Bug#552723: marked as done (ca-certificates: invalid subject public-key info for COMODO_ECC_Certification_Authority.crt)

Debian Bug Tracking System Wed, 14 Dec 2011 22:36:20 -0800

Your message dated Thu, 15 Dec 2011 00:33:41 -0600
with message-id <[email protected]>
and subject line Re: Bug#552723: ca-certificates: invalid subject public-key 
info, for  COMODO_ECC_Certification_Authority.crt
has caused the Debian Bug report #552723,
regarding ca-certificates: invalid subject public-key info for 
COMODO_ECC_Certification_Authority.crt
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
552723: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552723
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: ca-certificates
Version: 20090814
Severity: important

For some time I've seen these messages in the syslog:
    gnome-keyring-daemon: couldn't parse certificate(s): 
/etc/ssl/certs/COMODO_ECC_Certification_Authority.pem: 2 Time(s)
    gnome-keyring-daemon: couldn't parse certificate(s): 
/etc/ssl/certs/ca-certificates.crt: 1 Time(s)
    gnome-keyring-daemon: invalid subject public-key info: 2 Time(s)
    gnome-keyring-daemon: unsupported key algorithm in certificate: 
1.2.840.10045.2.1: 2 Time(s)

Because of one corrupted certificate the automatically generated file
'ca-certificates.crt' which contain all CAs is also invalid. This affects
several packages configured to use this file.

I've checked the file with certtool and reports the same:
$ certtool --certificate-info --infile 
/usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
|<1>| _gnutls_x509_get_pk_algorithm: unhandled algorithm 0
|<1>| Unknown SIGN OID: '1.2.840.10045.4.3.3'
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 1f47afaa62007050544c019e9b63992a
        Issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA 
Limited,CN=COMODO ECC Certification Authority
        Validity:
                Not Before: Thu Mar 06 00:00:00 UTC 2008
                Not After: Mon Jan 18 23:59:59 UTC 2038
        Subject: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA 
Limited,CN=COMODO ECC Certification Authority
        Subject Public Key Algorithm: unknown
        Extensions:
                Subject Key Identifier (not critical):
                        7571a7194819bc9d9dea4147df94c4487799d379
                Key Usage (critical):
                        Certificate signing.
                        CRL signing.
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
        Signature Algorithm: unknown
        Signature:
                30:65:02:31:00:ef:03:5b:7a:ac:b7:78:0a:72:b7:88
                df:ff:b5:46:14:09:0a:fa:a0:e6:7d:08:c6:1a:87:bd
                18:a8:73:bd:26:ca:60:0c:9d:ce:99:9f:cf:5c:0f:30
                e1:be:14:31:ea:02:30:14:f4:93:3c:49:a7:33:7a:90
                46:47:b3:63:7d:13:9b:4e:b7:6f:18:37:80:53:fe:dd
                20:e0:35:9a:36:d1:c7:01:b9:e6:dc:dd:f3:ff:1d:2c
                3a:16:57:d9:92:39:d6
Other Information:
        MD5 fingerprint:
                7c62ff749d31535e684ad578aa1ebf23
        SHA-1 fingerprint:
                9f744e9f2b4dbaec0f312c50b6563b8e2d93c311
        Public Key Id:
                f7f3019450ba3e69ec9a50f502d13845cc931372

Please include the correct CA file or remove the broken one.

Thanks


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  openssl                       0.9.8k-5   Secure Socket Layer (SSL) binary a

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information:
  ca-certificates/enable_crts: brasil.gov.br/brasil.gov.br.crt, 
cacert.org/cacert.org.crt, debconf.org/ca.crt, gouv.fr/cert_igca_dsa.crt, 
gouv.fr/cert_igca_rsa.crt, 
mozilla/ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt, 
mozilla/AddTrust_External_Root.crt, 
mozilla/AddTrust_Low-Value_Services_Root.crt, 
mozilla/AddTrust_Public_Services_Root.crt, 
mozilla/AddTrust_Qualified_Certificates_Root.crt, 
mozilla/America_Online_Root_Certification_Authority_1.crt, 
mozilla/America_Online_Root_Certification_Authority_2.crt, 
mozilla/AOL_Time_Warner_Root_Certification_Authority_1.crt, 
mozilla/AOL_Time_Warner_Root_Certification_Authority_2.crt, 
mozilla/Baltimore_CyberTrust_Root.crt, 
mozilla/beTRUSTed_Root_CA-Baltimore_Implementation.crt, 
mozilla/beTRUSTed_Root_CA.crt, 
mozilla/beTRUSTed_Root_CA_-_Entrust_Implementation.crt, 
mozilla/beTRUSTed_Root_CA_-_RSA_Implementation.crt, 
mozilla/Camerfirma_Chambers_of_Commerce_Root.crt, 
mozilla/Camerfirma_Global_Chambersign_Root.crt, mozilla/Certplus_Class_2_
 Primary_CA.crt, mozilla/Certum_Root_CA.crt, 
mozilla/Comodo_AAA_Services_root.crt, 
mozilla/COMODO_Certification_Authority.crt, 
mozilla/COMODO_ECC_Certification_Authority.crt, 
mozilla/Comodo_Secure_Services_root.crt, 
mozilla/Comodo_Trusted_Services_root.crt, 
mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DigiNotar_Root_CA.crt, 
mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt, 
mozilla/Digital_Signature_Trust_Co._Global_CA_2.crt, 
mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt, 
mozilla/Digital_Signature_Trust_Co._Global_CA_4.crt, 
mozilla/DST_ACES_CA_X6.crt, mozilla/DST_Root_CA_X3.crt, 
mozilla/Entrust.net_Global_Secure_Personal_CA.crt, 
mozilla/Entrust.net_Global_Secure_Server_CA.crt, 
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, 
mozilla/Entrust.net_Secure_Personal_CA.crt, 
mozilla/Entrust.net_Secure_Server_CA.crt, 
mozilla/Entrust_Root_Certification_Authority.crt, mozilla/Equifax_
 Secure_CA.crt, mozilla/Equifax_Secure_eBusiness_CA_1.crt, 
mozilla/Equifax_Secure_eBusiness_CA_2.crt, 
mozilla/Equifax_Secure_Global_eBusiness_CA.crt, 
mozilla/Firmaprofesional_Root_CA.crt, mozilla/GeoTrust_Global_CA_2.crt, 
mozilla/GeoTrust_Global_CA.crt, 
mozilla/GeoTrust_Primary_Certification_Authority.crt, 
mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GeoTrust_Universal_CA.crt, 
mozilla/GlobalSign_Root_CA.crt, mozilla/GlobalSign_Root_CA_-_R2.crt, 
mozilla/Go_Daddy_Class_2_CA.crt, mozilla/GTE_CyberTrust_Global_Root.crt, 
mozilla/GTE_CyberTrust_Root_CA.crt, mozilla/IPS_Chained_CAs_root.crt, 
mozilla/IPS_CLASE1_root.crt, mozilla/IPS_CLASE3_root.crt, 
mozilla/IPS_CLASEA1_root.crt, mozilla/IPS_CLASEA3_root.crt, 
mozilla/IPS_Servidores_root.crt, mozilla/IPS_Timestamping_root.crt, 
mozilla/NetLock_Business_=Class_B=_Root.crt, 
mozilla/NetLock_Express_=Class_C=_Root.crt, 
mozilla/NetLock_Notary_=Class_A=_Root.crt, 
mozilla/NetLock_Qualified_=Class_QA=_Root.crt, mozilla/Network_Solutions_Certifi
 cate_Authority.crt, mozilla/QuoVadis_Root_CA_2.crt, 
mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA.crt, 
mozilla/RSA_Root_Certificate_1.crt, mozilla/RSA_Security_1024_v3.crt, 
mozilla/RSA_Security_2048_v3.crt, mozilla/Secure_Global_CA.crt, 
mozilla/SecureTrust_CA.crt, mozilla/Security_Communication_Root_CA.crt, 
mozilla/Sonera_Class_1_Root_CA.crt, mozilla/Sonera_Class_2_Root_CA.crt, 
mozilla/Staat_der_Nederlanden_Root_CA.crt, mozilla/Starfield_Class_2_CA.crt, 
mozilla/StartCom_Certification_Authority.crt, mozilla/StartCom_Ltd..crt, 
mozilla/Swisscom_Root_CA_1.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, 
mozilla/SwissSign_Platinum_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, 
mozilla/Taiwan_GRCA.crt, mozilla/TC_TrustCenter__Germany__Class_2_CA.crt, 
mozilla/TC_TrustCenter__Germany__Class_3_CA.crt, 
mozilla/TDC_Internet_Root_CA.crt, mozilla/TDC_OCES_Root_CA.crt, 
mozilla/Thawte_Personal_Basic_CA.crt, mozilla/Thawte_Personal_Freemail_CA.crt, 
mozilla/Thawte_Personal_Premium_CA.
 crt, mozilla/Thawte_Premium_Server_CA.crt, mozilla/thawte_Primary_Root_CA.crt, 
mozilla/Thawte_Server_CA.crt, mozilla/Thawte_Time_Stamping_CA.crt, 
mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt, 
mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt, 
mozilla/UTN_DATACorp_SGC_Root_CA.crt, mozilla/UTN_USERFirst_Email_Root_CA.crt, 
mozilla/UTN_USERFirst_Hardware_Root_CA.crt, 
mozilla/UTN-USER_First-Network_Applications.crt, 
mozilla/ValiCert_Class_1_VA.crt, mozilla/ValiCert_Class_2_VA.crt, 
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt, 
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt, 
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority.crt, 
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt, 
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certificati
 on_Authority.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, 
mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt, 
mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/Verisign_RSA_Secure_Server_CA.crt, 
mozilla/Verisign_Time_Stamping_Authority_CA.crt, 
mozilla/Visa_eCommerce_Root.crt, mozilla/Visa_International_Global_Root_2.crt, 
mozilla/Wells_Fargo_Root_CA.crt, 
mozilla/WellsSecure_Public_Root_Certificate_Authority.crt, 
mozilla/XRamp_Global_CA_Root.crt, signet.pl/signet_ca1_pem.crt, 
signet.pl/signet_ca2_pem.crt, signet.pl/signet_ca3_pem.crt, 
signet.pl/signet_ocspklasa2_pem.crt, signet.pl/signet_ocspklasa3_pem.crt, 
signet.pl/signet_pca2_pem.crt, signet.pl/signet_pca3_pem.crt, 
signet.pl/signet_rootca_pem.crt, signet.pl/signet_tsa1_pem.crt, spi-inc.org/sp
 i-ca-2003.crt, spi-inc.org/spi-cacert-2008.crt, 
telesec.de/deutsche-telekom-root-ca-2.crt
  ca-certificates/new_crts:
  ca-certificates/trust_new_crts: yes

--- End Message ---

--- Begin Message ---

It appears that the current versions of certtool (gnutls-bin_3.0.8-2)
and openssl_1.0.0e-3 handle Algorithm: ecdsa-with-SHA384 without error.
 This bug report was never really about ca-certificates, anyway :-)

If there are still errors with gnome-keyring or postfix, please open
bugs against those packages.

-- 
Kind regards,
Michael Shuler

signature.asc
Description: OpenPGP digital signature

--- End Message ---

Bug#552723: marked as done (ca-certificates: invalid subject public-key info for COMODO_ECC_Certification_Authority.crt)

Reply via email to