On Fri, 16 Feb 2018 11:28:41 +0000 Arkadiusz Ławniczak via dev-security-policy <[email protected]> wrote:
> The issue was caused by incorrect calculation of the SHA1 > fingerprint of public key. Public keys hashes stored in Certum's > database was calculated from the Modulo key value with the Modulus > prefix and a line ending character while the value of public > key from CSR was calculated and returned without these additional > characters. So, this is the reason why the calculated fingerprint did > not match the value from Certum's database. Weak keys verification > is tested each time before the new version of the software is > deployed and also periodically as part of the test schedule. > Unfortunately, the database of weak keys that served the tests > contained keys hashes in incorrect formats, the parsed key was also > in an incorrect format. Therefore we could not recognize weak > key in its "original" OpenSSL form. So each test returned false > positives. Thanks for your report Arkadiusz, This is a reminder that just because your unit tests pass, doesn't mean your larger system behaves how you think the unit tests mean it does. If you want to be sure how the whole _system_ behaves (and for a CA we certainly do want that) you're going to need to explicitly test that whole system even if your unit tests are green. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
