DigiNotar Root CA still present in ca-certificates-java

Bug #920758 reported by Brandon Gilmore on 2012-01-24
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates-java (Ubuntu)
Undecided
Marc Deslauriers
Lucid
Undecided
Marc Deslauriers
Maverick
Undecided
Marc Deslauriers
Natty
Undecided
Unassigned
Oneiric
Undecided
Marc Deslauriers
Precise
Undecided
Marc Deslauriers

Bug Description

Description: Ubuntu 10.04.3 LTS
Release: 10.04

ca-certificates-java:
  Installed: 20100406ubuntu1
  Candidate: 20100406ubuntu1

The DigiNotar root CA should have been globally purged as part of bug #837557. It appears to still be present in this package.

When running the following command:
    keytool -v -list -alias diginotar_root_ca -keystore /usr/share/ca-certificates-java/cacerts

The following is returned:
    Alias name: diginotar_root_ca
    Creation date: Apr 11, 2010
    Entry type: trustedCertEntry

    Owner: <email address hidden>, CN=DigiNotar Root CA, O=DigiNotar,
    Issuer: <email address hidden>, CN=DigiNotar Root CA, O=DigiNotar
    Serial number: c76da9c910c4e2c9efe15d058933c4c
    Valid from: Wed May 16 10:19:36 PDT 2007 until: Mon Mar 31 11:19:21 PDT
    Certificate fingerprints:
       MD5: 7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
       SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
       Signature algorithm name: SHA1withRSA
       Version: 3

description: updated

It appears that the DigiNotar CA cert is still available on precise (package ca-certificates-java 20110912ubuntu4), except the keystore is now in /etc/ssl/certs/java/cacerts:

etienne@curst:~$ keytool -v -list -alias diginotar_root_ca -keystore /etc/ssl/certs/java/cacerts
Enter keystore password:

***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************

Alias name: diginotar_root_ca
Creation date: 11-Apr-2010
Entry type: trustedCertEntry

Owner: <email address hidden>, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Issuer: <email address hidden>, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Serial number: c76da9c910c4e2c9efe15d058933c4c
Valid from: Wed May 16 13:19:36 EDT 2007 until: Mon Mar 31 14:19:21 EDT 2025
Certificate fingerprints:
  MD5: 7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
  SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
  Signature algorithm name: SHA1withRSA
  Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 88 68 BF E0 8E 35 C4 3B 38 6B 62 F7 28 3B 84 81 .h...5.;8kb.(;..
0010: C8 0C D7 4D ...M
]
]

Changed in ca-certificates-java (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

Testing has revealed a whole slew of issues with the way the debian packaging attemps to update the java cert store:

bug #1: natty and earlier's ca-certificates-java hook doesn't strip the right filename extension,
        so the DigiNotar cert doesn't get removed from the java store when ca-certificates is
        upgraded.

bug #2: oneiric and later's hook java script uses full filename as the alias without stripping
        the file extension as used in natty and earlier. In theory, this shouldn't be an issue, as
        the postinst script is supposed to re-import all the certificates. Unfortunately, since
        natty and earlier had certs that aren't included in later releases, such as the DigiNotar
        cert, they will never get removed properly.

bug #3: installing ca-certificates-java after an updated ca-certificates uses the bundled cert
        store, which doesn't have the dangerous cert removed. If the ca-certificates package
        was upgraded, cert is added to untrusted list, so ca-certificates-java correctly removes
        it from its bundled store. But, if the ca-certificates package was installed after the cert
        was removed from the package, it does not get added to the untrusted list, so installing
        ca-certificates-java will not remove it from its bundled store.

bug #4: Updating from Natty to Oneiric results in the java store not being upgraded to the new
        alias names because of a java issue: "Could not initialize NSS".

Marc Deslauriers (mdeslaur) wrote :

Argh, stupid copy & paste...reposting info to get readable layout:

First bug: natty and earlier's ca-certificates-java hook doesn't strip the right filename extension, so the DigiNotar cert doesn't get removed from the java store when ca-certificates is upgraded.

Second bug: oneiric and later's hook java script uses full filename as the alias without stripping the file extension as used in natty and earlier. In theory, this shouldn't be an issue, as the postinst script is supposed to re-import all the certificates. Unfortunately, since natty and earlier had certs that aren't included in later releases, such as the DigiNotar cert, they will never get removed properly.

Third bug: installing ca-certificates-java after an updated ca-certificates uses the bundled cert store, which doesn't have the dangerous cert removed. If the ca-certificates package was upgraded, cert is added to untrusted list, so ca-certificates-java correctly removes it from its bundled store. But, if the ca-certificates package was installed after the cert was removed from the package, it does not get added to the untrusted list, so installing ca-certificates-java will not remove it from its bundled store.

Fourth bug: Updating from Natty to Oneiric results in the java store not being upgraded to the new alias names because of a java issue: "Could not initialize NSS".

Changed in ca-certificates-java (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates-java (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates-java (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates-java (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates-java (Ubuntu Lucid):
status: New → Confirmed
Changed in ca-certificates-java (Ubuntu Maverick):
status: New → Confirmed
Changed in ca-certificates-java (Ubuntu Natty):
status: New → Confirmed
Changed in ca-certificates-java (Ubuntu Oneiric):
status: New → Confirmed
Changed in ca-certificates-java (Ubuntu Precise):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates-java - 20110912ubuntu5

---------------
ca-certificates-java (20110912ubuntu5) precise; urgency=low

  * debian/preinst, debian/postinst: remove the 20110912ubuntu1 work-around
    since it is no longer needed.
  * debian/postinst: don't put a symlink in / if jvm doesn't contain nss
    configuration.
  * debian/postinst: force migration to new alias names again. The
    migration was supposed to occur on upgrades to Oneiric, but failed
    because of an NSS error.
  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
 -- Marc Deslauriers <email address hidden> Thu, 22 Mar 2012 08:59:17 -0400

Changed in ca-certificates-java (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates-java - 20110912ubuntu3.1

---------------
ca-certificates-java (20110912ubuntu3.1) oneiric-security; urgency=low

  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/postinst: don't put a symlink in / if jvm doesn't contain nss
    configuration.
  * debian/postinst: bump version on upgrade test so we properly update
    natty ca-certificates-java security updates.
 -- Marc Deslauriers <email address hidden> Fri, 23 Mar 2012 10:30:03 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates-java - 20100412ubuntu0.11.04.1

---------------
ca-certificates-java (20100412ubuntu0.11.04.1) natty-security; urgency=low

  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/jks-keystore.hook: properly strip .pem extension from aliases.
    Also, look up and remove old incorrect aliases if necessary.
  * debian/control: bump ca-certificates Build-Depends to latest security
    update to make sure we don't bundle old certificates.
 -- Marc Deslauriers <email address hidden> Fri, 23 Mar 2012 09:51:16 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates-java - 20100412ubuntu0.10.10.1

---------------
ca-certificates-java (20100412ubuntu0.10.10.1) maverick-security; urgency=low

  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/jks-keystore.hook: properly strip .pem extension from aliases.
    Also, look up and remove old incorrect aliases if necessary.
  * debian/control: bump ca-certificates Build-Depends to latest security
    update to make sure we don't bundle old certificates.
 -- Marc Deslauriers <email address hidden> Fri, 23 Mar 2012 09:51:16 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates-java - 20100406ubuntu1.1

---------------
ca-certificates-java (20100406ubuntu1.1) lucid-security; urgency=low

  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/jks-keystore.hook: properly strip .pem extension from aliases.
    Also, look up and remove old incorrect aliases if necessary.
  * debian/control: bump ca-certificates Build-Depends to latest security
    update to make sure we don't bundle old certificates.
 -- Marc Deslauriers <email address hidden> Fri, 23 Mar 2012 08:32:58 -0400

Changed in ca-certificates-java (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in ca-certificates-java (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in ca-certificates-java (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in ca-certificates-java (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in ca-certificates-java (Ubuntu Natty):
assignee: Marc Deslauriers (mdeslaur) → nobody
assignee: nobody → martincloutier (martincloutier)
assignee: martincloutier (martincloutier) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers