openjdk team mailing list archive
Message #07696
[Bug 920758] Re: DigiNotar Root CA still present in ca-certificates-java
Argh, stupid copy & paste...reposting info to get readable layout:
First bug: natty and earlier's ca-certificates-java hook doesn't strip
the right filename extension, so the DigiNotar cert doesn't get removed
from the java store when ca-certificates is upgraded.
Second bug: oneiric and later's hook java script uses full filename as
the alias without stripping the file extension as used in natty and
earlier. In theory, this shouldn't be an issue, as the postinst script
is supposed to re-import all the certificates. Unfortunately, since
natty and earlier had certs that aren't included in later releases, such
as the DigiNotar cert, they will never get removed properly.
Third bug: installing ca-certificates-java after an updated
ca-certificates uses the bundled cert store, which doesn't have the
dangerous cert removed. If the ca-certificates package was upgraded, the
cert is added to the untrusted list, so ca-certificates-java correctly
removes it from its bundled store. But, if the ca-certificates package
was installed after the cert was removed from the package, it does not
get added to the untrusted list, so installing ca-certificates-java will
not remove it from its bundled store.
Fourth bug: Updating from Natty to Oneiric results in the java store not
being upgraded to the new alias names because of a java issue: "Could
not initialize NSS".
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/920758
Title:
DigiNotar Root CA still present in ca-certificates-java
Status in “ca-certificates-java” package in Ubuntu:
New
Bug description:
Description: Ubuntu 10.04.3 LTS
Release: 10.04
ca-certificates-java:
Installed: 20100406ubuntu1
Candidate: 20100406ubuntu1
The DigiNotar root CA should have been globally purged as part of bug
#837557. It appears to still be present in this package.
When running the following command:
keytool -v -list -alias diginotar_root_ca -keystore /usr/share/ca-certificates-java/cacerts
The following is returned:
Alias name: diginotar_root_ca
Creation date: Apr 11, 2010
Entry type: trustedCertEntry
Owner: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar,
Issuer: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar
Serial number: c76da9c910c4e2c9efe15d058933c4c
Valid from: Wed May 16 10:19:36 PDT 2007 until: Mon Mar 31 11:19:21 PDT
Certificate fingerprints:
MD5: 7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
Signature algorithm name: SHA1withRSA
Version: 3
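The first two bugs above turn on the alias name: the natty-era hook stored the cert as "diginotar_root_ca", the later hook keeps the file extension, and a removal keyed on one spelling of the alias misses the other. A check keyed on the SHA1 fingerprint printed in the bug report finds the entry under either alias. The script below is an added example for this thread, not code from the original message or from the ca-certificates-java package: it parses `keytool -v -list` output, reports every alias whose SHA1 fingerprint is on a deny list, and prints the matching `keytool -delete` commands. The listing it parses is a constructed abridgement of keytool output; the second alias "diginotar_root_ca.crt" is an assumed instance of the full-filename alias scheme described in the second bug; the store password "changeit" is assumed to be the ca-certificates-java default.

```shell
#!/bin/sh
# Deny list of SHA1 fingerprints (whitespace separated). The value below is the
# DigiNotar Root CA fingerprint quoted in the bug report.
DENIED_SHA1='C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C'

# Constructed sample of `keytool -v -list` output (abridged). The same cert
# appears twice: under the natty-era alias and under an assumed full-filename
# alias of the kind the oneiric hook produces. A third, benign entry is included
# so the filter has something to leave alone.
SAMPLE_LISTING='Alias name: diginotar_root_ca
Creation date: Apr 11, 2010
Entry type: trustedCertEntry
Owner: CN=DigiNotar Root CA, O=DigiNotar
Certificate fingerprints:
   MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
   SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C

Alias name: diginotar_root_ca.crt
Entry type: trustedCertEntry
Owner: CN=DigiNotar Root CA, O=DigiNotar
Certificate fingerprints:
   MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
   SHA1: c0:60:ed:44:cb:d8:81:bd:0e:f8:6c:0b:a2:87:dd:cf:81:67:47:8c

Alias name: example_benign_ca
Entry type: trustedCertEntry
Owner: CN=Example Benign CA, O=Example
Certificate fingerprints:
   MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
   SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# find_denied_aliases: read keytool -v -list output on stdin and print the alias
# of every entry whose SHA1 fingerprint is in $DENIED_SHA1. The match is on the
# fingerprint, so it is independent of how the hook spelled the alias.
find_denied_aliases() {
    awk -v denied="$DENIED_SHA1" '
        BEGIN {
            n = split(denied, d, " ")
            for (i = 1; i <= n; i++) bad[toupper(d[i])] = 1
        }
        /^Alias name:/ { alias = $0; sub(/^Alias name:[ \t]*/, "", alias) }
        /^[ \t]*SHA1:/ { if (toupper($2) in bad) print alias }
    '
}

# purge_commands KEYSTORE: read keytool -v -list output on stdin and print one
# `keytool -delete` line per denied alias. Printing rather than executing lets
# an operator review the list before touching the store.
purge_commands() {
    keystore="$1"
    find_denied_aliases | while IFS= read -r alias; do
        printf "keytool -delete -alias '%s' -keystore '%s' -storepass changeit\n" \
            "$alias" "$keystore"
    done
}

# Usage against a real store (assumed default password "changeit"):
#   keytool -v -list -keystore /usr/share/ca-certificates-java/cacerts \
#       -storepass changeit | purge_commands /usr/share/ca-certificates-java/cacerts
#
# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_LISTING" | purge_commands /usr/share/ca-certificates-java/cacerts
```

The fingerprint comparison is case-insensitive because keytool versions differ in how they print hex, and the deny list can be extended with any other fingerprint that ca-certificates has moved to its untrusted list.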