DigiNotar Root CA still present in ca-certificates-java

It appears that the DigiNotar CA cert is still available on precise (package ca-certificates-java 20110912ubuntu4), except the keystore is now in /etc/ssl/certs/java/cacerts:

etienne@curst:~$ keytool -v -list -alias diginotar_root_ca -keystore /etc/ssl/certs/java/cacerts
Enter keystore password:

***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************

Alias name: diginotar_root_ca
Creation date: 11-Apr-2010
Entry type: trustedCertEntry

Owner: <email address hidden>, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Issuer: <email address hidden>, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Serial number: c76da9c910c4e2c9efe15d058933c4c
Valid from: Wed May 16 13:19:36 EDT 2007 until: Mon Mar 31 14:19:21 EDT 2025
Certificate fingerprints:
  MD5: 7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
  SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
  Signature algorithm name: SHA1withRSA
  Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 88 68 BF E0 8E 35 C4 3B 38 6B 62 F7 28 3B 84 81 .h...5.;8kb.(;..
0010: C8 0C D7 4D ...M
]
]

Testing has revealed a whole slew of issues with the way the debian packaging attemps to update the java cert store:

bug #1: natty and earlier's ca-certificates-java hook doesn't strip the right filename extension,
        so the DigiNotar cert doesn't get removed from the java store when ca-certificates is
        upgraded.

bug #2: oneiric and later's hook java script uses full filename as the alias without stripping
        the file extension as used in natty and earlier. In theory, this shouldn't be an issue, as
        the postinst script is supposed to re-import all the certificates. Unfortunately, since
        natty and earlier had certs that aren't included in later releases, such as the DigiNotar
        cert, they will never get removed properly.

bug #3: installing ca-certificates-java after an updated ca-certificates uses the bundled cert
        store, which doesn't have the dangerous cert removed. If the ca-certificates package
        was upgraded, cert is added to untrusted list, so ca-certificates-java correctly removes
        it from its bundled store. But, if the ca-certificates package was installed after the cert
        was removed from the package, it does not get added to the untrusted list, so installing
        ca-certificates-java will not remove it from its bundled store.

bug #4: Updating from Natty to Oneiric results in the java store not being upgraded to the new
        alias names because of a java issue: "Could not initialize NSS".

Argh, stupid copy & paste...reposting info to get readable layout:

First bug: natty and earlier's ca-certificates-java hook doesn't strip the right filename extension, so the DigiNotar cert doesn't get removed from the java store when ca-certificates is upgraded.

Second bug: oneiric and later's hook java script uses full filename as the alias without stripping the file extension as used in natty and earlier. In theory, this shouldn't be an issue, as the postinst script is supposed to re-import all the certificates. Unfortunately, since natty and earlier had certs that aren't included in later releases, such as the DigiNotar cert, they will never get removed properly.

Third bug: installing ca-certificates-java after an updated ca-certificates uses the bundled cert store, which doesn't have the dangerous cert removed. If the ca-certificates package was upgraded, cert is added to untrusted list, so ca-certificates-java correctly removes it from its bundled store. But, if the ca-certificates package was installed after the cert was removed from the package, it does not get added to the untrusted list, so installing ca-certificates-java will not remove it from its bundled store.

Fourth bug: Updating from Natty to Oneiric results in the java store not being upgraded to the new alias names because of a java issue: "Could not initialize NSS".

This bug was fixed in the package ca-certificates-java - 20110912ubuntu5

---------------
ca-certificates-java (20110912ubuntu5) precise; urgency=low

  * debian/preinst, debian/postinst: remove the 20110912ubuntu1 work-around
    since it is no longer needed.
  * debian/postinst: don't put a symlink in / if jvm doesn't contain nss
    configuration.
  * debian/postinst: force migration to new alias names again. The
    migration was supposed to occur on upgrades to Oneiric, but failed
    because of an NSS error.
  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
 -- Marc Deslauriers <email address hidden> Thu, 22 Mar 2012 08:59:17 -0400

This bug was fixed in the package ca-certificates-java - 20110912ubuntu3.1

---------------
ca-certificates-java (20110912ubuntu3.1) oneiric-security; urgency=low

  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/postinst: don't put a symlink in / if jvm doesn't contain nss
    configuration.
  * debian/postinst: bump version on upgrade test so we properly update
    natty ca-certificates-java security updates.
 -- Marc Deslauriers <email address hidden> Fri, 23 Mar 2012 10:30:03 -0400

This bug was fixed in the package ca-certificates-java - 20100412ubuntu0.11.04.1

---------------
ca-certificates-java (20100412ubuntu0.11.04.1) natty-security; urgency=low

  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/jks-keystore.hook: properly strip .pem extension from aliases.
    Also, look up and remove old incorrect aliases if necessary.
  * debian/control: bump ca-certificates Build-Depends to latest security
    update to make sure we don't bundle old certificates.
 -- Marc Deslauriers <email address hidden> Fri, 23 Mar 2012 09:51:16 -0400

This bug was fixed in the package ca-certificates-java - 20100412ubuntu0.10.10.1

---------------
ca-certificates-java (20100412ubuntu0.10.10.1) maverick-security; urgency=low

  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/jks-keystore.hook: properly strip .pem extension from aliases.
    Also, look up and remove old incorrect aliases if necessary.
  * debian/control: bump ca-certificates Build-Depends to latest security
    update to make sure we don't bundle old certificates.
 -- Marc Deslauriers <email address hidden> Fri, 23 Mar 2012 09:51:16 -0400

This bug was fixed in the package ca-certificates-java - 20100406ubuntu1.1

---------------
ca-certificates-java (20100406ubuntu1.1) lucid-security; urgency=low

  * debian/postinst: forcibly remove diginotar cert. It could be left
    behind under certain circumstances. (LP: #920758)
  * debian/jks-keystore.hook: properly strip .pem extension from aliases.
    Also, look up and remove old incorrect aliases if necessary.
  * debian/control: bump ca-certificates Build-Depends to latest security
    update to make sure we don't bundle old certificates.
 -- Marc Deslauriers <email address hidden> Fri, 23 Mar 2012 08:32:58 -0400