Closed Bug 1433118 Opened 6 years ago Closed 6 years ago

Asseco DS / Certum: certificate issued by Certum with compromised private key not revoked (windows10.microdone.cn)

Categories

(CA Program :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: hanno, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-onecrl])

This certificate
https://crt.sh/?id=310850864&opt=ocsp
is used by this software
https://user.95516.com/ctrl/UPEditorEdge_1.exe
to open a local HTTPS server. I'm in possession of the private key which is part of the software. (Craig Young assisted me with extracting the key.)

I have reported this as a key compromise to Certum, the certificate authority, on Tuesday, but I received no reply and the certificate hasn't been revoked yet.

As cryptographic proof that I have access to the private key I have signed a message:

This is a PKCS #1 1.5 signature over the text "This key is compromised.", as can be verified with openssl:
* Convert hex into signature with xxd -r -p, e.g. to file "sig".
* Get key from cert: curl 'https://crt.sh/?d=310850864' | openssl x509 -noout -pubkey > pubkey.key
* Verify: openssl rsautl -verify -pubin -inkey pubkey.key -in sig
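
What the rsautl verification step recovers, written out as an added Python example that is not part of the original report or of any CA's tooling. It uses a constructed demo key built from two Mersenne primes (not the key from this bug), and the function names are illustrative.

```python
import hmac

# Constructed demo key (NOT the key from the bug): two Mersenne primes stand in
# for a real RSA key so the example runs offline with no dependencies.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

STATEMENT = b"This key is compromised."


def raw_sign(message: bytes) -> str:
    """Reporter side: pad the raw text (no hash) as a type-1 block, apply d."""
    pad_len = K - len(message) - 3
    if pad_len < 8:
        raise ValueError("message too long for this modulus")
    block = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + message
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big").hex()


def recover_message(sig_hex: str, n: int, e: int):
    """Verifier side: apply e, then strictly strip the type-1 padding.
    Returns the recovered bytes, or None if anything is malformed."""
    k = (n.bit_length() + 7) // 8
    try:
        sig = bytes.fromhex("".join(sig_hex.split()))  # tolerate wrapped hex
    except ValueError:
        return None
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return None
    block = pow(s, e, n).to_bytes(k, "big")
    if block[:2] != b"\x00\x01":
        return None
    sep = block.find(b"\x00", 2)       # first zero byte ends the padding
    if sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        return None                    # need at least 8 bytes of 0xff
    return block[sep + 1:]


def proves_compromise(sig_hex: str, n: int, e: int, expected=STATEMENT) -> bool:
    """True only if the signature decodes to exactly the agreed statement."""
    recovered = recover_message(sig_hex, n, e)
    return recovered is not None and hmac.compare_digest(recovered, expected)
```

Because no digest is involved, the verifier gets the signed text back in full and should compare it against the exact statement it expects before treating the report as proof of key possession.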
Adding the Certum representative to this bug. I will also send email.

Arkadiusz: will Certum be revoking this cert? Also, please explain why no response was received from the initial problem report.
Flags: needinfo?(arkadiusz.lawniczak)
The bug has been received. I'm working on that. Will respond ASAP.
Flags: needinfo?(arkadiusz.lawniczak)

Certificate s/n 54:46:af:d1:44:7e:97:7f:13:a4:a4:d1:8b:bb:12:d6 has just been revoked

Arkadiusz: please explain why the initial problem report went unnoticed.

J.C. - please add this to OneCRL.
Flags: needinfo?(jjones)
(In reply to Hanno Boeck from comment #0)
> This certificate
> https://crt.sh/?id=310850864&opt=ocsp
> is used by this software
> https://user.95516.com/ctrl/UPEditorEdge_1.exe
> to open a local HTTPS server. I'm in possession of the private key which is
> part of the software. (Craig Young assisted me with extracting the key.)
> 
> I have reported this as a key compromise to Certum, the certificate
> authority, on Tuesday, but I received no reply and the certificate hasn't
> been revoked yet.
> 
> As cryptographic proof that I have access to the private key I have signed a
> message:
> 
> This is a PKCS #1 1.5 signature over the text "This key is compromised.", as
> can be verified with openssl:
> * Convert hex into signature with xxd -r -p, e.g. to file "sig".
> * Get key from cert: curl https://crt.sh/?d=310850864|openssl x509 -noout
> -pubkey > pubkey.key
> * Verify: openssl rsautl -verify -pubin -inkey pubkey.key -in sig

Hello Hanno

Thank you for the report. As you may see, the certificate for windows10.microdone.cn was revoked just after I received the message from Wayne. However, could I ask you to please provide the contact details you used to communicate with Certum?
According to this
https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00028
the contact for Certum is here:
https://www.certum.eu/certum/cert,contact_contact.xml

The only electronic contact option there is a mail address:
infolinia@certum.pl

Thus that's where I reported it:

From: Hanno Böck <>
To: infolinia@certum.pl
Subject: Certificate + private key embedded in Software
Date: Tue, 23 Jan 2018 17:52:50 +0100
(In reply to Wayne Thayer [:wayne] from comment #4)
> Arkadiusz: please explain why the initial problem report went unnoticed.
> 
> J.C. - please add this to OneCRL.

We are investigating the problem. We kindly ask you to give us a little more time to respond to the question, so that we are sure that our answer will be sufficient.
For now I can tell that everything indicates that the problem may be in the email forwarding systems. 
However, I will be able to provide the final response as soon as the investigation is finished but no later than Monday.
(In reply to Hanno Boeck from comment #6)
> According to this
> https://ccadb-public.secure.force.com/mozillacommunications/
> CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00028
> the contact for Certum is here:
> https://www.certum.eu/certum/cert,contact_contact.xml
> 
> The only electronic contact option there is a mail address:
> infolinia@certum.pl
> 
> Thus that's where I reported it:
> 
> From: Hanno Böck <>
> To: infolinia@certum.pl
> Subject: Certificate + private key embedded in Software
> Date: Tue, 23 Jan 2018 17:52:50 +0100

Thank you

I confirm that your report was received by our system on Tue, 23 Jan 2018.
For now, we are investigating why it was not noticed.
Hanno: FYI, this report provides up-to-date problem reporting mechanisms for each CA: https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport
(In reply to Wayne Thayer [:wayne] from comment #9)
> Hanno: FYI, this report provides up-to-date problem reporting mechanisms for
> each CA:
> https://ccadb-public.secure.force.com/mozilla/
> ProblemReportingMechanismsReport

Thank you
May I request to change the email to revoke@certum.pl?
(In reply to Arkadiusz Ławniczak from comment #10)
> Thank you
> May I request to change the email to revoke@certum.pl?

I'm not sure if the CCADB allows you to change that field yourself. Please check. If it does not, please email change requests to Kathleen.

Gerv
(In reply to Gervase Markham [:gerv] from comment #11)
> (In reply to Arkadiusz Ławniczak from comment #10)
> > Thank you
> > May I request to change the email to revoke@certum.pl?
> 
I just made this change.

> I'm not sure if the CCADB allows you to change that field yourself. Please
> check. If it does not, please email change requests to Kathleen.
> 
No, I don't believe CCADB allows CAs to change this field.
(In reply to Arkadiusz Ławniczak from comment #7)
> (In reply to Wayne Thayer [:wayne] from comment #4)
> > Arkadiusz: please explain why the initial problem report went unnoticed.
> > 
> > J.C. - please add this to OneCRL.
> 
> We are investigating the problem. We kindly ask you to give us a little more
> time to respond to the question, so that we are sure that our answer will be
> sufficient.
> For now I can tell that everything indicates that the problem may be in the
> email forwarding systems. 
> However, I will be able to provide the final response as soon as the
> investigation is finished but no later than Monday.

The contact address infolinia@certum.pl provided on our website turned out to be incorrect. This is why the message from Hanno went to the ticket queue for our Helpline, instead of the security and vetting team. We are already working on making the website show the correct contact address, that is: revoke@certum.pl
Handled in Bug 1434354.
Flags: needinfo?(jjones)
(In reply to J.C. Jones [:jcj] from comment #14)
> Handled in Bug 1434354.

Entry has been added to OneCRL.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [ca-onecrl]
Summary: certificate issued by Certum with compromised private key not revoked (windows10.microdone.cn) → Asseco DS / Certum: certificate issued by Certum with compromised private key not revoked (windows10.microdone.cn)
Product: NSS → CA Program