Closed Bug 1533899 Opened 5 years ago Closed 5 years ago

Quovadis: Insufficient Serial Number Entropy

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: jeremy.rowley, Assigned: jeremy.rowley)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36

Steps to reproduce:

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

A post about EJCBA and it's default settings caused us to review internally whether we had the same problem. DigiCert uses its own, home-grown CA software so was not impacted. Quovadis, which is currently undergoing integration with legacy DigiCert, used EJCBA. Although all TLS certs are issued without the default setting and are complaint, we found one HSM used to issue s/MIME certs that used the default setting. We found this out on March 7, 2019. Note that s/MIME certificates are not subject to the BRs. However, section 5.2 of the Mozilla policy incorporates s/MIME certs into the requirement.

  1. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

March 6 - Requested information from Quovadis about s/MIME certificate entropy
March 7 - received a report from Quovadis on the s/MIME certs with low entropy

  1. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
    Yes - this last server was changed to use 128 bits of entropy

  2. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

There are 118 total s/MIME certificates.
00d4b8b2512e4597206c3422fd93083bdc62d1d2
03ca1e874eee8cefae384691f41e8b0a337f18a2
07be020f2dab2fa30fbf2ce1cbd5925ba7468db1
087cdd629a7a7218242f6baf1d0d355746fc91c9
0a46daf27017a73c0a426c01fe83fca545566010
0aeae38ff431d031d9ac6c136fa028567d1a6e50
0def75aa5967b62cb88ae5f0b592913c2c02f5f6
0eef63996a4e05b5fe9b39d2e0cc25c618245cb1
1443e6396736a31aeca0ca5807c31712c5e56b5e
14f10b883179fcc911dcf4159fb17ea2f9420696
15853d4199f4c5826c1d3383526780018f7a8e54
1589bb1cb4621d79a3fbb653114aabd5ee08827a
20932a09506ef124eef49023837add8e731ff624
232b57018602a1bd6baf061f283d4a474f5ba945
2335ed2102ff1b53b45fc64cf503adb414eae716
248d17995a9b784643b45f80b938493c461e7d02
26a794184fac7785a4f63cba4032d884e7438133
26c3bb1e392b93839c8d3f74f190108aae157f46
2dbcc45af20c4fa8edfcb8b822dbe2c7cab76906
2e5c7b2f780bcfea28887eba4ede7a5dc080ff77
32ffeee173a8bb567fcd88de4d36e3bc105a7176
3bf63d7f5faf716e50096e5be7c506fbdcfe62fd
3cf14a82fac55a5beec2e0df260b45f9851a62e6
3e2e99aca6a6c4975b5a6be633ba8921831c258c
45d51a014641bc6399420627e14bd33eb50926f9
477c0336a52e21d9b96e36f2281686b3f2864645
479bd6f10b85a343078c0c30c57240d313d0f859
4aa92c451cd3927f768dd28017d730197ca92e45
4ac53cf9f6d5f3a07210b6092265bbb0fd1f59f1
4e5b3f12e570f846be97a1f20cedc15110ea16e3
50f198434cd6ab6f8d268503a8eb788eb0ee8fd3
52a04e3689c07b03385ff2792506634c713135f7
5c3fc07ead98806de91d89f7fcaa0b17582675ca
5c41b69ae03ffe6e8a485a1bf0a0440e1ba8ef28
5ebcd8fcec4e983b304ac6a41e99c17c44765a11
5f0dc434dbd94a532bd7150724eb4213b78c2bec
62653129a802b9602913470635bbeec4fcc91e2e
638a352156f1f2919044700e573c72c49b9f5a62
662298df357e3a69d804e2d318f163f39d24c6d4
669718b8dc59119a84b2fdda18bfc86899635df0
674c6dd43403b967470e83ec801e7ca1be142a65
67b47a54ba931b2f2c882597ea69dc7cd79ffa2b
6a4460443fccccdcfe9627ad8a0734635a7d268f
6e6ca379bcc7d07b008c3a65d16819957b579a21
71238dce154418ee414a911ea967c0a6d3e8affc
712e9481b07e63fb55adceeabeec710f100b09c2
7421db1da1b258e81132175c07fb0318c91b8fef
746e0ed9cf850f63dc8aa5b5e3ca753fd1003414
7489e50cf78524b941bf2946d5d827685c17c8cc
75ff76c2b0ca512296643d37e15d02be4b67a705
77d51fd80371c96fea22911ac3675dc36b29f815
77e1a009b2dbe808be27c83c85ff8806a272abaf
791989bb80dac29bd169b7689d8ef0b948f928a5
7985b88733abe1c4d044b90fef43983146e6c7e4
7c65e548b147c2b723f2b9e1b880dae00e18952b
7cfd5c9ca0f7b3ca29f2f078c452102de8a7e3cc
7e1aa550faf119798fff596907f62e0588960a29
7e3a6c62ce21190742e62ce4aa734b5daf66c3c2
7fc5c5ca6d066e6f8a7de8a7c5e0bc54fc155f65
85c172968029a43ca2dad484cbc06de63da2fb25
86358d356281d3d1cc430a7ef6f87778c21b2c33
868c7fb40b765c0ac7544cbbce0c471670c4e234
8715a970780a340b5cec51724d27a8f3563636e4
87530b3da18f948a25d56f32eb3cd109fe24a986
89a6e92bf6b85f966afaea8adf8501e09fe475f2
8af909676f31f7a7c11be0be75e8c4439b7407ea
8ca01d607f6d414db24ebb548b9b7d3f897e0de1
8fc8d26cc08680c94cc11bc17c90ce42a7e6218b
901e0e2babd3046c083cba1e9a4d8df9a27aa6e0
90955e022eba4324ab6bc67dfb715721ee90b246
9523e0e54dd92b2e81e4692dd3865169bd3217f1
95b4b7e7af3953e6353442284d19dee745f72e9e
968ec90ffab4bd1e0c6a2d288627755aed7569b6
9967b09dce95f93831b8b9f89c82b1e0e0bffe37
9b2362e605dbe43bda532032e0175b35d504f244
9e6c6dad700ee40fa0e5784469ecde6729f3bb0b
9e6e33127c8131a8b197b416cbada6c0d804b08d
9e963eba989a9c0ce304d585cdb05ae8ff11e4ec
a3893efdb1461d42937ad68f5165591ac3c950be
a8cfa985c5ac2209e8ef159f65c8b7c15817ce94
aa92789d07d7ab478a40e9a8c4e893c5d63f85c4
ab4f9168fbdea2dc469224e5fd420a35430406a1
af72bfca8a6ed6d0909ab61511a86fe2c6e47e1e
b02b1bf312494888aa181c04357c7d7256083f05
b0870ca2c40c1cf9589929430b0021b92d2774ea
b51b352a39906bf21a36eb58acff149b03f41804
b57bf3f9897137ed38ea2a9d03951dcbc00ccc0a
b7127cf2f6f9fb8b6c7f0915a40c3ac129460a17
bafa8ce726812fceaf8af5dd3fd8e15ebfe13680
bb1a7ae3691a12b91c8c25f1575150f62058893d
bb71447c6b55009acca80430ee0a1696001d084d
bf488aada7c10a8f74fccbd6d48948a2d569c17a
c174d04edc46e503972cb93e0d03c0a9060d18de
c199d612a32e220dc03f555654469b3501cdbd95
c310b0cf39e89191db0e364ad84c7e53ecf491e0
c375f45222972ef05008064c678a14ea52b0478f
c6fd5b02ab052cac1dd58b0f9709ef7cddc08ee4
cb8f8cec34cd01266cffe5b6afea2bbe5b14e820
cbd8870d7d6cffbdf5bc671d241d05b91060e522
d1223ea57fb97a5fd9636d07f8fbe4fdbdd21ae2
d69b75c505fbe8d12d54d95536793330efbae2ad
d7b759bc5a2478c68b0a1d6551b3608a20947cfd
d8553cd1497c6b523a962677374674dbf25c533b
da148ae2e481ac7901c710e6f2dda7b20ee81892
db81741bacd96b67ce26d92edcd644c3eaef27ce
dc0bdcddb0aa0a2ef6bcdf60ac70c6bc42f611da
dc4f8bb65218626ab41bd87309b29bcd35b15207
dca4ec05f998da2f2251d475f728a5a973bc2a31
e2aa087644fee2c0e24df990481bf41d51c5153f
e511f3834b1b7928060daa96934e0a31a32960ee
e6a9d4ce0d9512ab9a5d080e9ed7585b6458d291
f13ab5e326284e259af4114f5d29b39e4d2b1fc5
f1b470e01204329fb4f0efc9584f32c13ffbe849
f53c69f5639006df027cb31d3f1880eb28bf5b0d
f7ab844aec3431380e8600c7ae752333352eacf3
f84530f21bacc6678e248de4e9c070adfb6cea9c
fa27b3b8391acffd12bab7dd4edab77601cf4537
fee18b39121bd05aac4489360c457ee4255c76aa

  1. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
    See above. They are all s/MIME so no CT sadly.

  2. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

A platform was using EJBCA out of the box for s/MIME.

  1. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
    Integration with DigiCert's systems. We'll eventually move their CA to our own software.

Jeremy: the serial number entropy requirement is from the BRs. Do these certificates lack an EKU or otherwise fall within the Mozilla policy requirements for BR compliance?

Assignee: wthayer → jeremy.rowley
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(jeremy.rowley)
Summary: Quovadis → Quovadis: Insufficient Serial Number Entropy
Whiteboard: [ca-compliance]

No - the certs are properly constrained. However, this language is in Mozilla policy section 5.2:

"CAs MUST maintain current best practices to prevent algorithm attacks against certificates. As such, all new certificates MUST have a serial number greater than zero, containing at least 64 bits of output from a CSPRNG."

The scope of the 64 bit requirement in the Mozilla policy is not limited to TLS certs so we figured we may as well disclose. Not sure if others using EJBCA are looking at sMIME certs as well as TLS.

Flags: needinfo?(jeremy.rowley)

Thanks for pointing that out - you are correct.

Jeremy,

When do you expect to have an updated answer to #7, such as concrete actions and timeline?

Flags: needinfo?(jeremy.rowley)

Integration is happening this year. We're hoping to call into the DigiCert CA by June, but my guess is full migration won't happen until near December. Concrete actions are:

  1. Migrate validation system to DigiCert's new validation system (in June)
  2. Migrate CA compliance check to DigiCert's CA compliance system (in June, but depends on ETSI auditor information)
  3. Integrate into Digicert's CA issuance system (around Dec)

As far as fixing the system, we already changed the entropy on the system to 124 bits. Since they are s/MIME only, we didn't plan on revoking or replacing the certs.

Flags: needinfo?(jeremy.rowley)

Investigating this more, it turns out the certs have emails but are not enabled for s/MIME. There was a mis-communication in the request/response. Sorry about that. Want to close this bug? Everything trusted in Mozilla has >= 64 bits of entropy.

Per comment 6, resolving as invalid.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.