Wrong applet signature recognition?

Юрий Мироненко tallman at inbox.ru
Thu Jun 2 16:51:44 UTC 2011


I am using a bank web application, which uses a Java applet for logging in and for making transaction digital signatures. I am/was especially happy that it works OK with OpenJDK, so I should not use the proprietary Sun solution. Link to the login page of my bank account management application:
* https://retail.payment.ru/n/Auth/LoginCert.aspx

But it looks like some time ago (at the beginning of the year) they updated the certificate of the applet, and I have a problem. The applet still works OK, but OpenJDK shows me that it is untrusted, while Sun JRE shows everything is OK.

I made some efforts to detect the problem... and it looks like OpenJDK for some reason detects only one level of signing. I.e.:
- the applet is signed by Open Joint-Stock Company Promsvyazbank
- the Open Joint-Stock Company Promsvyazbank certificate is signed by Thawte Code Signing CA - G2
- the Thawte Code Signing CA - G2 certificate is signed by thawte Primary Root CA
- I have the thawte Primary Root CA certificate in the list of trusted certificates (for both OpenJDK and Sun platforms)

And Sun shows me two levels of signing and the result is "trusted", while OpenJDK shows me only one level of signing, and the result is "untrusted".

Maybe my analysis is wrong somehow; I knew a little about OpenJDK signing before I began to investigate it. Now I know a little more, but still, it's only some limited non-professional effort to understand the problem.
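
An added diagnostic, not part of the original post and not OpenJDK or bank code: it lists the certificate chain that a signed JAR itself carries, so the chain described above (signer, Thawte Code Signing CA - G2, thawte Primary Root CA) can be compared with what is actually embedded in the applet. It assumes the applet's JAR has been saved locally; the class name `ListJarSigners` and the file argument are hypothetical.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class ListJarSigners {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ListJarSigners <applet.jar>");
            System.exit(2);
        }
        Set<CodeSigner> signers = new LinkedHashSet<>();
        // verify=true: entry digests and signatures are checked while reading
        try (JarFile jar = new JarFile(args[0], true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer information is only available once the entry is fully read
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) {
                    System.out.println("UNSIGNED entry: " + e.getName());
                } else {
                    for (CodeSigner s : cs) signers.add(s);
                }
            }
        }
        for (CodeSigner s : signers) {
            // Certificates shipped in the signature block, signer certificate first
            List<? extends Certificate> path = s.getSignerCertPath().getCertificates();
            System.out.println("Chain embedded in the JAR: " + path.size() + " certificate(s)");
            for (int i = 0; i < path.size(); i++) {
                X509Certificate c = (X509Certificate) path.get(i);
                System.out.println("  [" + i + "] subject: " + c.getSubjectX500Principal().getName());
                System.out.println("      issuer:  " + c.getIssuerX500Principal().getName());
            }
        }
    }
}
```

Each certificate's issuer should match the subject of the next one in the list; a chain that stops before reaching a certificate issued by a trusted root leaves the runtime to find the missing intermediate on its own.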
