openjdk team mailing list archive

[Bug 920758] Re: DigiNotar Root CA still present in ca-certificates-java

 

It appears that the DigiNotar CA cert is still available on precise
(package ca-certificates-java 20110912ubuntu4), except the keystore is
now in /etc/ssl/certs/java/cacerts:


etienne@curst:~$ keytool -v -list -alias diginotar_root_ca -keystore /etc/ssl/certs/java/cacerts
Enter keystore password:  

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Alias name: diginotar_root_ca
Creation date: 11-Apr-2010
Entry type: trustedCertEntry

Owner: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Issuer: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Serial number: c76da9c910c4e2c9efe15d058933c4c
Valid from: Wed May 16 13:19:36 EDT 2007 until: Mon Mar 31 14:19:21 EDT 2025
Certificate fingerprints:
	 MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
	 SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 88 68 BF E0 8E 35 C4 3B   38 6B 62 F7 28 3B 84 81  .h...5.;8kb.(;..
0010: C8 0C D7 4D                                        ...M
]
]

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/920758

Title:
  DigiNotar Root CA still present in ca-certificates-java

Status in “ca-certificates-java” package in Ubuntu:
  New

Bug description:
  Description:	Ubuntu 10.04.3 LTS
  Release:	10.04

  ca-certificates-java:
    Installed: 20100406ubuntu1
    Candidate: 20100406ubuntu1

  The DigiNotar root CA should have been globally purged as part of bug
  #837557. It appears to still be present in this package.

  When running the following command:
      keytool -v -list -alias diginotar_root_ca -keystore /usr/share/ca-certificates-java/cacerts

  The following is returned:
      Alias name: diginotar_root_ca
      Creation date: Apr 11, 2010
      Entry type: trustedCertEntry

      Owner: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar, 
      Issuer: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar
      Serial number: c76da9c910c4e2c9efe15d058933c4c
      Valid from: Wed May 16 10:19:36 PDT 2007 until: Mon Mar 31 11:19:21 PDT
      Certificate fingerprints:
         MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
         SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
         Signature algorithm name: SHA1withRSA
         Version: 3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/920758/+subscriptions
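An added example, not part of the bug report or of ca-certificates-java: the report looks the entry up by alias, which only finds it if the alias is unchanged, so this sketch matches on the SHA1 fingerprint shown above and checks both keystore paths named in the report. The function names, the sample listing and its aliases are constructed for illustration, and the store password is assumed to be the stock cacerts default "changeit".

```shell
#!/bin/sh
# Added example, not from the bug report. The SHA1 value is the fingerprint
# shown in the keytool output above.
DIGINOTAR_SHA1="C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C"

# Read `keytool -v -list` output on stdin and print the alias of every entry
# whose SHA1 fingerprint equals $1 (case and ':' separators are ignored).
aliases_with_sha1() {
    awk -v want="$1" '
        BEGIN { want = toupper(want); gsub(/[^0-9A-F]/, "", want) }
        /^Alias name:/ { alias = $0; sub(/^Alias name:[ \t]*/, "", alias) }
        /^[ \t]*SHA1:/ {
            fp = toupper($0); sub(/^[ \t]*SHA1:/, "", fp)
            gsub(/[^0-9A-F]/, "", fp)
            if (fp == want) print alias
        }'
}

# Print "keystore: alias" for each match in the given keystore files.
# Assumption: the store password is the stock cacerts default, "changeit".
scan_keystores() {
    for ks in "$@"; do
        [ -r "$ks" ] || continue
        keytool -v -list -keystore "$ks" -storepass "${STOREPASS:-changeit}" 2>/dev/null |
            aliases_with_sha1 "$DIGINOTAR_SHA1" | sed "s|^|$ks: |"
    done
}

# Constructed sample in the layout of the output above: the second entry
# carries the DigiNotar fingerprint under a different (made-up) alias.
sample_listing() {
    cat <<'EOF'
Alias name: example_unrelated_ca
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
Alias name: renamed_entry
Certificate fingerprints:
     MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
     SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
EOF
}

# Both keystore locations mentioned in this report.
scan_keystores /etc/ssl/certs/java/cacerts /usr/share/ca-certificates-java/cacerts
```

No output from the final line means neither keystore holds a certificate with that fingerprint (or neither file is readable on this host).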


