Discussion:
[edk2] [PATCH] CryptoPkg: Allow the depth zero self-signed certificate
Gary Ching-Pang Lin
2015-07-03 03:37:22 UTC
After updating openssl from 0.9.8zf to 1.0.2c(*), all images with depth-zero
self-signed certificates were rejected, since X509_verify_cert() issued this
error: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. This commit relaxes the check
in X509VerifyCb() to allow the self-signed images to pass verification.

(*) The critical commit in openssl is da084a5ec6cebd67ae27f2463ebe4a50bb840fa5
https://git.openssl.org/?p=openssl.git;a=commit;h=da084a5ec6cebd67ae27f2463ebe4a50bb840fa5

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Ching-Pang Lin <***@suse.com>
---
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index d0b0c83..1145f65 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -100,7 +100,8 @@ X509VerifyCb (
}

if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
- (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
+ (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) ||
+ (Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
Status = 1;
}
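Review bot: Adding `(Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)` to the overridden errors makes the callback set Status = 1 for a depth-zero signer that is self-signed but was not found in the trusted store, so an image signed with any self-signed certificate would pass X509VerifyCb() without a trust anchor at all. Suggest dropping the new clause and fixing the signer certificate instead (the thread later traces the rejection to a KeyUsage that lacks Certificate Sign), or enrolling the exact self-signed certificate in the trusted store.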
--
2.1.4
Gary Ching-Pang Lin
2015-07-03 04:06:15 UTC
Post by Gary Ching-Pang Lin
After updating openssl from 0.9.8zf to 1.0.2c(*), all images with depth-zero
self-signed certificates were rejected, since X509_verify_cert() issued this
error: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. This commit relaxes the check
in X509VerifyCb() to allow the self-signed images to pass verification.
(*) The critical commit in openssl is da084a5ec6cebd67ae27f2463ebe4a50bb840fa5
https://git.openssl.org/?p=openssl.git;a=commit;h=da084a5ec6cebd67ae27f2463ebe4a50bb840fa5
Oops, I posted the wrong commit id.
The correct id is ced6dc5cefca57b08e077951a9710c33b709e99e
https://git.openssl.org/?p=openssl.git;a=commit;h=ced6dc5cefca57b08e077951a9710c33b709e99e

Please help me correct the id if this patch is going to be checked in.

Thanks,

Gary Lin
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
edk2-devel mailing list
https://lists.sourceforge.net/lists/listinfo/edk2-devel
Long, Qin
2015-07-03 06:05:53 UTC
Hi, Gary,

Is this a new issue brought by 1.0.2c?
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT will also be issued in 0.9.8xx. 1.0.2c just adds a new function, cert_self_signed(), to simplify the self-signed certificate check (by checking the flag only, instead of checking the issuer).


Best Regards & Thanks,
LONG, Qin

Long, Qin
2015-07-03 08:16:32 UTC
Gary,

Could you provide more information about this patch? E.g., what's the real scenario?
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT will be issued when the image signer is a self-signed certificate and this cert cannot be found in the trusted store.
In my opinion, simply ignoring this X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT check may bring extra risk.


Best Regards & Thanks,
LONG, Qin

Gary Ching-Pang Lin
2015-07-03 08:39:38 UTC
Post by Long, Qin
Hi, Gary,
Is this a new issue brought by 1.0.2c?
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT will also be issued in 0.9.8xx. 1.0.2c just adds a new function, cert_self_signed(), to simplify the self-signed certificate check (by checking the flag only, instead of checking the issuer).
Yeah, in theory the behaviors should be the same, but actually they are not.

I replaced cert_self_signed(x) in line 293 in crypto/x509/x509_vfy.c with
ctx->check_issued(ctx, x, x) (the 0.9.8 style), and X509VerifyCb() never got
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. This patch is actually a quick
bandage since I needed the self-signed images from our build service for the
autotest.

In case you need a sample, you can download the shim-*.rpm from
https://build.opensuse.org/package/binaries/devel:openSUSE:Factory/shim?arch=x86_64&repository=standard
and unpack the rpm with 'unrpm shim-*.rpm'. The signed EFI files will
be in 'usr/lib64/efi/' and the certificate of the signing key is
'usr/lib64/efi/shim-devel.der'.

Thanks,

Gary Lin
Long, Qin
2015-07-03 18:17:52 UTC
Gary,

I couldn't find the rpm binary from the link you provided. Please help to double-check the repository or share the binary with me directly.
Locally, I created a self-signed cert (using the makecert utility) for testing, and the test result looks good under the openssl 1.0.2c build.

Bypassing X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT in the callback function will bring a security risk: an image signed by a single self-signed certificate will be trusted, even if no matching trust anchor was found in the DB database.

For self-signed certificate verification, OpenSSL requires an exact match in the trusted store (by comparing memory). I guess the issue on your side may be caused by some inaccuracy when converting the certificate format (e.g. PEM <-> DER).


Best Regards & Thanks,
LONG, Qin

Gary Ching-Pang Lin
2015-07-06 04:08:50 UTC
Post by Long, Qin
Gary,
I couldn't find the rpm binary from the link you provided. Please help to double-check the repository or share the binary with me directly.
Sorry, I found the publish flag of the previous repo wasn't checked, and only
logged-in users can access the file. I created another repo in my branch for
public access.

http://download.opensuse.org/repositories/home:/gary_lin:/branches:/devel:/openSUSE:/Factory/standard/x86_64/
Post by Long, Qin
Locally, I created a self-signed cert (using the makecert utility) for testing, and the test result looks good under the openssl 1.0.2c build.
OK, I'll check makecert.
Post by Long, Qin
Bypassing X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT in the callback function will bring a security risk: an image signed by a single self-signed certificate will be trusted, even if no matching trust anchor was found in the DB database.
Indeed, it compromises the image verification; not a good idea.
Post by Long, Qin
For self-signed certificate verification, OpenSSL requires an exact match in the trusted store (by comparing memory). I guess the issue on your side may be caused by some inaccuracy when converting the certificate format (e.g. PEM <-> DER).
All those conversions were done by openssl or nss. I'll check the image
signing and verification process to find more clues.

Thanks,

Gary Lin
Gary Ching-Pang Lin
2015-07-07 09:51:04 UTC
Post by Long, Qin
Gary,
I couldn't find the rpm binary from the link you provided. Please help to double-check the repository or share the binary with me directly.
Locally, I created a self-signed cert (using the makecert utility) for testing, and the test result looks good under the openssl 1.0.2c build.
Bypassing X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT in the callback function will bring a security risk: an image signed by a single self-signed certificate will be trusted, even if no matching trust anchor was found in the DB database.
For self-signed certificate verification, OpenSSL requires an exact match in the trusted store (by comparing memory). I guess the issue on your side may be caused by some inaccuracy when converting the certificate format (e.g. PEM <-> DER).
I found the root cause of the verification failure. It's the key usage.
The key usage of our self-signed cert only contains "Digital Signature".
However, X509_check_issued() looks for "Certificate Sign" in the issuer,
so X509_STORE_CTX_get1_issuer() returned 0 and X509_verify_cert() reported
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT to X509VerifyCb().

In 0.9.8zf, X509_check_issued() is used instead of cert_self_signed() to
identify the self-signed cert, which accidentally allows a self-signed cert
without CERTSIGN to skip the further checks. So 1.0.2c just revealed a fault
in our certs.

Sorry for the noise.

Gary Lin
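The root cause Gary describes (a self-signed signer whose KeyUsage carries only digitalSignature and no keyCertSign) can be caught before the certificate is enrolled in db. The following is an added example, not code from this thread, edk2 or OpenSSL: a stdlib-only DER walk that locates the KeyUsage extension in an X.509 Extensions block, decodes all nine RFC 5280 usage bits, and applies the rule X509_check_issued() applies to an issuer (KeyUsage absent, or keyCertSign set). The sample Extensions blocks are constructed inline and are not real certificates.

```python
"""Pre-enrollment KeyUsage check for self-signed signer certs (added example,
not edk2 or OpenSSL code). X509_check_issued() rejects an issuer whose KeyUsage
extension is present but lacks keyCertSign; a self-signed cert that fails this
cannot be its own issuer, which is how the thread's rejection arose."""

# DER-encoded OBJECT IDENTIFIER contents (without tag and length)
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15 id-ce-keyUsage
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19 id-ce-basicConstraints

# KeyUsage BIT STRING bit positions, RFC 5280 section 4.2.1.3
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

TAG_BOOLEAN, TAG_BIT_STRING, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x03, 0x04, 0x06, 0x30


def der(tag, value):
    """Encode one DER TLV; short-form length is enough for the samples here."""
    if len(value) >= 128:
        raise ValueError("long-form length not needed for these samples")
    return bytes([tag, len(value)]) + value


def read_tlv(buf, pos):
    """Parse the TLV at buf[pos:], returning (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Return [(tag, value), ...] for every child TLV of a SEQUENCE value."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        out.append((tag, child))
    return out


def encode_key_usage_ext(usages):
    """Build a critical KeyUsage Extension (SEQUENCE) from usage names."""
    idx = [KEY_USAGE_BITS.index(u) for u in usages]
    nbytes = max(idx) // 8 + 1
    total = nbytes * 8
    bits = 0
    for i in idx:                            # bit 0 is the most significant bit
        bits |= 1 << (total - 1 - i)
    unused = total - (max(idx) + 1)          # DER marks trailing bits as unused
    bit_string = der(TAG_BIT_STRING, bytes([unused]) + bits.to_bytes(nbytes, "big"))
    return der(TAG_SEQUENCE, der(TAG_OID, OID_KEY_USAGE) + der(TAG_BOOLEAN, b"\xff")
               + der(TAG_OCTET_STRING, bit_string))


def decode_key_usage(bit_string_value):
    """Decode a KeyUsage BIT STRING value (unused-bits byte + bits) to names."""
    unused, body = bit_string_value[0], bit_string_value[1:]
    nbits = len(body) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and (body[i // 8] >> (7 - i % 8)) & 1}


def find_key_usage(extensions_der):
    """Return the KeyUsage set from a DER Extensions block, or None if absent."""
    tag, exts, _ = read_tlv(extensions_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    for tag, ext in children(exts):
        fields = children(ext)               # [extnID, (critical,) extnValue]
        if fields[0] != (TAG_OID, OID_KEY_USAGE):
            continue
        octets = [v for t, v in fields if t == TAG_OCTET_STRING][0]
        btag, bit_string, _ = read_tlv(octets, 0)
        if btag != TAG_BIT_STRING:
            raise ValueError("KeyUsage extnValue must wrap a BIT STRING")
        return decode_key_usage(bit_string)
    return None


def self_signed_signer_ok(extensions_der):
    """Apply X509_check_issued()'s KeyUsage rule to a would-be self-issuer."""
    usage = find_key_usage(extensions_der)
    if usage is None or "keyCertSign" in usage:
        return True, "KeyUsage absent or includes keyCertSign"
    return False, "KeyUsage %s lacks keyCertSign; cert cannot issue itself" % sorted(usage)


# Constructed sample Extensions blocks (not real certificates)
BASIC_CONSTRAINTS_CA = der(TAG_SEQUENCE, der(TAG_OID, OID_BASIC_CONSTRAINTS)
                           + der(TAG_BOOLEAN, b"\xff")
                           + der(TAG_OCTET_STRING, der(TAG_SEQUENCE, der(TAG_BOOLEAN, b"\xff"))))
BAD_EXTS = der(TAG_SEQUENCE, encode_key_usage_ext(["digitalSignature"]))  # the thread's case
GOOD_EXTS = der(TAG_SEQUENCE, BASIC_CONSTRAINTS_CA
                + encode_key_usage_ext(["digitalSignature", "keyCertSign"]))
NO_KU_EXTS = der(TAG_SEQUENCE, BASIC_CONSTRAINTS_CA)

if __name__ == "__main__":
    for label, exts in (("bad", BAD_EXTS), ("good", GOOD_EXTS), ("no-ku", NO_KU_EXTS)):
        print(label, find_key_usage(exts), self_signed_signer_ok(exts))
```

Run against the DER Extensions of a real signer cert, the check flags the "Digital Signature"-only case before the image ever reaches X509VerifyCb().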