Lucid openjdk cannot verify applet signature (certificate chain not rebuilt)

Bug #566317 reported by Uwe Geuder on 2010-04-18
This bug affects 6 people
Affects                        Status   Importance  Assigned to  Milestone
Iced Tea                       New      Undecided   Unassigned
ca-certificates-java (Ubuntu)           Undecided   Unassigned
icedtea-web (Ubuntu)                    Undecided   Unassigned
openjdk-6 (Ubuntu)                      Undecided   Unassigned

Bug Description

1.) $ lsb_release -rd
Description: Ubuntu lucid (development branch)
Release: 10.04

2.) $ apt-cache policy openjdk-6-jre
openjdk-6-jre:
  Installed: 6b18-1.8-0ubuntu1
  Candidate: 6b18-1.8-0ubuntu1
  Version table:
 *** 6b18-1.8-0ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
$ apt-cache policy openjdk-6-jre-headless
openjdk-6-jre-headless:
  Installed: 6b18-1.8-0ubuntu1
  Candidate: 6b18-1.8-0ubuntu1
  Version table:
 *** 6b18-1.8-0ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
$ apt-cache policy openjdk-6-jre-lib
openjdk-6-jre-lib:
  Installed: 6b18-1.8-0ubuntu1
  Candidate: 6b18-1.8-0ubuntu1
  Version table:
 *** 6b18-1.8-0ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
$ apt-cache policy icedtea6-plugin
icedtea6-plugin:
  Installed: 6b18-1.8-0ubuntu1
  Candidate: 6b18-1.8-0ubuntu1
  Version table:
 *** 6b18-1.8-0ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
$ apt-cache policy firefox
firefox:
  Installed: 3.6.3+nobinonly-0ubuntu3
  Candidate: 3.6.3+nobinonly-0ubuntu3
  Version table:
 *** 3.6.3+nobinonly-0ubuntu3 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

3.) What I expected

     a.) Go to https://www.sampopankki.fi in Firefox
     b.) Click on Union Jack to change language (optional, same problem occurs also in Finnish)
     c.) Click on "Log on to eBanking"
     d.) a warning appears and states that the applet signature has been verified (Verisign Class 3 Code signing certificate should be built in and trusted)

This works as expected with sun-jre in both intrepid and jaunty (don't have karmic handy)

4.) What happened

Java dialog appears "The application signature cannot be verified."

The certificate is signed by:

Version 3
Serial 134678584529721923331408176609551902556
Signature Algorithm SHA1withRSA
Issuer OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Validity: [From: Thu May 21 03:00:00 EEST 2009, To: Tue May 21 02:59:59 EEST 2019]
Subject CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

MD5 Fingerprint 56:10:5F:6D:97:18:DE:7F:83:52:1E:3A:40:F8:68:AF
SHA1 Fingerprint 12:D4:87:2B:C3:EF:01:9E:7E:0B:6F:13:24:80:AE:29:DB:5B:1C:A3
---
Architecture: i386
DistroRelease: Ubuntu 10.10
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release Candidate i386 (20100928)
Package: openjdk-6
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Tags: maverick
Uname: Linux 2.6.35-22-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Matthias Klose (doko) wrote :

is the certificate in the certificate store?

Changed in openjdk-6 (Ubuntu):
status: New → Incomplete
Uwe Geuder (ubuntulp-ugeuder) wrote :

As far as I understand Firefox and Java use different certificates. Is that correct?

I know how to list certificates in Firefox, but I don't know how to do so in openjdk.

I found the openjdk policy tool. Is that the right tool to use? Unfortunately I don't seem to be able to use it. It displays only empty lists.

Please advise how to check whether the certificate is in the certificate store.

Uwe Geuder (ubuntulp-ugeuder) wrote :

Oops, forgot to change the status back to "New". I guess as long as the status is "Incomplete" the ball is mine.

Changed in openjdk-6 (Ubuntu):
status: Incomplete → New
Uwe Geuder (ubuntulp-ugeuder) wrote :

CA certificates obviously installed by this package

affects: openjdk-6 (Ubuntu) → ca-certificates-java (Ubuntu)
Uwe Geuder (ubuntulp-ugeuder) wrote :

The CA certificates file exists twice on

 /usr/share/ca-certificates-java/cacerts
 /etc/ssl/certs/java/cacerts

I have not added any certificate in any phase and both files have identical contents.

(There is also a symbolic link /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts)

The contents of the file can be listed using the command

keytool -list -storetype jks -keystore /etc/ssl/certs/java/cacerts -v

The password is "changeit"

And indeed, the VeriSign Class 3 Code Signing 2009-2 CA certificate is not on the list.

The certificate has always been accepted by sun-java (tested with at least hardy, intrepid, jaunty and lucid). So if Sun & Sampopankki have not made a fundamental mistake, it should be safe for OpenJDK to trust that certificate, too.

Uwe Geuder (ubuntulp-ugeuder) wrote :

Tested today with

$ apt-cache policy ca-certificates-java
ca-certificates-java:
  Installed: 20100406ubuntu1
  Candidate: 20100406ubuntu1
  Version table:
 *** 20100406ubuntu1 0
        500 http://fi.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

Uwe Geuder (ubuntulp-ugeuder) wrote :

Sorry, my conclusion in #5 was incorrect.

The root certificate is indeed in the certificate store. It is

Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Serial number: 70bae41d10d92934b638ca7b03ccbabf
Valid from: Mon Jan 29 02:00:00 EET 1996 until: Wed Aug 02 02:59:59 EEST 2028
Certificate fingerprints:
         MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
         SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
         Signature algorithm name: MD2withRSA
         Version: 1

The problem is a different one. OpenJDK doesn't build the chain from the intermediate Code Signing certificate to the root certificate. See attached screen shot.
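
The following is an added diagnostic, not code from the report or from OpenJDK: it loads the cacerts store named in comment #5 and asks the JDK's own PKIX builder to rebuild the path from the JAR's signer certificate through the intermediate code-signing CA to a root, which is exactly the step that fails above. It assumes the signer and intermediate certificates have been exported to files (the paths on the command line are placeholders) and that the store is a JKS file protected with "changeit".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Usage (paths are assumptions): java ChainCheck /etc/ssl/certs/java/cacerts signer.cer intermediate.cer
// Written for Java 6, so no try-with-resources or diamond operator.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        for (int i = 1; i < args.length; i++) {
            FileInputStream in = new FileInputStream(args[i]);
            try { certs.add((X509Certificate) cf.generateCertificate(in)); }
            finally { in.close(); }
        }
        // Trust anchors: every certificate entry in the JKS cacerts store
        KeyStore trust = KeyStore.getInstance("JKS");
        FileInputStream ks = new FileInputStream(args[0]);
        try { trust.load(ks, "changeit".toCharArray()); } finally { ks.close(); }
        // Target is the leaf that signed the JAR (first certificate file given)
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(certs.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false); // offline chain diagnosis only
        // Intermediates shipped inside the signed JAR are what bridge leaf -> root
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(certs)));
        try {
            PKIXCertPathBuilderResult res = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Chain built to anchor: "
                    + res.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            for (Certificate c : res.getCertPath().getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (CertPathBuilderException e) {
            // The failure the report describes: no path from the intermediate
            // code-signing CA to any root present in cacerts.
            System.out.println("No chain to a trust anchor: " + e.getMessage());
        }
    }
}
```

The signer and intermediate certificates embedded in the JAR can be displayed with `jarsigner -verify -verbose -certs <file.jar>`, and a missing root can be confirmed with the `keytool -list` command from comment #5.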

Uwe Geuder (ubuntulp-ugeuder) wrote :

For comparison the certificate chain as built by Sun's Java (also on Lucid) (Sorry, I wasn't able to resize the dialog to show more info)

summary: - Lucid openjdk/icedtea cannot verify applet signature
+ Lucid openjdk cannot verify applet signature (certificate chain not
+ rebuilt)

apport information

tags: added: apport-collected
description: updated
Uwe Geuder (ubuntulp-ugeuder) wrote :

Also Maverick is still affected. (I tried to apport-collect this report but it fails:

> Package openjdk-6 not installed and no hook available, ignoring

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed
Changed in openjdk-6 (Ubuntu):
status: New → Confirmed
Tobias Kellner (cybot) wrote :

Still present in Natty.

Tobias Kellner (cybot) wrote :

Also reproducible with a vanilla Oneiric install.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in icedtea-web (Ubuntu):
status: New → Confirmed
Andrey Vihrov (andrey.vihrov) wrote :

This also happens with the TopCoder arena applet (http://community.topcoder.com/contest/arena/ContestAppletProd.jnlp), version 7.0.3. The "VeriSign Class 3 Public Primary Certification Authority - G5" certificate is in /etc/ssl/certs/java/cacerts, yet OpenJDK can't verify the applet's signature against it.
