On Sun, 18 May 2025 11:21:38 +0200 Hanno Böck <[email protected]> wrote:
> Hi, > > I noticed an odd certificate in the CT logs: > https://crt.sh/?id=18465123083 > > This certificate just expired (May 17), and was issued in 2015. > It showed in in a CT logs (Google's argon2025h1) yesterday. > > I noticed that this certificate could not be parsed with Python > Cryptography (ValueError: error parsing asn1 value: ParseError { kind: > ExtraData, location: ["Certificate::signature_alg"] }). > zlint complains about e_cert_sig_alg_not_match_tbs_sig_alg. > Lookint at the asn1 data with der2ascii, it looks there's some value > behind the signature algorithm OID where there should just be a NULL: > SEQUENCE { > # sha384WithRSAEncryption > OBJECT_IDENTIFIER { 1.2.840.113549.1.1.12 } > `00132c000000020000000000000000000000000000` > } > > This certificate appears to be largely identical to this one > https://crt.sh/?q=821cc55ce7ec5c74febb42f624eb6a36c478215a31ed67e3cf723a67e8c75eba > just with some encoding errors. > > I don't really know what happened here, and whether it is something to > worry about. It looks like possibly a data corruption issue Hi Hanno, The TBSCertificate portion of this certificate is identical to the other one you found. Someone (not necessarily the CA) changed the unsigned signatureAlgorithm field such that it no longer matches the signatureAlgorithm in the TBSCertificate. It was accepted by the CT log due to a bug in Trillian which I reported nearly 5 years ago <https://github.com/google/certificate-transparency-go/issues/699>. Inexplicably, the bug remains unfixed, despite this being a trivial spam vector and a patch being available. Regards, Andrew -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20250518080231.303f485d8e52590908314d5d%40andrewayer.name.
