Gary,

I couldn't find the rpm binary from the link you provided. Please help to
double-check the repository or share the binary with me directly.
Locally, I created one self-signed cert (using the makecert utility) for testing,
and the test result looks good under the openssl 1.0.2c build.

Bypassing X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT in the callback function will
bring a security risk: an image signed by a single self-signed certificate
will be trusted, even if no matching trust anchor is found in the DB database.

For self-signed certificate verification, OpenSSL requires an exact match in the
trusted store (by comparing memory). I guess the issue on your side may be
caused by some inaccuracy when converting the certificate format (e.g. PEM <->
DER).


Best Regards & Thanks,
LONG, Qin
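As an added example for the point made above (this is not code from the thread, from edk2 or from OpenSSL), the following POSIX shell script uses the openssl command line tool, assumed to be in PATH (1.1 or later; 1.0.2 prints slightly different text but the same error number), to reproduce the behaviour described: a lone self-signed certificate verifies only when the identical certificate is loaded as a trust anchor, otherwise X509_verify_cert() reports X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (error 18), and it does so as well for a constructed certificate that copies the subject name but uses a different key, which is exactly the case the patch under discussion would wave through. It also checks that a PEM -> DER -> PEM round trip preserves the bytes that the trust-store comparison looks at. All subject names and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not edk2 or OpenSSL project code). Shows with the openssl CLI
# why a lone self-signed leaf fails with X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
# (error 18) unless the identical certificate is a trust anchor, and that a
# lossless PEM<->DER round trip keeps that exact match intact.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: two throwaway self-signed certificates with the
# same subject name but different keys. "signer" plays the certificate that
# signed an image; "impostor" only copies the name (constructed here to show
# that a name match is not a trust-store match).
new_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}
new_self_signed example-signer signer
new_self_signed example-signer impostor

# verify_error_code LEAF [ANCHOR]: prints the numeric X509 verify error that
# `openssl verify` reports for LEAF, or 0 when verification succeeds. Without
# ANCHOR only the default store is consulted, which does not hold our cert.
verify_error_code() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) && { echo 0; return 0; }
  else
    out=$(openssl verify "$1" 2>&1) && { echo 0; return 0; }
  fi
  # Both "error 18 at 0 depth lookup: ..." and the 1.0.2 "lookup:..." form match.
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
}

# der_roundtrip_matches PEM: converts PEM -> DER -> PEM and compares SHA-256
# fingerprints of the encoded certificate, i.e. the same bytes that the
# trust-store exact-match comparison sees. Returns 0 when they are identical.
der_roundtrip_matches() {
  openssl x509 -in "$1" -outform DER -out "$WORK/rt.der"
  openssl x509 -in "$WORK/rt.der" -inform DER -out "$WORK/rt.pem"
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$WORK/rt.pem" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

echo "no anchor:             error $(verify_error_code "$WORK/signer.pem")"
echo "exact anchor:          error $(verify_error_code "$WORK/signer.pem" "$WORK/signer.pem")"
echo "same name, other key:  error $(verify_error_code "$WORK/impostor.pem" "$WORK/signer.pem")"
der_roundtrip_matches "$WORK/signer.pem" && echo "PEM/DER round trip: exact match preserved"
```

The third case is the one that matters for the patch: the impostor certificate is rejected with the same error 18 as an unknown certificate, so a callback that converts error 18 into success cannot tell the two apart.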

-----Original Message-----
From: Gary Ching-Pang Lin [mailto:g...@suse.com] 
Sent: Friday, July 3, 2015 4:40 PM
To: edk2-devel@lists.sourceforge.net
Subject: Re: [edk2] [PATCH] CryptoPkg: Allow the depth zero self-signed certificate

On Fri, Jul 03, 2015 at 06:05:53AM +0000, Long, Qin wrote:
> Hi, Gary,
> 
> Is it one new issue brought by 1.0.2c?
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT will also be issued in 0.9.8xx. The 
> 1.0.2c just add one new function cert_self_signed() to simplify the 
> self-signed certificate checking (by checking the flag only, instead of 
> issuer checking).
> 
Yeah, in theory the behaviors should be the same, but actually they are not.

I replaced cert_self_signed(x) in line 293 in crypto/x509/x509_vfy.c with
ctx->check_issued(ctx, x, x) (the 0.9.8 style), and X509VerifyCb() never got
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. This patch is actually a quick bandage
since I needed the self-signed images from our build service for the autotest.

In case you need a sample, you can download the shim-*.rpm from 
https://build.opensuse.org/package/binaries/devel:openSUSE:Factory/shim?arch=x86_64&repository=standard
and unpack the rpm with 'unrpm shim-*.rpm'. The signed EFI files will be in 
'usr/lib64/efi/' and the certificate of the sign key is 
'usr/lib64/efi/shim-devel.der'.

Thanks,

Gary Lin
> 
> Best Regards & Thanks,
> LONG, Qin
> 
> -----Original Message-----
> From: Gary Ching-Pang Lin [mailto:g...@suse.com]
> Sent: Friday, July 03, 2015 12:06 PM
> To: edk2-devel@lists.sourceforge.net
> Subject: Re: [edk2] [PATCH] CryptoPkg: Allow the depth zero self-signed certificate
> 
> On Fri, Jul 03, 2015 at 11:37:22AM +0800, Gary Ching-Pang Lin wrote:
> > After updating openssl from 0.9.8zf to 1.0.2c(*), all images with
> > the depth zero self-signed certificates were rejected since
> > X509_verify_cert() issued this error:
> > X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. This commit relaxes the check in
> > X509VerifyCb() to allow the self-signed images to pass the verification.
> > 
> > (*) The critical commit in openssl is
> > da084a5ec6cebd67ae27f2463ebe4a50bb840fa5
> > https://git.openssl.org/?p=openssl.git;a=commit;h=da084a5ec6cebd67ae27f2463ebe4a50bb840fa5
> Oops, I posted the wrong commit id.
> The correct id is ced6dc5cefca57b08e077951a9710c33b709e99e
> https://git.openssl.org/?p=openssl.git;a=commit;h=ced6dc5cefca57b08e077951a9710c33b709e99e
> 
> Please help me correct the id if this patch is going to be checked in.
> 
> Thanks,
> 
> Gary Lin
> 
> > 
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
> > ---
> >  CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> > index d0b0c83..1145f65 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> > @@ -100,7 +100,8 @@ X509VerifyCb (
> >    }
> >  
> >    if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
> > -      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
> > +      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) ||
> > +      (Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
> >      Status = 1;
> >    }
> >  
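Review bot: the added `(Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)` condition in this hunk turns a trust failure into success, because OpenSSL raises that error exactly when the depth-zero certificate is self-signed and no identical certificate is present in the trusted store (the exact-match point Qin makes above). Once `Status = 1` is returned for it, any self-signed signing certificate passes X509VerifyCb(), not only the shim-devel one from the openSUSE build service, so the DB check in the image verification path is effectively disabled for self-signed signers. The callback should keep reporting this error; the fix belongs on the trust-anchor side (check that the certificate enrolled in DB is byte-identical to the signer, for example that the PEM/DER conversion Qin suspects did not alter it). If the relaxation is really needed for an autotest setup, it should be gated behind a build-time option and stated in the commit message, which should also carry the corrected OpenSSL commit id ced6dc5cefca57b08e077951a9710c33b709e99e instead of the one in the body.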
> > --
> > 2.1.4
> > 
> > 
> > --------------------------------------------------------------------
> > --
> > -------- Don't Limit Your Business. Reach for the Cloud.
> > GigeNET's Cloud Solutions provide you with the tools and support 
> > that you need to offload your IT needs and focus on growing your business.
> > Configured For All Businesses. Start Your Cloud Today.
> > https://www.gigenetcloud.com/
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/edk2-devel
> > 
> 
