gpgsm: building of certificate chains

Olaf Gellert og at pre-secure.de
Tue Feb 1 08:02:41 CET 2005 

Hi list,

I was just experimenting with cross-certificates and
came across a little strange behaviour of gpgsm. Obviously
the building of certificate chains (eg from enduser to
subCA to rootCA) is influenced by the order of the
certificates in the keyring! In the case of cross-certificates
this can lead to different validation results depending
on the order of imported keys...

Example: I have the following certificates:
ranum at ranum:~> gpgsm --list-keys | grep fingerprint
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
  fingerprint: 83:F2:31:0B:BF:DE:EB:0A:AF:8A:22:3D:E6:37:93:3A:C3:45:2E:1C
  fingerprint: 99:9B:C4:25:AB:88:59:D1:5F:B0:E1:39:5B:0F:98:19:3B:26:80:AE
  fingerprint: 44:C4:9C:82:1E:78:FA:86:53:78:2D:33:A1:41:28:E9:BF:C0:39:EE
  fingerprint: 26:10:10:4B:0A:D2:9A:06:78:97:D5:CF:D1:26:50:FD:C5:4B:EF:D1
  fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC

Now I try to verify a signed email:

ranum at ranum:~> gpgsm --verify testetext.signed
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: Signatur erzeugt am 2005-01-31 16:47:13mittels Zertifikat ID C54BEFD1
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Korrekte Signatur von "/CN=Test User B3/O=Test Organization B/C=DE/EMail=user at testorg-b.org"    alias "user at testorg-b.org"

Ok, now I change the order of the certificates by removing the
certificate 99:9B:C4:... and reimporting it. Result:

ranum at ranum:~> gpgsm --verify testtext.signedlist-keys | grep fingerprint
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
  fingerprint: 83:F2:31:0B:BF:DE:EB:0A:AF:8A:22:3D:E6:37:93:3A:C3:45:2E:1C
  fingerprint: 44:C4:9C:82:1E:78:FA:86:53:78:2D:33:A1:41:28:E9:BF:C0:39:EE
  fingerprint: 26:10:10:4B:0A:D2:9A:06:78:97:D5:CF:D1:26:50:FD:C5:4B:EF:D1
  fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC
  fingerprint: 99:9B:C4:25:AB:88:59:D1:5F:B0:E1:39:5B:0F:98:19:3B:26:80:AE

And now I try to verify the signed text again:

ranum at ranum:~> gpgsm --verify testtext.signed
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: Signatur erzeugt am 2005-01-31 16:47:13mittels Zertifikat ID C54BEFD1
gpgsm: Das Wurzelzertifikat ist nicht als vertrauensw?rdig markiert
gpgsm: Fingerprint=52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC
gpgsm: DBG: BEGIN Certificate `issuer':
gpgsm: DBG:      serial: 00
gpgsm: DBG:   notBefore: 2005-01-12 12:37:40
gpgsm: DBG:    notAfter: 2007-01-12 12:37:40
gpgsm: DBG:      issuer: 1.2.840.113549.1.9.1=#636140746573746F72672D622E6F7267,
CN=Test Root CA B1,O=Test Organization B,C=DE
gpgsm: DBG:     subject: 1.2.840.113549.1.9.1=#636140746573746F72672D622E6F7267,
CN=Test Root CA B1,O=Test Organization B,C=DE
gpgsm: DBG:   hash algo: 1.2.840.113549.1.1.5
gpgsm: DBG:   SHA1 Fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:
5B:3A:97:DC
gpgsm: DBG: END Certificate
gpgsm: after checking the fingerprint, you may want to add it manually to the li
st of trusted certificates.
gpgsm: invalid certification chain: Nicht vertrauensw?rdig

I would say, the certificate chains should be build using
an exhaustive search of the existing certificates, gpgsm
seems to try only the first match.

Olaf

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           og at pre-secure.de

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet

More information about the Gnupg-users mailing list