openjdk team mailing list archive

Thread
Date
[Bug 566317] Re: Lucid openjdk cannot verify applet signature (certificate chain not rebuilt)

To: openjdk@xxxxxxxxxxxxxxxxxxx
From: Andrey Vihrov <566317@xxxxxxxxxxxxxxxxxx>
Date: Sat, 13 Apr 2013 15:46:27 -0000
Reply-to: Bug 566317 <566317@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This also happens with the TopCoder arena applet
(http://community.topcoder.com/contest/arena/ContestAppletProd.jnlp),
version 7.0.3. The "VeriSign Class 3 Public Primary Certification
Authority - G5" certificate is /etc/ssl/certs/java/cacerts, yet OpenJDK
can't verify the applet's signature against it.

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/566317

Title:
  Lucid openjdk cannot verify applet signature (certificate chain not
  rebuilt)

Status in Iced Tea:
  New
Status in “ca-certificates-java” package in Ubuntu:
  Confirmed
Status in “icedtea-web” package in Ubuntu:
  Confirmed
Status in “openjdk-6” package in Ubuntu:
  Confirmed

Bug description:
  1.) $ lsb_release -rd
  Description:    Ubuntu lucid (development branch)
  Release:        10.04

  
  2.) $ apt-cache policy openjdk-6-jre
  openjdk-6-jre:
    Installed: 6b18-1.8-0ubuntu1
    Candidate: 6b18-1.8-0ubuntu1
    Version table:
   *** 6b18-1.8-0ubuntu1 0
          500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
  $ apt-cache policy openjdk-6-jre-headless
  openjdk-6-jre-headless:
    Installed: 6b18-1.8-0ubuntu1
    Candidate: 6b18-1.8-0ubuntu1
    Version table:
   *** 6b18-1.8-0ubuntu1 0
          500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
  $ apt-cache policy openjdk-6-jre-lib
  openjdk-6-jre-lib:
    Installed: 6b18-1.8-0ubuntu1
    Candidate: 6b18-1.8-0ubuntu1
    Version table:
   *** 6b18-1.8-0ubuntu1 0
          500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
  $ apt-cache policy icedtea6-plugin
  icedtea6-plugin:
    Installed: 6b18-1.8-0ubuntu1
    Candidate: 6b18-1.8-0ubuntu1
    Version table:
   *** 6b18-1.8-0ubuntu1 0
          500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
  $ apt-cache policy firefox
  firefox:
    Installed: 3.6.3+nobinonly-0ubuntu3
    Candidate: 3.6.3+nobinonly-0ubuntu3
    Version table:
   *** 3.6.3+nobinonly-0ubuntu3 0
          500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status

  3.) What I expected

       a.) Go to https://www.sampopankki.fi in Firefox
       b.) Click on Union Jack to change language (optional, same problem occurs also in Finnish)
       c.) Click on "Log on to eBanking" 
       d.) a warning appears and states that the applet signature has been verified (Verisign Class 3 Code signing certificate should be built in and trusted)

  This works as expected with sun-jre in both intrepid and jaunty (don't
  have karmic handy)

  
  4.) What happened 

  Java dialog appears "The application signature cannot be verified."

  The certificate is signed by:

  Version 3 
  Serial 134678584529721923331408176609551902556 
  Signature Algorithm SHA1withRSA 
  Issuer OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US 
  Validity Validity: [From: Thu May 21 03:00:00 EEST 2009,
                 To: Tue May 21 02:59:59 EEST 2019] 
  Subject CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 
  Signature 0000: 8B 03 C0 DD 94 D8 41 A2   61 69 B0 15 A8 78 C7 30  ......A.ai...x.0
  0010: C6 90 3C 7E 42 F7 24 B6   E4 83 73 17 04 7F 04 10  ..<.B.$...s.....
  0020: 9C A1 E2 FA 81 2F EB C0   CA 44 E7 72 E0 50 B6 55  ...../...D.r.P.U
  0030: 10 20 83 6E 96 92 E4 9A   51 6A B4 37 31 DC A5 2D  . .n....Qj.71..-
  0040: EB 8C 00 C7 1D 4F E7 4D   32 BA 85 F8 4E BE FA 67  .....O.M2...N..g
  0050: 55 65 F0 6A BE 7A CA 64   38 1A 10 10 78 45 76 31  Ue.j.z.d8...xEv1
  0060: F3 86 7A 03 0F 60 C2 B3   5D 9D F6 8B 66 76 82 1B  ..z..`..]...fv..
  0070: 59 E1 83 E5 BD 49 A5 38   56 E5 DE 41 77 0E 58 0F  Y....I.8V..Aw.X.
   
  MD5 Fingerprint 56:10:5F:6D:97:18:DE:7F:83:52:1E:3A:40:F8:68:AF 
  SHA1 Fingerprint 12:D4:87:2B:C3:EF:01:9E:7E:0B:6F:13:24:80:AE:29:DB:5B:1C:A3
  --- 
  Architecture: i386
  DistroRelease: Ubuntu 10.10
  InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release Candidate i386 (20100928)
  Package: openjdk-6
  PackageArchitecture: all
  ProcEnviron:
   LANG=en_US.utf8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
  Tags: maverick
  Uname: Linux 2.6.35-22-generic i686
  UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

To manage notifications about this bug go to:
https://bugs.launchpad.net/icedtea/+bug/566317/+subscriptions
References

[Bug 566317] [NEW] Lucid openjdk/icedtea cannot verify applet signature
From: Uwe Geuder, 2010-04-18