Closed Bug 1459557 Opened Last year Closed 11 months ago

SwissSign: Certificate issue with Signature

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: reinhard.dietrich, Assigned: Juerg.Eiholzer)

Details

(Whiteboard: [ca-compliance] - Next Update - 01-August 2018)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180206200532

Steps to reproduce:

SwissSign has to report that they have issued certificates with signature issues. 

As soon as we have done the analysis we will provide the incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Topic 1: How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Answer to Topic 1:
May 7th 2018 02:01 UTC our post-issue compliance system alerted us to this problem as reported by cablint.

Topic 2: A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Answer to Topic 2:
2018-05-05 12:00 UTC We finished the installation of the new software release version 4.11
2018-05-07 02:01 UTC Our post-issue compliance system alerted us to this problem as reported by cablint
2018-05-07 07:00 UTC We started the investigation 
2018-05-07 08:00 UTC We stopped issuing any certificates
2018-05-07 13:45 UTC We released a fix to this problem and started to issue certificates again 
2018-05-07 14:00 UTC We started to inform the customers about the incident and to exchange the affected certificates
2018-05-09 We 

Topic 3: Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
 
Answer to Topic 3:
Between the time we first became aware of the problem and the time we put a fix live we stopped issuing any certificates at all.  After the problem was fixed we started issuing certificates again.

Topic 4: A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Answer to Topic 4:
Issue:
CABLINT ISSUE:   ERROR: RSA signatures must have a parameter specified
Number of certs: 19
First issue:     2018-05-05 09:25:45 GMT
Last issue:      2018-05-07 06:55:57 GMT

Topic 5: The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

Answer to Topic 5:
crt id	subject_name	not_before
442095530	OU=Domain Validated Only, CN=joskoe.ch	05.05.2018 09:25
442218153	OU=Domain Validated Only, CN=joskoe.ch	05.05.2018 10:36
442261285	OU=Domain Validated Only, CN=joskoe.ch	05.05.2018 10:54
442283367	OU=Domain Validated Only, CN=joskoe.ch	05.05.2018 11:02
442519810	C=CH, ST=ZH, L=Glattbrugg, O=Xerox AG, CN=www.che-xeroxprintportal.ch	05.05.2018 13:49
444974067	CN=as2.dhag.com	06.05.2018 19:43
445839911	C=DE, L=Hannover, O=ivv-Informationsverarbeitung fuer Versicherungen GmbH, CN=karriere-blog.vgh.de	07.05.2018 05:27
445841894	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=mail.nemo-t.ch	07.05.2018 05:31
445851526	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=mail.nemo-i.ch	07.05.2018 05:45
445863086	OU=Domain Validated Only, CN=www.gesundheitstv.at	07.05.2018 05:57
445875443	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=wskuba.sbb.ch	07.05.2018 06:04
445895176	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=www.sbbcargo.com	07.05.2018 06:12
445917215	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=nova-ws.sbb.ch	07.05.2018 06:21
445941664	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=dax.sbb.ch	07.05.2018 06:35
445970483	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=b2p.sbb.ch	07.05.2018 06:37
445970863	C=CH, ST=BS, L=Basel, O=Manor AG, OU=EDI, CN=edicom.manor.ch	07.05.2018 06:38
445974903	OU=Domain Validated Only, CN=vsts01.wirz-partner.ch	07.05.2018 06:43
445989680	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=nova.sbb.ch	07.05.2018 06:49
445989707	C=CH, ST=Bern, L=Bern, O=Schweizerische Bundesbahnen SBB, OU=IT, CN=sapgt100.sbb.ch	07.05.2018 06:55


Topic 6: Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Answer to Topic 6:

Release 4.11 of our CA software introduced a change in the way in which certificates are created - specifically to the ASN.1 generation. Certificates generated with the new release did not have an RSA signature parameter, leading to an error reported from cablint: "ERROR: RSA signatures must have a parameter specified". Previously, the signature parameter was explicitly NULL.

This mistake was not flagged as an error in our E2E test tools (e.g. Firefox 59, Chromium 65, Edge v41, IE11, Safari 11.1), and neither zlint nor x509lint shows this to be a problem, but cablint correctly notices the mistake.

The problem was not detected until now because it only showed up when a live certificate made its way into crt.sh to be tested with cablint.  At this point, our automated post-issue compliance check noticed the problem. 

Topic 7: List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
 
Answer to Topic 7:
We are in the process of developing a pre-issue compliance system which will test a TBS certificate before it is signed. However, a TBS certificate alone would not have shown this problem. To catch this problem it is necessary to test an issued certificate from our staging environment. This functionality will be built into the compliance system too, so that such problems can be detected before going live in production. This compliance system is scheduled to go live this summer.
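The check that caught this incident, and the reason a TBS-only linter would have missed it, can both be shown with a small DER walker. The following is an added example, not SwissSign's software and not cablint's source: it applies the RFC 4055 rule that for the RSA PKCS#1 v1.5 signature OIDs the AlgorithmIdentifier parameters field must be present and must be NULL, first on a bare AlgorithmIdentifier and then on a constructed stub certificate. The stub certificate is assumed data built inline for illustration (a truncated tbsCertificate holding only version, serial and signature), not one of the 19 affected certificates, and it models the situation described in Topic 7: the inner tbsCertificate.signature is correct while the outer signatureAlgorithm written at signing time omits the NULL, so only a lint of the fully signed certificate reports the problem.

```python
# Added example: minimal DER walker that applies the "RSA signatures must have a
# parameter specified" rule (RFC 4055 section 5) to an AlgorithmIdentifier, a TBS
# certificate, and a full certificate. Not SwissSign's or cablint's code.

RSA_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
PARAM_ERROR = "ERROR: RSA signatures must have a parameter specified"


def der_tlv(tag, value):
    """Encode one DER TLV (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_read_tlv(buf, pos):
    """Return (tag, contents, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def der_children(value):
    """Split a constructed value into (tag, contents, raw TLV bytes) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, nxt = der_read_tlv(value, pos)
        out.append((tag, inner, value[pos:nxt]))
        pos = nxt
    return out


def decode_oid(value):
    """Decode OID contents to dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def lint_algorithm_identifier(algid_der):
    """Return lint errors for one AlgorithmIdentifier (SEQUENCE { OID, parameters })."""
    tag, value, _ = der_read_tlv(algid_der, 0)
    if tag != 0x30:
        return ["ERROR: AlgorithmIdentifier is not a SEQUENCE"]
    parts = der_children(value)
    if not parts or parts[0][0] != 0x06:
        return ["ERROR: AlgorithmIdentifier does not start with an OID"]
    if decode_oid(parts[0][1]) not in RSA_SIGNATURE_OIDS:
        return []  # the rule only covers the RSA PKCS#1 v1.5 OIDs
    if len(parts) < 2:
        return [PARAM_ERROR]  # parameters omitted: the defect in this report
    ptag, pval, _ = parts[1]
    if ptag != 0x05 or pval != b"":
        return ["ERROR: RSA signature parameters must be NULL"]
    return []


def split_certificate(cert_der):
    """Return (tbsCertificate raw, tbsCertificate.signature raw, signatureAlgorithm raw)."""
    tag, value, _ = der_read_tlv(cert_der, 0)
    outer = der_children(value)
    if tag != 0x30 or len(outer) != 3:
        raise ValueError("Certificate must be SEQUENCE { tbs, sigAlg, sigValue }")
    tbs_parts = der_children(outer[0][1])
    idx = 2 if tbs_parts[0][0] == 0xA0 else 1  # skip optional [0] EXPLICIT version
    return outer[0][2], tbs_parts[idx][2], outer[1][2]


def lint_tbs(tbs_der):
    """What a pre-issuance linter that sees only the unsigned TBS can check."""
    _, value, _ = der_read_tlv(tbs_der, 0)
    parts = der_children(value)
    idx = 2 if parts[0][0] == 0xA0 else 1
    return ["tbsCertificate.signature: " + e for e in lint_algorithm_identifier(parts[idx][2])]


def lint_certificate(cert_der):
    """Lint the signed certificate: TBS field, outer field, and their equality (RFC 5280 4.1.1.2)."""
    tbs_raw, tbs_sig, outer_sig = split_certificate(cert_der)
    errors = lint_tbs(tbs_raw)
    errors += ["signatureAlgorithm: " + e for e in lint_algorithm_identifier(outer_sig)]
    if tbs_sig != outer_sig:
        errors.append("signatureAlgorithm: must be identical to tbsCertificate.signature (RFC 5280 4.1.1.2)")
    return errors


# Constructed inputs (assumed for the example): sha256WithRSAEncryption with and without NULL.
OID_SHA256_RSA_DER = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))
ALGID_WITH_NULL = der_tlv(0x30, OID_SHA256_RSA_DER + der_tlv(0x05, b""))
ALGID_NO_PARAMS = der_tlv(0x30, OID_SHA256_RSA_DER)


def build_stub_certificate(tbs_sig_algid, outer_sig_algid):
    """Constructed stub certificate: truncated TBS (version, serial, signature) plus a dummy signature."""
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + tbs_sig_algid)
    sig_value = der_tlv(0x03, b"\x00" + bytes(8))  # placeholder BIT STRING, not a real signature
    return der_tlv(0x30, tbs + outer_sig_algid + sig_value)


if __name__ == "__main__":
    good = build_stub_certificate(ALGID_WITH_NULL, ALGID_WITH_NULL)
    bad = build_stub_certificate(ALGID_WITH_NULL, ALGID_NO_PARAMS)
    print("good cert:", lint_certificate(good))
    print("bad cert, TBS-only lint:", lint_tbs(split_certificate(bad)[0]))
    print("bad cert, full lint:", lint_certificate(bad))
```

Run stand-alone, the stub with the missing NULL passes the TBS-only lint and fails the full-certificate lint, which is the gap the staging-environment check in the answer to Topic 7 is meant to close.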
Whiteboard: [ca-compliance]
Reinhard: thank you for this incident report. Please update this bug when your staging environment compliance system is live.
Summary: certificate issue with Signature → SwissSign: Certificate issue with Signature
Whiteboard: [ca-compliance] → [ca-compliance] - Next Update - 01-August 2018
2018-05-09 12:00 UTC: All affected certificates are now revoked
Assignee: wthayer → reinhard.dietrich
We will have our internal pre-issue linting system in place by end of June and we plan to start using it in the beginning of July. The goal is to use it for all publicly trusted SSL certificates by end of July.
Assignee: reinhard.dietrich → Juerg.Eiholzer
Flags: needinfo?(Juerg.Eiholzer)
In response to the change of assignee for this item to Juerg.Eiholzer@SwissSign.com: The pre-issuance linting for SwissSign's newly produced certificates was established and activated in September 2018. Hence the present item - issued certificate with signature issue - can be resolved.

Although the item has been solved for quite some time, there was a lack of notification to Bugzilla. This is especially due to the exchange of responsible persons within the organization (see also Wayne's change of assignee some days ago).
Flags: needinfo?(Juerg.Eiholzer)
Status: UNCONFIRMED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED