[edk2-devel] reg: HTTPS Certificate Update

Fri Dec 20 09:46:59 UTC 2019

Hi Siva,

I agree we should continue the next certificates configuration even the current one is invalid (since we already have the sanity check before the setting).

Please report one Bugzilla for the issue.

Maciej, can you help fix on that?

Thanks,
Jiaxin

From: Sivaraman Nainar <sivaramann at amiindia.co.in>
Sent: Friday, December 20, 2019 12:16 PM
To: devel at edk2.groups.io; Wu, Jiaxin <jiaxin.wu at intel.com>; Fu, Siyuan <siyuan.fu at intel.com>
Cc: Madhan B. Santharam <madhans at ami.com>; Arun Subramanian B <arunsubramanianb at ami.com>; Arun Sura Soundara Pandian <arunsuras at amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr at amiindia.co.in>
Subject: RE: reg: HTTPS Certificate Update

Hello Jiaxin / Siyuan:

Would you please feedback on this.

-Siva
From: Sivaraman Nainar
Sent: Monday, December 16, 2019 4:42 PM
To: 'devel at edk2.groups.io'; 'Wu, Jiaxin'; 'Fu, Siyuan'
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R
Subject: reg: HTTPS Certificate Update

Hello All:

Need clarification on the Certificate Validation Procedure used in HTTP Boot.

The certificate parsing done at HttpDxe in file HttpsSupport.c in the function TlsConfigCertificate().

The below code snippet is TlsSetSessionData call for each certificate data.

  while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
    Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
    CertCount  = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
    for (Index = 0; Index < CertCount; Index++) {
      //
      // EfiTlsConfigDataTypeCACertificate
      //
      Status = HttpInstance->TlsConfiguration->SetData (
                                                 HttpInstance->TlsConfiguration,
                                                 EfiTlsConfigDataTypeCACertificate,
                                                 Cert->SignatureData,
                                                 CertList->SignatureSize - sizeof (Cert->SignatureOwner)
                                                 );
      if (EFI_ERROR (Status)) {
        goto FreeCACert;
      }
      Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
    }
    ItemDataSize -= CertList->SignatureListSize;
    CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
  }

In the attached code, once an invalid certificate of available certificates Set via TLS, if its failed the code does not post further certificates even those could be valid certificates.

Is the code is purposefully done? May we know the expected behavior of the code.

-Siva

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#52458): https://edk2.groups.io/g/devel/message/52458
Mute This Topic: https://groups.io/mt/68724546/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20191220/be4e368d/attachment.htm>