Closed Bug 1528259 Opened 7 months ago Closed Last month

Telia: misissued certificate - FQDN value incorrectly in SAN rfc822 field

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pekka.lahtiharju, Assigned: pekka.lahtiharju)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299

Steps to reproduce:

Telia did a mass zlint scan to find all invalid Telia certificates

Actual results:

Telia found 9 invalid certificates

Telia did a mass lint scan of all its SSL certificates on Friday, February 8, 2019 to find all old certificates that are invalid. This mass scan revealed 9 previously unknown invalid certificates in 6 different error categories:

a) 2 CN IP value incorrectly in SAN DNS field (e_dnsname_not_valid_tld)(created in 2016)
b) 1 FQDN value incorrectly in SAN rfc822 field (e_ext_san_rfc822_name_present,e_subject_common_name_not_from_san)(created in 2016)
c) 1 CN SAN had leading space (e_dnsname_bad_character_in_label,e_subject_common_name_not_from_san)(created in 2016)
d) 1 CN FQDN without domain part (e_dnsname_not_valid_tld)(created in 1Q2017)
e) 1 invalid wildcard format (e_dnsname_left_label_wildcard_correct)(created in 1Q2018)
f) 3 invalid OU value "-" (e_subject_contains_noninformational_value)(created in 2017-2Q2018)

The incident report for category b) is in this bz. The others are in separate incident reports created by Telia.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Telia did a mass lint scan of all its SSL certificates on Friday, February 8, 2019.

  2. A timeline of the actions your CA took in response.

Friday, February 8, 2019: Discovery by Telia itself
Friday, February 8, 2019: Preliminary analysis of the issue by the Telia Security Board (e_ext_san_rfc822_name_present, e_subject_common_name_not_from_san). Not critical but invalid according to BR 4.9.1.1, rule 7, thus the decision was: "Should be revoked within 24 hours and MUST revoke a Certificate within 5 days"
Friday, February 8, 2019: Revoked by Telia CA
Monday, February 11, 2019: Quick analysis that confirmed that a similar error can't happen in current Telia systems.
February 11-15: Root cause analysis: This certificate was an internal Telia CA certificate. It was exceptionally created by one of the administrators using the CA console, which had a complex GUI at the time (Sep 2016). The administrator manually selected an incorrect field when performing the CN to SAN copy, because of a human mistake.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Telia completely stopped using the console GUI that caused the issue in early 2018. Also the issuer that created these kinds of technical certificates was closed in 2018 (TeliaSonera Gateway CA v2). Now certificate profiles prevent using any field other than SAN DNS or SAN IP.

  4. A summary of the problematic certificates.
  5. The complete certificate data for the problematic certificates.

Only one of this kind exists. The affected certificate has CN value "puolukka.cover.sonera.net" and serial 66429e46fea54a99d27a0858c0794768 and was created September 26, 2016 for three years. It can't be found in CT logs but Telia can give details of it if asked.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Check the root cause analysis above for why this happened. This wasn't detected before by Telia, browsers, auditors or the community because a) it caused no problems, b) it was used by an LDAP server only, c) it wasn't logged to CT, d) the creation method was exceptional, e) Telia didn't do lint checks on old certificates before now. If a similar problem happened now, the issue would be detected because of the regular lint checks by Telia.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Telia has already resolved this as described above.
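As an added example that is not part of this bug report or of Telia's tooling, the following Go program reproduces the SAN shape described in the root cause analysis (the CN copied into an rfc822Name instead of a dNSName) with a constructed self-signed certificate, and runs a simplified re-implementation of the two zlint checks named above; it is not zlint's code, the key and serial are constructed, and it only checks dNSName coverage of the CN, not iPAddress.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// LintSAN is a simplified re-implementation of the two zlint checks
// cited in the report: a TLS server certificate must not carry an
// rfc822Name SAN, and the subject CN must also appear as a dNSName SAN.
func LintSAN(cert *x509.Certificate) []string {
	var findings []string
	if len(cert.EmailAddresses) > 0 {
		findings = append(findings, "e_ext_san_rfc822_name_present")
	}
	for _, d := range cert.DNSNames {
		if d == cert.Subject.CommonName {
			return findings // CN is covered by a dNSName SAN
		}
	}
	return append(findings, "e_subject_common_name_not_from_san")
}

// makeCert builds a throwaway self-signed leaf (constructed key and
// serial) and round-trips it through DER, as a real lint would see it.
func makeCert(cn string, dnsNames, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(24 * time.Hour),
		DNSNames:       dnsNames,
		EmailAddresses: emails, // an FQDN here reproduces the misissuance
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling makeCert("puolukka.cover.sonera.net", nil, []string{"puolukka.cover.sonera.net"}) reproduces the misissued shape and LintSAN then returns both lint names; the corrected shape makeCert(fqdn, []string{fqdn}, nil) yields no findings.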

Assignee: wthayer → pekka.lahtiharju
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

The PEM of the problem certificate is:


QA Contact: kwilson → wthayer

Correcting bug type to task.

Type: defect → task
Flags: needinfo?(wthayer)

It appears that all questions have been answered and remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: Last month
Flags: needinfo?(wthayer)
Resolution: --- → FIXED