Trouble with gpgsm

Jeff Mitchell jeff at emailgoeshere.com
Thu Mar 23 23:27:49 CET 2006


I have my own CA that I use for my mail/web/openldap/etc server.  I
generated a CA cert, and used this to sign a certificate for the server
daemons.  All has generally gone well, until I've wanted to use
KAddressBook to grab addresses off of my LDAP server.  It complains that
verification of the certificate failed when it tries to connect with TLS
or SSL.

I have gpg 1.9 installed (using Gentoo; it's slotted alongside 1.4), and
gpg-agent, watchgnupg, Kleopatra, etc. all work fine.  However, while
I've been able to import my CA certificate and private key and have
verified it by adding the appropriate line to trustlist.txt, I cannot
seem to import the server certificate that it signed.  I continually get
the following message:

  5 - 2006-03-23 16:58:30 gpgsm[27069]: self-signed certificate has a BAD signature: Bad signature
  5 - 2006-03-23 16:58:30 gpgsm[27069]: basic certificate checks failed - not imported

OpenSSL will verify the certificate:

jeff at scales ~ $ openssl verify -CAfile /etc/ssl/certs/My_CA.pem ./server.crt
server.crt: OK

And if I re-verify the CA certificate with gpgsm, through Kleopatra,
logging level Basic (here's hoping I'm not giving out any information I
didn't want to be giving out :-)  ):


  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- OPTION lc-messages=en_US.utf8
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- HAVEKEY AEDB2E87FEF060315E94B85A187ADB8B147E5D95
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- ISTRUSTED F4B09616C152F40095ECE57792CAEF68569207FD
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
  4 - 2006-03-23 17:21:45 gpgsm[27300]: no running dirmngr - starting one
[client at fd 6 connected]
  6 - 2006-03-23 17:21:45 dirmngr[27301]: permanently loaded certificates: 0
  6 - 2006-03-23 17:21:45 dirmngr[27301]:     runtime cached certificates: 0
  6 - 2006-03-23 17:21:45 dirmngr[27301.0x8081538] DBG: -> OK Dirmngr 0.9.3 at your service
  4 - 2006-03-23 17:21:45 gpgsm[27300]: DBG: connection to dirmngr established
  6 - 2006-03-23 17:21:45 dirmngr[27301.0x8081538] DBG: <- ISVALID 368B186305A2CD33AE58546032
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- OPTION lc-messages=en_US.utf8
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- HAVEKEY AEDB2E87FEF060315E94B85A187ADB8B147E5D95
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- ISTRUSTED F4B09616C152F40095ECE57792CAEF68569207FD
  5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
  4 - 2006-03-23 17:21:45 gpgsm[27300]: no running dirmngr - starting

As you can see my CA certificate is trusted, and I've imported the
secret key.  I do not have a CRL imported, but I don't think that matters.

Now, the relevant parts of the output, logging level guru, when I try to
import the certificate signed by my CA:

  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- IMPORT
  4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: signature value: 28 37 3A
73 69 67 2D 76 61 6C 28 33 3A 72 73 61 28 31 3A 73 31 32 38 3A 6D 41 FD
BA B2 9A 80 FC C3 1C 80 CA 3A 91 58 69 57 86 7F EA 4D 43
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION ttyname=/dev/pts/2
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION ttytype=xterm
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION lc-ctype=en_US.utf8
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION lc-messages=en_US.utf8
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- INPUT FD=13
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
  4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- IMPORT
  4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: signature value: 28 37 3A
73 69 67 2D 76 61 6C 28 33 3A 72 73 61 28 31 3A 73 31 32 38 3A 6D 41 FD
BA B2 9A 80 FC C3 1C 80 CA 3A 91 58 69 57 86 7F EA 4D 43 17 82 B5 AD B5
12 27 AB 2E 19 CE 28 80 1B 06 A4 A3 B7 0C 65 34 11 3A 64 E5 E4 6B AB FB
7C 9B 20 2C 72 DA C6 BC F2 FB 44 D0 33 5E D0 80 9E 51 B7 93 45 2E F1 E3
39 DE 57 EC 91 B2 78 FE DC A0 6A E6 E9 40 C8 F7 7D C7 72 52 AC AA 26 AC
F5 1D C3 95 C2 47 7C 1F 60 B3 14 77 D8 68 58 50 10 95 A4 89 E0 44 6A 4A
8B A4 BE 23 CD 29 29 29
  4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: encoded hash: 00 01 FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 20 30 0C 06 08
2A 86 48 86 F7 0D 02 05 05 00 04 10 56 6B 1C C4 5E 93 92 4C ED 67 7C 04
F1 32 DE 01
  4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: gcry_pk_verify: Bad signature
  4 - 2006-03-23 17:25:35 gpgsm[27314]: self-signed certificate has a BAD signature: Bad signature
  4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: BEGIN Certificate
`self-signing ce 17 82 B5 AD B5 12 27 AB 2E 19 CE 28 80 1B 06 A4 A3 B7
0C 65 34 11 3A 64 E5 E4 6B AB FB 7C 9B 20 2C 72 DA C6 BC F2 FB 44 D0 33
5E D0 80 9E 51 B7 93 45 2E F1 E3 39 DE 57 EC 91 B2 78 FE DC A0 6A E6 E9
40 C8 F7 7D C7 72 52 AC AA 26 AC F5 1D C3 95 C2 47 7C 1F 60 B3 14 77 D8
68 58 50 10 95 A4 89 E0 44 6A 4A 8B A4 BE 23 CD 29 29 29
  4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: encoded hash: 00 01 FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 20 30 0C 06 08
2A 86 48 86 F7 0D 02 05 05 00 04 10 56 6B 1C C4 5E 93 92 4C ED 67 7C 04
F1 32 DE 01
  4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: gcry_pk_verify: Bad signature
  4 - 2006-03-23 17:25:35 gpgsm[27314]: self-signed certificate has a BAD signature: Bad signature


I have no idea what's going on...I hope somebody can help!

Thanks,
Jeff
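
Added example, not part of the original post: the "encoded hash" line in the debug log above is a PKCS#1 v1.5 signature block, and decoding it shows which digest algorithm and digest value gpgsm compared against the signature. The function names are chosen here for illustration; the bytes are copied from the log.

```python
# Added example: decode gpgsm's "encoded hash" block, which has the
# EMSA-PKCS1-v1_5 layout 00 01 FF..FF 00 || DER DigestInfo.
ENCODED_HASH = bytes.fromhex(           # copied from the log (91 FF bytes)
    "0001" + "FF" * 91 + "00"
    + "3020300C06082A864886F70D020505000410"
    + "566B1CC45E93924CED677C04F132DE01")

HASH_OIDS = {"1.2.840.113549.2.5": ("MD5", 16),
             "1.3.14.3.2.26": ("SHA-1", 20),
             "2.16.840.1.101.3.4.2.1": ("SHA-256", 32)}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_encoded_hash(em):
    """Validate the padding and return what the signer hashed with."""
    if em[:2] != b"\x00\x01":
        raise ValueError("not a type-1 PKCS#1 v1.5 block")
    sep = em.index(b"\x00", 2)
    pad = em[2:sep]
    if len(pad) < 8 or pad.strip(b"\xff"):
        raise ValueError("bad padding string")
    tag, info, end = read_tlv(em, sep + 1)
    if tag != 0x30 or end != len(em):
        raise ValueError("DigestInfo must fill the rest of the block")
    _, alg, pos = read_tlv(info, 0)         # AlgorithmIdentifier
    tag, digest, pos = read_tlv(info, pos)  # OCTET STRING holding the digest
    oid = decode_oid(read_tlv(alg, 0)[1])
    name, size = HASH_OIDS.get(oid, ("unknown", len(digest)))
    if tag != 0x04 or pos != len(info) or len(digest) != size:
        raise ValueError("malformed digest field")
    return {"block_bytes": len(em), "pad_len": len(pad),
            "hash": name, "oid": oid, "digest": digest.hex()}
```

For the bytes in this post it reports a 128-byte block carrying an MD5 DigestInfo, which matches the "1:s128:" length prefix at the start of the logged signature value.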


