Gary,

Could you provide more information about this patch? E.g., what's the real scenario?
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT will be issued when the image signer is a self-signed certificate and this cert could not be found in the trusted store.
In my opinion, simply ignoring this X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT check may bring extra risk.
Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Long, Qin [mailto:qin.l...@intel.com]
Sent: Friday, July 03, 2015 2:06 PM
To: edk2-devel@lists.sourceforge.net
Subject: Re: [edk2] [PATCH] CryptoPkg: Allow the depth zero self-signed certificate

Hi, Gary,

Is it a new issue brought by 1.0.2c? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT will also be issued in 0.9.8xx. 1.0.2c just adds a new function, cert_self_signed(), to simplify the self-signed certificate check (by checking the flag only, instead of checking the issuer).

Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Gary Ching-Pang Lin [mailto:g...@suse.com]
Sent: Friday, July 03, 2015 12:06 PM
To: edk2-devel@lists.sourceforge.net
Subject: Re: [edk2] [PATCH] CryptoPkg: Allow the depth zero self-signed certificate

On Fri, Jul 03, 2015 at 11:37:22AM +0800, Gary Ching-Pang Lin wrote:
> After updating openssl from 0.9.8zf to 1.0.2c(*), all images with the
> depth zero self-signed certificates were rejected since
> X509_verify_cert() issued this error:
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. This commit relaxes the check in
> X509VerifyCb() to allow the self-signed images to pass the verification.
>
> (*) The critical commit in openssl is
> da084a5ec6cebd67ae27f2463ebe4a50bb840fa5
> https://git.openssl.org/?p=openssl.git;a=commit;h=da084a5ec6cebd67ae27f2463ebe4a50bb840fa5

Oops, I posted the wrong commit id. The correct id is
ced6dc5cefca57b08e077951a9710c33b709e99e
https://git.openssl.org/?p=openssl.git;a=commit;h=ced6dc5cefca57b08e077951a9710c33b709e99e

Please help me correct the id if this patch is going to be checked in.

Thanks,

Gary Lin

>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
> ---
> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c > index d0b0c83..1145f65 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c 
> @@ -100,7 +100,8 @@ X509VerifyCb ( > } > > if ((Error == X509_V_ERR_CERT_UNTRUSTED) || > - (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) { > + (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) || > + (Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) { > Status = 1; > } > > -- > 2.1.4
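Review bot: The added `(Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)` case in this hunk sets `Status = 1` unconditionally, so a self-signed signer is accepted whether or not that certificate is present in the trusted store; the override should be limited to the case where the leaf certificate itself is found in the store (the X509_STORE_CTX handed to the callback allows that lookup), or the commit message should state which other check makes the unconditional override safe. The commit message should also cite the corrected OpenSSL commit ced6dc5cefca57b08e077951a9710c33b709e99e, as the author notes down-thread, instead of da084a5ec6cebd67ae27f2463ebe4a50bb840fa5.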
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
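A model of the two override policies discussed in this thread, added here as an example that is neither edk2's nor OpenSSL's code: it keeps OpenSSL's real X509_V_ERR_* numbers but replaces the certificate store with a constructed list of fingerprint strings, so it compiles without libcrypto. TrustedStore, InTrustedStore, VerifyCbPatched and VerifyCbScoped are hypothetical names, and the fingerprint values are constructed.

```c
/* Added model, not edk2 or OpenSSL code. Error numbers are OpenSSL's
 * real X509_V_ERR_* values; the store and callbacks are hypothetical. */
#include <stddef.h>
#include <string.h>

#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT      18
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE  21
#define X509_V_ERR_CERT_UNTRUSTED                   27

/* Constructed trust store: fingerprints of the certificates the platform
 * owner enrolled. A real store would hold X509 objects, not strings. */
static const char *TrustedStore[] = { "fp:enrolled-self-signed-signer" };

static int InTrustedStore(const char *Fingerprint)
{
  size_t i;
  for (i = 0; i < sizeof TrustedStore / sizeof TrustedStore[0]; i++) {
    if (strcmp(TrustedStore[i], Fingerprint) == 0) {
      return 1;
    }
  }
  return 0;
}

/* Policy of the posted patch: the depth-zero self-signed error is
 * overridden unconditionally. Status 0 = OpenSSL rejected, 1 = accept. */
int VerifyCbPatched(int Status, int Error, const char *LeafFingerprint)
{
  (void)LeafFingerprint;
  if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) ||
      (Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
    Status = 1;
  }
  return Status;
}

/* Narrower policy: the self-signed error is overridden only when the leaf
 * certificate itself was enrolled, so an arbitrary self-signed signer that
 * is absent from the store is still rejected. */
int VerifyCbScoped(int Status, int Error, const char *LeafFingerprint)
{
  if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
    Status = 1;
  } else if (Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
    Status = InTrustedStore(LeafFingerprint);
  }
  return Status;
}
```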