Extract edk2/cacerts.bin (RHBZ#1559580) v2 #139

Merged
merged 3 commits into from Mar 30, 2018

@lersek lersek commented Mar 29, 2018

This is the followup pullreq to #137 (v1). Updates in this version:

  • patch nr.1: no change
  • patch nr.2: replace #pragma pack and the XXX_to_le() converters with buffer_add_XXX() helpers, covering both scalars (with conversion to LE) and structures (which need no packing this way) @ueno
  • patch nr.3: add a unit test that extracts two certificates (new patch) @ueno @nmav

Thanks.

Introduce the p11_extract_edk2_cacerts() skeleton. At the moment it always
fails, silently.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1559580
Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Extract the DER-encoded X.509 certificates in the EFI_SIGNATURE_LIST
format that is

- defined by the UEFI 2.7 spec (using one inner EFI_SIGNATURE_DATA object
  per EFI_SIGNATURE_LIST, as specified for EFI_CERT_X509_GUID),

- and expected by edk2's HttpDxe when it configures the certificate list
  for HTTPS boot from EFI_TLS_CA_CERTIFICATE_VARIABLE (see the
  TlsConfigCertificate() function in "NetworkPkg/HttpDxe/HttpsSupport.c").

The intended command line is

  p11-kit extract \
    --format=edk2-cacerts \
    --filter=ca-anchors \
    --overwrite \
    --purpose=server-auth \
    $DEST/edk2/cacerts.bin

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1559580
Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Add a multi-cert test case for the edk2 extractor, heavily based on the
"/openssl/test_file_multiple" test case.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1559580
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
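
The layout named in the second commit message (one EFI_SIGNATURE_LIST per certificate, each holding a single EFI_SIGNATURE_DATA, all scalars little-endian), shown as an added example that is not part of this pull request or of p11-kit's code. The function names `esl_append` and `esl_count_x509` are hypothetical and the owner GUID is left to the caller; the field order and `EFI_CERT_X509_GUID` value follow the UEFI specification. The walker is the kind of bounds-checked pass one could run over a generated `cacerts.bin` before shipping it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EFI_CERT_X509_GUID (UEFI spec), in its in-memory little-endian byte order. */
static const uint8_t X509_GUID[16] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}
static uint32_t get_le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Append one EFI_SIGNATURE_LIST wrapping one EFI_SIGNATURE_DATA.
 * Returns the number of bytes written, or 0 if the output buffer is too small. */
size_t esl_append(uint8_t *out, size_t cap, const uint8_t owner[16],
                  const uint8_t *der, uint32_t der_len) {
    size_t total = 28 + 16 + (size_t)der_len;   /* list header + owner GUID + cert */
    if (der_len > UINT32_MAX - 44 || total > cap) return 0;
    memcpy(out, X509_GUID, 16);                 /* SignatureType */
    put_le32(out + 16, (uint32_t)total);        /* SignatureListSize */
    put_le32(out + 20, 0);                      /* SignatureHeaderSize: none for X.509 */
    put_le32(out + 24, 16 + der_len);           /* SignatureSize */
    memcpy(out + 28, owner, 16);                /* SignatureOwner */
    memcpy(out + 44, der, der_len);             /* SignatureData: DER certificate */
    return total;
}

/* Walk concatenated lists; returns the certificate count, or -1 if malformed. */
int esl_count_x509(const uint8_t *buf, size_t len) {
    int n = 0;
    while (len > 0) {
        if (len < 28) return -1;                /* truncated list header */
        uint32_t list = get_le32(buf + 16), hdr = get_le32(buf + 20), sig = get_le32(buf + 24);
        if (memcmp(buf, X509_GUID, 16) != 0 || hdr != 0) return -1;
        /* exactly one signature per list, and the list must fit in the buffer */
        if (list > len || sig <= 16 || list != 28 + (uint64_t)sig) return -1;
        if (buf[44] != 0x30) return -1;         /* a DER certificate starts with SEQUENCE */
        buf += list; len -= list; n++;
    }
    return n;
}
```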

@coveralls

Coverage Status

Coverage increased (+0.06%) to 81.237% when pulling 8c7b524 on lersek:extract-edk2-rhbz-1559580-v2 into ba6ebb0 on p11-glue:master.

@ueno ueno left a comment

Looks fine, thank you!

@ueno ueno merged commit de963b9 into p11-glue:master Mar 30, 2018

lersek commented Mar 30, 2018

Thank you!

@ueno ueno added this to the 0.23.11 milestone May 7, 2018