1017544 - GeoTrust: Invalid encoding in certificates

Status: RESOLVED WORKSFORME

(CA Program :: CA Certificate Root Program, task)

Description

[Kurt Roeckx]

I'm seeing certificates with an invalid encoding from the following path:
CN = GeoTrust Primary Certification Authority, O = GeoTrust Inc., C = US
CN = GeoTrust EV SSL CA - G4, O = GeoTrust Inc., C = US

Firefox shows an example certificate as:
L = Düsseldorf
and:
Object Identifier (1 3 6 1 4 1 311 60 2 1 1) = Düsseldorf

The second string is claimed to be a T61String, but the content appears to be  an UTF8String.

Comment 1

[Kathleen Wilson]

Rick, Would you please have someone from Symantec investigate and resolve this bug?

Comment 2

[Rick Andrews]

Hostname, please?

Comment 3

[Kurt Roeckx]

Attachment: invalid_encoding2.pem

Comment 4

[Rick Andrews]

Thanks, we're investigating.

Ironically, I could not open the attachment in Firefox: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." I had to use IE.

Comment 5

[Kaspar]

(In reply to Kurt Roeckx from comment #0)
> The second string is claimed to be a T61String, but the content appears to
> be  an UTF8String.

FWIW, that's actually a long-standing issue with Verisign/Thawte/Geotrust certs, see e.g. bug 443830 comment 4 and bug 458745.

Comment 6

[Gervase Markham [:gerv]]

Rick: any news?

Gerv

Comment 7

[Rick Andrews]

This is essentially a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1017550. We addressed the root cause in our 12/9/2015 release. The behavior was triggered when certain manual edits were performed on the certificate order before issuance. This has been addressed, so there should be no case in which we use the T61String type.