Bitflip in Nessie 2024 entry 65051339


Andrew Ayer

May 9, 2023, 4:15:52 PM
to ct-p...@chromium.org, ct...@digicert.com
The tbs_certificate in the MerkleTreeLeaf of entry 65051339 in Nessie
2024 does not match the pre_certificate of the PrecertChainEntry.
Removing the signature and poison extension from the precertificate
yields a TBSCertificate which differs by one bit from the
tbs_certificate in the MerkleTreeLeaf.

The flipped bit is in the SubjectPublicKeyInfo. Here's the
SubjectPublicKeyInfo from the MerkleTreeLeaf, where byte 0x32 is 0x92:

00000000: 3059 3013 0607 2a86 48ce 3d02 0106 082a 0Y0...*.H.=....*
00000010: 8648 ce3d 0301 0703 4200 0439 db62 c459 .H.=....B..9.b.Y
00000020: 9765 e13b 799d c2fa 4239 b910 eafc e8e4 .e.;y...B9......
00000030: 9126 9284 546f 555c 0ba6 6d3b 5f1e 923b .&..ToU\..m;_..;
00000040: 908d 0b42 53c1 0d1a 2347 7e2b acf9 a764 ...BS...#G~+...d
00000050: 7a76 edc3 2f4c aef0 66c3 72 zv../L..f.r

Here's the SubjectPublicKeyInfo from the PrecertChainEntry, where byte
0x32 is 0x93:

00000000: 3059 3013 0607 2a86 48ce 3d02 0106 082a 0Y0...*.H.=....*
00000010: 8648 ce3d 0301 0703 4200 0439 db62 c459 .H.=....B..9.b.Y
00000020: 9765 e13b 799d c2fa 4239 b910 eafc e8e4 .e.;y...B9......
00000030: 9126 9384 546f 555c 0ba6 6d3b 5f1e 923b .&..ToU\..m;_..;
00000040: 908d 0b42 53c1 0d1a 2347 7e2b acf9 a764 ...BS...#G~+...d
00000050: 7a76 edc3 2f4c aef0 66c3 72 zv../L..f.r

Unfortunately, it is not possible for the log to recover from this.
Modifying the MerkleTreeLeaf to match the PrecertChainEntry would
result in a different tree head that wouldn't match already-signed
STHs. Modifying the PrecertChainEntry to match the MerkleTreeLeaf
would render the PrecertChainEntry invalid because the
precertificate_chain would no longer certify the precertificate.

Regards,
Andrew
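
Added example, not part of Andrew Ayer's message: it locates the flipped bit between the two SubjectPublicKeyInfo dumps above and recomputes an RFC 6962 Merkle tree hash to show why correcting the leaf would change the tree head. The neighbouring leaves are constructed, and the SPKI bytes stand in for the full MerkleTreeLeaf, which is not reproduced on this page.

```python
import hashlib

# SPKI bytes transcribed from the two hex dumps in the message above.
LEAF_SPKI = bytes.fromhex("".join("""
3059 3013 0607 2a86 48ce 3d02 0106 082a
8648 ce3d 0301 0703 4200 0439 db62 c459
9765 e13b 799d c2fa 4239 b910 eafc e8e4
9126 9284 546f 555c 0ba6 6d3b 5f1e 923b
908d 0b42 53c1 0d1a 2347 7e2b acf9 a764
7a76 edc3 2f4c aef0 66c3 72
""".split()))   # as found in the MerkleTreeLeaf
ENTRY_SPKI = bytes.fromhex("".join("""
3059 3013 0607 2a86 48ce 3d02 0106 082a
8648 ce3d 0301 0703 4200 0439 db62 c459
9765 e13b 799d c2fa 4239 b910 eafc e8e4
9126 9384 546f 555c 0ba6 6d3b 5f1e 923b
908d 0b42 53c1 0d1a 2347 7e2b acf9 a764
7a76 edc3 2f4c aef0 66c3 72
""".split()))   # as found in the PrecertChainEntry

def bit_differences(a, b):
    """List (byte_offset, bit_index, a_byte, b_byte) per differing bit; bit 0 is the LSB."""
    if len(a) != len(b):
        raise ValueError("length mismatch: not a pure bit flip")
    return [(off, bit, x, y)
            for off, (x, y) in enumerate(zip(a, b))
            for bit in range(8) if (x ^ y) >> bit & 1]

def mth(leaves):
    """RFC 6962 Merkle Tree Hash: 0x00 prefix for leaves, 0x01 for interior nodes."""
    if len(leaves) == 1:
        return hashlib.sha256(b"\x00" + leaves[0]).digest()
    k = 1
    while k * 2 < len(leaves):   # largest power of two strictly below len(leaves)
        k *= 2
    return hashlib.sha256(b"\x01" + mth(leaves[:k]) + mth(leaves[k:])).digest()

def tree_head(leaf):
    # Constructed three-leaf tree; the real log holds tens of millions of entries.
    return mth([b"constructed leaf A", leaf, b"constructed leaf B"])

if __name__ == "__main__":
    for off, bit, x, y in bit_differences(LEAF_SPKI, ENTRY_SPKI):
        print(f"offset 0x{off:02x} bit {bit}: leaf=0x{x:02x} entry=0x{y:02x}")
    print("root with stored leaf   :", tree_head(LEAF_SPKI).hex())
    print("root with corrected leaf:", tree_head(ENTRY_SPKI).hex())
```
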

Rob Stradling

May 15, 2023, 10:17:39 AM
to Andrew Ayer, ct-p...@chromium.org, ct...@digicert.com
Nessie 2024 seems to have stopped producing STHs a few days ago.  Did I miss a retirement announcement?

From: ct-p...@chromium.org <ct-p...@chromium.org> on behalf of Andrew Ayer <ag...@andrewayer.name>
Sent: 09 May 2023 21:15
To: ct-p...@chromium.org <ct-p...@chromium.org>; ct...@digicert.com <ct...@digicert.com>
Subject: [ct-policy] Bitflip in Nessie 2024 entry 65051339

Jeremy Rowley

May 15, 2023, 10:35:00 AM
to Rob Stradling, Andrew Ayer, ct-p...@chromium.org, ct...@digicert.com
Wes shut it off for new issuance per the instructions from Google to stop accepting STHs because of the bit-flipping issue. We're still investigating the root cause.

Rob Stradling

May 15, 2023, 11:07:11 AM
to Certificate Transparency Policy, Jeremy Rowley, Andrew Ayer, ct-p...@chromium.org, ct...@digicert.com, Rob Stradling
> per the instructions from Google

Presumably that was a private communication from Google to DigiCert, since nobody from Google has commented on this list thread yet.

> to stop accepting STHs because of the bit-flipping issue

Logs don't accept STHs.  They produce them.  I can believe that Google would ask you to stop accepting (pre)certificate submissions, but I would be extremely surprised if you were asked to stop producing STHs.