[tallman at inbox.ru: Wrong applet signature recognition?]

Dr Andrew John Hughes ahughes at redhat.com
Thu Jun 2 12:29:58 PDT 2011


Forwarding your mail to the distro-pkg-dev list which discusses IcedTea-Web and its Free Java applet
implementation.  There is no browser plugin support as part of OpenJDK.

----- Forwarded message from Юрий Мироненко <tallman at inbox.ru> -----

Date: Thu, 02 Jun 2011 20:51:44 +0400
From: Юрий Мироненко <tallman at inbox.ru>
To: discuss at openjdk.java.net
Subject: Wrong applet signature recognition?

Hello.

I am using bank web application, which uses java-applet for logging in and for making transaction digital signatures. I am/was especially happy it works ok with open jdk, so I should not use proprietary SUN solution. Link to login page of my bank account management application:
* https://retail.payment.ru/n/Auth/LoginCert.aspx

But it looks like some time (at the begiining of the year) they updated certificate of applet, and I have a problem. Applet still works ok, but OpenJDK displaying me it's untrusted. While Sun JRE shows everything ok.

I make some efforts to detect the problem...and it looks like OpenJDK for some reason detects only one level of signing. I.e.:
- applet are signed by Open Joint-Stock Company Promsvyazbank
- Open Joint-Stock Company Promsvyazbank certificate are signed by Thawte Code Signing CA - G2
- Thawte Code Signing CA - G2 certificate are signed by thawte Primary Root CA
- I have thawte Primary Root CA certificate in list of trusted sertificates (for both OpenJDK and Sun platforms)

And Sun shows me two levels of signing and result is "trusted", while OpenJDK shows me only one level of signing, and result is "untrusted".

Maybe my analysis is wrong somehow, I knows a little about OpenJDK signing before I begins to investigate it. Now I know little more, but, still, it's only some limited non-professional efforts to understand a problem.

----- End forwarded message -----

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37



More information about the distro-pkg-dev mailing list