Subject: Re: [edk2-discuss] a question about X509 flag
From: Marvin Häuser <mhaeuser@posteo.de>
To: discuss@edk2.groups.io, xiewenyi2@huawei.com
Cc: jiewen.yao@intel.com, Jian J Wang, xiaoyux.lu@intel.com, guomin.jiang@intel.com, devel@edk2.groups.io
Date: Mon, 27 Sep 2021 09:21:15 +0000

Hey Wenyi,

Sorry, I cannot help with the time one, but "partial chain" is how virtually any other crypto solution works out of the box.

Basically there is a disagreement about what defines a root certificate, and while some think it is the OpenSSL default of requiring a self-signed certificate for the root, many people including myself strongly disagree and do not believe it follows from the RFCs. I'm not aware of any bad security implications of either model. So, this merely allows any certificate in the chain (the top one may be self-signed *if* it even is a certificate; it may just as well be a trusted public key for all we know) to be eligible to be added to the trust store and root a trust chain.

Further reading: https://github.com/openssl/openssl/issues/7871

Cc CryptoPkg maintainers and edk2-devel for further feedback.

Best regards,
Marvin

On 27/09/2021 10:53, wenyi,xie via groups.io wrote:
> Hello,
>
> I have a question about a flag set in X509_STORE. Does anyone know why the flags X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_NO_CHECK_TIME need to be set on the X509Store in TlsNew() (CryptoPkg\Library\TlsLib\TlsInit.c)?
>
> Thanks
> Wenyi
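The two X509_STORE flags Wenyi asks about have direct equivalents on the openssl(1) verify command line: X509_V_FLAG_PARTIAL_CHAIN is -partial_chain and X509_V_FLAG_NO_CHECK_TIME is -no_check_time. The script below is an added illustration of what each one changes; it is not code from edk2, CryptoPkg or anyone in this thread. It builds a throwaway root -> intermediate -> leaf chain (all subject and file names are made up), then shows that with only the intermediate in the trust store the default model rejects the chain because no self-signed root is reachable while -partial_chain lets the intermediate root it, and that a leaf whose validity period ended in 2001 is rejected until -no_check_time disables the validity-period check. It assumes an openssl binary of version 1.1.0 or newer on PATH and a default openssl.cnf that openssl req can load.

```shell
#!/bin/sh
# Added example, not code from edk2 or CryptoPkg. Shows what the two X509_STORE
# flags set in TlsNew() change, via their openssl(1) verify equivalents:
#   X509_V_FLAG_PARTIAL_CHAIN -> -partial_chain
#   X509_V_FLAG_NO_CHECK_TIME -> -no_check_time
# Assumes openssl >= 1.1.0 on PATH. All subject names and file names are made up.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Unencrypted P-256 key plus a CSR: $1 = file base name, $2 = CN
make_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Constructed chain: Test Root (self-signed) -> Test Intermediate -> leaf.example,
# plus a second leaf whose validity period ended in 2001.
build_chain() {
    # The intermediate must carry CA:TRUE and keyCertSign or it is rejected as
    # an issuer in either model; partial chain only relaxes the "reach a
    # self-signed root" requirement, not the CA checks.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/ca.ext"

    make_csr root "Test Root"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
    make_csr inter "Test Intermediate"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

    # Leaves are issued with openssl ca, which accepts explicit notBefore/notAfter
    # values, so the expired leaf can be produced on any supported version.
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
private_key = \$dir/inter.key
certificate = \$dir/inter.pem
default_md = sha256
policy = any_cn
x509_extensions = leaf_ext
unique_subject = no
[ any_cn ]
commonName = supplied
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    make_csr leaf "leaf.example"
    openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" -days 365 \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" \
        -startdate 20000101000000Z -enddate 20010101000000Z \
        -out "$WORK/expired.pem" >/dev/null 2>&1
}

# Exit status of openssl verify with the given arguments: 0 = chain accepted.
verify() { openssl verify "$@" >/dev/null 2>&1; }

# Default model: only the intermediate is trusted and no self-signed root can
# be reached, so OpenSSL reports "unable to get issuer certificate".
verify_strict_intermediate_only() { verify -CAfile "$WORK/inter.pem" "$WORK/leaf.pem"; }

# Partial-chain model: same store, but any trusted certificate may root the
# chain, so the intermediate alone is sufficient.
verify_partial_intermediate_only() { verify -partial_chain -CAfile "$WORK/inter.pem" "$WORK/leaf.pem"; }

# Complete chain to the self-signed root: accepted in both models.
verify_full_chain() { verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"; }

# Expired leaf on an otherwise good chain: "certificate has expired" ...
verify_expired() { verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/expired.pem"; }

# ... unless the validity-period check is switched off altogether.
verify_expired_no_check_time() {
    verify -no_check_time -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/expired.pem"
}

show() { if "$2"; then printf '%-46s accepted\n' "$1"; else printf '%-46s rejected\n' "$1"; fi; }

build_chain
show "store={intermediate}"                   verify_strict_intermediate_only
show "store={intermediate} -partial_chain"    verify_partial_intermediate_only
show "store={root} untrusted={intermediate}"  verify_full_chain
show "expired leaf"                           verify_expired
show "expired leaf -no_check_time"            verify_expired_no_check_time
```

Note that -partial_chain does not weaken the per-certificate checks: the intermediate still has to be a valid CA certificate that signed the leaf, it merely no longer has to be self-signed to be accepted as the trust anchor. -no_check_time, by contrast, removes a check entirely, so a caller that sets it has to get expiry protection from somewhere else.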