CA Public Key Material

Tavis Ormandy

Dec 15, 2016, 7:43:26 AM
to dev-secur...@lists.mozilla.org
Hello, while working on an unrelated problem, I happened to notice that this
<https://crt.sh/?id=30316154> leaf certificate for DNS:test.wgh.cn and DNS:
test.ydn.cn has the same RSA public key as this trusted root
<https://crt.sh/?id=9329287> (and a few others).

test.wgh.cn no longer resolves, but wgh.cn is the personal blog of a WoSign
employee.

Is it possible key material was accidentally used in a web server and
removed from a HSM? Maybe there's another explanation, but if there was an
accident, I assume the root would need to be revoked.

I'm having trouble finding any observatory/census logs from this time
period to check, can anyone help?

Tavis.

Rob Stradling

Dec 15, 2016, 10:45:58 AM
to Tavis Ormandy, dev-secur...@lists.mozilla.org
Hi Tavis.

There are lots of links here: https://scans.io/

I took a brief look at https://scans.io/study/sonar.ssl and did not find
the SHA-1 hash of the test.wgh.cn cert (https://crt.sh/?id=30316154) in
either of the two logs dated soonest after that cert's notBefore date:
https://scans.io/data/rapid7/sonar.ssl/20150209/20150209_hosts.gz
https://scans.io/data/rapid7/sonar.ssl/20150216/20150216_hosts.gz

That cert has been revoked, but the (presumably backdated) revocation
date in the CRL matches the cert's notBefore date:
Serial Number: 6E58BF31CFAD4AB20071C26EA9662DA5
Revocation Date: Feb 4 06:47:22 2015 GMT

BTW, https://crt.sh/?id=9329287 (360 EV Server CA G2) is an intermediate
certificate, not a trusted root.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Andrew Ayer

Dec 15, 2016, 11:34:32 AM
to Tavis Ormandy, dev-secur...@lists.mozilla.org
On Wed, 14 Dec 2016 18:46:31 -0800
Tavis Ormandy <tav...@google.com> wrote:

> Hello, while working on an unrelated problem, I happened to notice
> that this <https://crt.sh/?id=30316154> leaf certificate for
> DNS:test.wgh.cn and DNS: test.ydn.cn has the same RSA public key as
> this trusted root <https://crt.sh/?id=9329287> (and a few others).
>
> test.wgh.cn no longer resolves, but wgh.cn is the personal blog of a
> WoSign employee.

Do you know if test.wgh.cn ever resolved?

> Is it possible key material was accidentally used in a web server and
> removed from a HSM? Maybe there's another explanation, but if there
> was an accident, I assume the root would need to be revoked.

I was just able to obtain the below certificate
(https://crt.sh/?sha256=9d28d7861ef9a0750f7bb95ee9c765d2610fab41fdd7f2142986d2e8f2a0c7da)
from StartCom for this public key. StartCom evidently does not
validate the CSR self-signature, and I suspect WoSign didn't either,
since they shared so much code and infrastructure. (StartCom appears
to still share infrastructure - the validation email for this
certificate originated from a Chinese IP address.) Validating the CSR
self-signature is not required by the BRs or Mozilla policy.

This is probably more likely than the CA private key being used for a server
cert, although this is WoSign, so who knows?

Regards,
Andrew


Richard Wang

Dec 15, 2016, 8:30:07 PM
to Andrew Ayer, Tavis Ormandy, dev-secur...@lists.mozilla.org
You are right, you have done the same test as my test; this doesn't mean you own our intermediate CA root key.

For CSR, yes, our system doesn't validate the CSR self-signature. We think it is better to validate it, so we will update our system to validate it soon.

For this test certificate's revocation time, yes, it is the same as the issuance time.
Our PKI system lets the Revocation Office choose the revocation time: (1) same as the issuance time; (2) the current time. Option (1) is designed for invalidating a malware-signing code signing certificate instantly if the malware is signed with a timestamp. If we revoke the malware-signing code signing certificate using Option (2) (the current time), then the signed malware with a timestamp is still valid even if the certificate is revoked. Sure, we can use Option (1) to revoke an SSL certificate like my test certificate so that nobody has the chance to use this test certificate.

Thank you.

Best Regards,

Richard
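
The two checks this thread turns on, as an added example that is not code from WoSign, StartCom or any poster: a pre-issuance routine that rejects a CSR whose self-signature does not verify under the embedded key, and one whose public key matches a known CA key. `vetCSR`, `sampleCSR` and `caKeys` are hypothetical names, the CSR for `test.example` is constructed, and a P-256 key stands in for RSA to keep the run fast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

var errNoPossession = errors.New("CSR self-signature does not verify under the embedded key")
var errCAKey = errors.New("CSR public key matches a known CA key")

// vetCSR (hypothetical): caKeys holds SHA-256 hashes of the issuer's CA SubjectPublicKeyInfo.
func vetCSR(der []byte, caKeys map[[32]byte]bool) error {
	csr, err := x509.ParseCertificateRequest(der) // parsing alone verifies nothing
	if err != nil {
		return err
	}
	if caKeys[sha256.Sum256(csr.RawSubjectPublicKeyInfo)] {
		return errCAKey
	}
	if csr.CheckSignature() != nil {
		return errNoPossession
	}
	return nil
}

// sampleCSR returns a constructed CSR (fresh P-256 key) and its SPKI hash.
func sampleCSR(cn string) ([]byte, [32]byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	csr, _ := x509.ParseCertificateRequest(der)
	return der, sha256.Sum256(csr.RawSubjectPublicKeyInfo)
}

func main() {
	der, hash := sampleCSR("test.example")
	bad := append([]byte(nil), der...)
	bad[len(bad)-1] ^= 0x01 // corrupt the signature, keep the public key
	fmt.Println(vetCSR(der, nil), vetCSR(bad, nil), vetCSR(der, map[[32]byte]bool{hash: true}))
}
```

In a real issuance pipeline `caKeys` would be filled from the `RawSubjectPublicKeyInfo` of each CA certificate the issuer operates.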