Certificate signature integrity check

[voodoodiver]

Hi there,

I just came across this thought experiment, and could not find an answer on it in the EJBCA docs, so I hope somebody here could shed some light on it.

When EJBCA has generated a certificate and has signed it using a private key on an HSM, does it do a final integrity check on the signaature (using its issuer's public key) before issuance?

This would be a check against the extremely low probability of 1. a bit flip in a public key in transit from the HSM (after key pair generation), 2. a bit flip of a private key on the HSM, or 3. a bit flip in a signature in transit from the HSM.

Best regards,
Patrick

[mike-agrenius-kushner]

Hi Patrick,

Honestly not sure and I'd have to dig through a ton of code to check – but the scenario is unlikely because:

1. If you can't send a public key to the HSM for signature securely you're in deep crap
2. If something can flip bits in your HSM, then dito
3. Flipping any bit in this scenario would just render the results into garbage.

Cheers,
Mike

[voodoodiver]

Hi Mike,

It is indeed a very unlikely scenario. When building an off-line top-level hierarchy, chances are errors are not immediately noticed. This may even be after a couple of lengthy and costly ceremonies. When doing a risk analysis of this whole process, we came up with this scenario. Remediating this "black swan" risk is very simple of course, so I was curious if any of you ever considered this. If you are not sure, then maybe we should build in a manual check in the ceremony itself.

Best regards,
Patrick

[primetomas]

Here is the code that verifies the cert with the public key before returning it.
https://github.com/Keyfactor/ejbca-ce/blob/main/modules/cesecore-x509ca/src/org/cesecore/certificates/ca/X509CAImpl.java#L1724

[primetomas]

And for the record, it actually has happened once, it was >10 years ago but anyhow. A memory bug in the PKCS#11 driver of one specific HSM caused random (say 1 in 20) ECDSA signatures to return the wrong value. It's very unlikely to happen again, but it has happened.

A benefit of removing the check is of course that it would improve performance slightly, as all signature verifications take some time.

[voodoodiver]

Thanks a ton Tomas for looking into this!

Best regards,
Patrick