S/MIME which certificate format
Marco Moock
mm at dorfdsl.de
Tue May 6 17:11:37 CEST 2025
On 06.05.2025 at 11:48:49, Werner Koch wrote:
> On Tue, 5 Nov 2024 17:11, Marco Moock said:
> > m at ryz:~$ gpgsm --show-cert zertifikat-smime/PKCS7_File/PKCS7.p7b
> > gpgsm: enabled debug flags: ipc
> > gpgsm: enabled compatibility flags:
> > gpgsm: ksba_cert_hash failed: Kein Wert
> > gpgsm: ksba_cert_hash failed: Kein Wert
>
> Using current GnuPG (master, 2.5.6-beta): I get this:
>
> ID: 0x520AB3F9
> S/N: 00CDB882CF52A4258A4CB6FA03C415DDBD
> (dec): 273449774896932489317308577343912402365
> Issuer: CN=Sectigo RSA Client Authentication and Secure Email CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
> Subject: [error]
> aka: <mm at dorfdsl.de>
> sha2_fpr:
> DE:DB:58:6F:AA:72:31:A2:91:5C:FC:1E:55:27:77:3C:F0:27:03:DB:28:CB:83:BE:49:15:0A:01:
>
> which sounds okay.
>
> gpgsm (GnuPG) 2.4.8-beta3
> libgcrypt 1.11.0
> libksba 1.6.7-beta9
>
> works fine as well. A likely fix was this one in Libksba
>
> Noteworthy changes in version 1.6.7 (2024-06-21) [C22/A14/R7]
> ------------------------------------------------
>
> * Allow for an empty Subject in certs. [T7171]
>
> I assume that you used a 1.6.6 or older.
I used
libksba8:amd64 1.6.7-2+b1
gnupg 2.4.7-17
and those versions give an error, so it is not only the libksba
1.6.6 version.
gpgsm: ksba_cert_hash failed: Kein Wert
ksba: ber-decoder: node `?': TLV length too large
File ........: zertifikat-smime/PKCS7_File/PKCS7.p7b
ID: 0xFFFFFFFF
S/N: keine
(dec): keine
Issuer: [error]
Subject: [error]
sha2_fpr:
FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF
sha1_fpr: FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF
md5_fpr: FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF
certid: error
keygrip: error
notBefore: keine
notAfter: keine
hashAlgo: (null)
keyType: [error]
subjKeyId: [none]
authKeyId: [none]
keyUsage: [none]
extKeyUsage: [none]
policies: [none]
chainLength: [none]
crlDP: [none]
authInfo: [none]
subjInfo: [none]
If needed, I can try to build other versions, but this takes time as I
have to create Debian packets first. Most systems need gnupg and I
can't manually build and install it, as it breaks the dependency system.
--
Regards
Marco
Send unsolicited bulk mail to 1746524929muell at cartoonies.org