Bug 1431164 (Closed) - Opened 6 years ago, Closed 6 years ago

Camerfirma: Non-BR-Compliant Issuance - Non-printable characters in OU field

Categories: CA Program :: CA Certificate Compliance (task)
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: Reporter: wthayer, Assigned: martin_ja
Whiteboard: [ca-compliance] [ov-misissuance]

Juan Angel Martin reported the following:

>I have to inform you about a misissued SSL certificate. The OU contains non-printable control characters.

>https://crt.sh/?id=305441195

>It has already been revoked.

Please provide an incident report in this bug and on the mozilla.dev.security.policy forum, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Assignee: kwilson → martin_ja
Flags: needinfo?(martin_ja)
Whiteboard: [ca-compliance]
Hello,

We became aware of this misissuance via our daily crt.sh check at 2018/01/17 08:51 (UTC).

2018/01/17 09:00 (UTC): I contacted the team that manages website certificates to correct this error.
2018/01/17 09:44 (UTC): The certificate was revoked.

Our platform allowed the problematic character to be included in the certificate. There are no more certificates of this profile affected by this issue.

We have stopped issuing certificates of this profile until a technical control is deployed.

The technical team will introduce a technical control to prevent it by the end of this week.

Regards

Juan Ángel
Flags: needinfo?(martin_ja)
Hello,

The technical control was deployed at 7:31 (UTC).

Regards 
Juan Angel
Juan Angel: Thank you for the update. Please provide a full incident report as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report I am most interested in your response to questions 6 and 7 - why did this happen, why did you not detect it, and how will you prevent similar issues in the future?
Flags: needinfo?(martin_ja)
Changing QA contact per https://bugzilla.mozilla.org/show_bug.cgi?id=1438254
QA Contact: gerv → wthayer
Hello,

This error was due to the fact that one of the methods of entering certificate requests in our platform, batch loading of requests, allowed some of the fields later included in the certificate subject to contain the detected problematic character.

This certificate was detected by the control mechanism we had in place, in which we analyzed certificates after their issuance using crt.sh.

On February the 14th we deployed a cablint and x509lint technical control. Since then, we analyze the pre-certificates (we always issue a pre-certificate for a website certificate request). In case of a FATAL or ERROR message we do not issue the certificate.

Best Regards
Juan Angel
Flags: needinfo?(martin_ja)
Juan Angel: Have you scanned all active certificates issued by your CA for this error? If so, what was found?
Hello,

link to the results analysis: 
https://groups.google.com/d/msg/mozilla.dev.security.policy/Bdphix4tNrA/wxDBDRryBgAJ

Best Regards
Juan Angel
Thank you Juan. Have all of the misissued certificates identified in your analysis been revoked?
==================
Copying the report from the link above for reference:

We performed an automated analysis on 2018-03-13 of the TLS/SSL certificates that have been issued by our CAs:
- Camerfirma Corporate Server II - 2015
- Camerfirma Corporate Server - 2009
- AC CAMERFIRMA AAPP

We discovered 81 certificates that we had not found in our previous manual analyses of crt.sh. These misissued certificates were due to the fact that we had incorrect implementations of TLS/SSL certificates; each of the errors was previously corrected.

The reasons why they are incorrect are:
- (3) cablint ERROR commonNames in BR certificates must be from SAN entries
- (1) cablint ERROR DNSName is not FQDN
- (1) cablint ERROR DNSName is not in preferred syntax
- (11) cablint ERROR Incorrectly encoded TeletexString in Certificate
- (15) cablint FATAL ASN.1 Error in X520countryName: BER decoding failed at octet 0: Parse error
- (30) cablint ERROR BR certificates must not contain directoryName type alternative name
- (18) x509lint ERROR organizationName too long
- (2) x509lint ERROR The string contains non-printable control characters

For all of these certificates, the registration process of the domains and organizations included in them was carried out correctly.

From the moment they were detected, we began the process of replacing them.

There are 4 that have already expired.

We've revoked 44 of the aforementioned certificates and we are in contact with the rest of the subscribing organizations to proceed with their substitution, given that most of them are Spanish public administration bodies that offer public services and they are unable to replace them in an agile way.

All of these certificates are issued prior to the implementation of technical controls that eliminate the possibility of repeating the issuance of erroneous certificate with these errors.

On 2018-02-14 we implemented a technical control that prevents the issuance of a TLS/SSL certificate if cablint or x509lint reports an error of type 'FATAL' or 'ERROR', so it is expected that no new certificates with these errors will be issued by 'Camerfirma Corporate Server II - 2015'. 'AC CAMERFIRMA AAPP' and 'Camerfirma Corporate Server - 2009' are disabled for the issuance of certificates in our system.

A report with the detected certificates is available at: https://bugzilla.mozilla.org/attachment.cgi?id=8962396
Flags: needinfo?(martin_ja)
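The pre-issuance gate described in the comments above (block on any FATAL or ERROR finding), as an added example that is not Camerfirma's code and is neither cablint nor x509lint: a value-level lint over the parsed request's subject attributes and SAN dNSName entries, covering the error classes from the 2018-03-13 report that can be checked before the certificate is encoded. The list-of-pairs input shape, the attribute labels, and the two constructed requests are assumptions for this example. Encoding-level findings in the report (incorrectly encoded TeletexString, BER decoding failure in countryName) can only be caught by a DER-level linter such as cablint and are out of scope here.

```python
"""Value-level pre-issuance lint (added example, not Camerfirma's code).

Input shape assumed here: the subject as a list of (attribute, value) pairs
such as [("C", "ES"), ("O", ...), ("OU", ...), ("CN", ...)], plus the list of
SAN dNSName strings taken from the parsed CSR.
"""
import unicodedata
import re

# Upper bounds from RFC 5280 Appendix A (ub-organization-name,
# ub-organizational-unit-name, ub-common-name are all 64).
UB_NAME_LEN = {"O": 64, "OU": 64, "CN": 64}

# One DNS label in RFC 1034 "preferred name syntax": letters, digits and
# hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def control_chars(value):
    """Return the non-printable control characters (Unicode category Cc) in value."""
    return [c for c in value if unicodedata.category(c) == "Cc"]


def lint_subject(subject):
    """Check each subject attribute value; returns a list of finding strings."""
    findings = []
    for attr, value in subject:
        bad = control_chars(value)
        if bad:
            # The root cause of this bug: a control character in OU.
            findings.append(
                f"ERROR {attr}: string contains non-printable control characters {bad!r}")
        if attr == "C":
            # countryName is a PrintableString of exactly two upper-case letters.
            if (len(value) != 2 or not value.isascii()
                    or not value.isalpha() or not value.isupper()):
                findings.append(
                    f"FATAL C: countryName must be two upper-case letters, got {value!r}")
        elif attr in UB_NAME_LEN and len(value) > UB_NAME_LEN[attr]:
            findings.append(
                f"ERROR {attr}: value too long ({len(value)} > {UB_NAME_LEN[attr]})")
    return findings


def lint_dns_names(dns_names):
    """Check SAN dNSName entries for FQDN-ness and RFC 1034 preferred syntax."""
    findings = []
    for name in dns_names:
        labels = name.split(".")
        if len(labels) < 2:
            findings.append(f"ERROR DNSName {name!r} is not an FQDN")
            continue
        if any(len(lbl) > 63 or not _LABEL_RE.match(lbl) for lbl in labels):
            findings.append(f"ERROR DNSName {name!r} is not in preferred syntax")
    return findings


def lint_request(subject, dns_names, directory_names=()):
    """Combine the checks; directory_names is any directoryName SAN entries found."""
    findings = lint_subject(subject) + lint_dns_names(dns_names)
    for attr, value in subject:
        # BR: a commonName, if present, must repeat one of the SAN dNSName entries.
        if attr == "CN" and value not in dns_names:
            findings.append(
                f"ERROR commonName {value!r} is not one of the SAN dNSName entries")
    if directory_names:
        findings.append("ERROR BR certificates must not contain directoryName alternative names")
    return findings


def may_issue(findings):
    """The gate from the thread: any FATAL or ERROR finding blocks issuance."""
    return not any(f.startswith(("FATAL", "ERROR")) for f in findings)


# Constructed sample requests (not real certificates). BAD_REQUEST reproduces the
# bug's root cause with a BEL (0x07) control character inside the OU value.
BAD_REQUEST = (
    [("C", "ES"), ("O", "Example Org"), ("OU", "Web\x07Servers"), ("CN", "www.example.com")],
    ["www.example.com"],
)
GOOD_REQUEST = (
    [("C", "ES"), ("O", "Example Org"), ("OU", "Web Servers"), ("CN", "www.example.com")],
    ["www.example.com"],
)

if __name__ == "__main__":
    for label, (subj, sans) in (("bad", BAD_REQUEST), ("good", GOOD_REQUEST)):
        found = lint_request(subj, sans)
        print(label, "issue" if may_issue(found) else "block", found)
```

Run as a script to see the constructed bad request blocked and the good one allowed; in a real pipeline `lint_request` would run on the parsed CSR before the pre-certificate is signed, with the DER-level linters still run on the pre-certificate afterwards.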
Hello Wayne,

Yes, all of the misissued certificates identified in our analysis have been revoked.

I'm sorry. I should have updated the info in this bug.

It was updated only at https://bugzilla.mozilla.org/show_bug.cgi?id=1443857#c5

Best Regards
Juan Angel
Flags: needinfo?(martin_ja)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ov-misissuance]