Lucid openjdk cannot verify applet signature (certificate chain not rebuilt)

Bug #566317 reported by Uwe Geuder
This bug affects 6 people
Affects / Status / Importance / Assigned to / Milestone
Iced Tea: Invalid / Undecided / Unassigned
ca-certificates-java (Ubuntu): Invalid / Undecided / Unassigned
icedtea-web (Ubuntu): Invalid / Undecided / Unassigned
openjdk-6 (Ubuntu): Invalid / Undecided / Unassigned

Bug Description

1.) $ lsb_release -rd
Description: Ubuntu lucid (development branch)
Release: 10.04

2.) $ apt-cache policy openjdk-6-jre
openjdk-6-jre:
  Installed: 6b18-1.8-0ubuntu1
  Candidate: 6b18-1.8-0ubuntu1
  Version table:
 *** 6b18-1.8-0ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
$ apt-cache policy openjdk-6-jre-headless
openjdk-6-jre-headless:
  Installed: 6b18-1.8-0ubuntu1
  Candidate: 6b18-1.8-0ubuntu1
  Version table:
 *** 6b18-1.8-0ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
$ apt-cache policy openjdk-6-jre-lib
openjdk-6-jre-lib:
  Installed: 6b18-1.8-0ubuntu1
  Candidate: 6b18-1.8-0ubuntu1
  Version table:
 *** 6b18-1.8-0ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
$ apt-cache policy icedtea6-plugin
icedtea6-plugin:
  Installed: 6b18-1.8-0ubuntu1
  Candidate: 6b18-1.8-0ubuntu1
  Version table:
 *** 6b18-1.8-0ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
$ apt-cache policy firefox
firefox:
  Installed: 3.6.3+nobinonly-0ubuntu3
  Candidate: 3.6.3+nobinonly-0ubuntu3
  Version table:
 *** 3.6.3+nobinonly-0ubuntu3 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

3.) What I expected

     a.) Go to https://www.sampopankki.fi in Firefox
     b.) Click on Union Jack to change language (optional, same problem occurs also in Finnish)
     c.) Click on "Log on to eBanking"
     d.) a warning appears and states that the applet signature has been verified (Verisign Class 3 Code signing certificate should be built in and trusted)

This works as expected with sun-jre in both intrepid and jaunty (don't have karmic handy)

4.) What happened

Java dialog appears "The application signature cannot be verified."

The certificate is signed by:

Version 3
Serial 134678584529721923331408176609551902556
Signature Algorithm SHA1withRSA
Issuer OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Validity: [From: Thu May 21 03:00:00 EEST 2009, To: Tue May 21 02:59:59 EEST 2019]
Subject CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature 0000: 8B 03 C0 DD 94 D8 41 A2 61 69 B0 15 A8 78 C7 30 ......A.ai...x.0
0010: C6 90 3C 7E 42 F7 24 B6 E4 83 73 17 04 7F 04 10 ..<.B.$...s.....
0020: 9C A1 E2 FA 81 2F EB C0 CA 44 E7 72 E0 50 B6 55 ...../...D.r.P.U
0030: 10 20 83 6E 96 92 E4 9A 51 6A B4 37 31 DC A5 2D . .n....Qj.71..-
0040: EB 8C 00 C7 1D 4F E7 4D 32 BA 85 F8 4E BE FA 67 .....O.M2...N..g
0050: 55 65 F0 6A BE 7A CA 64 38 1A 10 10 78 45 76 31 Ue.j.z.d8...xEv1
0060: F3 86 7A 03 0F 60 C2 B3 5D 9D F6 8B 66 76 82 1B ..z..`..]...fv..
0070: 59 E1 83 E5 BD 49 A5 38 56 E5 DE 41 77 0E 58 0F Y....I.8V..Aw.X.

MD5 Fingerprint 56:10:5F:6D:97:18:DE:7F:83:52:1E:3A:40:F8:68:AF
SHA1 Fingerprint 12:D4:87:2B:C3:EF:01:9E:7E:0B:6F:13:24:80:AE:29:DB:5B:1C:A3
---
Architecture: i386
DistroRelease: Ubuntu 10.10
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release Candidate i386 (20100928)
Package: openjdk-6
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Tags: maverick
Uname: Linux 2.6.35-22-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Matthias Klose (doko) wrote :

is the certificate in the certificate store?

Changed in openjdk-6 (Ubuntu):
status: New → Incomplete

Uwe Geuder (ubuntulp-ugeuder) wrote :

As far as I understand Firefox and Java use different certificates. Is that correct?

I know how to list certificates in Firefox, but I don't know how to do so in openjdk.

I found the openjdk policy tool. Is that the right tool to use? Unfortunately I don't seem to be able to use it. It displays only empty lists.

Please advise how to check whether the certificate is in the certificate store.

Uwe Geuder (ubuntulp-ugeuder) wrote :

Oops, forgot to change the status back to "New". I guess as long as the status is "Incomplete", the ball is mine.

Changed in openjdk-6 (Ubuntu):
status: Incomplete → New

Uwe Geuder (ubuntulp-ugeuder) wrote :

CA certificates obviously installed by this package

affects: openjdk-6 (Ubuntu) → ca-certificates-java (Ubuntu)

Uwe Geuder (ubuntulp-ugeuder) wrote :

The CA certificates file exists twice on

 /usr/share/ca-certificates-java/cacerts
 /etc/ssl/certs/java/cacerts

I have not added any certificate in any phase and both files have identical contents.

(There is also a symbolic link /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts)

The contents of the file can be listed using the command

keytool -list -storetype jks -keystore /etc/ssl/certs/java/cacerts -v

The password is "changeit"

And indeed, the VeriSign Class 3 Code Signing 2009-2 CA certificate is not on the list.

The certificate has always been accepted by sun-java (tested with at least hardy, intrepid, jaunty and lucid). So if Sun & Sampopankki have not made a fundamental mistake, it should be safe for OpenJDK to trust that certificate, too.

Uwe Geuder (ubuntulp-ugeuder) wrote :

Tested today with

$ apt-cache policy ca-certificates-java
ca-certificates-java:
  Installed: 20100406ubuntu1
  Candidate: 20100406ubuntu1
  Version table:
 *** 20100406ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

Uwe Geuder (ubuntulp-ugeuder) wrote :

Sorry, my conclusion in #5 was incorrect.

The root certificate is indeed in the certificate store. It is

Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Serial number: 70bae41d10d92934b638ca7b03ccbabf
Valid from: Mon Jan 29 02:00:00 EET 1996 until: Wed Aug 02 02:59:59 EEST 2028
Certificate fingerprints:
         MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
         SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
         Signature algorithm name: MD2withRSA
         Version: 1

The problem is a different one. OpenJDK doesn't build the chain from the intermediate Code Signing certificate to the root certificate. See attached screen shot.

Uwe Geuder (ubuntulp-ugeuder) wrote :

For comparison the certificate chain as built by Sun's Java (also on Lucid) (Sorry, I wasn't able to resize the dialog to show more info)

summary: - Lucid openjdk/icedtea cannot verify applet signature
+ Lucid openjdk cannot verify applet signature (certificate chain not rebuilt)

Uwe Geuder (ubuntulp-ugeuder) wrote : Dependencies.txt

apport information

tags: added: apport-collected
description: updated

Uwe Geuder (ubuntulp-ugeuder) wrote :

Also Maverick is still affected. (I tried to apport-collect this report but it fails:

> Package openjdk-6 not installed and no hook available, ignoring

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed
Changed in openjdk-6 (Ubuntu):
status: New → Confirmed

Tobias Kellner (cybot) wrote :

Still present in Natty.

Tobias Kellner (cybot) wrote :

Also reproducible with a vanilla Oneiric install.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in icedtea-web (Ubuntu):
status: New → Confirmed

Andrey Vihrov (andrey.vihrov) wrote :

This also happens with the TopCoder arena applet (http://community.topcoder.com/contest/arena/ContestAppletProd.jnlp), version 7.0.3. The "VeriSign Class 3 Public Primary Certification Authority - G5" certificate is in /etc/ssl/certs/java/cacerts, yet OpenJDK can't verify the applet's signature against it.
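Added example, not code from this report or from the OpenJDK/IcedTea projects: a POSIX shell helper for the two checks that the thread circles around, in comments #5 and #7 (is the CA really in the Java cacerts store?) and in the TopCoder report above (the root is present, yet no chain is built). It looks up a trust-store entry by certificate fingerprint in `keytool -list` output, so the check does not depend on guessing alias names, and wraps `jarsigner -verify -verbose -certs` to show which certificates the signed JAR itself carries, which is where the missing intermediate would have to come from. The cacerts path and the default password `changeit` are the ones given in the thread. The embedded keystore listing is constructed for offline use; its alias `verisignclass3ca` is assumed, while the two fingerprints are the ones quoted in the report (the VeriSign Class 3 root, which is in the store, and the "Class 3 Code Signing 2009-2 CA" intermediate, which is not).

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenJDK/IcedTea:
# two diagnostics for "The application signature cannot be verified".
#   1. Is a given CA (by certificate fingerprint) a trusted entry in cacerts?
#   2. Which certificates does the signed JAR itself carry?
# Path and default password are the ones quoted in the report.

CACERTS=${CACERTS:-/etc/ssl/certs/java/cacerts}
STOREPASS=${STOREPASS:-changeit}

# Normalise a fingerprint so "74:2c:..." and "742C..." compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Read `keytool -list` output on stdin and print the alias of the
# trustedCertEntry whose fingerprint equals $1. Exit 0 if found, 1 if not.
# Matching on the fingerprint rather than the alias avoids guessing the
# alias naming used by a particular cacerts build.
alias_for_fingerprint() {
    want=$(norm_fp "$1")
    awk -v want="$want" '
        # entry header looks like: "<alias>, <date>, trustedCertEntry,"
        /, trustedCertEntry,/ { name = $0; sub(/,.*/, "", name) }
        # followed by: "Certificate fingerprint (SHA1): XX:XX:..."
        /^Certificate fingerprint/ {
            fp = $NF; gsub(/:/, "", fp); fp = toupper(fp)
            if (fp == want) { print name; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Live check against the real keystore (needs a JDK keytool on PATH).
ca_trusted() {
    keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" 2>/dev/null \
        | alias_for_fingerprint "$1"
}

# Print the signer chain that is actually inside a JAR. If the leaf's issuer
# (the intermediate) is missing here and is not in cacerts either, no chain
# to the trusted root can be built, whatever else the store contains.
jar_signer_chain() {
    jarsigner -verify -verbose -certs "$1" | grep 'X\.509, '
}

# Constructed sample of `keytool -list` output for offline use. The alias is
# assumed; the fingerprint is the VeriSign Class 3 root quoted in the report.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

verisignclass3ca, Apr 6, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2'

ROOT_FP=74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2          # root, in the store
INTERMEDIATE_FP=12:D4:87:2B:C3:EF:01:9E:7E:0B:6F:13:24:80:AE:29:DB:5B:1C:A3  # 2009-2 CA, not in the store

# Same lookup run against the constructed listing instead of the live store.
sample_alias() {
    printf '%s\n' "$SAMPLE_LIST" | alias_for_fingerprint "$1"
}

# Usage: sh check_signer_chain.sh <fingerprint> [signed.jar]
if [ $# -gt 0 ]; then
    ca_trusted "$1" || echo "fingerprint $1 is not a trusted entry in $CACERTS"
    if [ $# -gt 1 ]; then
        jar_signer_chain "$2"
    fi
fi
```

Reading the output: `ca_trusted` printing an alias for the root while `jar_signer_chain` shows no certificate whose subject is the leaf's issuer reproduces the situation in comment #7, where the root is trusted but the verifier has nothing to connect the leaf to it. Run the same two commands against the Sun JRE's `lib/security/cacerts` to compare what each runtime has to work with.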

Vladimir Petko (vpa1977) wrote :

EOL reached for the affected version April 30, 2015.

Closing as Invalid.

Changed in icedtea:
status: New → Invalid
Changed in ca-certificates-java (Ubuntu):
status: Confirmed → Invalid
Changed in icedtea-web (Ubuntu):
status: Confirmed → Invalid
Changed in openjdk-6 (Ubuntu):
status: Confirmed → Invalid