Fresh certificate marked as expired / messed-up certificate chain pulling expired root cert in gpgsm

Dr. Thomas Orgis thomas.orgis at uni-hamburg.de
Sat Jul 20 20:07:37 CEST 2019 

Hi,

thanks for looking at this …

am Sat, 20 Jul 2019 11:01:49 +0200
schrieb Dirk Gottschalk <dirk.gottschalk1980 at googlemail.com>: 

> This is the issue here. These two certs of DTAG (Telekom) are exired
> and that's the reason why gpgsm is complaining correctly.

Please check again my original post, though. The issue I see is that
these certs are not even supposed to be in the chain! To repeat the
summary, which may be lost in the noise before it:

The chain in the imported new key & cert file how it should be:

4. Thomas Orgis (me) signed by DFN-Verein Global Issuing CA
3. DFN-Verein Global Issuing CA signed by DFN-Verein Certification Authority 2
2. DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
1. T-TeleSec GlobalRoot Class 2 signed by T-TeleSec GlobalRoot Class 2 (root)

Compared to what gpgsm sees/shows:

4. Thomas Orgis (me) signed by DFN-Verein Global Issuing CA
3. DFN-Verein Global Issuing CA signed by DFN-Verein Certification Authority 2
2. DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
1. T-TeleSec GlobalRoot Class 2 signed by Deutsche Telekom Root CA 2
0. Deutsche Telekom Root CA 2 signed by Deutsche Telekom Root CA 2 (expired root)

The bogus signatures by the old Telekom certificates appear only after
importing in gpgsm, and colleagues using the same kind of certificates
use them without problem in software not relying on gpgsm. So I assume
the presence of the old certificates stirs things up. When I create a
fresh user and import the new key with its certs into gpgsm, the chain
looks like it should.

/home/tester/.gnupg/pubring.kbx
-------------------------------
           ID: 0x310C60AF
        Issuer: /CN=DFN-Verein Global Issuing CA/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
      Subject: /CN=Thomas Orgis/OU=HPC/OU=Basis-Infrastruktur/OU=RRZ/O=Universitaet Hamburg/L=Hamburg/ST=Hamburg/C=DE
      validity: 2019-07-05 08:22:41 through 2022-07-04 08:22:41
Certified by
           ID: 0xD9463C45
       Issuer: /CN=DFN-Verein Certification Authority 2/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
      Subject: /CN=DFN-Verein Global Issuing CA/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
     validity: 2016-05-24 11:38:40 through 2031-02-22 23:59:59
 chain length: 1
Certified by
           ID: 0xD3A89A93
       Issuer: /CN=T-TeleSec GlobalRoot Class 2/OU=T-Systems Trust Center/O=T-Systems Enterprise Services GmbH/C=DE
      Subject: /CN=DFN-Verein Certification Authority 2/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
     validity: 2016-02-22 13:38:22 through 2031-02-22 23:59:59
 chain length: 2
Certified by
           ID: 0x17D894E9
       Issuer: /CN=T-TeleSec GlobalRoot Class 2/OU=T-Systems Trust Center/O=T-Systems Enterprise Services GmbH/C=DE
      Subject: /CN=T-TeleSec GlobalRoot Class 2/OU=T-Systems Trust Center/O=T-Systems Enterprise Services GmbH/C=DE
     validity: 2008-10-01 10:40:14 through 2033-10-01 23:59:59
 chain length: unlimited


So this looks like a corruption in my keyring that includes the history
of using gpgsm for about 5 years:-/  I now could play games with
exporting keys and starting with a fresh database … but I'd like to
have understood first what happened here.

Regards,

Thomas

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg

More information about the Gnupg-users mailing list