Hi, Laszlo

The data structure of EFI_TLS_CA_CERTIFICATE_VARIABLE is EFI_SIGNATURE_LIST and 
we have documented this in HTTPs Boot wiki page: 
https://github.com/tianocore/tianocore.github.io/wiki/HTTPS-Boot

You can refer to section 31.4.1 "Signature Database" in UEFI 2.7 A for a detailed 
description of the EFI_SIGNATURE_LIST structure.


Best Regards
Fu Siyuan


> -----Original Message-----
> From: Laszlo Ersek [mailto:ler...@redhat.com]
> Sent: Tuesday, March 20, 2018 10:56 PM
> To: Wu, Jiaxin <jiaxin...@intel.com>; Fu, Siyuan <siyuan...@intel.com>
> Cc: edk2-devel-01 <edk2-devel@lists.01.org>; Daniel P. Berrange
> <berra...@redhat.com>
> Subject: internal structure of EFI_TLS_CA_CERTIFICATE_VARIABLE
> 
> Hi Jiaxin, Siyuan,
> 
> setting *multiple* CA certificates for HTTPS server verification looks
> possible, from the following call tree:
> 
> TlsConfigCertificate()      [NetworkPkg/HttpDxe/HttpsSupport.c]
>   TlsConfigurationSetData() [NetworkPkg/TlsDxe/TlsConfigProtocol.c]
>     TlsSetCaCertificate()   [CryptoPkg/Library/TlsLib/TlsConfig.c]
>       X509_STORE_add_cert()
> 
> because the outermost TlsConfigCertificate() function implements a loop
> over the EFI_TLS_CA_CERTIFICATE_VARIABLE contents.
> 
> Is there natural-language documentation available about the internal
> structure of EFI_TLS_CA_CERTIFICATE_VARIABLE?
> 
> Because, OVMF should avoid taking one format of CA Cert list from QEMU
> (i.e. from the virtualization host) and converting it to the format
> expected by TlsConfigCertificate(). Instead, the "update-ca-trust"
> command should be taught (on the host system) to generate a binary
> certificate list file (somewhere under "/etc/pki/ca-trust/extracted", I
> believe) such that the file can be used directly for setting
> EFI_TLS_CA_CERTIFICATE_VARIABLE in the guest.
> 
> In order to write such an extractor for "update-ca-trust", the format of
> EFI_TLS_CA_CERTIFICATE_VARIABLE should be publicly documented. Also, a
> promise of stability wouldn't hurt. :)
> 
> (To refer back to the cipher suite list discussion
> <https://lists.01.org/pipermail/edk2-devel/2018-February/020944.html>,
> this stability / public documentation goal was guaranteed there, due to
> EFI_TLS_CIPHER being specified publicly.)
> 
> Thanks!
> Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
