
openjdk team mailing list archive

[Bug 920758] Re: DigiNotar Root CA still present in ca-certificates-java


Argh, stupid copy & paste...reposting info to get readable layout:

First bug: natty and earlier's ca-certificates-java hook doesn't strip
the right filename extension, so the DigiNotar cert doesn't get removed
from the java store when ca-certificates is upgraded.

Second bug: oneiric and later's hook java script uses full filename as
the alias without stripping the file extension as used in natty and
earlier. In theory, this shouldn't be an issue, as the postinst script
is supposed to re-import all the certificates. Unfortunately, since
natty and earlier had certs that aren't included in later releases, such
as the DigiNotar cert, they will never get removed properly.

Third bug: installing ca-certificates-java after an updated
ca-certificates uses the bundled cert store, which doesn't have the
dangerous cert removed. If the ca-certificates package was upgraded,
cert is added to untrusted list, so ca-certificates-java correctly
removes it from its bundled store. But, if the ca-certificates package
was installed after the cert was removed from the package, it does not
get added to the untrusted list, so installing ca-certificates-java will
not remove it from its bundled store.

Fourth bug: updating from Natty to Oneiric results in the java store not
being upgraded to the new alias names because of a java issue: "Could
not initialize NSS".

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/920758

Title:
  DigiNotar Root CA still present in ca-certificates-java

Status in “ca-certificates-java” package in Ubuntu:
  New

Bug description:
  Description:	Ubuntu 10.04.3 LTS
  Release:	10.04

  ca-certificates-java:
    Installed: 20100406ubuntu1
    Candidate: 20100406ubuntu1

  The DigiNotar root CA should have been globally purged as part of bug
  #837557. It appears to still be present in this package.

  When running the following command:
      keytool -v -list -alias diginotar_root_ca -keystore /usr/share/ca-certificates-java/cacerts

  The following is returned:
      Alias name: diginotar_root_ca
      Creation date: Apr 11, 2010
      Entry type: trustedCertEntry

      Owner: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar, 
      Issuer: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar
      Serial number: c76da9c910c4e2c9efe15d058933c4c
      Valid from: Wed May 16 10:19:36 PDT 2007 until: Mon Mar 31 11:19:21 PDT
      Certificate fingerprints:
         MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
         SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
         Signature algorithm name: SHA1withRSA
         Version: 3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/920758/+subscriptions
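The second bug above is an alias-naming mismatch between releases: a keystore populated under natty's naming (filename with the extension stripped) is later "cleaned" by a hook that derives aliases from the full filename, so the delete step looks for an alias that was never created and the revoked root stays trusted. The following is an added illustration, not the ca-certificates-java hook's own code; it models the keystore as a dict and takes only the two alias rules from the comment, while the cert file names, the `BEFORE`/`AFTER` lists and the `stale_aliases` audit are constructed assumptions for the example.

```python
"""Simulation of the alias mismatch between natty- and oneiric-style hooks.

Added example, not the package's own hook code. Only the two alias rules
(natty: extension stripped; oneiric: full filename) come from the bug
comment. The keystore model, file names and the audit check are constructed.
"""
import os

# Constructed sample: cert files ca-certificates shipped before and after a
# root was pulled from the package. Paths are illustrative, not real bundle paths.
BEFORE = ["mozilla/DigiNotar_Root_CA.crt", "mozilla/Example_Root_CA.crt"]
AFTER = ["mozilla/Example_Root_CA.crt"]


def alias_natty(path):
    """natty and earlier: basename with its extension stripped, lower-cased."""
    stem, _ext = os.path.splitext(os.path.basename(path))
    return stem.lower()


def alias_oneiric(path):
    """oneiric and later: the full basename is the alias, extension kept."""
    return os.path.basename(path).lower()


def build_store(cert_files, alias_fn):
    """Model the Java keystore as {alias: source file}."""
    return {alias_fn(p): p for p in cert_files}


def apply_update(store, old_files, new_files, alias_fn):
    """Model the hook run on a ca-certificates upgrade: delete the alias of
    every file that disappeared, import every file that appeared.
    Returns the aliases the hook tried to delete but could not find (this is
    where a 'keytool -delete' of a non-existent alias silently misses)."""
    removed = set(old_files) - set(new_files)
    added = set(new_files) - set(old_files)
    missed = set()
    for path in removed:
        alias = alias_fn(path)
        if alias in store:
            del store[alias]
        else:
            missed.add(alias)
    for path in added:
        store[alias_fn(path)] = path
    return missed


def stale_aliases(store, current_files):
    """Defender's check: aliases in the store that no currently shipped cert
    file maps to under either naming scheme. These are trust anchors the
    distro no longer ships but the JVM would still trust."""
    live = {alias_natty(p) for p in current_files}
    live |= {alias_oneiric(p) for p in current_files}
    return sorted(a for a in store if a not in live)


def demo():
    """Store populated on natty, then the hook runs with oneiric's naming."""
    store = build_store(BEFORE, alias_natty)
    missed = apply_update(store, BEFORE, AFTER, alias_oneiric)
    return store, missed, stale_aliases(store, AFTER)


if __name__ == "__main__":
    store, missed, stale = demo()
    print("store after upgrade:", sorted(store))
    print("aliases the hook failed to delete:", sorted(missed))
    print("stale aliases still trusted:", stale)
```

Running `demo()` shows the failure mode: the hook attempts to delete `diginotar_root_ca.crt`, which does not exist, while `diginotar_root_ca` remains in the store; the `stale_aliases` audit is the kind of check that catches the leftover regardless of which naming scheme created it. Running the same update with `alias_natty` on both sides removes the entry cleanly. On a real system the equivalent audit is to list the aliases in `/usr/share/ca-certificates-java/cacerts` with `keytool -list` and compare them against the files the current ca-certificates package ships.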
