Closed Bug 1732484 Opened 2 months ago Closed 1 month ago

Sectigo: Truncated registration numbers in EV certificates

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tim.callan, Assigned: tim.callan)

Details

(Whiteboard: [ca-compliance])

1. How your CA first became aware of the problem

Upon our review of DigiCert bug 1727963, we looked into our own certificate base to see if we had any instances of the same truncation behavior. Though the root cause is different, we discovered a similar phenomenon with some of our EV certificates, which had subject:serialNumber values truncated to 25 characters.

2. Timeline

August 27, 2021
Bug 1727963 written up by DigiCert.

August 31
Sectigo WebPKI Incident Response (WIR) team discusses this bug in its semi-weekly working meeting and resolves to investigate the Sectigo certificate base for similar behavior.

A preliminary scan the same day shows 54 certificates with possible registration number truncation to 25 characters. Our suspicion is that a 25-character limit exists for the subject:serialNumber field, based on the observation that we have no certificates with more characters than that and that a quick review of a few candidates shows values that appear at first glance to be incomplete.

We hypothesize that a 25-character limit may be created by our own systems, with characters beyond that discarded. We create a development ticket.

September 1
A code review reveals that our system truncates subject:serialNumber to 25 characters, discarding the rest.

September 19
A fix is deployed for 25-character truncation. This new code limits the length of the subject:serialNumber field to 64 characters and rejects certificate orders with longer fields, rather than issuing with truncated contents.

September 20
We run a query to produce a list of all certificates with exactly 25 characters in the subject:serialNumber field. Manual review of this list eliminates some false positives where the correct registration number is exactly 25 characters long. We set the remaining certificates for revocation on September 25.

September 25
Scheduled revocation for the certificates listed in point 5.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

We have corrected this technical problem and no longer truncate registration numbers to 25 characters.

4. Summary of the problematic certificates

38 certificates issued between September 16, 2019 and July 13, 2021.

5. Affected certificates

https://crt.sh/?id=1945747441
https://crt.sh/?id=1954268575
https://crt.sh/?id=1954735825
https://crt.sh/?id=1984300975
https://crt.sh/?id=2001200581
https://crt.sh/?id=1891864356
https://crt.sh/?id=2009867423
https://crt.sh/?id=3458867802
https://crt.sh/?id=2079029702
https://crt.sh/?id=2032254298
https://crt.sh/?id=3705355681
https://crt.sh/?id=3732818864
https://crt.sh/?id=2182523207
https://crt.sh/?id=2204206174
https://crt.sh/?id=2164093638
https://crt.sh/?id=2013307141
https://crt.sh/?id=2250061800
https://crt.sh/?id=2268383295
https://crt.sh/?id=1970425440
https://crt.sh/?id=3877110913
https://crt.sh/?id=2310242704
https://crt.sh/?id=2013597392
https://crt.sh/?id=2398161407
https://crt.sh/?id=2385896455
https://crt.sh/?id=2410475470
https://crt.sh/?id=2524540342
https://crt.sh/?id=2170675467
https://crt.sh/?id=2633763089
https://crt.sh/?id=2707283511
https://crt.sh/?id=2769238672
https://crt.sh/?id=2512462162
https://crt.sh/?id=2535368460
https://crt.sh/?id=2561504079
https://crt.sh/?id=2717469190
https://crt.sh/?id=2625416957
https://crt.sh/?id=4856130447
https://crt.sh/?id=4718433831
https://crt.sh/?id=2725730275

We have not yet completed revocation of these certificates, which is scheduled for Saturday the 25th. We will update this thread to confirm that revocation occurred as planned.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now

Before the initial publication of the EV Guidelines, Comodo added the ability to record registration numbers, which it included during validation of OV certificates when using information sources containing this information. At that time the product team gave this record an arbitrary limit of 25 characters. The code silently truncated any characters beyond that limit rather than returning an error. This limit was not documented.

We were unaware of this behavior until we looked into this bug. Because it is rare for a registration number to be more than 25 characters long, this error went undetected for a long time. Due to the small number of affected certificates, they never came up in internal or external audit, and we never randomly noticed an instance of this truncation. It was not until we specifically investigated this matter in response to bug 1727963 that we detected it.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future

We have fixed this limitation. Our system now limits this field to 64 characters.

With regard to review of legacy code, see bug 1720744 comment 5 for a discussion of the need for prioritization in these matters. We would like eventually to review, simplify, and document all legacy code. This will be a lengthy process. Our “Guard Rails” project in large part exists to put protections against legacy code errors in place more quickly than we can realistically accomplish thorough code review and simplification.

Assignee: bwilson → tim.callan
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]
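The two behaviours the report contrasts, a writer that silently drops characters past a field limit and one that validates against the 64-character upper bound and rejects the order, together with the "exactly 25 characters" query used to find revocation candidates, as an added example. This is not Sectigo's code and not from the bug; it hand-encodes and decodes a minimal DER subject Name with Python's standard library only. The 64-character bound is the one the fix enforces and matches X.520's ub-serial-number; the sample subjects and registration numbers are constructed.

```python
# Added example (not Sectigo's code): minimal DER handling for the X.509
# subject:serialNumber attribute. It contrasts a writer that silently
# truncates the value (the legacy behaviour described in the bug) with one
# that enforces the 64-character upper bound and rejects longer input, then
# scans a constructed set of subject Names for values of exactly 25
# characters, the query the timeline uses to find revocation candidates.

SERIAL_NUMBER_OID = bytes.fromhex("550405")  # id-at-serialNumber, 2.5.4.5
COMMON_NAME_OID = bytes.fromhex("550403")    # id-at-commonName, 2.5.4.3
UB_SERIAL_NUMBER = 64  # X.520 ub-serial-number; the limit the fix enforces
# serialNumber is a PrintableString; this is its alphabet.
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_serial_number_rdn(value, truncate_to=None):
    """RDN SET { SEQUENCE { id-at-serialNumber, PrintableString } }.

    truncate_to mimics the legacy path: characters past the limit are
    dropped with no error. With truncate_to=None the value is checked
    against the X.520 upper bound and the order is rejected instead.
    """
    if truncate_to is not None:
        value = value[:truncate_to]
    elif len(value) > UB_SERIAL_NUMBER:
        raise ValueError("serialNumber longer than %d characters" % UB_SERIAL_NUMBER)
    if not set(value) <= PRINTABLE:
        raise ValueError("serialNumber is not a PrintableString")
    atv = _tlv(0x30, _tlv(0x06, SERIAL_NUMBER_OID) + _tlv(0x13, value.encode("ascii")))
    return _tlv(0x31, atv)  # SET


def encode_subject(common_name, serial_rdn):
    """Name ::= SEQUENCE OF RDN; here a commonName RDN plus the serialNumber RDN."""
    cn_atv = _tlv(0x30, _tlv(0x06, COMMON_NAME_OID) + _tlv(0x0C, common_name.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, cn_atv) + serial_rdn)


def subject_serial_number(name_der):
    """Walk a DER Name and return the serialNumber attribute value, or None."""
    tag, rdns, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)          # SET of AttributeTypeAndValue
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)   # SEQUENCE { type, value }
            _, oid, vpos = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, vpos)
            if oid == SERIAL_NUMBER_OID:
                return val.decode("ascii")
    return None


def find_truncation_candidates(subjects, suspect_len=25):
    """Labels whose serialNumber has exactly suspect_len characters.

    Hits still need manual review: a genuine registration number can also
    be exactly 25 characters long, as the false positives in the bug were.
    """
    return [label for label, der in subjects
            if (sn := subject_serial_number(der)) is not None and len(sn) == suspect_len]


# Constructed sample subjects (not real certificates or registration numbers).
FULL_REGNO = "ABC123456789012345678901234567"  # 30 characters
EXACT25_REGNO = "XYZ1234567890123456789012"     # 25 characters, legitimately so
SAMPLE_SUBJECTS = [
    ("legacy-truncated", encode_subject("example.com", encode_serial_number_rdn(FULL_REGNO, truncate_to=25))),
    ("exactly-25", encode_subject("example.net", encode_serial_number_rdn(EXACT25_REGNO))),
    ("fixed-path", encode_subject("example.org", encode_serial_number_rdn(FULL_REGNO))),
    ("no-serial", _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, COMMON_NAME_OID) + _tlv(0x0C, b"example.edu"))))),
]

if __name__ == "__main__":
    for label, der in SAMPLE_SUBJECTS:
        print(label, subject_serial_number(der))
    print("candidates:", find_truncation_candidates(SAMPLE_SUBJECTS))
```

Running the scan over the sample set flags both the truncated subject and the legitimately 25-character one, which is why the report's query produced false positives that had to be removed by hand; the hardened encoder raises on a 65-character value instead of issuing with a shortened one.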

(In reply to Tim Callan from comment #0)
The scheduled revocation went as expected on Saturday.

We tried to provide the relevant information in our initial writeup. Is there anything we can answer or clarify for the community?

We haven’t had any questions or comments on this bug. As last week was the CA/Browser Forum face-to-face, we appreciate that maybe people in the community have been busy. Are there any questions on this bug?

Ben, there don’t appear to be any questions or comments on this bug. We have performed our full remediation and dealt with all misissued certificates. May we close this bug?

Flags: needinfo?(bwilson)

I'll close this on Wed. 27-October-2021 unless there are additional questions or requests for clarification.

Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED