2015-11-05 Symantec Log Bug Report

96 views
Skip to first unread message

Rick Andrews

unread,
Nov 5, 2015, 6:43:19 PM11/5/15
to Certificate Transparency Policy

Summary:

On October 19, 2015 Google reported an issue with verification of the signature part of the Signed Certificate Timestamp (SCT) returned by the Certificate Transparency Log Server operated by Symantec. This issue did not affect all SCT signatures, but a small subset.

 

Symantec reviewed the issue and confirmed the issue with Google that same day. Symantec then took steps to identify the root cause and subsequently released a fix on October 27, 2015 for any new SCTs returned.

 

Detailed Description:

The signature part of an SCT is ASN.1 DER-encoded ECC signature structure. Some of the encoded signatures were not in strict compliance with ITU-T Recommendation X.690 § 8.3.2, which states:

If the contents octets of an integer value encoding consist of more than one octet, then the bits of the first octet and bit 8 of the second octet:

a) shall not all be ones; and

b) shall not all be zero.

NOTE – These rules ensure that an integer value is always encoded in the smallest possible number of octets.”

 

These signatures were issued in SCTs to certificates as well as pre-certificates logged to Symantec’s Log Server.  Many clients will take the encoded signature and proceed to verification operations. However, some clients such as Chrome and OpenSSL will take the encoded signature, parse it for individual components, and then re-encode it with strict DER compliance to verify if the re-encoded signature matches the original encoded signature. Such comparisons will fail for signatures that are not encoded with strict DER compliance.  If the comparison fails, the client can opt out of proceeding with further signature validation.

 

Root Cause:

Symantec uses a Hardware Security Module (HSM) to sign SCTs. The HSM module generates fixed length integer components for an ECC signature. In certain instances generated integer components were padded with leading zeros. The DER encoding routine did not alter the integers before encoding them into the signature part of the SCT.

 

Remediation:

Symantec has updated its CT Log Server code to prevent issuing signatures that fail to comply strictly with DER encoding rules.

Reply all
Reply to author
Forward
0 new messages