View Issue Details

ID: 0007509
Project: Compliance Test Tool (CTT) Unified Architecture
Category: 5 - General Problem
View Status: public
Last Update: 2022-01-29 14:27
Reporter: Martin Regen
Assigned To: Alexander Allmendinger
Priority: normal
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.04.09.398
Fixed in Version: 1.03.341.401
Summary: 0007509: CTT creates Root CA certs with serial number 0, not accepted by Windows as valid Root CA
Description

The CTT creates root CA and sub CA certificates with serial number 0. The chain is not accepted by the Windows X509Chain validator, which causes e.g. test 02 to fail with a BadCertificateInvalid error.
The serial number of a certificate shall be a positive number according to RFC 5280.
Nowadays a serial number of 8 bytes created by a cryptographically secure RNG is required for PKI usage.
More info below; the serial number is used as an entropy source to secure the certificate hash, so the CTT should use proper serial numbers as soon as possible.

https://cabforum.org/2016/03/31/ballot-164/

some explanation here:
https://www.microsec.hu/en/pki-blog/serial-number-entropy-certificates

Steps To Reproduce

Load a cert chain with 3 members into the Windows user store, e.g. as in the picture below. Check the cert chain: the root cert is disconnected from the sub CA. With the simple fix in the script, all is good.
Fix in the script:
Replace all occurrences of

echo 00 >"%G_CA_SERIAL_NUMBER_LOCATION%"

with

openssl rand -hex 16 > "%G_CA_SERIAL_NUMBER_LOCATION%"

Additional Information

see picture of cert chain before and after

TagsNo tags attached.
Attached Files
image.png (56,332 bytes)
image-2.png (164,462 bytes)
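A check a practitioner can run against the certificates the CTT emits, as an added example that is not part of the CTT or of this bug report. It uses only the Python standard library and parses just the DER prefix of a certificate (outer SEQUENCE, TBSCertificate SEQUENCE, optional [0] version, serialNumber INTEGER), which is all that is needed to apply the RFC 5280 rule (positive, at most 20 octets) and the CA/B Forum Ballot 164 rule (at least 64 bits of CSPRNG output). The two certificate fragments are constructed inline and truncated right after the serial number. The new_serial_hex helper is an assumption of this example, not a CTT script: it writes the same kind of value as `openssl rand -hex 16` into the CA serial file, but additionally pins the top two bits so the serial is always a positive 16-octet INTEGER.

```python
"""Check X.509 serial numbers against RFC 5280 and CA/B Forum Ballot 164.

Added example (not CTT code). Stdlib only; parses just enough DER to reach
tbsCertificate.serialNumber and deliberately stops there.
"""
import secrets

MAX_SERIAL_OCTETS = 20   # RFC 5280 4.1.2.2: serial encoding at most 20 octets
MIN_ENTROPY_BITS = 64    # CA/B Forum Ballot 164: >= 64 bits of CSPRNG output


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length: 0x8N + N length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, start, start + length


def extract_serial(cert_der: bytes) -> bytes:
    """Return the raw content octets of the serialNumber INTEGER of a DER certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, start, _ = _read_tlv(cert_der, start)        # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(cert_der, start)
    if tag == 0xA0:                                   # [0] EXPLICIT version is optional (absent in v1)
        tag, vstart, vend = _read_tlv(cert_der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return cert_der[vstart:vend]


def check_serial(content: bytes) -> list:
    """Return the list of problems with a serial's DER content octets; empty means acceptable."""
    problems = []
    value = int.from_bytes(content, "big", signed=True)   # DER INTEGER is two's complement
    if value <= 0:
        problems.append("serial must be a positive integer (RFC 5280 4.1.2.2)")
    if len(content) > MAX_SERIAL_OCTETS:
        problems.append("serial encoding exceeds 20 octets (RFC 5280 4.1.2.2)")
    # 64 bits of CSPRNG output cannot fit in fewer than 8 significant octets.
    if value > 0 and len(content.lstrip(b"\x00")) < MIN_ENTROPY_BITS // 8:
        problems.append("serial too short to carry 64 bits of entropy (CA/B Forum Ballot 164)")
    return problems


def new_serial_hex(nbytes: int = 16) -> str:
    """Hex string for an OpenSSL CA serial file: nbytes of CSPRNG output.

    Assumption of this example: the top bit is cleared so the DER INTEGER is
    positive without a leading 0x00 octet, and the next bit is set so the value
    always occupies exactly nbytes octets.
    """
    raw = bytearray(secrets.token_bytes(nbytes))
    raw[0] = (raw[0] & 0x7F) | 0x40
    return raw.hex()


# Constructed sample inputs (not real CTT certificates): DER prefixes truncated
# after serialNumber, with lengths computed for the truncated content.
# v3 certificate with serial 0, as the unfixed CTT script produced it.
CERT_SERIAL_ZERO = bytes.fromhex("300a" "3008" "a003020102" "020100")
# v3 certificate with a 16-octet random serial, as after the fix.
CERT_SERIAL_RANDOM = bytes.fromhex(
    "3019" "3017" "a003020102" "0210" "4c9f2e0b7d13a6e55b0c82f1d4e7a9c3"
)
# v1 certificate (no version field) with serial 256.
CERT_V1_SERIAL_256 = bytes.fromhex("3006" "3004" "02020100")


if __name__ == "__main__":
    for name, der in [("serial 0", CERT_SERIAL_ZERO), ("random serial", CERT_SERIAL_RANDOM),
                      ("v1 serial 256", CERT_V1_SERIAL_256)]:
        print(name, extract_serial(der).hex(), check_serial(extract_serial(der)) or "OK")
    print("fresh serial file value:", new_serial_hex())
```

On a real certificate, run extract_serial over the DER bytes of each chain member (for PEM input, base64-decode the body between the BEGIN/END lines first); a serial of 0 reports the RFC 5280 violation that makes Windows drop the root from the chain.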
Files Affected

Activities

Alexander Allmendinger

2022-01-03 11:23

developer   ~0015656

Last edited: 2022-01-29 14:26

Verified the requirements for the serial number in the certificates, which are correct.
The proposed fix looks good and works fine. Therefore fixed as suggested.

Paul Hunkar

2022-01-29 14:27

administrator   ~0015891

Reviewed in an extra call, agreed and closed.

Issue History

Date Modified Username Field Change
2021-12-31 17:10 Martin Regen New Issue
2021-12-31 17:10 Martin Regen File Added: image.png
2021-12-31 17:10 Martin Regen File Added: image-2.png
2022-01-03 11:23 Alexander Allmendinger Assigned To => Alexander Allmendinger
2022-01-03 11:23 Alexander Allmendinger Status new => resolved
2022-01-03 11:23 Alexander Allmendinger Resolution open => fixed
2022-01-03 11:23 Alexander Allmendinger Fixed in Version => 1.03.341.401
2022-01-03 11:23 Alexander Allmendinger Note Added: 0015656
2022-01-04 06:28 Paul Hunkar Description Updated
2022-01-04 06:28 Paul Hunkar Steps to Reproduce Updated
2022-01-29 14:26 Paul Hunkar Note Edited: 0015656
2022-01-29 14:27 Paul Hunkar Status resolved => closed
2022-01-29 14:27 Paul Hunkar Note Added: 0015891