gpgsm 2.1.13 / libksba-1.3.4 fail to verify certificate chain

Stefan Dalibor scd at lst.de
Sat Jun 18 20:20:18 CEST 2016 

Hi,
trying to set up S/MIME protectecd communication via mutt, but gpgsm 2.1.13
/ libksba 1.3.4 (built under Fedora 21) are unable to verify the certificate
chain:

$ gpgsm --debug-level guru --debug-all --dirmngr-program ./bin/dirmngr.sh --verify smime.p7s                                                                          ~/gnupg-2.1.13:0
gpgsm: reading options from '/home/scd/.gnupg/gpgsm.conf'
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc
gpgsm: detached signature
gpgsm: DBG: enabling hash algorithm 2 (1.3.14.3.2.26)
gpgsm: detached signature w/o data - assuming certs-only
gpgsm: DBG: signer 0 - issuer: <snip>
gpgsm: DBG: signer 0 - serial: <snip>
gpgsm: DBG: signer 0 - digest algo: 2
gpgsm: DBG: signer 0 - content-type attribute: 1.2.840.113549.1.7.1
gpgsm: DBG: signer 0 - signature available (sigval hash=0)
gpgsm: Signature made 2016-06-14 15:39:52 using certificate ID 0x<snip>
gpgsm: invalid signature: message digest attribute does not match computed one
gpgsm: DBG: message:   9B BB CE DF 97 53 23 1A 8A 2D 82 16 D7 32 74 D0 C7 4D A5 B3
gpgsm: DBG: computed:  DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95 60 18 90 AF D8 07 09

Tried to get more information by letting gnupg parse the mail, but got only
"Not implmented" messages for CRL checking / invalid certification chain
(see end of output below).

Is there anything I can do configuration-wise, or is verificating this chain
just not -- hopefully yet :)? -- supported by gpgsm?

Thanks,
Stefan

$ ./tools/gpgparsemail --verbose --crypto mailmsg.txt
gpgparsemail: non canonical ended line detected (line 2)
.<snip, mail hdrs parsed ok>
h media: multipart signed
h signed.protocol: application/x-pkcs7-signature
b down
b part
:------<cert ID A, snip>
c begin_hash
.Content-Type: multipart/related;
.       boundary="_004_3D4F30E57ECFD443966400DFA1FDC090787B3C04S1001gagde_";
.       type="multipart/alternative"
h media:   multipart related
b down
b part
:--_004_<cert ID B, snip>_
.Content-Type: multipart/alternative;
.       boundary="_000_3D4F30E57ECFD443966400DFA1FDC090787B3C04S1001gagde_"
h media:     multipart alternative
b down
b part
:--_000_<cert ID B, snip>_
.Content-Type: text/plain; charset="utf-8"
.Content-Transfer-Encoding: base64
h media:       text plain
 <snip>

b part
:--_000_<cert ID B, snip>_
.Content-Type: text/html; charset="utf-8"
.Content-Transfer-Encoding: base64
h media:       text html
 <snip>

b last
b up
:--_000_<cert ID B, snip>_
b part
:--_004_<cert ID B, snip>_
.<snip, gif parsed ok>
h media:     image gif

b last
b up
:--_004_<cert ID B, snip>_
b part
c end_hash
:------F461B893FB2CA2F661FD798058E2475B
.Content-Type: application/x-pkcs7-signature; name="smime.p7s"
.Content-Transfer-Encoding: base64
.Content-Disposition: attachment; filename="smime.p7s"
h media:   application x-pkcs7-signature
c begin_signature
 <snip>

b last
c end_signature
b up
c [GNUPG:] NEWSIG
# gpgsm: Signature made 2016-06-14 15:39:52 using certificate ID 0x<snip>
# gpgsm: Note: non-critical certificate policy not allowed
# gpgsm: certificate #<snip>
# gpgsm: checking the CRL failed: Not implemented
c [GNUPG:] GOODSIG <snip>
c [GNUPG:] VALIDSIG <snip>
# gpgsm: invalid certification chain: Not implemented
c [GNUPG:] TRUST_UNDEFINED 69
:------F461B893FB2CA2F661FD798058E2475B--

More information about the Gnupg-users mailing list