Closed Bug 1636339 Opened 4 years ago Closed 4 years ago

Entrust: Failure to revoke a certificate

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ryan.sleevi, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [leaf-revocation-delay])

In Bug 1635096, Entrust shared an issue with an invalid encoding in the printable string.

In https://bugzilla.mozilla.org/show_bug.cgi?id=1635096#c1 , and subsequently in https://bugzilla.mozilla.org/show_bug.cgi?id=1635096#c4 , it was confirmed that Entrust will not be capable of indicating the certificate is revoked via OCSP within the time defined by the Baseline Requirements.

As this effectively means the certificate is not revoked, this represents a failure to revoke in a timely fashion.

When testing to obtain a response, the response I receive is "unauthorized (6)", indicating that the server is not capable of responding authoritatively. As this is an unsigned response, attaching proof isn't very useful.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

On 30 April 2020, the Entrust Datacard compliance team discovered that an SSL certificate was issued with quotation marks in the printable string format in the Organization field of the Subject DN. The OCSP software rejected the certificate due to the error, so an OCSP status was not provided.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

30 April 2020, 04:13 UTC - An SSL Certificate was issued with printable string in the Organization field.
30 April 2020, 04:13 UTC - Certificate failed with OCSP and was blocked by OCSP responder.
30 April 2020, 05:31 UTC - Post-issuance linting check provided notice, "Constraint failure in X520OrganizationName: ASN.1 constraint check failed: PrintableString: constraint failed"
1 May 2020, 18:27 UTC - Certificate was revoked on CRL
28 May 2020 - Patch to the OCSP software was implemented
28 May 2020, 20:00 UTC - Certificate was revoked on OCSP

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

The OCSP software was upgraded and rejects bad certificates. The older CA software may still issue bad certificates. The CA software will be changed to not issue certificates with the printableString error. The problem is currently being mitigated through verification practices.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

One SSL certificate was issued with printableString encoded in the Organization field. This data should have been UTF-8 encoded. There were no other certificates issued with this error.

  5. The complete certificate data for the problematic certificates.

https://crt.sh/?id=2746128448

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

This CA error was unknown as quotation marks are not a character that is typically used in the Organization field. The OCSP software rejected the certificate by design.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

The CA will be migrated to a more modern software which does not have the bug. The more modern CA software performs the same checks as the updated OCSP software.

The OCSP software has been patched to allow a certificate serial number to be uploaded. If a serial number is uploaded, the certificate will be revoked by default.

This error and similar errors will further be mitigated by upgrading the CA software and the pre-issuance linting software.
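The two technical points in this thread are the ASN.1 constraint that the post-issuance linter reported (a double quote is not in the PrintableString character set, so an organizationName containing one has to be a UTF8String) and the unsigned "unauthorized (6)" OCSP answer the reporter observed. The following is an added example, not code from Entrust, Mozilla or this bug: a small DER walker that lints the string encoding of the attributes in a Subject DN and decodes the responseStatus of an OCSPResponse. The sample DNs, the OID constants and the OCSP bytes are constructed for the example; the PrintableString alphabet is the one from X.680 and the status codes are from RFC 6960.

```python
"""
Added example (not Entrust's, Mozilla's or this bug's code): lint X.520 string
encodings in a Subject DN and decode an OCSPResponse.responseStatus.
X.680 PrintableString allows only A-Z a-z 0-9 space ' ( ) + , - . / : = ?
so text with a double quote must be a UTF8String (tag 0x0C), not 0x13.
Sample DNs and OCSP bytes below are constructed for this example.
"""

PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")
OID_CN, OID_ORG = "2.5.4.3", "2.5.4.10"           # commonName, organizationName
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}  # RFC 6960

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID content octets -> dotted-decimal string."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _der(tag, content):
    """Wrap content in a DER TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def _encode_oid(dotted):
    """Dotted-decimal OID -> DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def build_name(*avas):
    """Build a DER Name from (oid, string_tag, text) triples, one AVA per RDN."""
    rdns = b"".join(
        _der(0x31, _der(0x30, _der(0x06, _encode_oid(oid)) + _der(tag, text.encode("utf-8"))))
        for oid, tag, text in avas)
    return _der(0x30, rdns)

def lint_name(der_name):
    """Return [(oid, problem, detail)] for each AVA whose string encoding is invalid."""
    problems = []
    _, rdns, _ = _tlv(der_name, 0)                  # Name ::= SEQUENCE OF RDN
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)               # RDN ::= SET OF AVA
        p = 0
        while p < len(rdn):
            _, ava, p = _tlv(rdn, p)                # AVA ::= SEQUENCE { type, value }
            _, oid_raw, q = _tlv(ava, 0)
            vtag, value, _ = _tlv(ava, q)
            oid = _decode_oid(oid_raw)
            if vtag == 0x13:                        # PrintableString: check alphabet
                bad = sorted({chr(b) for b in value} - PRINTABLE)
                if bad:
                    problems.append((oid, "printablestring-constraint", bad))
            elif vtag == 0x0C:                      # UTF8String: must decode
                try:
                    value.decode("utf-8")
                except UnicodeDecodeError:
                    problems.append((oid, "invalid-utf8", value.hex()))
    return problems

def ocsp_response_status(der_resp):
    """Decode OCSPResponse.responseStatus; returns (code, name)."""
    _, body, _ = _tlv(der_resp, 0)                  # OCSPResponse ::= SEQUENCE { ... }
    tag, enum, _ = _tlv(body, 0)                    # responseStatus ENUMERATED
    if tag != 0x0A:
        raise ValueError("responseStatus is not ENUMERATED")
    code = int.from_bytes(enum, "big")
    return code, OCSP_STATUS.get(code, "unknown")

# Constructed samples: an organization name with quotes, mis-encoded and corrected.
BAD_DN = build_name((OID_CN, 0x13, "www.example.com"),
                    (OID_ORG, 0x13, 'Example "Widgets" Inc'))
GOOD_DN = build_name((OID_CN, 0x13, "www.example.com"),
                     (OID_ORG, 0x0C, 'Example "Widgets" Inc'))
# An unsigned "unauthorized (6)" answer is the entire response: SEQUENCE { ENUMERATED 6 }.
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")
```

`lint_name(BAD_DN)` flags organizationName with the offending character, `lint_name(GOOD_DN)` returns an empty list, and `ocsp_response_status(UNAUTHORIZED_RESPONSE)` yields `(6, "unauthorized")`; because such a response carries no responseBytes there is nothing signed to verify, which is why the reporter could attach no proof.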

(In reply to Bruce Morton from comment #1)

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

The CA will be migrated to a more modern software which does not have the bug. The more modern CA software performs the same checks as the updated OCSP software.

The OCSP software has been patched to allow a certificate serial number to be uploaded. If a serial number is uploaded, the certificate will be revoked by default.

This error and similar errors will further be mitigated by upgrading the CA software and the pre-issuance linting software.

This seems to leave out the "timeline" part of the response?

The subordinate CA was migrated to the new software on 9 June 2020, which has resolved the printable string bug with this CA. This software is being migrated to all subordinate CAs which can issue SSL certificates.

Bruce,
Could you provide a little more explanation of the delayed revocation? What was the cause of the delay in revocation and what steps are being implemented to ensure timely revocation of certificates under similar scenarios in the future?
Thanks,
Ben

(In reply to Ben Wilson from comment #4)

Bruce,
Could you provide a little more explanation of the delayed revocation? What was the cause of the delay in revocation and what steps are being implemented to ensure timely revocation of certificates under similar scenarios in the future?
Thanks,
Ben

The certificate was revoked within the 5 days per CRL. However, the new OCSP system rejected the certificate as it was incorrect per incident https://bugzilla.mozilla.org/show_bug.cgi?id=1636339, so there was no revoked OCSP response. In addition, to prevent an attack of false certificate status, the OCSP system would not allow a certificate serial number to be uploaded. The OCSP system was patched to allow a certificate serial number to be uploaded, but only in a revoked status.

The CA has been migrated, which will prevent the same error in the future. The OCSP system has been upgraded to allow a rejected certificate to be uploaded as revoked.

Unless there are additional questions or issues, I intend to close this bug on or after 7-August 2020.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] [delayed-revocation-leaf] → [ca-compliance] [leaf-revocation-delay]