Problems with cert validation via CRL
Peter Lebbing
peter at digitalbrains.com
Tue Feb 21 16:13:18 CET 2017
On 21/02/17 13:20, David Gray wrote:
> I'm no expert, but when I look at the debug info (attached to
> original email), it appears that gpgsm is able to get the crl that my
> cert points to but it may be having trouble parsing it.
Reading that part made me think it couldn't find the issuer of the CRL:
> dirmngr[3184.0]: error fetching certificate by subject: Configuration error
> dirmngr[3184.0]: CRL issuer certificate {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
When I fetch the CRL we're talking about, OpenSSL tells me about it:
> Certificate Revocation List (CRL):
> Version 2 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
> Last Update: Feb 20 16:07:34 2017 GMT
> Next Update: Feb 24 16:07:34 2017 GMT
> CRL extensions:
> X509v3 Authority Key Identifier:
> keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>
> X509v3 CRL Number:
> 822
The issuer is the certificate that gpgsm knows about:
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
> Validity
> Not Before: Dec 22 00:00:00 2014 GMT
> Not After : May 30 10:48:38 2020 GMT
> Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Client Authentication and Secure Email CA
> [...]
> X509v3 extensions:
> X509v3 Authority Key Identifier:
> keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>
> X509v3 Subject Key Identifier:
> 92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
> [...]
> SHA1 Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:89
I suspect that even though gpgsm knows about it, dirmngr might not,
hence the failing CRL verification. I think you need to feed the
certificate to dirmngr as well.
Whether this is actually the reason you're having problems, I don't know.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
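The check Peter is doing by eye above (the CRL's Authority Key Identifier must be the Subject Key Identifier of a CA certificate the verifier actually holds, and the CRL signature must verify under that CA's key) as an added shell example; this is not code from the thread or from GnuPG. It assumes `openssl` is in PATH; the function names are our own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Given a CA certificate and
# a CRL (both PEM), check that the CRL's Authority Key Identifier is the Subject
# Key Identifier of the CA we hold (the keyid dirmngr reported it could not
# find), then let openssl verify the CRL signature against that CA.
# Assumption: openssl is in PATH; the function names here are ours.
set -eu

# Subject Key Identifier of a certificate, as AA:BB:... (from -text output).
ski_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Key Identifier/ { getline; gsub(/ /, ""); print; exit }'
}

# keyid from the CRL's Authority Key Identifier, same AA:BB:... format
# (OpenSSL 1.1 prefixes it with "keyid:", OpenSSL 3 does not; strip either way).
aki_of() {
  openssl crl -in "$1" -noout -text |
    awk '/Authority Key Identifier/ { getline; gsub(/ /, ""); sub(/^keyid:/, ""); print; exit }'
}

# check_crl CA.pem CRL.pem: succeeds only if the identifiers match and the
# CRL signature verifies under the CA's public key.
check_crl() {
  ca=$1; crl=$2
  ski=$(ski_of "$ca"); aki=$(aki_of "$crl")
  if [ -z "$aki" ] || [ "$ski" != "$aki" ]; then
    echo "CRL issuer keyid {$aki} does not match CA SKI {$ski}" >&2
    return 1
  fi
  # -CAfile makes openssl look up the issuer and check the signature; it reports
  # the result on stderr rather than reliably in its exit status, so grep it.
  openssl crl -in "$crl" -noout -CAfile "$ca" 2>&1 | grep -q '^verify OK'
}

# Command-line use: check_crl.sh ca.pem crl.pem
if [ "$#" -eq 2 ]; then
  check_crl "$1" "$2" || exit 1
  echo "CRL is signed by the CA in $1"
fi
```

A CA that gpgsm has imported is not automatically known to dirmngr, so run this with the CA file you intend to give dirmngr, not the one gpgsm already lists.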