Closed Bug 1908130 Opened 1 year ago Closed 1 year ago

NAVER Cloud Trust Services: Incorrect keyUsage for ECC certificate

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hogeun.yoo, Assigned: hogeun.yoo)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Preliminary Incident Report

On July 16, 2024, NAVER Cloud Trust Services G1 ECC CA1, an intermediate CA of NAVER Cloud Trust Services ECC Root G1 added to the Microsoft root program on May 28, issued certificates for the test websites.

Three certificates were issued with keyEncipherment in keyUsage. This is a violation of BR's "7.1.2.7.11 Subscriber Certificate Key Usage" and as soon as we became aware of it, all three affected certificates were revoked within 30 minutes.
One of these certificates is being monitored by sslmate OCSP WATCH due to the incorrect OCSP URI in AIA, with the issue “error parsing OCSP response: bad OCSP signature: x509: ECDSA verification failure”. This issue will be addressed in bug 1908128.

In the initial investigation, we confirmed that RFC5480 and RFC8813 were excluded from the pre-lints path, and this is considered to be the reason that the affected certificates were passed.

We are currently suspending certificate issuance pending further investigation and will provide a full incident report no later than July 23, 2024.

Assignee: nobody → hogeun.yoo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [ov-misissuance]

Incident Report

Summary

On 2024-07-16 UTC, NAVER Cloud Trust Services issued three ECDSA certificates that included keyEncipherment in keyUsage. This violated the Baseline Requirements (BR) section "7.1.2.7.11 Subscriber Certificate Key Usage." Within 30 minutes of discovering this issue, the certificates were promptly revoked.
The root cause of this mis-issuance was identified as the manual creation process of certificate profiles and the exclusion of lint sources (RFC 5480, RFC 8813) during pre-linting.

Impact

Three ECDSA certificates were incorrectly issued by the NCTS CA team for test websites and were discovered before being used. NAVER Cloud Trust Services identified the mis-issuance and immediately suspended certificate issuance to prevent any further issues.

Time

All times are UTC.
2024-07-16:

  • 06:10 NCTS CA team created and issued ECDSA certificate profile in a development environment before issuing certificates in the production environment. The certificate profile was created by modifying the existing RSA certificate profile. The certificates passed linting and were issued in a development environment.
  • 07:00 NCTS CA System created a certificate profile for DV certificates using the ECDSA algorithm in the production environment. The certificate profile was created by modifying the existing RSA profile.
  • 07:20 NCTS CA Team issued three ECDSA DV certificates with this profile for the CA's test websites.
  • 07:30 NCTS CA Team linted the certificates using an external linting tool and found that certificates had been issued with the keyEncipherment in the keyUsage extension field of ECDSA certificates.
  • 07:44 NCTS CA has revoked three certificates and suspended the issuing system.
  • 07:45 Investigation started
  • 09:00 In the initial investigation, we confirmed that the profile that was created for ECDSA DV certificate has keyEncipherment value in the keyUsage extension field and passed pre-lint.
  • 13:34 Posted a preliminary report on Bugzilla

2024-07-19:

  • 11:30 NCTS CA team investigated the pre-lint configuration file and confirmed that the LintSources of RFC 5480 and RFC 8813 were missing from the linting scope. After adding these two LintSources in the development environment and conducting certificate issuance tests, they verified that the pre-lint prevents incorrect certificate issuance.
  • 12:30 The NCTS CA team deployed the configuration file with the added LintSources for RFC 5480 and RFC 8813 to the production environment.

Root Cause Analysis

  • In the certificate issuance system, the certificate profile was modified from the existing RSA algorithm to be used for the ECC algorithm.
  • RFC 5480 and RFC 8813 were missing from the pre-lint scope settings. As a result, even though the Key Usage included keyEncipherment, it was not linted.
  • The test results in the test environment were considered normal, and the certificate profile was deployed to the production environment and issuance proceeded.

Lessons Learned

What went well

N/A

What didn't go well

  • The lint results were trusted without reviewing the pre-lint scope settings.
  • There was no cross-verification with external lint tools. Manual reviews were not sufficiently performed. In other words, there was a high reliance on lint results, and the lint scope was not properly reviewed in advance.
  • There should have been a pre-set restriction for certificate profile input values by encryption algorithm in the issuance system. There is a risk of human error in areas where inputs or selections are made manually.

Where we got lucky

The issue occurred before the certificates were supplied to external customers and were identified before being used in the actual web service.

Action Items

| Action Item | Kind | Due Date |
|---|---|---|
| (Completed) Added ECDSA lint source to the pre-lint system. | Mitigate and Prevent | 2024-07-19 |
| (Testing In-progress) Additional cases that pass the lint check will be investigated and addressed. | Prevent | 2024-08-02 |
| (Design In-progress) Improving the certificate issuance system to minimize manual settings during certificate profile creation and modification: (1) Removed key sizes or hash algorithm that violate BR from the selection menu (2) Improved to allow only BR-compliant keyUsage values for specific Key Algorithms (3) Change the process to select and input Certificate Policies OID values by pre-assigning them as constants. | Prevent | TBD |
| (Design In-progress) When creating or modifying a certificate profile, it is mandatory to generate the certificate in the test environment CA and complete the external lint validation before applying it to the production environment. | Prevent | TBD |

Appendix

Details of affected certificates

| No. | Precertificate | Certificate |
|---|---|---|
| 1 | https://crt.sh/?id=13759476583 | https://crt.sh/?id=13759477023 |
| 2 | https://crt.sh/?id=13759475243 | https://crt.sh/?id=13759475244 |
| 3 | https://crt.sh/?id=13759404944 | https://crt.sh/?id=13759405073 |
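
Added example, not part of the incident report or of NCTS's tooling: a minimal Go check for the RFC 8813 rule the report says was outside the pre-lint scope, namely that a certificate with an EC public key must not assert keyEncipherment or dataEncipherment in keyUsage. The function names and the self-signed test certificate are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CheckECKeyUsage returns the keyUsage bits that RFC 8813 forbids on a
// certificate carrying an EC public key; nil for other key types.
func CheckECKeyUsage(cert *x509.Certificate) []string {
	if cert.PublicKeyAlgorithm != x509.ECDSA {
		return nil
	}
	var bad []string
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
		bad = append(bad, "keyEncipherment")
	}
	if cert.KeyUsage&x509.KeyUsageDataEncipherment != 0 {
		bad = append(bad, "dataEncipherment")
	}
	return bad
}

// IssueTestCert self-signs a constructed P-256 test certificate with the given keyUsage.
func IssueTestCert(ku x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := IssueTestCert(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment)
	if err != nil {
		panic(err)
	}
	fmt.Println("RFC 8813 violations:", CheckECKeyUsage(cert))
}
```

The keyUsage passed in `main` mirrors a profile carried over from an RSA template; a check like this can run against a test-environment issuance independently of the pre-lint configuration.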

This is an update to Comment #1, refreshing the status of action items.

Action Items

| Action Item | Kind | Due Date |
|---|---|---|
| (Completed) Added ECDSA lint source to the pre-lint system. | Mitigate and Prevent | 2024-07-19 |
| (Completed) Additional cases that pass the lint check will be investigated and addressed. | Prevent | 2024-08-02 |
| (Implementation In-progress) Improving the certificate issuance system to minimize manual settings during certificate profile creation and modification: (1) Removed key sizes or hash algorithm that violate BR from the selection menu (2) Improved to allow only BR-compliant keyUsage values for specific Key Algorithms (3) Change the process to select and input Certificate Policies OID values by pre-assigning them as constants. | Prevent | 2024-08-16 |
| (Implementation In-progress) When creating or modifying a certificate profile, it is mandatory to generate the certificate in the test environment CA and complete the external lint validation before applying it to the production environment. | Prevent | 2024-08-16 |

This is an update to Comment #2, refreshing the status of action items.

Action Items

| Action Item | Kind | Due Date |
|---|---|---|
| (Completed) Added ECDSA lint source to the pre-lint system. | Mitigate and Prevent | 2024-07-19 |
| (Completed) Additional cases that pass the lint check will be investigated and addressed. | Prevent | 2024-08-02 |
| (Completed) Improving the certificate issuance system to minimize manual settings during certificate profile creation and modification: (1) Removed key sizes or hash algorithm that violate BR from the selection menu (2) Improved to allow only BR-compliant keyUsage values for specific Key Algorithms (3) Change the process to select and input Certificate Policies OID values by pre-assigning them as constants. | Prevent | 2024-08-16 |
| (Completed) When creating or modifying a certificate profile, it is mandatory to generate the certificate in the test environment CA and complete the external lint validation before applying it to the production environment. | Prevent | 2024-08-16 |

On behalf of Naver Cloud Trust Services, we believe that all analysis and actions have been completed. There is no new information in this bug since comment 3.

I will look at closing this next Wednesday, 28-Aug-2024.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED