Closed Bug 1900492 Opened 1 year ago Closed 1 year ago

IdenTrust: Invalid OrganizationIdentifier in S/MIME certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: roots, Assigned: roots)

Details

(Whiteboard: [ca-compliance] [smime-misissuance])

Incident Report

Summary

During pre-deployment testing of a new PKI linting tool on May 29th, 2024, an issue was uncovered regarding the organizationIdentifier validation scheme for GOVUS entities. Upon further analysis, it was discovered that the validation logic within our internal software was incorrect, and therefore, it allowed issuance of S/MIME certificates with the wrong organization validation scheme.

We found only one active certificate with this issue. The certificate was revoked within 24 hours.

Impact

S/MIME Sponsor-Validated and Organization-Validated certificates

Timeline

2024-05-29:

QA operator who was testing the new S/MIME linter tool in the test environment received an unexpected error report for organizationIdentifier.

After an in-depth examination, it was determined that the expected organization identifier scheme for GOVUS entities was not properly coded.

Ran a script to detect certificates with the same ‘wrong’ validation scheme and found one active certificate with the issue.

Contacted affected customer requesting prompt revocation.

2024-05-30:
Revoked the affected certificate

2024-06-01:
Deployed the new S/MIME linting tool.

Root Cause Analysis

The internal application allowed an incorrect scheme for GOVUS entities and the new S/MIME linting tool was not yet in place when this certificate was issued.

Lessons Learned

We need to review the internal application validating the Organization Identifier schemes to ensure the correct validation syntax is in place.

What went well

What didn't go well

Where we got lucky

Only one active certificate had this issue and was revoked within 24 hours of discovery

Action Items

Action Item | Kind | Due Date
Deploy S/MIME Linting tool | Prevent | Completed on 2024-06-01
Review and update the validation scheme logic for Organization Identifier | Prevent | 2024-09-30

Appendix

Details of affected certificates

PEM of the affected certificate:


Please make sure that the timeline in incident reports contains all relevant events from the past. The one that is missing is when the certificate was issued. This is spelled out on https://www.ccadb.org/cas/incident-report#incident-reports

The Timeline section must include a detailed timeline of all events and actions leading up to and taken during and after the incident. The timeline must include not just the actual discovery of the incident and subsequent events, but also relevant events occurring beforehand (e.g. something changed or was introduced).

(In reply to IdenTrust from comment #0)

Root Cause Analysis

The internal application allowed an incorrect scheme for GOVUS entities and the new S/MIME linting tool was not yet in place when this certificate was issued.

What is the correct scheme that should have been used instead? What was different with the process for this one certificate that it was impacted but no others were?

(In reply to Mathew Hodson from comment #1)

Please make sure that the timeline in incident reports contains all relevant events from the past. The one that is missing is when the certificate was issued. This is spelled out on https://www.ccadb.org/cas/incident-report#incident-reports

Here is an updated timeline with the events that took place before discovering the issue:

Timeline

2023-09-30:

Deploy Organization Validation Scheme per the S/MIME BR

2023-10-19:

Issued S/MIME certificate with invalid registration scheme identifier

2024-05-29:

QA operator who was testing the new S/MIME linter tool in the test environment received an unexpected error report for OrgIdentifier.

After an in-depth examination, it was determined that the expected organization identifier scheme for GOVUS entities was not properly coded.

Ran a script to detect certificates with the same ‘wrong’ validation scheme and found one active certificate with the issue.

Contacted affected customer requesting prompt revocation.

2024-05-30:
Revoked the affected certificate

2024-06-01:
Deployed the new S/MIME linting tool.

(In reply to IdenTrust from comment #0)

Root Cause Analysis

The internal application allowed an incorrect scheme for GOVUS entities and the new S/MIME linting tool was not yet in place when this certificate was issued.

What is the correct scheme that should have been used instead?

The correct scheme for this certificate should have been NTR

What was different with the process for this one certificate that it was impacted but no others were?

IdenTrust supports multiple Registration Schemes for the organizationIdentifier field as allowed in the S/MIME BR. As a part of the organization identity vetting process, the registration agent capturing this field selected “GOVUS” as the prefix instead of “NTR”. Currently, there is no check in place to alert the registration agent that the scheme is invalid, only for “GOVUS”.

The internal application allowed an incorrect scheme for GOVUS entities and the new S/MIME linting tool was not yet in place when this certificate was issued.
To avoid recurrence of this issue:

  1. We have implemented S/MIME pre-certificate issuance linting as of 6-1-2024
  2. We have included new test cases for government entities Registration Scheme as part of the regression test suite. This is how we detected the issue.
  3. We will update the code in the application to alert the registration agent in case an invalid Registration Scheme is selected by 9-30-2024
Assignee: nobody → roots
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [smime-misissuance]

The validation scheme logic for Organization Identifiers has been successfully corrected and incorporated into our software change control process as of June 1, 2024. This update addresses all previously identified issues related to Organization Identifier validation. We have no remaining outstanding items or concerns regarding this matter.

What about "We will update the code in the application to alert the registration agent in case an invalid Registration Scheme is selected by 9-30-2024"?

Flags: needinfo?(roots)

(In reply to Ben Wilson from comment #4)

What about "We will update the code in the application to alert the registration agent in case an invalid Registration Scheme is selected by 9-30-2024"?
On June 1, 2024, a code fix was deployed that introduced a change in how organizational identifiers are handled. This update no longer accepts the 'GOV' scheme when the organizational ID contains a hyphen followed by an 8-digit number (e.g., '-xxxxxxx').
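An added example, not IdenTrust's code, of the kind of pre-issuance check this thread discusses (the missing registration-agent check from comment #3 and the fix described above): a small Python linter that splits an organizationIdentifier into its S/MIME BR components and flags a GOV scheme whose reference looks like an NTR-style registration number. The regex character classes, the sample values and the exact boundary test for the 8-digit rule are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registration Scheme identifiers enumerated in the S/MIME BR (section 7.1.4.2.2 d).
KNOWN_SCHEMES = {"NTR", "VAT", "PSD", "LEI", "GOV", "INT"}

# organizationIdentifier structure from the S/MIME BR: 3-char scheme, 2-char country
# code, optional "+" subdivision, a hyphen-minus, then the Registration Reference.
# The subdivision character class is an assumption made for this example.
_OI_RE = re.compile(
    r"^(?P<scheme>[A-Z]{3})(?P<country>[A-Z]{2})"
    r"(?:\+(?P<subdivision>[A-Z0-9]{1,3}))?-(?P<reference>.+)$"
)

@dataclass
class OrgId:
    scheme: str
    country: str
    subdivision: Optional[str]
    reference: str

def parse_org_id(value: str) -> OrgId:
    """Split an organizationIdentifier into its parts, or raise ValueError."""
    m = _OI_RE.match(value)
    if not m:
        raise ValueError(f"organizationIdentifier does not match BR structure: {value!r}")
    return OrgId(m["scheme"], m["country"], m["subdivision"], m["reference"])

def lint_org_id(value: str) -> List[str]:
    """Return findings for one organizationIdentifier; an empty list means it passed."""
    try:
        oi = parse_org_id(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if oi.scheme not in KNOWN_SCHEMES:
        findings.append(f"unknown Registration Scheme {oi.scheme!r}")
    # Rule modelled on the fix described in this bug: a GOV identifier whose reference
    # carries a hyphen followed by an 8-digit number is treated as a mis-selected scheme
    # (such registration numbers belong under NTR). The exact boundary test is assumed.
    if oi.scheme == "GOV" and re.search(r"-\d{8}(?!\d)", oi.reference):
        findings.append("GOV scheme used with an NTR-style registration number")
    return findings

# Constructed sample values (not taken from the affected certificate).
SAMPLES = ["GOVUS+FL-99-12345678", "NTRUS+FL-99-12345678", "VATDE-123456789", "XYZUS-1"]
if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", lint_org_id(value) or "OK")
```

Run over the subject organizationIdentifier of each certificate before issuance, or over already issued certificates as in the detection script the timeline mentions.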

Thanks. I intend to close this next week sometime (June 17-21).

Flags: needinfo?(roots) → needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED