
openjdk team mailing list archive

[Bug 920758] Re: DigiNotar Root CA still present in ca-certificates-java


Testing has revealed a whole slew of issues with the way the Debian
packaging attempts to update the java cert store:

bug #1: natty and earlier's ca-certificates-java hook doesn't strip the right filename extension,
        so the DigiNotar cert doesn't get removed from the java store when ca-certificates is
        upgraded.

bug #2: oneiric and later's hook java script uses the full filename as the alias without stripping
        the file extension, as natty and earlier did. In theory, this shouldn't be an issue, as
        the postinst script is supposed to re-import all the certificates. Unfortunately, since
        natty and earlier had certs that aren't included in later releases, such as the DigiNotar
        cert, they will never get removed properly.

bug #3: installing ca-certificates-java after an updated ca-certificates uses the bundled cert
        store, which doesn't have the dangerous cert removed. If the ca-certificates package
        was upgraded, the cert is added to the untrusted list, so ca-certificates-java correctly
        removes it from its bundled store. But, if the ca-certificates package was installed after
        the cert was removed from the package, it does not get added to the untrusted list, so
        installing ca-certificates-java will not remove it from its bundled store.

bug #4: Updating from Natty to Oneiric results in the java store not being upgraded to the new
        alias names because of a java issue: "Could not initialize NSS".

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/920758

Title:
  DigiNotar Root CA still present in ca-certificates-java

Status in “ca-certificates-java” package in Ubuntu:
  New

Bug description:
  Description:	Ubuntu 10.04.3 LTS
  Release:	10.04

  ca-certificates-java:
    Installed: 20100406ubuntu1
    Candidate: 20100406ubuntu1

  The DigiNotar root CA should have been globally purged as part of bug
  #837557. It appears to still be present in this package.

  When running the following command:
      keytool -v -list -alias diginotar_root_ca -keystore /usr/share/ca-certificates-java/cacerts

  The following is returned:
      Alias name: diginotar_root_ca
      Creation date: Apr 11, 2010
      Entry type: trustedCertEntry

      Owner: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar, 
      Issuer: EMAILADDRESS=info@xxxxxxxxxxxx, CN=DigiNotar Root CA, O=DigiNotar
      Serial number: c76da9c910c4e2c9efe15d058933c4c
      Valid from: Wed May 16 10:19:36 PDT 2007 until: Mon Mar 31 11:19:21 PDT
      Certificate fingerprints:
         MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
         SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
         Signature algorithm name: SHA1withRSA
         Version: 3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/920758/+subscriptions
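Bugs #1 to #3 above reduce to one audit question: which aliases in the Java store no longer correspond to any certificate shipped by ca-certificates? The POSIX shell script below is an added example, not from this bug report or the ca-certificates-java package; it assumes the aliases are supplied one per line (for instance the alias column of `keytool -list` run against /usr/share/ca-certificates-java/cacerts) and normalises both the natty-style alias without extension and the oneiric-style alias with extension before comparing them to the ca-certificates file list.

```shell
#!/bin/sh
# Added example: find trust anchors left in a Java keystore after the
# corresponding file was dropped from ca-certificates. Inputs are plain text
# files, one entry per line; the sample data at the bottom is constructed.

# Reduce an alias or certificate path to a comparison key: leading directory
# and a .crt/.pem extension stripped, then lowercased. This makes the
# natty-style alias "diginotar_root_ca", the oneiric-style alias
# "diginotar_root_ca.crt" and the ca-certificates path
# "mozilla/DigiNotar_Root_CA.crt" all map to the same key.
normalize() {
    printf '%s\n' "${1##*/}" | sed -e 's/\.crt$//' -e 's/\.pem$//' \
        | tr '[:upper:]' '[:lower:]'
}

# Print each keystore alias (file $1) whose key matches none of the
# certificate paths listed in file $2. Anything printed is a candidate
# stale anchor that the package hook failed to remove.
stale_aliases() {
    keys=$(while IFS= read -r cert || [ -n "$cert" ]; do
               [ -n "$cert" ] && normalize "$cert"
           done < "$2")
    while IFS= read -r alias || [ -n "$alias" ]; do
        [ -n "$alias" ] || continue
        key=$(normalize "$alias")
        # grep -Fxq: fixed string, whole line, quiet; no match means stale
        printf '%s\n' "$keys" | grep -Fxq -- "$key" || printf '%s\n' "$alias"
    done < "$1"
}

# Constructed demonstration: a keystore that still carries the DigiNotar
# alias (natty naming) plus two current anchors in mixed naming styles,
# checked against a ca-certificates list from which DigiNotar was removed.
demo_dir=$(mktemp -d)
printf '%s\n' diginotar_root_ca example_ca_one.crt example_ca_two \
    > "$demo_dir/aliases"
printf '%s\n' mozilla/Example_CA_One.crt mozilla/Example_CA_Two.crt \
    > "$demo_dir/certs"
echo "Stale aliases:"
stale_aliases "$demo_dir/aliases" "$demo_dir/certs"
rm -rf "$demo_dir"
```

Run against a real store by listing the aliases from keytool and the files under /usr/share/ca-certificates; any alias reported should be removed with `keytool -delete -alias <alias>` only after confirming it is indeed absent from the current ca-certificates package.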
