Closed Bug 1802845 Opened 2 years ago Closed 1 year ago

CFCA: EV certificate with wrong PostalCode&Street

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gaofei, Assigned: gaofei)

Details

(Whiteboard: [ca-compliance] [ev-misissuance])

Attachments

(3 files)


Steps to reproduce:

CFCA reviewed the historically issued certificates by using custom lint, and finds that the following certificates have the error of PostalCode and Street interchange:
1. https://crt.sh/?id=7626154014
2. https://crt.sh/?id=5680629132
3. https://crt.sh/?id=5680721951
4. https://crt.sh/?id=2746294331
5. https://crt.sh/?id=691507285

Of these certificates, https://crt.sh/?id=2746294331 and https://crt.sh/?id=691507285 have been revoked.

We are in urgent consultation with customers. The three certificates (https://crt.sh/?id=7626154014, https://crt.sh/?id=5680629132, https://crt.sh/?id=5680721951) will be revoked by December 2.

A full report will be provided on December 2.

Summary: CFCA → CFCA:EV certificate with wrong PostalCode&Street
Assignee: nobody → gaofei
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Summary: CFCA:EV certificate with wrong PostalCode&Street → CFCA: EV certificate with wrong PostalCode&Street

1) How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

2022-11-25, CFCA reviewed the historically issued certificates by using custom lint, and found PostalCode and Street interchange errors in some certificates.

2) A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

2018-08-29: CFCA issued a wrong certificate with interchangeable PostalCode and Street (https://crt.sh/?id=691507285)
2020-04-30: CFCA issued a wrong certificate with interchangeable PostalCode and Street (https://crt.sh/?id=2746294331)
2021-11-26: CFCA issued a wrong certificate with interchangeable PostalCode and Street (https://crt.sh/?id=5680721951)
2021-11-26: CFCA issued a wrong certificate with interchangeable PostalCode and Street (https://crt.sh/?id=5680629132)
2022-09-27: CFCA issued a wrong certificate with interchangeable PostalCode and Street (https://crt.sh/?id=7626154014)
2022-10-20: CFCA has completed custom lint deployment.
2022-10-21: CFCA uses custom lint to review the certificates issued in the past. This scan did not achieve the expected effect, and the custom lint upgrade was arranged.
2022-11-25 06:00:00: The CFCA custom lint upgrade is completed, and the historically issued certificates are reviewed.
2022-11-25 08:30:00: Complete the analysis and confirmation of the custom lint detection results.
2022-11-25 09:18:25: CFCA revoked the certificate (https://crt.sh/?id=691507285).
2022-11-25 09:18:34: CFCA revoked the certificate (https://crt.sh/?id=2746294331).
2022-11-30 09:34:31: CFCA revoked the certificate (https://crt.sh/?id=7626154014).
2022-11-30 10:09:50: CFCA revoked the certificate (https://crt.sh/?id=5680721951).
2022-11-30 10:10:11: CFCA revoked the certificate (https://crt.sh/?id=5680629132).

3) Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

1. CFCA has completed custom lint deployment and supports more than 40 tests, such as: the number of characters in the domain name does not exceed 64, CRL can be accessed normally, the PostalCode uses PrintableString and does not exceed 16 characters, etc., which can avoid issuing wrong certificates with interchangeable PostalCode and Street.
2. 2022-11-30, CFCA has completed the revocation of the above wrong certificate.

4) In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

CFCA reviewed the historically issued certificates by using custom lint, and finds that the following certificates have the error of PostalCode and Street interchange:
1. https://crt.sh/?id=7626154014
2. https://crt.sh/?id=5680629132
3. https://crt.sh/?id=5680721951
4. https://crt.sh/?id=2746294331
5. https://crt.sh/?id=691507285

5) In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

CFCA reviewed the historically issued certificates by using custom lint, and finds that the following certificates have the error of PostalCode and Street interchange:
1. https://crt.sh/?id=7626154014
2. https://crt.sh/?id=5680629132
3. https://crt.sh/?id=5680721951
4. https://crt.sh/?id=2746294331
5. https://crt.sh/?id=691507285

6) Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Before the custom lint is deployed, the issuance of certificates mainly relied on the manual processing and inspection of operators and reviewers. Because of their mistakes in work, wrong certificates were issued, and wrong certificates were not found after they were issued.
After the custom lint had been deployed on 2022-10-20, all newly issued certificates will be automatically verified by the system to avoid manual problems. The application and the issuance of the certificate will be rejected whenever an error is found.
In addition, CFCA is advancing the development of CFCA RA/CA Zlint function as planned. It is expected to complete the function test by the end of January 2023, and the deployment will be completed by the end of the first quarter of 2023.

7) List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

(1) 2022-10-20, CFCA completes custom lint deployment, which can avoid issuing wrong certificates with interchangeable PostalCode and Street.
(2) Advance CFCA RA/CA Zlint function deployment as planned:
a. 2022-11-15, the functional design of CFCA RA/CA Zlint has been completed and submitted to the development department.
b. Complete functional verification in the test environment before 2023-1-30.
c. CFCA RA/CA Zlint will be officially launched before the end of the first quarter of 2023.

Attachment #9306382 - Attachment description: bugzilla report--CCFCA EV certificate with wrong PostalCode&Street -20221202.pdf → bugzilla report--CFCA EV certificate with wrong PostalCode&Street -20221202.pdf
Attachment #9306382 - Attachment filename: bugzilla report--CCFCA EV certificate with wrong PostalCode&Street -20221202.pdf → bugzilla report--CFCA EV certificate with wrong PostalCode&Street -20221202.pdf
Whiteboard: [ca-compliance] [ev-misissuance]

We have completed the functional verification in the test environment before 2023-1-06. It is planned to apply Zlint Service to the production environment by the end of February. After that, all issued certificates will be automatically verified by Zlint.

We have completed the application of ZLint service on February 28. Only after passing the Zlint verification, the certificates are allowed to be issued.

CFCA Work Improvement in the Past Six Months:
1. Since September 2021, the arrangement: Gao Fei, Qiu Dawei, and Li Kairui jointly completed the review and comparison of PKI policies (RFC, BR, EVG, Root policy, CT policy, etc.), Bugzilla case review and reply, CCADB maintenance, CPS revision and audit, etc.
2. From October 2022 to January 2023, we newly formulated and updated the “Risk Event Handling Specification”, “Bugzilla Incident Handling Specification”, “Certificate Operation Management Specification”, “CCADB Management Measures”, “CT Management Specification”, etc., in order to further standardize the implementation of certificate operation and management.
3. In February 2023, we have applied Zlint auto-detection function. All certificates will be tested by Zlint before they are issued. Only certificates that pass the test will be allowed to be issued to avoid wrong certificates.

CFCA’s Next Work Plan:
1. Promote comprehensive automation management
(1) Based on ACME to realize automatic certificate application, issuance, installation, update and other functions.
(2) Based on Zlint detection, it realizes the function of email notification of abnormal test results and automatic revocation within 7 days.
2. Strengthen internal audit: invest more manpower and energy to increase the frequency of internal audits and improve the quality of internal audits.

Historically Issued SSL Certificate Zlint Detection:
A total of 11,724 test certificates were issued with 179 wrong certificates. The main problems include the following categories:
(1) Wrong SerialNumber encoding
Quantity: 160
This problem was caused by a bug in the CA system. These wrong certificates were issued before July 2018. The CA system function was updated in August 2018 to fix the problem. After that, this type of error did not occur. Related issues have been previously discussed in the following tickets:
https://bugzilla.mozilla.org/show_bug.cgi?id=1532559

(2) Invalid TLD in SAN / invalid dnsNames / Internal IP Address in certificate
Quantity: 8
This problem is caused by the incomplete domain name or IP verification function of the system. These error certificates were issued before February 2019. The RA system function was updated in February 2019 to fix this problem. After that, this type of error did not occur. Related issues have been previously discussed in the following tickets:
https://bugzilla.mozilla.org/show_bug.cgi?id=1532429
https://bugzilla.mozilla.org/show_bug.cgi?id=1524733
https://bugzilla.mozilla.org/show_bug.cgi?id=1524143

(3) Certificate with wrong PostalCode
Quantity: 6
This problem was caused by staff mistakes and the failure of the system to strictly verify the relevant fields. These error certificates were issued before September 2022, and the RA system function was updated in November 2022 to fix this problem. After that, this type of error did not occur. Related issues have been previously discussed in the following tickets:
https://bugzilla.mozilla.org/show_bug.cgi?id=1771482
https://bugzilla.mozilla.org/show_bug.cgi?id=1802845

(4) Certificate with wrong crlDistributionPoints
Quantity: 3
This problem was caused by the RA system configuration error during the Zlint upgrade function verification process, and Zlint was not enabled. The Zlint upgrade was completed at the end of February 2023. All certificates will be tested by Zlint, and this type of error has not occurred since then. Related issues have been previously discussed in the following tickets:
https://bugzilla.mozilla.org/show_bug.cgi?id=1809382

(5) Organization more than 64 characters
Quantity: 2
This problem is caused by the incomplete organization name verification function of the system. These error certificates were issued before December 2018. The RA system function was updated in February 2019 to fix this problem. After that, this type of error did not occur. Related issues have been previously discussed in the following tickets:
https://bugzilla.mozilla.org/show_bug.cgi?id=1532113

The above-mentioned problematic certificates have all expired or been revoked. The certificates within the current validity period and in the activated state are all valid after scanning by Zlint.

(In reply to Gao Fei from comment #0)

CFCA reviewed the historically issued certificates by using custom lint, and finds that the following certificates have the error of PostalCode and Street interchange:
1. https://crt.sh/?id=7626154014
2. https://crt.sh/?id=5680629132
3. https://crt.sh/?id=5680721951
4. https://crt.sh/?id=2746294331
5. https://crt.sh/?id=691507285

(In reply to Gao Fei from comment #6)

(3) Certificate with wrong PostalCode
Quantity: 6
This problem was caused by staff mistakes and the failure of the system to strictly verify the relevant fields. These error certificates were issued before September 2022, and the RA system function was updated in November 2022 to fix this problem.

Can you describe how the lint check for postal code works and how it detects issues caused by staff mistakes? Can it detect if staff mistypes a 2 instead of a 1?

(In reply to Mathew Hodson from comment #9)

Can you describe how the lint check for postal code works and how it detects issues caused by staff mistakes? Can it detect if staff mistypes a 2 instead of a 1?

The postal code identification mechanism is as follows:

  1. The postal code input is limited to: uppercase and lowercase letters, numbers, horizontal lines and other characters from PrintableString, and the number of characters does not exceed 16.
  2. For postal code input, it will be sent to the "China Postal Code Database" for query. If it is not found, a warning prompt will appear to prevent incorrect input.

In the past year, CFCA has improved its work through the following measures:

  1. Arrange multiple people to be responsible for PKI policy tracking, Bugzilla incident response and handling, CCADB maintenance, etc.;
  2. Formulate and update some relevant documents of management norms;
  3. Use Zlint to automate detection;
  4. Actively promote ACME automation;

CFCA remains open and transparent, actively faces and solves problems, and will continue to improve our processes and technical means in the future.
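
Added example, not part of the thread and not CFCA's lint or ZLint code: a Go sketch of the two checks described in the comment above (PrintableString characters with at most 16 of them, then a postal code database lookup), extended with a swap heuristic and a comparison against the validated record. The database contents, the `validated` parameter and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for the postal code database lookup (sample entries only).
var knownPostalCodes = map[string]bool{"100000": true, "100001": true, "200000": true}

// printable is the PrintableString alphabet from X.680.
const printable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"

func isPrintableString(s string) bool {
	for _, r := range s {
		if !strings.ContainsRune(printable, r) {
			return false
		}
	}
	return true
}

// LintPostalCode returns findings for a subject's postalCode and streetAddress.
// validated is the postal code from the validated record (hypothetical input; "" if unknown).
func LintPostalCode(postalCode, street, validated string) []string {
	var findings []string
	if !isPrintableString(postalCode) {
		findings = append(findings, "postalCode: not PrintableString")
	}
	if len(postalCode) > 16 {
		findings = append(findings, "postalCode: longer than 16 characters")
	}
	if !knownPostalCodes[postalCode] {
		findings = append(findings, "postalCode: not in postal code database")
		if knownPostalCodes[street] {
			findings = append(findings, "postalCode and streetAddress look interchanged")
		}
	}
	if validated != "" && postalCode != validated {
		findings = append(findings, "postalCode: differs from validated record")
	}
	return findings
}

func main() {
	fmt.Println(LintPostalCode("No. 1 Example Road", "100000", "100000")) // fields swapped
	fmt.Println(LintPostalCode("100001", "No. 1 Example Road", ""))       // typo, still a real code
	fmt.Println(LintPostalCode("100001", "No. 1 Example Road", "100000")) // typo vs. validated record
}
```

The second call returns no findings: a mistyped digit that yields another existing postal code passes the character, length and database checks, and is only caught when the value is compared with the validated record.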

This case has been discussed in detail and has been improved. There is no new content recently. Apply to close this case, thanks.

I will close this case on Friday, 29-Sept-2023.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED