Problems with cert validation via CRL
David Gray
deg at davidegray.com
Wed Feb 22 02:03:19 CET 2017
You were correct, Peter. I haven't had a chance to verify on Ubuntu yet, but
on Windows the following steps did the trick:
- there was no 'trusted-certs' directory in my existing home directory
(C:\users\dave\appdata\Roaming\gnupg\), so I created one. I also went ahead
and created a 'logs' directory.
- I added the line "log-file
C:\Users\dave\AppData\Roaming\gnupg\logs\dirmngrlog.txt" to my dirmngr.conf
file to capture what I wanted
- I saved a copy of the root cert with fingerprint
02FAF3E291435468607857694DF5E45B68851868 to a DER-encoded file with .crt
extension to the 'trusted-certs' directory.
- I executed the 'gpgsm --list-keys --with-validation --debug-all' command,
and all keys were shown to be good.
I've attached the debug output from the command as well as the dirmngrlog.txt
file that was generated in case it is of interest. (As an aside, you may
notice that I've installed version 2.1.18 since the last output was provided).
I don't fully understand everything that is shown in these files, but it sure
seems to me like you were exactly right - dirmngr did not know to trust that
root cert, so it couldn't verify that the CRL was signed by a trustworthy
party. Once I told dirmngr that the root cert could be trusted, it could
verify the CRL. I've since been able to encrypt data using this key, so
things are looking good.
I can't thank you enough - this has been extremely helpful.
Thanks!
Dave
-----Original Message-----
From: Peter Lebbing [mailto:peter at digitalbrains.com]
Sent: Tuesday, February 21, 2017 10:13 AM
To: David Gray <deg at davidegray.com>; NIIBE Yutaka <gniibe at fsij.org>
Cc: gnupg-users at gnupg.org
Subject: Re: Problems with cert validation via CRL
On 21/02/17 13:20, David Gray wrote:
> I'm no expert, but when I look at the debug info (attached to original
> email), it appears that gpgsm is able to get the crl that my cert
> points to but it may be having trouble parsing it.
Reading that part made me think it couldn't find the issuer of the CRL:
> dirmngr[3184.0]: error fetching certificate by subject: Configuration
> error
> dirmngr[3184.0]: CRL issuer certificate
> {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
When I fetch the CRL we're talking about, OpenSSL tells me about it:
> Certificate Revocation List (CRL):
> Version 2 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
> Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
> Last Update: Feb 20 16:07:34 2017 GMT
> Next Update: Feb 24 16:07:34 2017 GMT
> CRL extensions:
> X509v3 Authority Key Identifier:
>
> keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>
> X509v3 CRL Number:
> 822
The issuer is the certificate that gpgsm knows about:
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network,
> CN=AddTrust External CA Root
> Validity
> Not Before: Dec 22 00:00:00 2014 GMT
> Not After : May 30 10:48:38 2020 GMT
> Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
> Limited, CN=COMODO SHA-256 Client Authentication and Secure Email CA [...]
> X509v3 extensions:
> X509v3 Authority Key Identifier:
>
> keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>
> X509v3 Subject Key Identifier:
>
> 92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
> [...]
> SHA1
> Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:8
> 9
I suspect that even though gpgsm knows about it, dirmngr might not, hence the
failing CRL verification. I think you need to feed the certificate to dirmngr
as well.
Whether this is actually the reason you're having problems, I don't know.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: windows-listkeys-withvalidation-02212017-success.txt
URL: </pipermail/attachments/20170221/70fe22ca/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dirmngrlog.txt
URL: </pipermail/attachments/20170221/70fe22ca/attachment-0003.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4803 bytes
Desc: not available
URL: </pipermail/attachments/20170221/70fe22ca/attachment-0001.bin>
More information about the Gnupg-users
mailing list