Internal error returned from within gnutls_certificate_set_openpgp_key()

Joke de Buhr joke at seiken.de
Fri Sep 21 11:37:19 CEST 2012


hi,

I discovered the internal error seems to be related to the OpenPGP key size.
If the key contains just a single signing subkey with 2048 or more bits, GnuTLS
reports the internal error. A signing subkey with 1024 bits will, however.

Moreover, the key can contain encryption subkeys up to 4096 bits without
problem as long as the encryption subkey isn't marked for signing. The
authentication flags don't seem to have any effect at all.

The problem seems to be related to the key exchange algorithm. The signature
flag enables DHE_RSA and ECDHE_RSA, whereas the encryption flag enables RSA key
exchange.


Any comments on how to avoid this problem?


regards
joke

On Tuesday 18 September 2012 19:32:45 you wrote:
> Well, it seems this error has something to do with the flags of the
> authentication subkey.
> 
> If the subkey is marked for authentication and signing,
> gnutls_certificate_set_openpgp_key() will report an internal error. If the
> subkey is not marked for signing, the function reports success. The
> encryption flags don't seem to matter.
> 
> 
> regards
> joke
> 
> On Tuesday 18 September 2012 11:34:18 you wrote:
> > hi,
> > 
> > I'm using GnuTLS version 3.1.1.
> > 
> > There seems to be a problem within gnutls_certificate_set_openpgp_key().
> > 
> > gnutls_certificate_set_openpgp_key() uses gnutls_privkey_import_openpgp()
> > (flag GNUTLS_PRIVKEY_IMPORT_COPY) to obtain a copy of the passed private
> > key. Copying is done by calling _gnutls_openpgp_privkey_cpy(), which in turn
> > calls gnutls_openpgp_privkey_export() and gnutls_openpgp_privkey_import().
> > 
> > During this copying procedure the key somehow gets messed up and
> > gnutls_openpgp_privkey_import() returns GNUTLS_E_INTERNAL_ERROR.
> > 
> > Importing the private key with gnutls_openpgp_privkey_import() in the
> > first place, to pass the parameter to gnutls_certificate_set_openpgp_key(),
> > worked without problem. The PGP key contains a master key with flags SCE
> > and a single subkey with flags SEA. Using a PGP key with just a master key
> > seems to work, by the way.
> > 
> > If needed I can provide a test program and the gpg key.
> > 
> > 
> > regards
> > Joke