[Bug 742] New: IcedTea-Web checks certs only upto 1 level deep before declaring them untrusted

bugzilla-daemon at icedtea.classpath.org
Fri Jun 3 12:42:53 PDT 2011


           Summary: IcedTea-Web checks certs only upto 1 level deep before
                    declaring them untrusted
           Product: IcedTea-Web
           Version: unspecified
          Platform: all
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: General
        AssignedTo: dbhole at redhat.com
        ReportedBy: dbhole at redhat.com
                CC: unassigned at icedtea.classpath.org


Date: Thu, 02 Jun 2011 20:51:44 +0400
From: Юрий Мироненко <tallman at inbox.ru>
To: discuss at openjdk.java.net
Subject: Wrong applet signature recognition?


I am using a bank web application, which uses a Java applet for logging in and for
making transaction digital signatures. I am/was especially happy it works OK
with OpenJDK, so I do not have to use the proprietary Sun solution. Link to the login page
of my bank account management application:
* https://retail.payment.ru/n/Auth/LoginCert.aspx

But it looks like some time ago (at the beginning of the year) they updated the
certificate of the applet, and I have a problem. The applet still works OK, but OpenJDK
shows me that it's untrusted, while Sun JRE shows everything is OK.

I made some efforts to detect the problem... and it looks like OpenJDK for some
reason detects only one level of signing. I.e.:
- the applet is signed by Open Joint-Stock Company Promsvyazbank
- the Open Joint-Stock Company Promsvyazbank certificate is signed by Thawte Code
Signing CA - G2
- the Thawte Code Signing CA - G2 certificate is signed by thawte Primary Root CA
- I have the thawte Primary Root CA certificate in the list of trusted certificates
(for both OpenJDK and Sun platforms)

And Sun shows me two levels of signing and the result is "trusted", while OpenJDK
shows me only one level of signing, and the result is "untrusted".

Maybe my analysis is wrong somehow; I knew a little about OpenJDK signing
before I began to investigate it. Now I know a little more, but, still, these are
only some limited non-professional efforts to understand the problem.


More information about the distro-pkg-dev mailing list
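
As an added illustration (not IcedTea-Web code and not part of the original report), the following Python model contrasts a one-level issuer lookup with walking the whole issuer chain for the certificates named in the report. The `Cert` record, both function names and the sample data are constructed for this example, the one-level function is only an assumed model of the reported behaviour, and signature verification is deliberately left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


# Constructed stand-ins for the chain named in the report (names only, no keys).
ROOT = Cert("thawte Primary Root CA", "thawte Primary Root CA", is_ca=True)
INTERMEDIATE = Cert("Thawte Code Signing CA - G2", "thawte Primary Root CA", is_ca=True)
SIGNER = Cert("Open Joint-Stock Company Promsvyazbank", "Thawte Code Signing CA - G2")


def trusted_one_level(signer, trust_store):
    """Assumed model of the report: only the signer and its direct issuer are looked up."""
    names = {c.subject for c in trust_store}
    return signer.subject in names or signer.issuer in names


def build_path(signer, supplied, trust_store, max_depth=10):
    """Walk issuer links from the signer until a trust anchor is reached.

    Returns the path (signer first, anchor last), or None if no anchor is
    reachable. A real validator also verifies the signature on every link.
    """
    anchors = {c.subject: c for c in trust_store}
    pool = {c.subject: c for c in supplied}
    path, current, seen = [signer], signer, {signer.subject}
    for _ in range(max_depth):
        if current.issuer in anchors:
            return path + [anchors[current.issuer]]
        parent = pool.get(current.issuer)
        # Stop on a missing issuer, a non-CA issuer, or a loop in the supplied certs.
        if parent is None or not parent.is_ca or parent.subject in seen:
            return None
        path.append(parent)
        seen.add(parent.subject)
        current = parent
    return None


if __name__ == "__main__":
    print("one-level lookup:", trusted_one_level(SIGNER, [ROOT]))
    path = build_path(SIGNER, [SIGNER, INTERMEDIATE], [ROOT])
    print("full chain walk:", [c.subject for c in path])
```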