From: "Sivaraman Nainar" <sivaramann@amiindia.co.in>
To: "Fu, Siyuan" <siyuan.fu@intel.com>, devel@edk2.groups.io, "Wu, Jiaxin" <jiaxin.wu@intel.com>
Cc: "Madhan B. Santharam" <madhans@ami.com>, "Arun Subramanian B" <arunsubramanianb@ami.com>, "Arun Sura Soundara Pandian" <arunsuras@amiindia.co.in>, "Bhuvaneshwari M R" <bhuvaneshwarimr@amiindia.co.in>, "Ramesh R." <rameshr@ami.com>
Subject: Re: HTTPS Certificate Validation During Enrollment
Date: Fri, 27 Dec 2019 07:26:28 +0000

Siyuan:

I agree. The basic check, whatever we are doing here, is the file extension only. Do you mean that could be enough and TLS will take care of validating the certificate during the connection state?

-Siva

From: Fu, Siyuan [mailto:siyuan.fu@intel.com]
Sent: Tuesday, December 24, 2019 1:30 PM
To: Sivaraman Nainar; devel@edk2.groups.io; Wu, Jiaxin
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R; Ramesh R.
Subject: RE: HTTPS Certificate Validation During Enrollment

Hi, Siva

We don’t think this is a real problem. The cert is saved as an NV variable just like any other EFI variable; there are some basic checks, like verifying it’s a valid DER-encoded certificate, before saving the certificate, and the TLS config driver also provides a page to allow the user to delete unused certs from the system.

If someone wants to fill the NV variable storage with garbage, they can simply use the SetVariable service; it is not necessary to use this page.

Best Regards
Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: December 24, 2019 13:17
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Subject: reg: HTTPS Certificate Validation During Enrollment

Hello all:

Right now the HTTPS certificates are getting validated during TlsConfigCertificate() by the HTTPDxe driver.

But during enrollment of a certificate via the TLSDXE driver, it does not have any validation and it keeps appending the TLSCaCert variable with the certificate provided.

Assume an invalid certificate keeps being loaded via the TLS Auth configuration page; the NVRAM would be filled with garbage.

Is there any plan to have certificate validation during enrollment?

-Siva
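As an added illustration of the "basic check that it is a valid DER-encoded certificate" that the reply above refers to as the gate before a blob is appended to the NV variable, here is a stand-alone structural validator. It is example code written for this page, not edk2 code and not code from either poster; the function names (IsDerX509Certificate, DerReadTlv), the sample byte strings and the PEM text are all constructed for the example. It checks only the DER framing of Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING } with no trailing bytes; signature, chain and validity-period checks are left to TLS at connection time, as the thread discusses.

```c
/* Structural "is this a DER-encoded X.509 certificate?" check, as a gate
 * before enrollment. Example code for this page, not edk2 code. It verifies
 * DER framing only: no signature, chain or expiry validation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DER_SEQUENCE  0x30
#define DER_BITSTRING 0x03

/* Read one DER TLV header at buf[0..len). Sets *hdr to the header size and
 * *clen to the content length. Rejects indefinite lengths and non-minimal
 * long-form lengths (both illegal in DER) and content that overruns len. */
static bool DerReadTlv(const uint8_t *buf, size_t len, uint8_t tag,
                       size_t *hdr, size_t *clen)
{
  if (len < 2 || buf[0] != tag) return false;
  uint8_t l = buf[1];
  if (l < 0x80) {                               /* short form */
    *hdr = 2; *clen = l;
  } else {                                      /* long form: 0x8n, then n bytes */
    size_t n = l & 0x7F;
    if (n == 0 || n > 4 || len < 2 + n) return false;  /* indefinite or absurd */
    if (buf[2] == 0) return false;              /* leading zero byte: non-minimal */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[2 + i];
    if (v < 0x80) return false;                 /* should have used short form */
    *hdr = 2 + n; *clen = v;
  }
  return *clen <= len - *hdr;                   /* no overrun / truncation */
}

/* True only if buf[0..len) is exactly one certificate-shaped DER SEQUENCE. */
bool IsDerX509Certificate(const uint8_t *buf, size_t len)
{
  size_t hdr, clen;
  if (buf == NULL || !DerReadTlv(buf, len, DER_SEQUENCE, &hdr, &clen)) return false;
  if (hdr + clen != len) return false;          /* truncated or trailing garbage */
  const uint8_t *p = buf + hdr;
  size_t rem = clen;

  if (!DerReadTlv(p, rem, DER_SEQUENCE, &hdr, &clen)) return false;   /* tbsCertificate */
  p += hdr + clen; rem -= hdr + clen;
  if (!DerReadTlv(p, rem, DER_SEQUENCE, &hdr, &clen)) return false;   /* signatureAlgorithm */
  p += hdr + clen; rem -= hdr + clen;
  if (!DerReadTlv(p, rem, DER_BITSTRING, &hdr, &clen)) return false;  /* signatureValue */
  if (clen < 1 || p[hdr] != 0) return false;    /* a signature has 0 unused bits */
  return rem == hdr + clen;                     /* nothing after the signature */
}

/* Constructed, certificate-shaped skeleton (NOT a real certificate):
 * SEQUENCE { SEQUENCE { INTEGER 5 }, SEQUENCE { }, BIT STRING 00 AA }. */
const uint8_t kSkeleton[] = {
  0x30, 0x0B, 0x30, 0x03, 0x02, 0x01, 0x05, 0x30, 0x00, 0x03, 0x02, 0x00, 0xAA };
/* Same skeleton plus one trailing byte: must be rejected. */
const uint8_t kTrailing[] = {
  0x30, 0x0B, 0x30, 0x03, 0x02, 0x01, 0x05, 0x30, 0x00, 0x03, 0x02, 0x00, 0xAA, 0x00 };
/* BER-only indefinite length, and a non-minimal long-form length. */
const uint8_t kIndefinite[] = { 0x30, 0x80, 0x30, 0x00, 0x30, 0x00, 0x03, 0x01, 0x00, 0x00, 0x00 };
const uint8_t kNonMinimal[] = {
  0x30, 0x81, 0x0B, 0x30, 0x03, 0x02, 0x01, 0x05, 0x30, 0x00, 0x03, 0x02, 0x00, 0xAA };
/* A PEM file passes a file-extension check but is text, not DER (constructed). */
const char kPem[] = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";

/* Builds a skeleton whose tbsCertificate uses a long-form length (128 content
 * bytes) so both length forms are exercised. Returns the total size (140). */
size_t BuildLongFormSample(uint8_t *out)
{
  size_t n = 0;
  out[n++] = 0x30; out[n++] = 0x81; out[n++] = 0x89;     /* outer: 137 content bytes */
  out[n++] = 0x30; out[n++] = 0x81; out[n++] = 0x80;     /* tbs: 128 content bytes */
  for (int i = 0; i < 128; i++) out[n++] = 0x05;          /* opaque filler, not parsed */
  out[n++] = 0x30; out[n++] = 0x00;                       /* signatureAlgorithm */
  out[n++] = 0x03; out[n++] = 0x02; out[n++] = 0x00; out[n++] = 0xAA; /* signatureValue */
  return n;
}

/* Long-form sample is accepted whole and rejected when truncated by one byte. */
bool CheckLongFormSample(void)
{
  uint8_t buf[256];
  size_t n = BuildLongFormSample(buf);
  return IsDerX509Certificate(buf, n) && !IsDerX509Certificate(buf, n - 1);
}

int main(void)
{
  printf("skeleton:    %d\n", IsDerX509Certificate(kSkeleton, sizeof kSkeleton));
  printf("trailing:    %d\n", IsDerX509Certificate(kTrailing, sizeof kTrailing));
  printf("indefinite:  %d\n", IsDerX509Certificate(kIndefinite, sizeof kIndefinite));
  printf("non-minimal: %d\n", IsDerX509Certificate(kNonMinimal, sizeof kNonMinimal));
  printf("pem:         %d\n", IsDerX509Certificate((const uint8_t *)kPem, sizeof kPem - 1));
  printf("long form:   %d\n", CheckLongFormSample());
  return 0;
}
```

The point of the rejected cases is the one raised in the thread: a file-extension check accepts a PEM file, a truncated download or a blob with trailing bytes, and each of those would be appended to the variable as-is. A framing check like this one costs nothing at enrollment time and is also cheap to apply in the SetVariable path, which is the route the reply notes would bypass the configuration page.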
