Open Bug 2033412 Opened 2 months ago Updated 3 days ago

CFCA: CRL signatureAlgorithm Missing NULL Parameter (RFC 4055 Section 5)

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
ASSIGNED

People

(Reporter: songxinlei, Assigned: songxinlei)

Details

(Whiteboard: [close on 2026-06-23] [ca-compliance] [crl-failure])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36

Steps to reproduce:

Preliminary Incident Report

Summary

  • Incident description: CFCA EV RCA CRL signatureAlgorithm field is missing required NULL parameter for RSA algorithm (RFC 4055 Section 5 / RFC 5280 Section 4.1.2.3); CFCA internal verification confirmed 4 CRLs (EV RCA + EV/OV/DV OCA) have the same issue.
  • Relevant policies:
    • RFC 4055 Section 5
    • RFC 5280 Section 4.1.2.3
  • Source of incident disclosure: Third-party Reported by xipki.
Assignee: nobody → songxinlei
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [crl-failure]

Hi, we're preparing the Full Incident Report, no furthur updated yet.

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000272
  • Incident description: CFCA CRL signatureAlgorithm field is missing required NULL parameter for RSA algorithm (RFC 4055 Section 5). Additionally, DVOCA CRL contains empty revokedCertificates field when no certificates are revoked (RFC 5280 Section 5.1.2.6).
  • Timeline summary:
    • Non-compliance start date: 2012-08-08 (estimated based on root certificate generation date) for signatureAlgorithm issue
    • Non-compliance identified date: 2026-04-07
    • Non-compliance end date: 2026-06-10 (pending CRL regeneration)
  • Relevant policies:
    • RFC 4055 Section 5 (RSA signature algorithms: sha256WithRSAEncryption, sha384WithRSAEncryption, sha512WithRSAEncryption require NULL parameter in AlgorithmIdentifier)
    • RFC 5280 Section 5.1.2.6 (revokedCertificates list - MUST be absent when empty)
  • Source of incident disclosure: Third Party Reported by XiPKI

Impact

Timeline

All times are in Beijing Time (CST, UTC+8) unless otherwise specified.

  • 2012-08-08 - CABatch CRL generation software deployed (estimated based on root certificate generation date); ASN.1 encoding deficiency introduced (signatureAlgorithm missing NULL parameter for RSA)
  • 2026-04-03 23:43 CET (UTC+1) - Security researcher sent follow-up email to cps@cfca.com.cn, adding CRL signatureAlgorithm encoding issue (original email sent 2026-04-02 CET reporting OCSP issues)
  • 2026-04-07 18:02 - CFCA employees Received forwarded emails
  • 2026-04-09 03:31:54 UTC - Researcher submitted report via CFCA CPR platform (https://cloudpki.cfca.com.cn/cpr)
  • 2026-04-13 ~09:00 - Compliance team discovered forwarded email and began incident response
  • 2026-04-14 - CFCA filed Bug 2031281 covering both OCSP and CRL issues with Preliminary Report
  • 2026-04-14 - Mozilla CA Program suggested separating bugs by root cause (Bug 2031281 Comment #2)
  • 2026-04-15 - CFCA manual verification confirmed all 4 CRLs (EV RCA + EV/OV/DV OCA) have signatureAlgorithm encoding issue
  • 2026-04-15 - DVOCA CRL revokedCertificates field issue self-discovered during internal investigation
  • 2026-04-20 - CFCA created Bug 2033412 for CRL issues (separated from Bug 2031281)

Related Incidents

Bug Date Description
2007217 2025 GoDaddy: Partitioned CRL files missing Issuing Distribution Point.
2007105 2025 Asseco DS / Certum: CRL URLs disclosed in CCADB do not match certificates.
2007066 2025 Disig: Missing CA Disig R2I2 Certification Service Full CRL URLs in CCADB.
2002402 2025 GoDaddy: Missing R1 Intermediate Full CRL URLs in CCADB.
1970703 2025 Mozilla: Fix parsing of CRL Reason Code in CRL Verification Tool.
1914383 2024 Telekom Security: CRL-Entries with wrong CRL Reason Codes.
1913310 2024 D-Trust: CRL-Entries without required CRL Reason Code.
1843173 2023 NETLOCK: CRL Error on CRL Watch.

Root Cause Analysis

Contributing Factor #1: CRL Generation Software ASN.1 Encoding Deficiency

  • Description: The CABatch CRL generation module contains a software defect that produces incorrect ASN.1 encoding for the signatureAlgorithm field. When generating CRLs signed with RSA algorithms, the software omits the required NULL parameter in the AlgorithmIdentifier, resulting in non-conformant DER encoding that violates X.509 ASN.1 specifications. This encoding deficiency has existed in the software since its initial deployment and affects all CRLs generated by the system.

  • Timeline:

    • 2012-08-08: CABatch module deployed (estimated based on root certificate generation date); ASN.1 encoding deficiency existed since deployment
    • Note: Due to the age of this issue (14 years), detailed investigation of historical circumstances is not feasible
    • 2026-04-07: External researcher discovered issue
    • 2026-04-15: CFCA verified all 4 CRLs affected

  • Detection:

    • External security researcher reported via CPR platform
    • Manual ASN.1 verification confirmed all 4 CRLs affected

  • Interaction with other factors:

    • Factor #3 (lack of validation mechanism) enabled this issue to persist undetected for approximately 14 years

  • Root Cause Analysis methodology used: 5-Whys

Contributing Factor #2: DVOCA CRL RevokedCertificates Field Handling

  • Description: The DVOCA CRL generation logic contains a coding defect that incorrectly handles the revokedCertificates field when no certificates are revoked. Instead of omitting the field entirely as required by X.509 CRL ASN.1 structure, the software retains an empty SEQUENCE. This defect exists in the CRL generation logic for all OCA certificate types (EV OCA, OV OCA, DVOCA).

  • Timeline:

    • 2012-08-08: OCA CRL generation logic deployed with this deficiency (affects all OCA types)
    • 2026-04-15: Self-discovered during internal investigation

  • Detection:

    • Self-discovered during internal investigation
    • Defect exists in all OCA CRL generation logic, but only manifests in DVOCA due to absence of revoked certificates

  • Interaction with other factors:

    • Discovered as a result of Factor #1 investigation
    • Defect affects all OCA CRL generation logic; DVOCA is the visible manifestation because it has no revoked certificates to mask the defect

  • Root Cause Analysis methodology used: 5-Whys

Contributing Factor #3: Lack of CRL Encoding Validation Mechanism

  • Description: CFCA lacks a systematic validation process for CRL ASN.1 encoding compliance. CRL generation lacks validation checks. No manual verification process was established to review CRL DER encoding against X.509 specifications. This gap in the certificate lifecycle management process allowed encoding defects to persist without detection.

  • Timeline:

    • 2012-08-08: OCA CRL generation logic deployed with this deficiency (affects all OCA types)
    • 2026-04-15: Self-discovered during internal investigation

  • Detection: It was recognized when the signatureAlgorithm encoding issue (Factor #1) was reported externally, during an internal review we identified the absence of CRL encoding validation procedures.

  • Interaction with other factors:

    • Enabled Factor #1 to persist undetected
    • Manual ASN.1 verification process not established

  • Root Cause Analysis methodology used: 5-Whys

Lessons Learned

  • What went well: CFCA did a comprehensive verification of all CRLs (EV RCA + EV/OV/DV OCA) after initial report and discovered of additional issue (revokedCertificates field) during internal investigation.

  • What didn't go well: CRL generation software ASN.1 encoding deficiency persisted since 2012. No manual ASN.1 verification process for CRL encoding.

  • Where we got lucky: No subscriber certificates affected.

  • Additional: N/A

Action Items

Action Item Kind Corresponding Root Cause(s) Evaluation Criteria Due Date Status
Fix CRL generation software ASN.1 encoding by adding NULL parameter for RSA signatureAlgorithm Prevent #1, #3 All CRLs pass RFC 4055/RFC 5280 validation 2026-06-10 Ongoing
Regenerate all 4 CRLs (EV RCA + EV/OV/DV OCA) with corrected encoding Prevent #1 All 4 CRLs reissued with correct ASN.1 encoding 2026-06-10 Ongoing
Fix DVOCA CRL revokedCertificates field handling by omitting field when empty Prevent #2 DVOCA CRL correctly omits revokedCertificates when no revocations 2026-06-10 Ongoing
Implement manual verification process for CRL ASN.1 encoding Detect #3 Manual verification process documented and implemented during self audit 2026-04-30 Complete

Appendix

Affected CRLs

CA Type CRL URL Issue
EV RCA (Root CA) http://crl.cfca.com.cn/evrca/RSA/crl1.crl signatureAlgorithm missing NULL
EV OCA (Subordinate CA) http://crl.cfca.com.cn/evoca/RSA/allCRL.crl signatureAlgorithm missing NULL
OV OCA (Subordinate CA) http://crl.cfca.com.cn/OVOCA/RSA/allCRL.crl signatureAlgorithm missing NULL
DV OCA (Subordinate CA) http://crl.cfca.com.cn/DVOCA/RSA/allCRL.crl signatureAlgorithm missing NULL + revokedCertificates field issue

Hi, the action items are going as planned, no other updates yet.

Hi, we're monitoring this bug. No furthur updates yet.

Hi, the action items are progressing as planned, no furthur updates yet.

Hi, the action items are progressing as planned, no furthur updates yet.

Hi, we're monitoring this, no other updates yet.

Hi, the Action Items are going well, no other updates yet.

Hi, we will update the Action Items tomorrow, everything is going well so long.

Hi, all action items for this incident have been completed, here's the updated Action Items table:

Action Items

Action Item Kind Corresponding Root Cause(s) Evaluation Criteria Due Date Status
Fix CRL generation software ASN.1 encoding by adding NULL parameter for RSA signatureAlgorithm Prevent #1, #3 All CRLs pass RFC 4055/RFC 5280 validation 2026-06-10 Complete
Regenerate all 4 CRLs (EV RCA + EV/OV/DV OCA) with corrected encoding Prevent #1 All 4 CRLs reissued with correct ASN.1 encoding 2026-06-10 Complete
Fix DVOCA CRL revokedCertificates field handling by omitting field when empty Prevent #2 DVOCA CRL correctly omits revokedCertificates when no revocations 2026-06-10 Complete
Implement manual verification process for CRL ASN.1 encoding Detect #3 Manual verification process documented and implemented during self audit 2026-04-30 Complete

Hi, since all action items are completed, here goes the closure report:

Report Closure Summary

  • Incident description: CFCA CRL signatureAlgorithm field was missing required NULL parameter for RSA algorithm (RFC 4055 Section 5), affecting all 4 CRLs (EV RCA, EV OCA, OV OCA, DV OCA). Additionally, DVOCA CRL contained an empty revokedCertificates field when no certificates were revoked (RFC 5280 Section 5.1.2.6).

  • Incident Root Cause(s):

    1. CRL generation software (CABatch) contained an ASN.1 encoding deficiency since its deployment in 2012, omitting the required NULL parameter in the AlgorithmIdentifier for RSA-based signatureAlgorithm.
    2. The DVOCA CRL generation logic contains a coding defect that incorrectly handles the revokedCertificates field when no certificates are revoked.
    3. No CRL ASN.1 encoding validation mechanism was in place — existing linting tools (PKIMetal, pkilint, zlint) could not detect the signatureAlgorithm encoding issue, and no manual verification process existed.

  • Remediation description: The CRL generation software (CABatch) was fixed to include the NULL parameter for RSA signatureAlgorithm. All 4 affected CRLs (EV RCA, EV OCA, OV OCA, DV OCA) were regenerated with corrected ASN.1 encoding. The DVOCA CRL generation logic was fixed to properly omit the revokedCertificates field when no revocations exist. A manual CRL ASN.1 encoding verification process was documented and implemented as part of quarterly self-audits.

  • Commitment summary: CFCA commits to maintaining the manual CRL ASN.1 encoding verification process during quarterly self-audits until automated linting tools support this check, and to periodically reviewing CRL generation software for RFC compliance.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-06-23.

Whiteboard: [ca-compliance] [crl-failure] → [close on 2026-06-23] [ca-compliance] [crl-failure]
You need to log in before you can comment on or make changes to this bug.