Failure to sign with gpgsm
Pedro Pessoa
pessoa at angulosolido.pt
Tue Nov 14 15:42:35 CET 2006
On Friday 10 November 2006 22:39, Pedro Pessoa wrote:
> Although I can sign with a certificate from Thawte, when using a certificate
> from the Portuguese national lawyer association I'm having this error:
> gpgsm: error creating signature: No value <KSBA>
>
> The certificate tree is correctly verified:
> gpgsm: DBG: gcry_pk_verify: Success
> gpgsm: certificate is good
> gpgsm: DBG: got issuer's certificate:
> gpgsm: DBG: BEGIN Certificate `issuer':
> (...)
> gpgsm: DBG: gcry_pk_verify: Success
> gpgsm: error creating signature: No value <KSBA>
>
> Any thoughts on this? What's going on?
>
> I've tried the following versions:
> gnupg2 1.9.16 with libksba 0.9.11
> and
> gnupg2 1.9.22 with libksba 0.9.15
> both give out the same error.
After trying to figure out what this problem is and reaching a dead end, I went
through the differences in a dump of both certificates, the one that
works and the one that doesn't.
- Both have the fields:
. Serial number
. Issuer
. Subject
. sha1_fpr
. md5_fpr
. certid
. keygrip
. notBefore
. notAfter
. hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
. keyType: 2048 bit RSA
. chainLength: not a CA
- These are only present on the certificate that doesn't work:
. authKeyId.ki
. keyUsage: digitalSignature nonRepudiation keyEncipherment dataEncipherment
            keyAgreement
. extKeyUsage: 1.3.6.1.4.1.6204.20.18.2.105.1020 (suggested)
               clientAuth (suggested)
               emailProtection (suggested)
. policies: 1.3.6.1.4.1.6204.10.2
            1.3.6.1.4.1.6204.10.2.1020
. crlDP: http://www.multicert.com/ca/multicert-ca-02.crl
         ldap://ldap.multicert.com/cn=MULTICERT-CA%2002,o=MULTICERT-CA,c=PT?certificateRevocationList?base
         issuer: none
. crlDP: CN=CRL26,CN=MULTICERT-CA 02,O=MULTICERT-CA,C=pt
         issuer: none
. authInfo: 1.3.6.1.5.5.7.48.1
. subjInfo: [none]
. extn: 1.3.6.1.5.5.7.1.1 (authorityInfoAccess) [44 octets]
. extn: 2.16.840.1.113730.1.1 (netscape-cert-type) [4 octets]
Is it possible that one or several of these fields only present on the
certificate that doesn't work are causing the failure?
Is there any way to strip them out of the certificate?
Btw, I've just tested importing the "bad" certificate on Thunderbird, and
there I can use it to sign messages. Is this a certificate or gnupg problem?
I'm really at a loss...
Thanks,
Pedro
--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt
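The field-by-field comparison done by hand above, as an added example that is not part of the mail or of GnuPG/libksba: it diffs the X.509 extension sets of two certificates with Python's `cryptography` package. The two certificates are constructed self-signed stand-ins (one bare, one carrying the extensions listed as present only in the failing certificate); the OCSP URL in the AIA extension is a placeholder, since the mail gives none.

```python
"""Diff the X.509 extensions of a working and a failing certificate."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID


def extension_summary(cert):
    """Map each extension's dotted OID to (extension type name, critical flag)."""
    return {e.oid.dotted_string: (type(e.value).__name__, e.critical) for e in cert.extensions}


def extension_diff(good, bad):
    """Return OIDs only in `bad`, OIDs only in `good`, and OIDs whose criticality differs."""
    g, b = extension_summary(good), extension_summary(bad)
    only_bad = sorted(set(b) - set(g))
    only_good = sorted(set(g) - set(b))
    crit_changed = sorted(o for o in set(g) & set(b) if g[o][1] != b[o][1])
    return only_bad, only_good, crit_changed


def _self_signed(extensions):
    """Constructed sample: throwaway self-signed EC certificate carrying `extensions`."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample")])
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(1)
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=1)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(key, hashes.SHA256())


# Constructed stand-ins for the two certificates in the mail.
PLAIN_CERT = _self_signed([])
RICH_CERT = _self_signed([
    (x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True,
                   data_encipherment=True, key_agreement=True, key_cert_sign=False,
                   crl_sign=False, encipher_only=False, decipher_only=False), True),
    (x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1.4.1.6204.20.18.2.105.1020"),
                            ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION]), False),
    (x509.CertificatePolicies([x509.PolicyInformation(x509.ObjectIdentifier("1.3.6.1.4.1.6204.10.2"), None)]), False),
    (x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier("http://www.multicert.com/ca/multicert-ca-02.crl")], None, None, None)]), False),
    (x509.AuthorityInformationAccess([x509.AccessDescription(  # placeholder OCSP URL, not from the mail
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier("http://ocsp.example.invalid"))]), False),
])

if __name__ == "__main__":
    only_bad, only_good, crit_changed = extension_diff(PLAIN_CERT, RICH_CERT)
    for oid in only_bad:
        print("only in failing cert:", oid, extension_summary(RICH_CERT)[oid])
```

Run against real DER files by replacing the two constants with `x509.load_der_x509_certificate(open(path, "rb").read())`; the output narrows the suspects to the extensions the working certificate lacks.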