gpgsm: ksba_cms_parse failed: Broken pipe

[Werner Koch]

Hi!

On Thu, 14 Dec 2023 16:19, Jakob Bohm said:

>   zcat ${infl} |
>     faketime "${DSTAMP}" gpgsm --verify --validation-model shell
> --assume-binary --status-fd 3 --output - - 3>${wrkdir}/sigdec.status
> || :


>     gpgsm: ksba_cms_parse failed: Broken pipe

gpgsm expects more data but zcat already sent its EOF.  This might be
due to a broken ASN.1 structure which announced N bytes but gpgsm was
not able to read thes N bytes.  CMS chunks up the data so that you can
have a very long stream of data.  (I have sometimes seen chunks of just
one byte).

That is the error message you meant, or did you see more?  Adding
--verbose is often very helpful.

> Message on status-fd (copied to stderr by cat command)
>
>     [GNUPG:] ERROR verify.leave 32877

This is the machine interface; which you rightfully parse.

  $ gpg-error 32877
  32877 = (0, 32877) = (GPG_ERR_SOURCE_UNKNOWN, GPG_ERR_EPIPE) = (Unspecified source, Broken pipe)

verify.leave helps us to locate the place where the error as emitted:
Here is is at the end of gpgsm_verify function but unfortunately we
can't get the offset of the input data where it stopped parsing.  You
may use "--debug hashing" to write a file with the data hashed
(i.e. what is verified).  That gives an indication where inthe stream
the error occured.

Anothyer useful tool is the venerable dumpasn1 tool which you could use
instead of gpgsm to find error in the input data structure.

> Which of the inputs was being truncated on the way to the that
> parsing function?

The decompressed $infl .

> It would be much easier if the gpgsm code could be used standalone
> like the old gpg1 could, with no entanglement to pinentry, dirmgr

Yeah But for security reasons we have separated tasks in a way similar
to what postfix does.

> status-fd protocol etc. etc.  scripted signing and verification of
> computer generated data is not suited to a human-centric user

Right, it is a machine interface.  For gpg we have the extra tool gpgv
to make verification against a known set of keys easy.  And recently we
added --assert-signer which basically does the same.  There has never
been a demand to have a dedicated verification tool for CMS but I can
imagine to add a  --assert-signer also to gpgsm.

Your use of faketime is interesting ;-)


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20231214/32cc4e5c/attachment.sig>