HTTPS Certificate Validation During Enrollment Sivaraman Nainar
@ 2019-12-24  7:59 ` Siyuan, Fu
  2019-12-27  7:26   ` Sivaraman Nainar
  0 siblings, 1 reply; 4+ messages in thread
From: Siyuan, Fu @ 2019-12-24  7:59 UTC (permalink / raw)
  To: Sivaraman Nainar, devel@edk2.groups.io, Wu, Jiaxin
  Cc: Madhan B. Santharam, Arun Subramanian  B,
	Arun Sura Soundara Pandian, Bhuvaneshwari M R, Ramesh R.

[-- Attachment #1: Type: text/plain, Size: 1438 bytes --]

Hi, Siva

We don’t think this is a real problem. The cert is saved as NV variable just like any other EFI variables, there are some basic checks like verify it’s a valid DER-encoded certificate before saving the certificate, and TLS config driver also provides a page to allow user to delete unused cert from system.

If someone want to fill the NV variable storage full with garbage, they can simply use SetVaraible service, not necessary to use this page.

Best Regards
Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: 2019年12月24日 13:17
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Subject: reg: HTTPS Certificate Validation During Enrollment

Hello all:

Right now the HTTPS Certificates are getting validated during TlsConfigCertificate()by HTTPDxe Driver.

But during enrollment of certificate via TLSDXE driver, it does not have any validation and it keep appending the TLSCaCert variable with the certificate provided.

Assume an invalid certificate keep loaded via TLS Auth configuration page, the NVRAM would be filled with garbage.

Is there any plan to have certificate validation during Enrollment?

-Siva

[-- Attachment #2: Type: text/html, Size: 5533 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: HTTPS Certificate Validation During Enrollment
  2019-12-24  7:59 ` Siyuan, Fu
@ 2019-12-27  7:26   ` Sivaraman Nainar
  2019-12-27  7:46     ` Siyuan, Fu
  0 siblings, 1 reply; 4+ messages in thread
From: Sivaraman Nainar @ 2019-12-27  7:26 UTC (permalink / raw)
  To: Fu, Siyuan, devel@edk2.groups.io, Wu, Jiaxin
  Cc: Madhan B. Santharam, Arun Subramanian  B,
	Arun Sura Soundara Pandian, Bhuvaneshwari M R, Ramesh R.

[-- Attachment #1: Type: text/plain, Size: 2267 bytes --]

Siyuan:

I agree. The basic check whatever we are doing here is the file extension only. Do you mean that could be enough and TLS will take care of validating the certificate during the connection State?

-Siva
From: Fu, Siyuan [mailto:siyuan.fu@intel.com]
Sent: Tuesday, December 24, 2019 1:30 PM
To: Sivaraman Nainar; devel@edk2.groups.io; Wu, Jiaxin
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R; Ramesh R.
Subject: RE: HTTPS Certificate Validation During Enrollment

Hi, Siva

We don’t think this is a real problem. The cert is saved as NV variable just like any other EFI variables, there are some basic checks like verify it’s a valid DER-encoded certificate before saving the certificate, and TLS config driver also provides a page to allow user to delete unused cert from system.

If someone want to fill the NV variable storage full with garbage, they can simply use SetVaraible service, not necessary to use this page.

Best Regards
Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in<mailto:sivaramann@amiindia.co.in>>
Sent: 2019年12月24日 13:17
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wu, Jiaxin <jiaxin.wu@intel.com<mailto:jiaxin.wu@intel.com>>; Fu, Siyuan <siyuan.fu@intel.com<mailto:siyuan.fu@intel.com>>
Cc: Madhan B. Santharam <madhans@ami.com<mailto:madhans@ami.com>>; Arun Subramanian B <arunsubramanianb@ami.com<mailto:arunsubramanianb@ami.com>>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in<mailto:arunsuras@amiindia.co.in>>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in<mailto:bhuvaneshwarimr@amiindia.co.in>>; Ramesh R. <rameshr@ami.com<mailto:rameshr@ami.com>>
Subject: reg: HTTPS Certificate Validation During Enrollment

Hello all:

Right now the HTTPS Certificates are getting validated during TlsConfigCertificate()by HTTPDxe Driver.

But during enrollment of certificate via TLSDXE driver, it does not have any validation and it keep appending the TLSCaCert variable with the certificate provided.

Assume an invalid certificate keep loaded via TLS Auth configuration page, the NVRAM would be filled with garbage.

Is there any plan to have certificate validation during Enrollment?

-Siva

[-- Attachment #2: Type: text/html, Size: 7124 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: HTTPS Certificate Validation During Enrollment
  2019-12-27  7:26   ` Sivaraman Nainar
@ 2019-12-27  7:46     ` Siyuan, Fu
  0 siblings, 0 replies; 4+ messages in thread
From: Siyuan, Fu @ 2019-12-27  7:46 UTC (permalink / raw)
  To: Sivaraman Nainar, devel@edk2.groups.io, Wu, Jiaxin
  Cc: Madhan B. Santharam, Arun Subramanian  B,
	Arun Sura Soundara Pandian, Bhuvaneshwari M R, Ramesh R.

[-- Attachment #1: Type: text/plain, Size: 2760 bytes --]

Yes

Best Regards
Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: 2019年12月27日 15:26
To: Fu, Siyuan <siyuan.fu@intel.com>; devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Subject: RE: HTTPS Certificate Validation During Enrollment

Siyuan:

I agree. The basic check whatever we are doing here is the file extension only. Do you mean that could be enough and TLS will take care of validating the certificate during the connection State?

-Siva
From: Fu, Siyuan [mailto:siyuan.fu@intel.com]
Sent: Tuesday, December 24, 2019 1:30 PM
To: Sivaraman Nainar; devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wu, Jiaxin
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R; Ramesh R.
Subject: RE: HTTPS Certificate Validation During Enrollment

Hi, Siva

We don’t think this is a real problem. The cert is saved as NV variable just like any other EFI variables, there are some basic checks like verify it’s a valid DER-encoded certificate before saving the certificate, and TLS config driver also provides a page to allow user to delete unused cert from system.

If someone want to fill the NV variable storage full with garbage, they can simply use SetVaraible service, not necessary to use this page.

Best Regards
Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in<mailto:sivaramann@amiindia.co.in>>
Sent: 2019年12月24日 13:17
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wu, Jiaxin <jiaxin.wu@intel.com<mailto:jiaxin.wu@intel.com>>; Fu, Siyuan <siyuan.fu@intel.com<mailto:siyuan.fu@intel.com>>
Cc: Madhan B. Santharam <madhans@ami.com<mailto:madhans@ami.com>>; Arun Subramanian B <arunsubramanianb@ami.com<mailto:arunsubramanianb@ami.com>>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in<mailto:arunsuras@amiindia.co.in>>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in<mailto:bhuvaneshwarimr@amiindia.co.in>>; Ramesh R. <rameshr@ami.com<mailto:rameshr@ami.com>>
Subject: reg: HTTPS Certificate Validation During Enrollment

Hello all:

Right now the HTTPS Certificates are getting validated during TlsConfigCertificate()by HTTPDxe Driver.

But during enrollment of certificate via TLSDXE driver, it does not have any validation and it keep appending the TLSCaCert variable with the certificate provided.

Assume an invalid certificate keep loaded via TLS Auth configuration page, the NVRAM would be filled with garbage.

Is there any plan to have certificate validation during Enrollment?

-Siva

[-- Attachment #2: Type: text/html, Size: 9070 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-12-27  7:46 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-12-24  5:16 reg: HTTPS Certificate Validation During Enrollment Sivaraman Nainar
2019-12-24  7:59 ` Siyuan, Fu
2019-12-27  7:26   ` Sivaraman Nainar
2019-12-27  7:46     ` Siyuan, Fu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox