Bug#589023: iceweasel: SSL/X509 Certificate for 'AddTrust External CA Root' not recognized as valid

Frank Lin PIAT fpiat at klabs.be
Wed Jul 14 20:43:02 UTC 2010


On Wed, 2010-07-14 at 18:49 +0200, Mike Hommey wrote:
> On Wed, Jul 14, 2010 at 06:17:30PM +0200, Frank Lin PIAT wrote:
> > On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> > > On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> > > > 
> > > > When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> > > >   Error title: "This Connection is Untrusted"
> > > >   Error code: sec_error_unknown_issuer
> > 
> > > [..] as it works properly here, I suspect something fishy with the
> > > certificate database in your user profile.
> > > 
> > > Can you first check if that works better if you try with a new profile
> > 
> > The new profile is OK (I should have tested that rather than making a
> > wrong assumption).
> > 
> > I investigated... In the OK profile, the "AddTrust External CA Root"
> > certificate is self-signed, whereas the certificates are different in
> > the KO profile (and they make a loop!):
> > 
> > /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root"  | openssl x509 -noout -issuer -subject 
> > > issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> > > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > 
> > /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC"  | openssl x509 -noout -issuer -subject 
> > > issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > > subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> > 
> > I wonder where I got those certificates from, and if others could be affected.
> > 
> > <me thinking>
> > If I understand how NSS works properly, it means that NSS is "learning"
> > certificate chains (i.e. adding certificates to its database) as it is
> > receiving certificates from visited websites.
> > 
> > This fuzzy / unpredictable behavior scares me.
> > </me thinking>
> 
> AFAIK, it doesn't.
> 
> The "AddTrust External CA Root" certificate is provided by the "builtin
> object token", so it shouldn't have been broken in the first place. Are
> you sure you never imported a broken certificate?

I have no clue how that certificate ended up on my laptop. I am
extremely reluctant to add CA certificates to my laptop, and I doubt I ever
did that (and when I see the number of "Software Security Device" entries,
I am pretty sure I didn't import them all myself :-/ )

The "AddTrust External CA Root" certificate I removed is the one under
"The USERTRUST Network", which type was "Software Security Device":
 CN = AddTrust External CA Root
 OU = AddTrust External TTP Network
 O = AddTrust AB
 C = SE

I did *not* remove the certificate "AddTrust External CA Root" filed
under "AddTrust AB", whose type was already "Builtin Object Token".

I have attached both certificates (.pem and .txt)

> > Anyway, I removed the "Software Security Device" entries, and it's now
> > working:
> > UTN - DATACorp SGC
> >  `-> AddTrust External CA Root
> >      `-> COMODO EV SGC CA
> >           `-> www.comodo.com
> 
> Do you have a backup of your firefox profile directory? If you don't
> have any private key stored in it, would you mind providing the *.db
> files from there?

I am sending the .db files privately.


Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AddTrustExternalCARoot~AddTrust AB.pem
Type: application/x-x509-ca-cert
Size: 1546 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20100714/4ab8a4de/attachment-0002.crt>
-------------- next part --------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed:
                    1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97:
                    a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f:
                    cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db:
                    2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70:
                    56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6:
                    5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e:
                    87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c:
                    71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8:
                    69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df:
                    ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee:
                    6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94:
                    37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8:
                    45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7:
                    c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7:
                    a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65:
                    b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34:
                    5a:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: 
                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
                DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
                serial:01

    Signature Algorithm: sha1WithRSAEncryption
        b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9:
        84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41:
        6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5:
        bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2:
        de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51:
        14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85:
        93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a:
        63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b:
        a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4:
        45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9:
        91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e:
        8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76:
        60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20:
        0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7:
        8f:4e:86:04
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AddTrustExternalCARoot~The USERTRUST Network.pem
Type: application/x-x509-ca-cert
Size: 1612 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20100714/4ab8a4de/attachment-0003.crt>
-------------- next part --------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:26:0a:93:1c:e2:7f:9c:c3:a5:5f:79:e0:72:ae:82
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN - DATACorp SGC
        Validity
            Not Before: Jun  7 08:09:10 2005 GMT
            Not After : Jun 24 19:06:30 2019 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed:
                    1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97:
                    a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f:
                    cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db:
                    2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70:
                    56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6:
                    5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e:
                    87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c:
                    71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8:
                    69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df:
                    ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee:
                    6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94:
                    37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8:
                    45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7:
                    c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7:
                    a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65:
                    b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34:
                    5a:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:53:32:D1:B3:CF:7F:FA:E0:F1:A0:5D:85:4E:92:D2:9E:45:1D:B4:4F

            X509v3 Subject Key Identifier: 
                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type: 
                S/MIME CA
            X509v3 Extended Key Usage: 
                Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            X509v3 CRL Distribution Points: 
                URI:http://crl.usertrust.com/UTN-DATACorpSGC.crl

    Signature Algorithm: sha1WithRSAEncryption
        c6:ee:53:17:68:14:b2:51:22:1e:90:58:0d:94:fd:bd:f1:70:
        e5:86:2d:c3:36:31:8f:54:48:46:e7:2d:08:37:bc:6c:0a:60:
        e1:0e:ad:51:34:e0:12:93:e9:be:b8:ab:b8:26:b4:e9:96:3d:
        28:8f:ae:64:07:fe:e0:01:ec:c5:e3:91:eb:18:a0:f1:75:7e:
        db:0a:e6:9f:91:db:af:ae:75:df:23:91:68:dd:17:00:5a:4b:
        ff:64:6c:70:eb:01:1a:d0:90:d9:c7:a6:d6:6d:f6:13:e4:ff:
        b5:c9:d2:1e:2a:cb:b1:25:43:26:78:d9:30:9b:4e:0d:1e:be:
        69:ef:df:ea:fe:2d:b3:cc:f9:b0:dd:b5:14:ca:91:d4:b2:b5:
        a5:fb:01:19:a3:47:79:9f:9d:8c:95:87:34:f8:1f:38:92:da:
        36:a6:11:fa:6b:eb:6b:e9:dc:45:78:15:39:06:d7:4d:41:e4:
        21:c8:dc:2f:87:d1:b7:bf:48:60:75:a5:62:cb:24:de:3b:61:
        a0:29:20:a6:be:c5:6c:9c:c4:e9:0a:69:22:ef:91:3a:fa:26:
        af:d1:5b:41:a7:3a:e2:f8:38:07:42:ab:c1:5b:f8:ce:6d:ba:
        0f:04:3f:32:34:ac:dc:04:28:d7:70:30:14:26:06:c4:e4:9b:
        98:d5:cf:78
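The two certificates attached above share a subject and a public key (identical modulus and Subject Key Identifier AD:BD:98:7A:...), but one is self-signed and the other is issued by "UTN - DATACorp SGC", which in the broken profile is itself issued by "AddTrust External CA Root". An issuer lookup by name and key identifier therefore returns two candidates, and following the wrong one walks in a circle. The following is an added example, not code from the bug report or from NSS, and it does not reproduce the real NSS path-building algorithm. It models the broken profile with the DNs and key identifiers quoted in the report, uses constructed stand-ins for the "COMODO EV SGC CA" intermediate and the www.comodo.com leaf (their key identifiers are hypothetical), and contrasts a builder that takes the first matching issuer with one that backtracks and prefers built-in trust anchors. It also automates the duplicate-subject check the reporter did by hand with certutil and openssl.

```python
"""Toy X.509 path builder: cross-certificates with the same subject and key
but different issuers form a loop in a certificate store.

Added example; not part of the Debian bug report or of NSS. DNs and key
identifiers for AddTrust / UTN are copied from the report; the COMODO
intermediate and the leaf are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str              # Subject Key Identifier
    aki: str              # Authority Key Identifier
    builtin: bool = False  # True: NSS "Builtin Object Token"; False: "Software Security Device"

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.ski == self.aki


# Names and key identifiers as printed in the report.
ADDTRUST_DN = "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
UTN_DN = ("C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, "
          "OU=http://www.usertrust.com, CN=UTN - DATACorp SGC")
ADDTRUST_KEYID = "AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A"
UTN_KEYID = "53:32:D1:B3:CF:7F:FA:E0:F1:A0:5D:85:4E:92:D2:9E:45:1D:B4:4F"

# Constructed stand-ins for the rest of the chain shown in the report.
COMODO_DN = "CN=COMODO EV SGC CA"
COMODO_KEYID = "C0:00:00:01"   # hypothetical
LEAF_DN = "CN=www.comodo.com"
LEAF_KEYID = "1E:AF:00:01"     # hypothetical

ADDTRUST_BUILTIN = Cert(ADDTRUST_DN, ADDTRUST_DN, ADDTRUST_KEYID, ADDTRUST_KEYID, builtin=True)
ADDTRUST_CROSS = Cert(ADDTRUST_DN, UTN_DN, ADDTRUST_KEYID, UTN_KEYID)   # same key, issued by UTN
UTN_CROSS = Cert(UTN_DN, ADDTRUST_DN, UTN_KEYID, ADDTRUST_KEYID)        # UTN issued by AddTrust
COMODO = Cert(COMODO_DN, ADDTRUST_DN, COMODO_KEYID, ADDTRUST_KEYID)
LEAF = Cert(LEAF_DN, COMODO_DN, LEAF_KEYID, COMODO_KEYID)

# Imported entries listed first so that a first-match lookup hits them first.
BROKEN_PROFILE = [ADDTRUST_CROSS, UTN_CROSS, ADDTRUST_BUILTIN, COMODO]
CLEAN_PROFILE = [ADDTRUST_BUILTIN, COMODO]   # after the two imports are removed


def issuers_of(cert: Cert, store: List[Cert]) -> List[Cert]:
    """All certificates whose subject and SKI match cert's issuer name and AKI."""
    return [c for c in store if c.subject == cert.issuer and c.ski == cert.aki]


def build_first_match(leaf: Cert, store: List[Cert]) -> Optional[List[Cert]]:
    """Follow the first matching issuer; fails (None) on a loop or a missing issuer."""
    chain = [leaf]
    while not chain[-1].builtin:
        cands = issuers_of(chain[-1], store)
        if not cands or cands[0] in chain:   # unknown issuer, or cross-cert loop
            return None
        chain.append(cands[0])
    return chain


def build_backtracking(leaf: Cert, store: List[Cert]) -> Optional[List[Cert]]:
    """Depth-first search that prefers built-in anchors and never revisits a cert."""
    def dfs(chain: List[Cert]) -> Optional[List[Cert]]:
        if chain[-1].builtin:
            return chain
        cands = sorted(issuers_of(chain[-1], store), key=lambda c: not c.builtin)
        for c in cands:
            if c in chain:
                continue          # skip the edge that closes the loop
            found = dfs(chain + [c])
            if found is not None:
                return found
        return None
    return dfs([leaf])


def duplicate_subjects(store: List[Cert]) -> Set[str]:
    """Subjects that appear more than once with differing issuers."""
    issuers_by_subject = {}
    for c in store:
        issuers_by_subject.setdefault(c.subject, set()).add(c.issuer)
    return {s for s, iss in issuers_by_subject.items() if len(iss) > 1}


if __name__ == "__main__":
    print("duplicates in broken profile:", duplicate_subjects(BROKEN_PROFILE))
    print("first-match, broken profile :", build_first_match(LEAF, BROKEN_PROFILE))
    print("backtracking, broken profile:",
          [c.subject for c in build_backtracking(LEAF, BROKEN_PROFILE)])
```

Run against the broken profile, the first-match builder reaches the cross-signed AddTrust entry, then the UTN entry, then the same AddTrust entry again and gives up, which is the "unknown issuer" outcome the report describes. The backtracking builder reaches the built-in AddTrust root directly, as does the first-match builder once the two imported entries are deleted. The duplicate-subject check is the quick way to spot this condition in a store: two entries for one subject with different issuers are worth a look regardless of how they got there.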

