[issue151] gpgme_key_t->expired == false on expired (S/MIME) key with validating keylisting.

Marc Mutz aegypten-issues at intevation.de
Thu Apr 15 15:21:41 CEST 2004


New submission from Marc Mutz <marc at klaralvdalens-datakonsult.se>:

This is what a validating keylisting returns for my old 
 CN=Marc Mutz,L=org,OU=KMail,O=KDE,C=DE 
key that expired June 2003: 
 
(gdb) p *key 
$5 = {_refs = 1, revoked = 0, expired = 0, disabled = 0, invalid = 0, 
  can_encrypt = 1, can_sign = 1, can_certify = 0, secret = 1, 
  can_authenticate = 0, _unused = 0, protocol = GPGME_PROTOCOL_CMS, 
  issuer_serial = 0x8138390 "0B", 
  issuer_name = 0x817cd80 "CN=Test-ZS3,O=Intevation GmbH,C=DE", 
  chain_id = 0x8177698 "09AA5F1DE795237656239C9A78536B07E43C15AC", 
  owner_trust = GPGME_VALIDITY_UNKNOWN, subkeys = 0x8177900, 
  uids = 0x8199688, _last_subkey = 0x8177900, _last_uid = 0x8171128} 
(gdb) p *key->uids 
$6 = {next = 0x8171128, revoked = 0, invalid = 1, _unused = 0, 
  validity = GPGME_VALIDITY_UNKNOWN, 
  uid = 0x81996ac "CN=Marc Mutz,OU=KMail,O=KDE,L=org,C=DE", 
  name = 0x81996d2 "", email = 0x81996d2 "", comment = 0x81996d2 "", 
  signatures = 0x0, _last_keysig = 0x0} 
(gdb) p *key->subkeys 
$7 = {next = 0x0, revoked = 0, expired = 0, disabled = 0, invalid = 1, 
  can_encrypt = 1, can_sign = 1, can_certify = 0, secret = 0, 
  can_authenticate = 0, _unused = 0, pubkey_algo = GPGME_PK_RSA, 
  length = 1024, keyid = 0x8177914 "528130280665A867", 
  _keyid = "528130280665A867", 
  fpr = 0x81997f8 "67348E8ACF3DFBB38121353B528130280665A867", 
  timestamp = 1042554823, expires = 1058106823} 
(gdb) p time(0) 
$8 = 1082034803 
 
cf. the values of $8 and $7.expires... 
 
The effect is that all certs are marked as valid in certmanager with the new 
validate certs function... 
 
Same goes for revoked certs: 
$ gpgsm --list-keys --with-validation C86D3C261BC257877CA44EFB2E6C6ECF0A280532 
Secure memory is not locked into core 
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! 
gpgsm: It is only intended for test purposes and should NOT be 
gpgsm: used in a production environment or with production keys! 
/home/marc/.gnupg/pubring.kbx 
----------------------------- 
Serial number: 0C 
       Issuer: /CN=ZS 4/O=Intevation GmbH/C=DE 
      Subject: /CN=David Faure/O=Klarälvdalens Datakonsult AB/L=Cheval 
Blanc/C=SE 
          aka: dfaure at klaralvdalens-datakonsult.se 
     validity: 2004-02-18 10:05:42 through 2006-02-17 10:05:42 
    key usage: digitalSignature nonRepudiation keyEncipherment 
  fingerprint: C8:6D:3C:26:1B:C2:57:87:7C:A4:4E:FB:2E:6C:6E:CF:0A:28:05:32 
gpgsm: no running dirmngr - starting one 
can't connect to `/home/marc/.gnupg/log-socket': Connection refused 
switching logging to stderr 
dirmngr[30273.0x80646b8] DBG: -> OK Dirmngr 0.5.4-cvs at your service 
gpgsm: DBG: connection to dirmngr established 
dirmngr[30273.0x80646b8] DBG: <- ISVALID 
0EFFD19584318700CE22B0528C0E005F722A69A7.0C 
dirmngr[30273]: opening cache file 
`/home/marc/.gnupg/dirmngr-cache.d/crl-0EFFD19584318700CE22B0528C0E005F722A69A7.db' 
dirmngr[30273]: S/N 0C is not valid; reason=00  date=20040224T115352 
dirmngr[30273]: command ISVALID failed: Certificate revoked 
dirmngr[30273.0x80646b8] DBG: -> ERR 167772254 Certificate revoked <Dirmngr> 
  [certificate has been revoked] 
dirmngr[30273.0x80646b8] DBG: <- ISVALID 
7F2A402CBB016A9146D613568C89D3596A4111AA.01 
dirmngr[30273]: opening cache file 
`/home/marc/.gnupg/dirmngr-cache.d/crl-7F2A402CBB016A9146D613568C89D3596A4111AA.db' 
dirmngr[30273]: S/N 01 is valid, it is not listed in the CRL 
dirmngr[30273.0x80646b8] DBG: -> OK 
gpgsm: no running gpg-agent - starting one 
gpg-agent[30274]: Secure memory is not locked into core 
gpg-agent[30274]: NOTE: this is a development version! 
can't connect to `/home/marc/.gnupg/log-socket': Connection refused 
switching logging to stderr 
gpg-agent[30274.0x8073b18] DBG: -> OK Your orders please 
gpgsm: DBG: connection to agent established 
gpg-agent[30274.0x8073b18] DBG: <- RESET 
gpg-agent[30274.0x8073b18] DBG: -> OK 
gpg-agent[30274.0x8073b18] DBG: <- OPTION display=:0 
gpg-agent[30274.0x8073b18] DBG: -> OK 
gpg-agent[30274.0x8073b18] DBG: <- OPTION ttyname=/dev/pts/3 
gpg-agent[30274.0x8073b18] DBG: -> OK 
gpg-agent[30274.0x8073b18] DBG: <- OPTION ttytype=xterm 
gpg-agent[30274.0x8073b18] DBG: -> OK 
gpg-agent[30274.0x8073b18] DBG: <- OPTION lc-ctype=C 
gpg-agent[30274.0x8073b18] DBG: -> OK 
gpg-agent[30274.0x8073b18] DBG: <- OPTION lc-messages=C 
gpg-agent[30274.0x8073b18] DBG: -> OK 
gpg-agent[30274.0x8073b18] DBG: <- ISTRUSTED 
A6935DD34EF3087973C706FC311AA2CCF733765B 
gpg-agent[30274.0x8073b18] DBG: -> OK 
dirmngr[30273.0x80646b8] DBG: <- ISVALID 
7F2A402CBB016A9146D613568C89D3596A4111AA.00 
dirmngr[30273]: S/N 00 is valid, it is not listed in the CRL 
dirmngr[30273.0x80646b8] DBG: -> OK 
  [certificate is bad: Certificate revoked] 
 
secmem usage: 1344/16384 bytes in 2 blocks 
dirmngr[30273.0x80646b8] DBG: <- [EOF] 
 
 
yet: 
 
(gdb) p *key 
$9 = {_refs = 1, revoked = 0, expired = 0, disabled = 0, invalid = 0, 
  can_encrypt = 1, can_sign = 1, can_certify = 0, secret = 0, 
  can_authenticate = 0, _unused = 0, protocol = GPGME_PROTOCOL_CMS, 
  issuer_serial = 0x81a2578 "0C", 
  issuer_name = 0x81a0828 "CN=ZS 4,O=Intevation GmbH,C=DE", 
  chain_id = 0x819a328 "28126047B34F852D9408A968508F21F065E65E44", 
  owner_trust = GPGME_VALIDITY_UNKNOWN, subkeys = 0x8197fe0, 
  uids = 0x815bfc8, _last_subkey = 0x8197fe0, _last_uid = 0x81a7d40} 
(gdb) p *key->uids 
$10 = {next = 0x81a7d40, revoked = 1, invalid = 0, _unused = 0, 
  validity = GPGME_VALIDITY_UNKNOWN, 
  uid = 0x815bfec "CN=David Faure,O=Klarälvdalens Datakonsult AB,L=Cheval 
Blanc,C=SE", name = 0x815c02e "", email = 0x815c02e "", 
  comment = 0x815c02e "", signatures = 0x0, _last_keysig = 0x0} 
(gdb) p *key->subkeys 
$11 = {next = 0x0, revoked = 1, expired = 0, disabled = 0, invalid = 0, 
  can_encrypt = 1, can_sign = 1, can_certify = 0, secret = 0, 
  can_authenticate = 0, _unused = 0, pubkey_algo = GPGME_PK_RSA, 
  length = 1024, keyid = 0x8197ff4 "2E6C6ECF0A280532", 
  _keyid = "2E6C6ECF0A280532", 
  fpr = 0x81a96a0 "C86D3C261BC257877CA44EFB2E6C6ECF0A280532", 
  timestamp = 1077098742, expires = 1140170742} 
 
As you can see, in this case, the problem is that gpgme_key_t->revoked is not set, 
although gpgme_subkey_t->revoked and gpgme_user_id_t->revoked are.

----------
assignedto: werner
messages: 693
nosy: marc, werner
priority: bug
status: unread
title: gpgme_key_t->expired == false on expired (S/MIME) key with validating keylisting.
topic: GPGME, gpgsm
______________________________________________________
Aegypten issue tracker <aegypten-issues at intevation.de>
<https://intevation.de/roundup/aegypten/issue151>
______________________________________________________
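An added workaround check, not part of this report or of gpgme itself, for callers (such as certmanager) that need the verdict the report expects: derive "expired" and "revoked" from the subkeys and user IDs instead of trusting only the key-level flags. The structs are constructed cut-down stand-ins with the field names of gpgme_subkey_t, gpgme_user_id_t and gpgme_key_t (assumption: a caller substitutes the real gpgme types); the sample values are the ones from the gdb dumps above.

```c
#include <stddef.h>

/* Constructed cut-down stand-ins for gpgme_subkey_t, gpgme_user_id_t and
 * gpgme_key_t: only the fields the check needs, with the same names, so the
 * two functions below can be dropped into code that uses the real types. */
struct subkey { struct subkey *next; unsigned revoked:1, expired:1; long expires; };
struct uid    { struct uid *next; unsigned revoked:1; };
struct key    { unsigned revoked:1, expired:1;
                struct subkey *subkeys; struct uid *uids; };

/* Policy chosen here: the key counts as expired if the key-level flag says
 * so, or if the first subkey (the certificate itself for CMS, the primary
 * key for OpenPGP) has an expiry (expires != 0) at or before 'now'. This
 * sidesteps the key->expired == 0 seen in the report. */
int key_effectively_expired(const struct key *k, long now)
{
    const struct subkey *s = k->subkeys;
    if (k->expired)
        return 1;
    if (s == NULL)
        return 0;                       /* nothing to judge by */
    return s->expired || (s->expires != 0 && s->expires <= now);
}

/* Revoked if the key, any subkey or any user ID reports revocation; the
 * report shows the latter two set while key->revoked stays 0. */
int key_effectively_revoked(const struct key *k)
{
    const struct subkey *s;
    const struct uid *u;
    if (k->revoked)
        return 1;
    for (s = k->subkeys; s; s = s->next)
        if (s->revoked)
            return 1;
    for (u = k->uids; u; u = u->next)
        if (u->revoked)
            return 1;
    return 0;
}

/* Constructed samples carrying the values from the two gdb dumps above. */
static struct subkey expired_sub = { NULL, 0, 0, 1058106823L };
static struct uid    expired_uid = { NULL, 0 };
struct key expired_cert = { 0, 0, &expired_sub, &expired_uid };   /* $5/$7 */

static struct subkey revoked_sub = { NULL, 1, 0, 1140170742L };
static struct uid    revoked_uid = { NULL, 1 };
struct key revoked_cert = { 0, 0, &revoked_sub, &revoked_uid };   /* $9..$11 */

long report_now = 1082034803L;          /* $8: time(0) in the report */
```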