The tbs_certificate in the MerkleTreeLeaf of entry 65051339 in Nessie


2024 does not match the pre_certificate of the PrecertChainEntry.


Removing the signature and poison extension from the precertificate


yields a TBSCertificate which differs by one bit from the


tbs_certificate in the MerkleTreeLeaf.

The flipped bit is in the SubjectPublicKeyInfo. Here’s the


SubjectPublicKeyInfo from the MerkleTreeLeaf, where byte 0x32 is 0x92:

00000000: 3059 3013 0607 2a86 48ce 3d02 0106 082a 0Y0…*.H.=….*


00000010: 8648 ce3d 0301 0703 4200 0439 db62 c459 .H.=….B..9.b.Y


00000020: 9765 e13b 799d c2fa 4239 b910 eafc e8e4 .e.;y…B9……


00000030: 9126 9284 546f 555c 0ba6 6d3b 5f1e 923b .&..ToU..m;_..;


00000040: 908d 0b42 53c1 0d1a 2347 7e2b acf9 a764 …BS…#G~+…d


00000050: 7a76 edc3 2f4c aef0 66c3 72 zv../L..f.r

Here’s the SubjectPublicKeyInfo from the PrecertChainEntry, where byte


0x32 is 0x93:

00000000: 3059 3013 0607 2a86 48ce 3d02 0106 082a 0Y0…*.H.=….*


00000010: 8648 ce3d 0301 0703 4200 0439 db62 c459 .H.=….B..9.b.Y


00000020: 9765 e13b 799d c2fa 4239 b910 eafc e8e4 .e.;y…B9……


00000030: 9126 9384 546f 555c 0ba6 6d3b 5f1e 923b .&..ToU..m;_..;


00000040: 908d 0b42 53c1 0d1a 2347 7e2b acf9 a764 …BS…#G~+…d


00000050: 7a76 edc3 2f4c aef0 66c3 72 zv../L..f.r

Unfortunately, it is not possible for the log to recover from this.


Modifying the MerkleTreeLeaf to match the PrecertChainEntry would


result in a different tree head that wouldn’t match already-signed


STHs. Modifying the PrecertChainEntry to match the MerkleTreeLeaf


would render the PrecertChainEntry invalid because the


precertificate_chain would no longer certify the precertificate.

Regards,


Andrew

Read More