Ubuntu
eclipse package

Eclipse Foundation Code-signing certificate chain not trusted

Bug #655833 reported by TJ
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Eclipse
Unknown
Unknown
eclipse (Ubuntu)
Fix Released
Medium
Unassigned
Lucid
Fix Released
Undecided
Unassigned
Maverick
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: eclipse

apt-cache policy eclipse-jdt
eclipse-jdt:
  Installed: 3.5.2-2ubuntu4.2
  Candidate: 3.5.2-2ubuntu4.2
  Version table:
 *** 3.5.2-2ubuntu4.2 0
        500 http://gb.archive.ubuntu.com/ubuntu/ lucid-updates/universe Packages
        100 /var/lib/dpkg/status
     3.5.2-2ubuntu4 0
        500 http://gb.archive.ubuntu.com/ubuntu/ lucid/universe Packages

When attempting to install updates via Eclipse's Help>Check for Updates the user is prompted to accept a code-signing certificate used by the Eclipse Foundation with a Verisign Class 3 Public Primary Certification Authority root that has an MD2withRSA signing algorithm.

In my case one of the updates causing the issue is the Eclipse CDT.

The certificate should already be trusted via the public root CA certificates in the package ca-certificates that are written into "/etc/ssl/certs/java/cacerts" when ca-certificates-java is installed.

The problem is caused by the Eclipse Foundation's certificate chain in the JAR file's META_INF/ECLIPSEF.RSA originating from a Verisign code-signing root certificate ("Class 3 Public Primary Certification Authority") that used the MD2withRSA signing algorithm.

Although the package "ca-certificates" contains the Verisign root CA ("/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt") signed using MD2withRSA Eclipse refuses to trust the Eclipse Foundation code-signing certificate.

If the user ticks the checkbox next to the certificate Eclipse tries and fails to install this certificate into the keystore with the error "keystore is read-only". Even changing the permissions on the keystore doesn't solve that.

However, the certificate ought to be accepted so adding it is not the correct solution.

The problem is that both Sun Java and OpenJDK both disabled trust in certificates signed using MD2withRSA in November 2009. It is this that is causing Eclipse to ask about trusting the Eclipse Foundation certificate.

There is a solution in the Eclipse head (eclipse bug # 309059 "Eclipse foundation certificate not trusted by latest Oracle VMs"). I am investigating whether this can be cherry-picked and used against 3.5.2 in Ubuntu.

Here are the notes from my investigation of the issue.

--------
I investigated the Ubuntu and Debian packages "ca-certificates" and "ca-certificates-java". The former contains the collection of trusted public roots installed to "/usr/share/ca-certificates/", the latter generates "/etc/ssl/certs/java/cacerts" (when update-ca-certificates -f is run) that is symbolic-linked to by the Sun and OpenJDK versions of Java.

In Eclipse, when updating CDT for example, the user is offered a list of certificates which aren't trusted via the installed roots. In this case:

"Eclipse.org Foundation, Inc; Digital Class 3 - Java Object Signing..."

The certificate chain presented is:

"Eclipse.org Foundation, Inc; Digital Class 3 - Java Object Signing..."
> "Eclipse.org Foundation, Inc; Digital Class 3 - Java Object Signing..."
>> "Verisign Class 3 Code Signing 2004 CA; ..."
>>> "null; Class 3 Public Primary Certification Authority; Verisign\, Inc."

When examining the details of each certificate in the chain I noticed that the signing algorithm for the first 3 is "SHA1withRSA".

*HOWEVER*, the signing algorithm for "null; Class 3 Public Primary Certification Authority; Verisign\, Inc." is MD2withRSA.

MD2 with RSA was shown to be insecure some time ago (see CVE-2009-2409) and Verisign withdrew this certificate and replaced it with one using SHA1withRSA ("Root 2" downloadable from the Verisign web-site at https://www.verisign.com/support/roots.html) but said that it is acceptable to continue trusting previously issued certificates that have this in their chain of trust (https://press.verisign.com/easyir/customrel.do?easyirid=AFC0FF0DB5C560D3&version=live&prid=523818&releasejsp=custom_97).

The Debian and Ubuntu "ca-certificates" package contains the MD2withRSA certificate in the "mozilla/" sub-directory, which infers to me that it has come from the Mozilla collection of trusted roots.

---
openssl x509 -text -noout -issuer -issuer_hash -in /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
        Signature Algorithm: md2WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug 1 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
---
I couldn't find the SHA1withRSA version so I downloaded it

---
wget https://www.verisign.com/repository/roots/root-certificates/PCA-3.pem -O Verisign_Class_3_Public_Primary_Certification_Authority.crt
openssl x509 -text -noout -in Verisign_Class_3_Public_Primary_Certification_Authority.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug 2 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
---

 and replaced the existing file and re-generated the "/etc/ssl/certs/java/cacerts" file using "sudo update-ca-certificates -f -v".

At this point I expected Eclipse to treat the updates as trusted and not prompt, but I was disappointed. Eclipse offered the same certificate chain described above.

When I looked at the "null; Class 3 Public Primary Certification Authority; Verisign\, Inc." details I noticed the signing algorithm *IS STILL* MD2withRSA.

Earlier I had thought the certificate details had come from the Java keystore, but this made me think it may be coming from the JAR file's "META_INF/ECLIPSEF.RSA".

I ran jarsigner on "org.eclipse.cdt_6.0.2.201002161416.jar" and examined the results (edited for brevity here):

jarsigner -certs -verify -verbose -keystore /etc/ssl/certs/java/cacerts /home/tj/.eclipse/org.eclipse.platform_3.5.0_155965261/plugins/org.eclipse.cdt_6.0.2.201002161416.jar

        1760 Tue Feb 16 14:52:22 GMT 2010 META-INF/MANIFEST.MF
        1554 Tue Feb 16 14:52:24 GMT 2010 META-INF/ECLIPSEF.SF
        5638 Tue Feb 16 14:52:24 GMT 2010 META-INF/ECLIPSEF.RSA
           0 Tue Feb 16 14:33:48 GMT 2010 META-INF/
sm 76 Tue Feb 16 14:52:18 GMT 2010 META-INF/eclipse.inf

      [entry was signed on 16/02/10 19:52]
      X.509, CN="Eclipse.org Foundation, Inc", OU=Digital ID Class 3 - Java Object Signing, O="Eclipse.org Foundation, Inc", L=Ottawa, ST=Ontario, C=CA
      [certificate is valid from 30/01/09 00:00 to 14/04/12 00:59]
      X.509, CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 16/07/04 01:00 to 16/07/14 00:59]
      [KeyUsage, NetscapeCertType extension does not support code signing]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US (verisign_class_3_public_primary_certification_authority)
      [certificate is valid from 29/01/96 00:00 to 02/08/28 00:59]

Although jarsigner doesn't report the signing algorithm it does show whether any of the certificates are in the system's keystore using the "k" flag against a file, but in this case the only flags are "sm", and the command was run after the new SHA1withRSA certificate had been installed.
Also, in this case we are fortunate that the two versions of the certificate issued by Verisign have different expiry dates:

MD2withRSA: Aug 1 23:59:59 2028 GMT
SHA1withRSA: Aug 2 23:59:59 2028 GMT

jarsigner shows the certificate chain uses the one with expiry date "02/08/28 00:59" which is in fact "Aug 1 23:59:59 2028 GMT" since I am currently in the GMT+1 time-zone.

So the certificate chain Eclipse is taking exception to appears to be derived from the updates ("META-INF/ECLIPSEF.RSA"), not the host system.

I did further investigations on the MD2withRSA issue and discovered that the algorithm was disabled beginning with Sun Java 6 build 1.6.0_17. See http://java.sun.com/javase/6/webnotes/6u17.html and bug 6861062 "Disable MD2 in certificate chain validation" (not publically viewable!).

This arrived in Debian and Ubuntu with the package:

sun-java6 (6-17-1)

  * QA upload.
  * New upstream version. (Closes: #558173)
    Release notes at http://java.sun.com/javase/6/webnotes/6u17.html

 -- Giuseppe Iuculano <email address hidden> Sat, 28 Nov 2009 19:02:56 +0100

In OpenJDK MD2withRSA was also disabled and arrived in Ubuntu with the package:

openjdk-6 (6b17~pre2-0ubuntu3)

  * Security updates:
...
    - (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062).
...

 -- Matthias Klose <email address hidden> Mon, 09 Nov 2009 17:48:43 +0100

I suspect this is the crux of the issue. MD2withRSA is not supported by these recent versions of the JRE/JDKs, but the Eclipse Foundation is/has been signing JARs with a certificate that has the MD2withRSA root in its chain.

The solution would seem to be for the updated Verisign "Class 3 Public Primary Certification Authority" to be installed on the Eclipse Foundation's signing server so that when jarsigner runs it uses the SHA1withRSA signed certificate.

However, this doesn't help already existing signed plug-in bundles.

In Eclipse bug #309059 "Eclipse foundation certificate not trusted by latest Oracle VMs" a patch was added to KeyStoreTrustEngine.java to ignore the root CA in signed JARs and find it in the "cacerts" file.

See original description
TJ (tj)
description: updated
TJ (tj)
Changed in eclipse (Ubuntu):
assignee: nobody → TJ (intuitivenipple)
importance: Undecided → Medium
TJ (tj)
Changed in eclipse (Ubuntu):
status: New → In Progress
Revision history for this message
TJ (tj) wrote :
Changed in eclipse (Ubuntu):
assignee: TJ (intuitivenipple) → nobody
Revision history for this message
TJ (tj) wrote :

The patch I've attached has been tested by building in a local pbuilder for lucid, installing the updated packages, then running Eclipse and successfully updating without any certificate prompts from Eclipse.

Revision history for this message
Benjamin Drung (bdrung) wrote :

We need to fix it in maverick first. Can you prepare a debdiff for maverick, too?

Revision history for this message
TJ (tj) wrote :

I can prepare a patch for Maverick and build-test in a pbuilder but I can't user-test it because I'm staying with LTS.

TJ (tj)
Changed in eclipse (Ubuntu):
assignee: nobody → TJ (intuitivenipple)
Revision history for this message
TJ (tj) wrote :

The patch applied without any fuzzing to the Maverick source tree. Build test was successful in a Maverick pbuilder.

A user-test would be useful although the source has changed so little compared to 10.04 LTS I can't see anything that would change the behaviour.

I am attaching a debdiff for Maverick.

Changed in eclipse (Ubuntu):
assignee: TJ (intuitivenipple) → nobody
Brian Murray (brian-murray)
tags: added: patch
Revision history for this message
Niels Thykier (niels-thykier) wrote :

Hi

We have imported this on the Debian side to version 3.5.2-8 (not uploaded yet). Nevertheless next time Ubuntu merges with Debian, this patch will be included.

Thanks for a detailed report and finding the patch,
~Niels

Revision history for this message
Benjamin Drung (bdrung) wrote :

This bug was fixed in the package eclipse - 3.5.2-8ubuntu1

---------------
eclipse (3.5.2-8ubuntu1) natty; urgency=low

  * Do not symlink ant-trax.jar, because ant 1.8.1-1 does not ship it any more.

 -- Benjamin Drung <email address hidden> Tue, 19 Oct 2010 11:57:41 +0200

eclipse (3.5.2-8) unstable; urgency=low

  [ Niels Thykier ]
  * Imported debdiffs from TJ and Didier Roche (see below).

  [ TJ ]
  * Backported fix for finding root CA in keystore rather than from
    JAR. (LP: #655833)

  [ Didier Roche ]
  * debian/extra/eclipse:
    - no appmenu for eclipse (thanks bratsche) (LP: #613119)

 -- Benjamin Drung <email address hidden> Tue, 19 Oct 2010 11:55:12 +0200

eclipse (3.5.2-7) unstable; urgency=low

  * Install the NEWS file in eclipse-platform instead of eclipse,
    where it belongs.
  * Added NEWS entry about how to workaround #587657.
  * Made (Build)-Depends on lucene2 and sat4j stricter.
  * Removed Adrian Perez from uploaders.

 -- Niels Thykier <email address hidden> Mon, 13 Sep 2010 20:23:51 +0200

Changed in eclipse (Ubuntu):
status: In Progress → Fix Released
Benjamin Drung (bdrung)
Changed in eclipse (Ubuntu Lucid):
status: New → Fix Committed
Revision history for this message
Benjamin Drung (bdrung) wrote :

uploaded the fix to lucid-proposed and maverick-proposed.

Changed in eclipse (Ubuntu Maverick):
status: New → Fix Committed
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted eclipse into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Revision history for this message
Martin Pitt (pitti) wrote :

Accepted eclipse into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

Could anybody with this issue try the package in lucid and maverick -proposed and report here ? Thanks in advance.

Revision history for this message
Adal Alom Rodríguez (arpia49) wrote :

Tried maverick-proposed and then removing ~/.eclipse and worked ok.

Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

Thanks for testing. v-done in maverick, v-needed in lucid

tags: added: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eclipse - 3.5.2-6ubuntu1.1

---------------
eclipse (3.5.2-6ubuntu1.1) maverick-proposed; urgency=low

  [ Thomas Watson ]
  * Backported fix for finding root CA in keystore rather than from JAR.
    (LP: #655833)

  [ Benjamin Drung ]
  * Added NEWS entry about how to workaround #587657.
 -- Benjamin Drung <email address hidden> Wed, 20 Oct 2010 01:15:47 +0200

Changed in eclipse (Ubuntu Maverick):
status: Fix Committed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

Setting back to v-needed for lucid.

tags: removed: verification-done
Revision history for this message
Steve Beattie (sbeattie) wrote :

Unfortunately, the amd64 build for lucid FTBFS, the log is at http://launchpadlibrarian.net/57930338/buildlog_ubuntu-lucid-amd64.eclipse_3.5.2-2ubuntu4.3_FAILEDTOBUILD.txt.gz . Looking at where it failed, it's not obvious to me what went wrong on amd64:

     [copy] Copying 1971 files to /build/buildd/eclipse-3.5.2/build/eclipse-3.5.2-src/plugins/org.eclipse.swt.gtk.linux.x86_64/src

BUILD FAILED
/build/buildd/eclipse-3.5.2/build.xml:89: The following error occurred while executing this line:
/build/buildd/eclipse-3.5.2/pdebuild.xml:203: The following error occurred while executing this line:
/build/buildd/eclipse-3.5.2/build/eclipse-3.5.2-src/plugins/org.eclipse.swt.gtk.linux.x86_64/build.xml:148: The following error occurred while executing this line:
/build/buildd/eclipse-3.5.2/build/eclipse-3.5.2-src/plugins/org.eclipse.swt.gtk.linux.x86_64/build.xml:162: java.lang.StringIndexOutOfBoundsException: start > length()

Marking verification-failed.

tags: added: verification-failed
removed: verification-needed
Revision history for this message
Benjamin Drung (bdrung) wrote :

I retried the build and 3.5.2-2ubuntu4.3 builds on amd64. Setting back to verification-needed.

tags: added: verification-needed
removed: verification-failed
Revision history for this message
Martin Pitt (pitti) wrote :

Any testers of the lucid update in -proposed?

Revision history for this message
Patrick Wright (patrickmwright) wrote :

on lucid:
installed eclipse and installed an old version of CDT (6.0.0) via archive

after updating eclipse to 3.5.2-2ubuntu4.3 and selecting Help -> Check for Updates there were not cert prompts.

Update was successful.

marking v-done for lucid

Brian Murray (brian-murray)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eclipse - 3.5.2-2ubuntu4.3

---------------
eclipse (3.5.2-2ubuntu4.3) lucid-proposed; urgency=low

  * Backported fix for finding root CA in keystore rather than from JAR.
    (LP: #655833)
 -- Thomas Watson <email address hidden> Wed, 20 Oct 2010 00:58:03 +0200

Changed in eclipse (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.