501019 - VeriSign G5 root certificate is unknown

Status: RESOLVED DUPLICATE of bug 484164

(Core Graveyard :: Plug-ins, defect)

Description

[Anders Pilegaard]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060309 Ubuntu/8.04 (hardy) Firefox/3.0.11
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060309 Ubuntu/8.04 (hardy) Firefox/3.0.11

My netbank has recently got new certificates on the Java applet used for login.  They are using VeriSign, but it looks like VeriSign has started using a new root certificate which Firefox doesn't recognize - "VeriSign G5".

I have verified this problem with Firefox 3.0.11 in both Ubuntu and Windows XP.

When I searched for "verisign g5" in all bugs, I came across the closed bugs 402947 "Add VeriSign G5 EV root certificate" and 422918 "Add VeriSign Class 3 Public Primary CA - G5 to NSS".  The last comments in these two seem to indicate that the root certificate may actually be known to Firefox, but without the right "trust bits"?

When looking at the details of the certificate I can see two layers of VeriSign certificates.  Here are the details:

VeriSign Class 3 Public Primary Certification Authority - G5 (VeriSign, Inc.)

Version: V3
Serial Number: [116639655533497101825591822189106265875]
Signature Algorithm [SHA1withRSA]
Issuer:
  OU=Class 3 Public Primary Certification Authority,
  O="VeriSign, Inc.",
  C=US

Validity: [From: Wed Nov 08 00:00:00 GMT 2006, To: Sun Nov 07 23:59:59 GMT 2021]

Subject:
  CN=VeriSign Class 3 Public Primary Certification Authority - G5,
  OU="(c) 2006 VeriSign, Inc. - For authorized use only",
  OU=VeriSign Trust Network,
  O="VeriSign, Inc.",
  C=US

Signature:
  0000: A9 7B 66 29 30 F7 D5 B4   A6 96 12 D0 EE 72 F0 58  ..f)0........r.X
  0010: 11 69 15 55 5F 41 FF D2   12 84 13 A4 D9 03 66 FF  .i.U_A........f.
  0020: A9 E0 4C C9 ED 8C 72 8B   B4 D7 55 3B 29 15 60 C8  ..L...r...U;).`.
  0030: 3C 21 EF 44 2E 93 3D C6   0B 0C 8D 24 3F 1E FB 01  <!.D..=....$?...
  0040: 5A 7A DD 83 66 14 D1 C7   FD 30 53 48 51 85 85 13  Zz..f....0SHQ...
  0050: A8 54 E1 EE 76 A2 89 18   D3 97 89 7A C6 FD B3 BD  .T..v......z....
  0060: 94 61 5A 3A 08 CF 14 93   BD 93 FD 09 A9 7B 56 C8  .aZ:..........V.
  0070: 00 B8 44 58 E9 DE 5B 77   BD 07 1C 6C 0B 30 30 C7  ..DX..[w...l.00.

MD5 Fingerprint: FC:E2:FB:AB:3D:9A:EA:EE:43:17:63:DC:2F:70:2E:4A


-------------------------------------------


VeriSign Class 3 Extended Validation SSL SGC CA (VeriSign Class 3 Public Primary Certification Authority - G5)

Version: V3
Serial Number: [58864371251733017494540126890095603011]
Signature Algorithm: [SHA1withRSA]
Issuer:
  CN=VeriSign Class 3 Public Primary Certification Authority - G5,
  OU="(c) 2006 VeriSign, Inc. - For authorized use only",
  OU=VeriSign Trust Network,
  O="VeriSign, Inc.",
  C=US

Validity: [From: Wed Nov 08 00:00:00 GMT 2006, To: Mon Nov 07 23:59:59 GMT 2016]

Subject: 
  CN=VeriSign Class 3 Extended Validation SSL SGC CA,
  OU=Terms of use at https://www.verisign.com/rpa (c)06,
  OU=VeriSign Trust Network,
  O="VeriSign, Inc.",
  C=US

Signature:
  0000: 27 74 A6 34 EA 1D 9D E1   53 D6 1C 9D 0C A7 5B 4C  't.4....S.....[L
  0010: A9 67 F2 F0 32 B7 01 0F   FB 42 18 38 DE E4 EE 49  .g..2....B.8...I
  0020: C8 13 C9 0B EC 04 C3 40   71 18 72 76 43 02 23 5D  .......@q.rvC.#]
  0030: AB 7B C8 48 14 1A C8 7B   1D FC F6 0A 9F 36 A1 D2  ...H.........6..
  0040: 09 73 71 66 96 75 51 34   BF 99 30 51 67 9D 54 B7  .sqf.uQ4..0Qg.T.
  0050: 26 45 AC 73 08 23 86 26   99 71 F4 8E D7 EA 39 9B  &E.s.#.&.q....9.
  0060: 06 09 23 BF 62 DD A8 C4   B6 7D A4 89 07 3E F3 6D  ..#.b........>.m
  0070: AE 40 59 50 79 97 37 3D   32 78 7D B2 63 4B F9 EA  .@YPy.7=2x..cK..
  0080: 08 69 0E 13 ED E8 CF BB   AC 05 86 CA 22 CF 88 62  .i.........."..b
  0090: 5D 3C 22 49 D8 63 D5 24   A6 BD EF 5C E3 CC 20 3B  ]<"I.c.$...\.. ;
  00A0: 22 EA FC 44 C6 A8 E5 1F   E1 86 CD 0C 4D 8F 93 53  "..D........M..S
  00B0: D9 7F EE A1 08 A7 B3 30   96 49 70 6E A3 6C 3D D0  .......0.Ipn.l=.
  00C0: 63 EF 25 66 63 CC AA B7   18 17 4E EA 70 76 F6 BA  c.%fc.....N.pv..
  00D0: 42 A6 80 37 09 4E 9F 66   88 2E 6B 33 66 C8 C0 71  B..7.N.f..k3f..q
  00E0: A4 41 EB 5A E3 FC 14 2E   4B 88 FD AE 6E 5B 65 E9  .A.Z....K...n[e.
  00F0: 27 E4 BF E4 B0 23 C1 B2   7D 5B 62 25 D7 3E 10 D4  '....#...[b%.>..

MD5 Fingerprint:
  CA:D5:A7:99:DD:90:93:60:B8:7C:31:9B:DE:D5:F3:2F


Reproducible: Always

Steps to Reproduce:
1. Open the page http://www.sparnord.dk/
2. Let the mouse hover over the blue drop-down marked "Netbanken" in the left-hand side.  This should unfold the menu.
3. Left click on the topmost entry, marked "Log på".

1-3a: It might be sufficient just to visit https://www.sparnord.dk/bank/logon/
Actual Results:  
Firefox tries to load a Java applet, and opens a dialogue saying that the certificate is not issued by a trusted authority.

Expected Results:  
Firefox loads the Java applet, and if not previously used it should pop-up a confirmation dialogue saying that the certificate was trusted.  After accepting it, a logon window should appear.

Comment 1

[Jo Hermans]

Attachment: screenshot

Do you mean this dialog ? That's one generated by Java, not by Firefox. Firefox has accepted the certificate, as shown by the green button in the location bar.

Comment 2

[Jo Hermans]

dupe of bug 484164 ?

Comment 3

[Anders Pilegaard]

Re comment #1: Yes, that is exactly the dialog I'm seeing.  Sorry about the confusion - I didn't realize that this was a dialog from Java and not from Firefox.

Re comment #2: I think you're right - it sounds *very* much like this is a duplicate of bug 484164.

Thanks for the quick reply - guess I'll have to go check if there's a newer java and/or figure out how to get and install that Verisign root certificate myself ... :-)