On Wed, 14 Dec 2016 18:46:31 -0800 Tavis Ormandy <[email protected]> wrote:
> Hello, while working on an unrelated problem, I happened to notice
> that this <https://crt.sh/?id=30316154> leaf certificate for
> DNS:test.wgh.cn and DNS: test.ydn.cn has the same RSA public key as
> this trusted root <https://crt.sh/?id=9329287> (and a few others).
>
> test.wgh.cn no longer resolves, but wgh.cn is the personal blog of a
> WoSign employee. Do you know if test.wgh.cn ever resolved?
> Is it possible key material was accidentally used in a web server and
> removed from a HSM? Maybe there's another explanation, but if there
> was an accident, I assume the root would need to be revoked.

I was just able to obtain the below certificate (https://crt.sh/?sha256=9d28d7861ef9a0750f7bb95ee9c765d2610fab41fdd7f2142986d2e8f2a0c7da) from StartCom for this public key.

StartCom evidently does not validate the CSR self-signature, and I suspect WoSign didn't either, since they shared so much code and infrastructure. (StartCom appears to still share infrastructure - the validation email for this certificate originated from a Chinese IP address.)

Validating the CSR self-signature is not required by the BRs or Mozilla policy.

This is probably more likely than the CA private key being used for a server cert, although this is WoSign, so who knows?
Regards,
Andrew

-----BEGIN CERTIFICATE-----
MIIG5jCCBc6gAwIBAgIQIGpPzMoGW7C7rmmIqZ9kQzANBgkqhkiG9w0BAQsFADB4
MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
Q29tIENsYXNzIDEgRFYgU2VydmVyIENBMB4XDTE2MTIxNTE1MDk1OFoXDTE5MTIx
NTE1MDk1OFowKTELMAkGA1UEBhMCVVMxGjAYBgNVBAMMEXdvZS5jbG91ZHBvcmsu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTTDNgZURH21N1vn
WHEpbRdNCkWDtwFCNE8WI9+JIHKlloQtKBfClyjH2ELy6OCy5wiF3wOEEDfflhFI
RVebGw1wUuw6201gpgYzdZAYioMs6egpZeNk+C8d1kWW6VMXRnvccOW+KZTDC6ej
aSnv+ETjptpoVNjlieewuvImzh/WF7RPmvk+nccqFA143MISvA9npWj/WUdSNhqX
+VkwUM/q7tsvXnWR6mHkUZeJkXEqhU1gfPI8isM5zdLB8WEQ6tuW/uXswHD6quW4
OS7n12cFMJ0ZfAt9qJ3tFLiGTJzaCFlxdf6K9vT9+OUW2Bv+ePNDDPXKITbX3cXJ
IMIBnwIDAQABo4IDuTCCA7UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
AQUFBwMCBggrBgEFBQcDATAJBgNVHRMEAjAAMB0GA1UdDgQWBBRHiQGiQRdFHa3K
azO1h7FawsrcoDAfBgNVHSMEGDAWgBTXkU4BxLC/+Mhnk0Sc5zP6rZMMrzBvBggr
BgEFBQcBAQRjMGEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNv
bTA5BggrBgEFBQcwAoYtaHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvc2Nh
LnNlcnZlcjEuY3J0MDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuc3RhcnRz
c2wuY29tL3NjYS1zZXJ2ZXIxLmNybDAcBgNVHREEFTATghF3b2UuY2xvdWRwb3Jr
LmNvbTAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wUQYDVR0g
BEowSDAIBgZngQwBAgEwPAYLKwYBBAGBtTcBAgUwLTArBggrBgEFBQcCARYfaHR0
cHM6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeTCCAfYGCisGAQQB1nkCBAIEggHm
BIIB4gHgAHcANLtq1sPfnAPuqKSZ/3iRSGydXlysktAfe/0bzhnbSO8AAAFZAyfn
LwAABAMASDBGAiEAizl+ig1kxjDMvajjTETY4vZAClhCU8s8Vwg7RmP09TcCIQD8
93dQS2qtmHFvN+NczhmCpc9Z1BUQ4KzvZ3pSzqmb3gB2AO5Lvbd1zmC64UJpH6vh
nmajD35fsHLYgwDEe4l6qP3LAAABWQMn73kAAAQDAEcwRQIhANqqZfMY4/vYgzvs
tLNdod0VDvlX9h1ODY2o1pvIdligAiAzBYPkftUXDewZrk9Gy8GVl7tARutil7gx
QRuXvIc1FgB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABWQMn
69AAAAQDAEcwRQIhAKcvpQBHAQDeuPYBbMdrm8CN7Lr/1IWADMxTePAj7F7VAiAD
ZSI6dWiW5urbb1kJ9Yt4Zmk14KVh79r+3xDaeKNZkQB1AEGy3C6J5jzkrxunuym/
aMbe5vnxzAR+MN/647O6JZJjAAABWQMn1kcAAAQDAEYwRAIgKPwcdwjwuJG42GCL
4jJgx31aIrSEz1Mud5a6fwf2a/MCIGRwKTEAoUXV26Q7zgmpoGQsTnlxzUGEdntv
XFz2wpqjMA0GCSqGSIb3DQEBCwUAA4IBAQDMIEYvBw98C3t29ds5prOqaox59PC+
izVi2Ih3PttGtI+NhpnBPQKPoJoUTlshHW4dGo+F8tQScEW1DqjUtmP3vAIfsR5/
hghT+NTBc7rgvG/5xLd/KWZ27zjiZFbZKCL25s6BJLARZnWDoS45cXWMoVc7oZrW
AsYsNld1NiScjUvHzbwqTZvFqx3C+Q4jrXsRgavT6oNpz3frBJROcXADiNoSpuTS
n75BDqk2w3aUZXgrUOCpKGjU/7SELJ6J7U7kXvBJvnGd2d3UpCFZznnDzVs6mO0V
BuP/ZTikYP9KkyhJ17uXJHPeQPyPwGTi3FhrO5dpj7/pey73OJuO7Tp6
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF5TCCA82gAwIBAgIQal3D5TtOT9B7aR6l/OxkazANBgkqhkiG9w0BAQsFADB9
MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTUxMjE2MDEwMDA1WhcN
MzAxMjE2MDEwMDA1WjB4MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20g
THRkLjEpMCcGA1UECxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
JjAkBgNVBAMTHVN0YXJ0Q29tIENsYXNzIDEgRFYgU2VydmVyIENBMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2uz0qohni7BLYmaWv8lEaObCK0ygM86s
eeN2w9FW4HWvQbQKRYDvy43kFuMmFD4RHkHn1Mk7sijXkJ/F8NH+5Tjbins7tFIC
ZXd+Qe2ODCMcWbOLoYB54sM514tsZk6m3M4lZi3gmT7ISFiNdKpf/C3dZwasWea+
dbLpwQWZEcM6oCXmW/6L3kwQAhC0GhJm2rBVrYEDvZq1EK3Bv+g5gAW8DVfusUai
oyW0wfQdnKtOLv1M4rtezrKtE8T5tjyeKvFqMX93+LYVlT8Vs+sD12s3ncldqEDL
U89IiBjg6FsbLfM2Ket/3RbfvggfQMPQshipdhrZL8q10jibTlViGQIDAQABo4IB
ZDCCAWAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
BQcDATASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6
Ly9jcmwuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDBmBggrBgEFBQcBAQRaMFgwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTAwBggrBgEFBQcwAoYk
aHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvY2EuY3J0MB0GA1UdDgQWBBTX
kU4BxLC/+Mhnk0Sc5zP6rZMMrzAfBgNVHSMEGDAWgBROC+8apEBbpRdphzDKNGhD
0EGu8jA/BgNVHSAEODA2MDQGBFUdIAAwLDAqBggrBgEFBQcCARYeaHR0cDovL3d3
dy5zdGFydHNzbC5jb20vcG9saWN5MA0GCSqGSIb3DQEBCwUAA4ICAQCO5z+95Eu6
gog9K9e7DatQXfeUL8zq1Ycj0HKo3ZvFhRjULAVrMj7JrURtfoZziTDl39gvMDhL
voN5EFEYQWyre5ySsFgGeZQHIC0zhETILSyAE7JCKaEJ//APnkcQfx458GOuJvi+
p2JpRxa8Sc/HVJ9HqA687QbbJFFZlUP5IqLtCb8yZVBURd4Nm/+01DXBzomoQPwA
K3cYl9br6Q+eKmCKPKN6X4IT1gwtwXuca1f3OpZTbUFPdPz1KvP1qCFt+rNieSmO
BN76Xa9ffzoBByzVdnvk2OHuopmJq/eHF+E3s+GFYT6Oxjrez/lEbBvgEmGyXZOZ
aj6XeDnBxOIYRODfnZG99cy2q5WtDLHKuiMogJGO89PWaI2jK1Aq5sa0j55jp2Je
FXbRieKw5CKreCIiNR9MpaffieLgbTcK1BSKjxUZtd7BqJ3x1lvD2jbe7WKqzusZ
btPhFgrDDsgdw27zQokNYBZZaa1LwYZGZgddiAcLcYkilGobA2wLKk6eYz6VnatD
dI4aQx6FkHWvKU0e7s/cUym6Px3vXrC4z6woAztC98XaorPO0pkL73P4dKSjnKYY
rYsqe7BnBGtANf1XaG5Pm8BUWJ9WZAWin6KsJXTo8Nj0G4CRq7dq17LBnCbi9Qmp
Szc2kuPNbrV8PvbTLIXupfZFFj0d9mpaFg==
-----END CERTIFICATE-----

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
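The two failure modes discussed in this thread (a CA accepting a CSR whose self-signature it never checked, and a leaf being issued for a key that already belongs to a trusted root) are both catchable at issuance time. The following is an added example, not code from the thread or from any CA: it builds the two issuance checks with the `cryptography` package (assumed installed) and runs them against three constructed CSRs, one honest, one carrying a root's public key under someone else's signature, and one genuinely signed with the root key. Every key, the root certificate and the name `example.test` are generated or chosen here; nothing is derived from the real WoSign or StartCom material.

```python
"""Added example (not part of the thread or of any CA's code).

Issuance-time checks on a CSR:
  1. proof of possession: the CSR self-signature must verify under the
     public key the CSR itself carries;
  2. key reuse: refuse any leaf whose public key already belongs to a
     trusted root or intermediate, however the CSR was produced.

Assumes the 'cryptography' package. All keys, the root certificate and
the subject name 'example.test' are constructed placeholders.
"""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
SPKI = serialization.PublicFormat.SubjectPublicKeyInfo


def spki_sha256(public_key):
    """Identity of a key independent of whichever certificate wraps it:
    SHA-256 over the DER SubjectPublicKeyInfo."""
    return hashlib.sha256(public_key.public_bytes(DER, SPKI)).hexdigest()


def make_root(key, cn):
    """Self-signed CA certificate standing in for a trusted root."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2016, 12, 15, tzinfo=datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )


def make_csr(key, cn):
    """Honest CSR: embedded public key and self-signature both come from
    `key`, so the requester has proved possession of the private key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())


def with_substituted_key(csr, other_public_key):
    """Constructed negative test input: the SubjectPublicKeyInfo inside the
    CSR is replaced by another key's while the original signature stays.
    RSA-2048/e=65537 SPKIs share one DER length, so the surrounding ASN.1
    still parses; the signature simply no longer matches the named key."""
    der = csr.public_bytes(DER)
    old = csr.public_key().public_bytes(DER, SPKI)
    new = other_public_key.public_bytes(DER, SPKI)
    if old not in der or len(old) != len(new):
        raise ValueError("cannot substitute key without re-encoding the CSR")
    return x509.load_der_x509_csr(der.replace(old, new, 1))


def validate_csr_for_issuance(csr, trusted_ca_spki_hashes):
    """Reasons to refuse issuance; an empty list means the CSR passed."""
    problems = []
    if not csr.is_signature_valid:
        problems.append("self-signature does not verify: no proof of possession")
    if spki_sha256(csr.public_key()) in trusted_ca_spki_hashes:
        problems.append("public key belongs to a trusted CA certificate")
    return problems


def demo():
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subscriber_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = make_root(root_key, "Constructed Root CA")
    trusted = {spki_sha256(root.public_key())}  # from the trust store in practice

    honest = make_csr(subscriber_key, "example.test")
    # Andrew's scenario: a request naming the root's public key but signed
    # by whoever submitted it (here the subscriber key). Both checks fire.
    forged = with_substituted_key(make_csr(subscriber_key, "example.test"), root.public_key())
    # Tavis's scenario: the root's own private key used to sign a server
    # CSR. Proof of possession passes; the key-reuse check still refuses.
    leaked = make_csr(root_key, "example.test")

    return {
        "honest": validate_csr_for_issuance(honest, trusted),
        "forged": validate_csr_for_issuance(forged, trusted),
        "ca_key_reused": validate_csr_for_issuance(leaked, trusted),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'issue' if not problems else '; '.join(problems)}")
```

The key-reuse check is the one that covers both explanations raised in the thread: whether the CSR's signature was forged or the root's private key really was used, a leaf for a key already in the trust store should never leave the CA, and comparing SPKI hashes against the store is cheap enough to run on every request.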

