Hi Jiaxin, Siyuan,
setting *multiple* CA certificates for HTTPS server verification looks
possible, from the following call tree:
TlsConfigCertificate()        [NetworkPkg/HttpDxe/HttpsSupport.c]
  TlsConfigurationSetData()   [NetworkPkg/TlsDxe/TlsConfigProtocol.c]
    TlsSetCaCertificate()     [CryptoPkg/Library/TlsLib/TlsConfig.c]
      X509_STORE_add_cert()
because the outermost TlsConfigCertificate() function implements a loop
over the EFI_TLS_CA_CERTIFICATE_VARIABLE contents.
Is there natural-language documentation available about the internal
structure of EFI_TLS_CA_CERTIFICATE_VARIABLE?
Because, OVMF should avoid taking one format of CA Cert list from QEMU
(i.e. from the virtualization host) and converting it to the format
expected by TlsConfigCertificate(). Instead, the "update-ca-trust"
command should be taught (on the host system) to generate a binary
certificate list file (somewhere under "/etc/pki/ca-trust/extracted", I
believe) such that the file can be used directly for setting
EFI_TLS_CA_CERTIFICATE_VARIABLE in the guest.
In order to write such an extractor for "update-ca-trust", the format of
EFI_TLS_CA_CERTIFICATE_VARIABLE should be publicly documented. Also, a
promise of stability wouldn't hurt. :)
(To refer back to the cipher suite list discussion
<https://lists.01.org/pipermail/edk2-devel/2018-February/020944.html>,
this stability / public documentation goal was guaranteed there, due to
EFI_TLS_CIPHER being specified publicly.)
Thanks!
Laszlo
_______________________________________________
edk2-devel mailing list
https://lists.01.org/mailman/listinfo/edk2-devel