Bug in certificate management
Robert Schiele
robert.schiele@t-online.de
Sun Aug 24 19:58:02 2003
Hello.
I think I suffered a bug in certificate management. I received an S/MIME
signed mail and wanted to check it using gpgsm. I will attach the signature
to this mail, but I cannot give you the mail itself because it has proprietary
contents included, but the contents of the mail are not needed to show the
problem anyway. If you need additional information not contained in that
mail, feel free to contact me.
Now for the information:
Installed versions:
libgcrypt 1.1.12
libksba 0.4.6
newpg 0.9.4
dirmngr 0.4.4
When there is no S/MIME certificate in the key database and I check the signed
mail, then the certificate is automatically stored into the key database, but
the chain to the root certificate is incorrect. Importing the correct root
certificate (available from
http://www.trustcenter.de/certservices/cacerts/tcclass1-2011.pem) afterwards
does not fix the problem:
===========================================================================
$ gpgsm --list-sig
$ gpgsm --verify signature
gpgsm: detached signature w/o data - assuming certs-only
gpgsm: Signature made [date not given] using certificate ID 0FBD9450
gpgsm: invalid signature: bad signature
$ gpgsm --list-sig
/home/robert/.gnupg/pubring.kbx
------------------------------
Serial number: 02
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 13:56:33 Z through 2005-12-31 13:56:33 Z
fingerprint: DA:C0:59:0B:0D:94:FC:15:D7:15:2E:B6:79:70:03:5B:8D:B9:F5:2B
Serial number: 2EF400000002DE4C0C29183976D3
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /CN=Ingram Rechnungsversand/C=DE/EMail=invoice@e-service.ingrammicro.de
validity: 2003-06-02 10:23:40 Z through 2004-06-02 10:23:40 Z
key usage: digitalSignature nonRepudiation keyEncipherment
fingerprint: D2:FA:F2:15:14:DA:A9:DF:7D:0A:2E:17:25:E6:97:60:0F:BD:94:50
Certified by
Serial number: 02
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 13:56:33 Z through 2005-12-31 13:56:33 Z
fingerprint: DA:C0:59:0B:0D:94:FC:15:D7:15:2E:B6:79:70:03:5B:8D:B9:F5:2B
$ gpgsm --import tcclass1-2011.pem
gpgsm: total number processed: 1
gpgsm: imported: 1
$ gpgsm --list-sig
/home/robert/.gnupg/pubring.kbx
------------------------------
Serial number: 02
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 13:56:33 Z through 2005-12-31 13:56:33 Z
fingerprint: DA:C0:59:0B:0D:94:FC:15:D7:15:2E:B6:79:70:03:5B:8D:B9:F5:2B
Serial number: 2EF400000002DE4C0C29183976D3
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /CN=Ingram Rechnungsversand/C=DE/EMail=invoice@e-service.ingrammicro.de
validity: 2003-06-02 10:23:40 Z through 2004-06-02 10:23:40 Z
key usage: digitalSignature nonRepudiation keyEncipherment
fingerprint: D2:FA:F2:15:14:DA:A9:DF:7D:0A:2E:17:25:E6:97:60:0F:BD:94:50
Certified by
Serial number: 02
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 13:56:33 Z through 2005-12-31 13:56:33 Z
fingerprint: DA:C0:59:0B:0D:94:FC:15:D7:15:2E:B6:79:70:03:5B:8D:B9:F5:2B
Serial number: 03E9
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 11:59:59 Z through 2011-01-01 11:59:59 Z
key usage: digitalSignature certSign crlSign
chain length: unlimited
fingerprint: 72:0F:C1:5D:DC:27:D4:56:D0:98:FA:BF:3C:DD:78:D3:1E:F5:A8:DA
$
===========================================================================
I can work around this problem by importing the correct root certificate
_before_ checking the mail for the first time:
===========================================================================
$ gpgsm --list-sig
$ gpgsm --import tcclass1-2011.pem
gpgsm: total number processed: 1
gpgsm: imported: 1
$ gpgsm --list-sig
/home/robert/.gnupg/pubring.kbx
------------------------------
Serial number: 03E9
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 11:59:59 Z through 2011-01-01 11:59:59 Z
key usage: digitalSignature certSign crlSign
chain length: unlimited
fingerprint: 72:0F:C1:5D:DC:27:D4:56:D0:98:FA:BF:3C:DD:78:D3:1E:F5:A8:DA
$ gpgsm --verify gpgsm.log.16
gpgsm: detached signature w/o data - assuming certs-only
gpgsm: Signature made [date not given] using certificate ID 0FBD9450
gpgsm: invalid signature: bad signature
$ gpgsm --list-sig
/home/robert/.gnupg/pubring.kbx
------------------------------
Serial number: 03E9
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 11:59:59 Z through 2011-01-01 11:59:59 Z
key usage: digitalSignature certSign crlSign
chain length: unlimited
fingerprint: 72:0F:C1:5D:DC:27:D4:56:D0:98:FA:BF:3C:DD:78:D3:1E:F5:A8:DA
Serial number: 02
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 13:56:33 Z through 2005-12-31 13:56:33 Z
fingerprint: DA:C0:59:0B:0D:94:FC:15:D7:15:2E:B6:79:70:03:5B:8D:B9:F5:2B
Serial number: 2EF400000002DE4C0C29183976D3
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /CN=Ingram Rechnungsversand/C=DE/EMail=invoice@e-service.ingrammicro.de
validity: 2003-06-02 10:23:40 Z through 2004-06-02 10:23:40 Z
key usage: digitalSignature nonRepudiation keyEncipherment
fingerprint: D2:FA:F2:15:14:DA:A9:DF:7D:0A:2E:17:25:E6:97:60:0F:BD:94:50
Certified by
Serial number: 03E9
Issuer: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
Subject: /OU=TC TrustCenter Class 1 CA/O=TC TrustCenter for Security in Data Networks GmbH/L=Hamburg/ST=Hamburg/C=DE/EMail=certificate@trustcenter.de
validity: 1998-03-09 11:59:59 Z through 2011-01-01 11:59:59 Z
key usage: digitalSignature certSign crlSign
chain length: unlimited
fingerprint: 72:0F:C1:5D:DC:27:D4:56:D0:98:FA:BF:3C:DD:78:D3:1E:F5:A8:DA
$
===========================================================================
Robert
-- 
Robert Schiele Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker mailto:rschiele@uni-mannheim.de
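The chain-building ambiguity behind this report, as an added example that is not code from the message or from gpgsm: two self-signed CA certificates share one subject DN, as serial 02 and serial 03E9 do above, so a lookup keyed on the issuer DN alone returns whichever candidate sits first in the store, while checking the leaf's signature against each candidate's key selects the CA that actually issued it. The names, serials and keys are constructed with Go's crypto/x509 and are not the TrustCenter certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caName mirrors the report: both CA certificates carry the same subject DN,
// so the DN alone cannot tell them apart (constructed data, not the real CA).
var caName = pkix.Name{OrganizationalUnit: []string{"TC TrustCenter Class 1 CA"}, Country: []string{"DE"}}

// newCert issues a certificate for a fresh P-256 key. With parent == nil it is
// self-signed (a CA); otherwise it is an end-entity certificate signed by parent.
// Errors are ignored because the constructed inputs cannot fail.
func newCert(serial int64, subject pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA, as both TrustCenter certificates are
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// findIssuer returns the first pool entry whose subject equals the leaf's issuer DN.
// With verifySig == false that is the only test, which is the ambiguity in the report:
// the first same-DN certificate in the store wins. With verifySig == true the candidate
// must also hold the key that signed the leaf (CheckSignatureFrom additionally enforces
// the CA flag and the certSign key usage).
func findIssuer(leaf *x509.Certificate, pool []*x509.Certificate, verifySig bool) *x509.Certificate {
	for _, c := range pool {
		if c.Subject.String() != leaf.Issuer.String() {
			continue
		}
		if !verifySig || leaf.CheckSignatureFrom(c) == nil {
			return c
		}
	}
	return nil
}
```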