Missing: /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt

Bug #1721712 reported by mrw on 2017-10-06
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Undecided
Unassigned

Bug Description

Version: ca-certificates 20170717~16.04.1

Please add /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt back again as soon as possible.

File /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt is missing in ca-certificates, even though after everything I found it should be there. AFAIK there is no reason for removing it (and I work for SwissSign, so I should know if it were so).

apt-file search reports that it should be there

$ apt-file search SwissSign
ca-certificates: /usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt
ca-certificates: /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt
ca-certificates: /usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt

but in fact it is not:

marc@dev0001:~/svn/websites/plugins$ lsb_release -d
Description: Ubuntu 16.04.3 LTS
marc@dev0001:~/svn/websites/plugins$ dpkg -L ca-certificates | grep SwissSign
/usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt
marc@dev0001:~/svn/websites/plugins$

in both, Ubuntu 14.04 und 16.04:

$ dpkg -S *SwissSign*
ca-certificates: /usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt
ca-certificates: /usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt

→ Platinum is missing!

Install old version:

sudo apt-get install --reinstall ca-certificates=20130906ubuntu2

$ dpkg -S SwissSign
ca-certificates: /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-
_G2.crt
ca-certificates: /usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt
ca-certificates: /usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt

→ Platinum is back again!

mrw (marc-waeckerlin) wrote :
Download full text (5.5 KiB)

According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858064 it has been removed when all 1024-bit root certificates have been removed, but this certificate is 4096bit, so it is obviously a mistake:

$ openssl x509 -in /usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:b2:00:67:0c:03:5d:4f
    Signature Algorithm: sha1WithRSAEncryption| grep "RSA Public Key"
        Issuer: C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2
        Validity
            Not Before: Oct 25 08:36:00 2006 GMT
            Not After : Oct 25 08:36:00 2036 GMT
        Subject: C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ca:df:a2:02:e2:da:f8:fc:07:16:b1:de:60:aa:
                    de:96:5c:64:1f:c7:2f:7e:cf:67:fa:44:42:d6:76:
                    63:95:ae:eb:af:72:20:8a:45:47:86:62:78:86:d6:
                    20:39:26:f4:ae:a3:fd:23:e7:a5:9c:b5:22:21:19:
                    b7:37:93:22:c0:50:9c:82:7b:d4:d5:04:44:5c:cb:
                    b4:c2:9f:92:be:24:d8:7b:67:22:e2:69:5f:e5:05:
                    78:d4:87:d9:71:70:33:25:53:b4:87:3b:29:90:28:
                    36:9a:55:44:30:68:a4:83:97:7f:0d:1e:9c:76:ff:
                    15:9d:60:97:00:8d:8a:85:03:ec:80:be:ea:2c:6e:
                    10:51:92:cc:7e:d5:a3:33:d8:d6:49:de:58:2a:af:
                    f6:16:eb:4b:7b:90:32:97:b9:ba:9d:58:f1:f8:57:
                    49:04:1e:a2:5d:06:70:dd:71:db:f9:dd:8b:9a:1b:
                    8c:cf:3d:a3:4d:ce:cb:7c:f6:bb:9c:a0:fa:09:ce:
                    23:62:b2:e9:0d:1f:e2:72:28:8f:9f:ac:68:20:7d:
                    6f:3b:a8:85:31:09:7f:0b:c7:e8:65:e9:e3:78:0e:
                    09:67:30:8b:34:82:fb:5d:e0:cc:9d:81:6d:62:ee:
                    08:1e:04:2c:4e:9b:ec:fe:a9:4f:5f:fd:69:78:ef:
                    09:1f:a1:b4:bf:fa:f3:ef:90:1e:4c:05:8b:1e:ea:
                    7a:91:7a:c3:d7:e5:fb:30:bc:6c:1b:10:58:98:f7:
                    1a:5f:d0:29:32:03:13:46:4d:61:6a:85:4c:52:74:
                    2f:06:1f:7b:11:e2:84:97:c6:99:f3:6d:7f:d7:67:
                    83:7e:13:68:d8:71:28:5a:d8:ce:dd:e8:10:14:9a:
                    fe:6d:23:87:6e:8e:5a:70:3c:d5:8d:09:00:a7:aa:
                    bc:b0:31:37:6d:c8:84:14:1e:5b:bd:45:63:20:6b:
                    4b:74:8c:bd:db:3a:0e:c1:cf:5a:16:8f:a5:98:f2:
                    76:89:b2:13:12:3b:0b:77:77:ac:bb:e5:3c:29:4a:
                    92:72:ca:61:1a:2b:5e:4c:e2:83:74:77:fa:35:48:
                    7a:85:4d:8d:9a:53:c4:df:78:ca:97:91:48:2b:45:
                    2b:01:f7:1c:1a:a2:ed:18:ba:0a:bd:83:fa:6f:bc:
                    8d:57:93:3b:d4:d4:a6:ce:1e:f1:a0:b1:ce:ab:fd:
                    2b:28:9a:4f:1b:d7:c3:72:db:a4:c4:bf:5d:4c:f5:
                    dd:7b:96:69:ee:68:80:e6:e7:98:ba:36:b7:fe:6e:
                    ed:2b:bd:20:f8:65:19:da:55:09:7e:25:dc:fe:61:
                    62:72:f9:7e:18:02:ef:63:b4:d0:fb:af:e5:3b:63:
                    8c:67:8f
                Exponent: 65537 (0x10001)
   ...

Read more...

Marc Deslauriers (mdeslaur) wrote :

Hi,

In the 20170717 package, we no longer ship email signing certificates.

Per Mozilla, "SwissSign Platinum CA - G2" is marked as an email signing certificate only:

CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

This is the Debian bug where email signing certificates were removed:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.