Closed Bug 1770020 Opened 2 years ago Closed 2 years ago

Report for EKU OIDs missing an EKU friendly value

Categories

(CA Program :: Common CA Database, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: poonam)

Details

When we made changes to Derived Trust Bits logic we had found that one of the EKUs ('1.2.840.113583.1.1.5' ) used in the database was not being mapped by the custom program. To proactively report on such EKUs, the CCADB Steering Committee asked for a report.

Please add this new "Unmapped EKUs" report to the "Root Store Reports" tab. All root store operators should have access to that tab and the reports therein.

While we're looking at that tab, the following reports have been replaced by the "CA Task List" tab, so should be removed from the "Root Store Reports" tab:

  • Intermediate Certs - Failed ALV Results For Standard and BR
  • Intermediate Certs - Failed ALV Results For EV SSL
  • Intermediate Certs - Failed ALV Results for Code Signing
  • Intermediate Certificates with Missing Full CRL

The 'Unmapped EKUs' report is ready in SBxCCADB sandbox. Please check the link below to view the report.
https://ccadb--sbxccadb--c.visualforce.com/apex/UnmappedEKUs

Note that when PEM is parsed, we store the first 200 characters of Extended Key Usage in CCADB followed by an ellipsis. Such EKUs are ignored by the report.

Please filter out revoked and expired certificates from the "Unmapped EKUs" report.

Please also filter out certificates that chain up to root certificates that are not included in any of the participating root stores.

I created a report in CCADB production to list all of the non-revoked, non-expired intermediate certificates that contain "..." in their "Extended Key Usage" field, and the report only found 6 such records. For those six records I looked at the "Extraction Results" field and found that the largest "extendedKeyUsage" has 344 characters.

So let's set the maximum size of the "Extended Key Usage" field to 350 characters.
And upon PEM import, only store the first 345 characters, adding an ellipsis when it is longer than 345 characters.

Comment #2 & #3 are complete.

Looks good.

Please change the report description to:
The following table lists the non-revoked and non-expired intermediate certificates that have unmapped EKU OIDs.

And move the changes to production.

Assignee: nobody → poonam
Status: NEW → ASSIGNED
Flags: needinfo?(kwilson)
Severity: -- → S3

The UnmappedEKUs report is deployed in production.

Extended Key Usage field size was increased from 255 to 350 characters. The program which populates this field after parsing PEM is also updated to fill 345 characters followed by an ellipsis when the data is longer than 345 characters.

The PEM field had to be manually repopulated for 34 intermediate certs so that the parser program repopulates Extended Key Usage.

Two intermediate certs (805A7B80601A6FFB4ABDE635EF47705EAE17620DEF9CFAF61462B62D7C4B886A and A90F97D6B5C7612E020CBBCF0746200C9676E1828C5A850BE6BC888C345FA4B5) with very large PEM were not manually populated. These records have PEM field blank but the Extraction Results field is populated. Would you like me to map the extendedKeyUsage from Extraction Results and copy them to the Extended Key Usage field?

(In reply to Poonam Bhargava from comment #8)

> The UnmappedEKUs report is deployed in production.

I couldn't find the report in production.
Anyways, please add a link to it to the "Root Store Reports" tab on Root Store Operator home pages.

> Extended Key Usage field size was increased from 255 to 350 characters. The program which populates this field after parsing PEM is also updated to fill 345 characters followed by an ellipsis when the data is longer than 345 characters.

Thanks!

> The PEM field had to be manually repopulated for 34 intermediate certs so that the parser program repopulates Extended Key Usage.

Thanks!

> Two intermediate certs (805A7B80601A6FFB4ABDE635EF47705EAE17620DEF9CFAF61462B62D7C4B886A and A90F97D6B5C7612E020CBBCF0746200C9676E1828C5A850BE6BC888C345FA4B5) with very large PEM were not manually populated. These records have PEM field blank but the Extraction Results field is populated. Would you like me to map the extendedKeyUsage from Extraction Results and copy them to the Extended Key Usage field?

I copied the data over for those two.

'Unmapped EKUs Report' has been added to the home pages under 'Root Store Reports' tab for all root stores.

Thanks!

Noticed one minor thing...

1.3.6.1.4.1.311.61.1.1 is listed in the report, but our mapping logic maps this to Microsoft OIDs.
So the report logic should filter out OIDs that begin with "1.3.6.1.4.1.311."

We don't have a mapping for "1.3.6.1.4.1.311", but we have mappings for longer versions of this value, listed below:

Label                      EKU Friendly Name
1.3.6.1.4.1.311.10.3.11    Microsoft OIDs
1.3.6.1.4.1.311.10.3.12    Document Signing
1.3.6.1.4.1.311.10.3.4     Encrypting File System
1.3.6.1.4.1.311.2.1.22     Microsoft OIDs
1.3.6.1.4.1.311.20.2.1     Microsoft OIDs
1.3.6.1.4.1.311.20.2.2     Microsoft OIDs
1.3.6.1.4.1.311.21.19      Microsoft OIDs
1.3.6.1.4.1.311.21.5       Microsoft OIDs
1.3.6.1.4.1.311.21.6       Microsoft OIDs
1.3.6.1.4.1.311.67.1.1     Microsoft BitLocker Drive Encryption

Would it be correct to add a new mapping entry for "1.3.6.1.4.1.311.61.1.1"?

Maybe we should - it stands for Microsoft "Kernel Mode Code Signing".

Poonam, please map 1.3.6.1.4.1.311.61.1.1 to Microsoft OIDs.

None of us root store operators have CCADB do anything with this OID or "Kernel Mode Code Signing".

Just FYI: "Kernel Mode Code Signing" has nothing to do with the other references to "Code Signing" in the CCADB, and I don't want to risk having it cause problems with our existing CCADB logic.

Added friendly name for 1.3.6.1.4.1.311.61.1.1 to the mappings in Salesforce.

Also recalculated Derived Trust Bits for 2 intermediate certs which had this EKU value.

Thanks!
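The two mechanics this bug settles on, the 345-character-plus-ellipsis rule for the Extended Key Usage field on PEM import (comment #4) and the report filters (non-revoked, non-expired, chained to an included root, EKU not truncated, OID absent from the friendly-name mapping, with the optional "1.3.6.1.4.1.311." arc filter suggested later), can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not CCADB's Salesforce code. It assumes the stored EKU field is a comma-separated list of dotted OIDs, uses a constructed subset of the mapping table posted above (plus the 1.3.6.1.4.1.311.61.1.1 entry added at the end of the thread), and the certificate identifiers, root identifiers, reference date and the OID 1.3.6.1.4.1.311.99.1.1 in the sample records are constructed for illustration.

```python
"""Model of the CCADB 'Unmapped EKUs' report and the EKU field truncation rule.
Added example, not CCADB's own code.  Assumes the Extended Key Usage field holds
a comma-separated list of dotted OIDs as written by the PEM parser."""
from datetime import date
from typing import Dict, List, Sequence, Set, Tuple

EKU_FIELD_MAX = 350      # field size after the change in this bug
EKU_STORE_LEN = 345      # characters kept on PEM import before the ellipsis
ELLIPSIS = "..."
MICROSOFT_ARC = "1.3.6.1.4.1.311."   # arc filter suggested in comment #11

# Constructed subset of the friendly-name mapping; the last entry is the
# 1.3.6.1.4.1.311.61.1.1 -> "Microsoft OIDs" mapping added at the end of the bug.
EKU_FRIENDLY_NAMES: Dict[str, str] = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.4.1.311.10.3.12": "Document Signing",
    "1.3.6.1.4.1.311.20.2.2": "Microsoft OIDs",
    "1.3.6.1.4.1.311.61.1.1": "Microsoft OIDs",
}


def store_eku_field(parsed_eku: str) -> str:
    """Import rule: keep the first 345 characters and append an ellipsis when
    the parsed EKU string is longer than that, so the value fits the 350 field."""
    if len(parsed_eku) > EKU_STORE_LEN:
        return parsed_eku[:EKU_STORE_LEN] + ELLIPSIS
    return parsed_eku


def is_truncated(stored_eku: str) -> bool:
    """A stored value ending in an ellipsis is incomplete; the report skips it."""
    return stored_eku.endswith(ELLIPSIS)


def split_oids(stored_eku: str) -> List[str]:
    return [o.strip() for o in stored_eku.split(",") if o.strip()]


def unmapped_oids(stored_eku: str, ignore_prefixes: Sequence[str] = ()) -> List[str]:
    """OIDs in one EKU field with no friendly name.  ignore_prefixes is the
    optional arc filter (e.g. MICROSOFT_ARC) for OIDs handled elsewhere."""
    missing = []
    for oid in split_oids(stored_eku):
        if oid in EKU_FRIENDLY_NAMES:
            continue
        if any(oid.startswith(p) for p in ignore_prefixes):
            continue
        missing.append(oid)
    return missing


def unmapped_eku_report(records: List[dict], today: date, included_roots: Set[str],
                        ignore_prefixes: Sequence[str] = ()) -> List[Tuple[str, List[str]]]:
    """Rows of (cert id, unmapped OIDs) for non-revoked, non-expired intermediates
    that chain to an included root and whose EKU field is not truncated."""
    rows = []
    for rec in records:
        if rec["revoked"] or rec["not_after"] < today:
            continue
        if rec["root"] not in included_roots:
            continue
        if is_truncated(rec["eku"]):
            continue
        missing = unmapped_oids(rec["eku"], ignore_prefixes)
        if missing:
            rows.append((rec["id"], missing))
    return rows


# Constructed sample records: ids, root ids, dates and 1.3.6.1.4.1.311.99.1.1
# are made up for this example.  1.2.840.113583.1.1.5 is the OID from the bug.
TODAY = date(2022, 6, 1)
INCLUDED_ROOTS = {"ROOT-1"}
FAR = date(2030, 1, 1)
LONG_EKU = ", ".join(["1.2.840.113583.1.1.5"] * 20)   # 438 chars, gets truncated
SAMPLE_RECORDS = [
    {"id": "INT-A", "eku": "1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2", "revoked": False, "not_after": FAR, "root": "ROOT-1"},
    {"id": "INT-B", "eku": "1.3.6.1.5.5.7.3.3, 1.2.840.113583.1.1.5", "revoked": False, "not_after": FAR, "root": "ROOT-1"},
    {"id": "INT-C", "eku": "1.3.6.1.4.1.311.61.1.1, 1.3.6.1.4.1.311.99.1.1", "revoked": False, "not_after": FAR, "root": "ROOT-1"},
    {"id": "INT-D", "eku": "1.2.840.113583.1.1.5", "revoked": True, "not_after": FAR, "root": "ROOT-1"},
    {"id": "INT-E", "eku": "1.2.840.113583.1.1.5", "revoked": False, "not_after": date(2020, 1, 1), "root": "ROOT-1"},
    {"id": "INT-F", "eku": store_eku_field(LONG_EKU), "revoked": False, "not_after": FAR, "root": "ROOT-1"},
    {"id": "INT-G", "eku": "1.2.840.113583.1.1.5", "revoked": False, "not_after": FAR, "root": "ROOT-2"},
]


def run_sample(ignore_prefixes: Sequence[str] = ()) -> List[Tuple[str, List[str]]]:
    return unmapped_eku_report(SAMPLE_RECORDS, TODAY, INCLUDED_ROOTS, ignore_prefixes)


if __name__ == "__main__":
    for cert_id, oids in run_sample():
        print(cert_id, oids)
    print("with arc filter:", run_sample((MICROSOFT_ARC,)))
```

Without the arc filter the sample reports INT-B (the Adobe OID from comment #0) and INT-C (the constructed unmapped Microsoft-arc OID); with the arc filter only INT-B remains, which is the trade-off the thread weighs before settling on an explicit mapping entry instead. INT-F shows why truncated values are excluded: a comma-separated list cut at 345 characters would otherwise yield a partial, spurious OID.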

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Severity: S3 → --
Priority: P1 → --
Whiteboard: [ccadb-enhancement]