
dirmngr does not try all CRL DPs if first fetchable CRL is too old
Closed, Resolved, Public

Description

Let's have a certificate with several CRL distribution points. If no up-to-date CRL
is cached, Dirmngr will build a list of DPs from the certificate and it will try
to fetch the CRL from the last DP.

If a CRL from such a DP is available, it is fetched and cached. If the CRL is
up-to-date, processing continues fine.

But if the fetched CRL is expired, dirmngr will not try another DP from the set of DPs
listed in the certificate; it will raise an error saying "CRL is too old".

This is undesired behavior; dirmngr should try to utilize the other DPs.

In addition, if the certificate being verified has more ancestors and some of their CRLs
are expired, higher-level applications (like gpgme/gpgsm called from mutt) will
not signal a proper error: instead of "CRL too old" they just raise an error without
explanation. (However, dirmngr itself prints the proper error message somewhere in
the middle of the messages.) This second sub-bug is probably related to gpgsm or
gpgme or mutt, not to dirmngr directly.

Attached is a tarball containing two files: the data and a PKCS7 with the signature and
the complete certificate chain. If the CA in question does not respond promptly to my
complaint regarding the unsynced CRL DP mirrors, you will get a chance to test this
issue in reality.

Details

Version
1.0.3

Event Timeline

I did some debugging and I found that the problem is not that it does not give up on
the first successfully fetched CRL regardless of its expiration time. The real problem is
that it simply fetches from all DPs and overwrites the CRL with the CRL from the next DP on
each iteration.

E.g. having 2 DPs: A with an up-to-date CRL and B with an expired CRL, we fetch both
of them in this order, thus the result is an expired CRL in the cache.

I also discovered that if crl_fetch() fails (e.g. because LDAP is disabled), it
does not try the next DP.

Actually, I don't understand the while-for double loop in
crl_cache_reload_crl(). Assuming all DPs are considered equivalent, we need to
get only the first up-to-date CRL, that's all; we don't need to try the next DPs.

I probably got the idea. The structure of the DP extension assumed by dirmngr is:

DPEXTENSION

(DP
  (NAME)*
)*

where all DPs must be fetched and checked, and each DP can be represented by several
alternative NAMEs, of which at least one must be fetchable. Each DP is assumed to
have a different issuer DN; the cache file names are based on the issuer DN.

This is a problem in the case of my CA. The CA has 4 DPs, all of them have the same
issuer DN, all of them are considered equivalent, but some of them are not
synced and they are expired. Because of the same DN, they overwrite each other.
The CA assumes at least one DP must be usable.

I'm not sure which description is in line with the specifications. I think my CA
implements DPs in the wrong way. What's your opinion?

Here is verbose output from dirmngr with the LDAP protocol disabled. You can see
the first DP is up-to-date, the second DP, saved into the same cache file, is expired,
and the third DP raises an error because of LDAP. The fourth DP (also LDAP) is not checked
because the third DP failed. (I injected some more DEBUG messages):

petr@album:/tmp $ LANG=en gpgsm --verify signedmail.p7s signedmail.data
gpgsm: Signature made 2009-09-11 11:42:16 using certificate ID 0x31478690
dirmngr[4137]: trusted certificate
`/home/petr/.gnupg/trusted-certs/postsignum_qca_sub-2009.der' loaded
dirmngr[4137]: SHA1 fingerprint =
1B:DB:87:C4:81:02:97:7C:A2:77:65:E9:CC:A4:14:24:6C:6D:88:A2
dirmngr[4137]: issuer = #1C/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F
6F 74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73
2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[4137]: subject = /[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 51 75 61
6C 69 66 69 65 64 20 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C
2C 20 73 2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[4137]: trusted certificate
`/home/petr/.gnupg/trusted-certs/postsignum_qca_root-2009.der' loaded
dirmngr[4137]: SHA1 fingerprint =
AF:3B:84:BA:34:37:63:BB:BE:03:6C:76:5A:44:11:9E:48:B5:2D:34
dirmngr[4137]: issuer = #01/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F
6F 74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73
2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[4137]: subject = /[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F 6F
74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73 2E
70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[4137]: permanently loaded certificates: 2
dirmngr[4137]: runtime cached certificates: 0
dirmngr[4137]: opening cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-1958CDB7CC15F5A779E4E8324908508636F772AB.db'
dirmngr[4137]: S/N 042653 is valid, it is not listed in the CRL
gpgsm: note: non-critical certificate policy not allowed
dirmngr[4137]: cached CRL for issuer id B7A0ACF9BAD347177CDD34DD60E771EE09565B7C
too old; update required
dirmngr[4137]: checking distribution points
dirmngr[4137]: DEBUG: in for: seq=1, name_seq=0,
DP_URI=http://www.postsignum.cz/crl/psrootqca.crl
dirmngr[4137]: fetching CRL from `http://www.postsignum.cz/crl/psrootqca.crl'
dirmngr[4137]: inserting CRL (reader 0x8439730)
dirmngr[4137]: update times of this CRL: this=20090911T075830 next=20100911T080330
dirmngr[4137]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[4137]: running in compatibility mode - certificate chain not checked!
dirmngr[4137]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-B7A0ACF9BAD347177CDD34DD60E771EE09565B7C.db'
dirmngr[4137]: DEBUG: breaking for-loop
dirmngr[4137]: DEBUG: in for: seq=2, name_seq=0,
DP_URI=http://postsignum.ttc.cz/crl/psrootqca.crl
dirmngr[4137]: fetching CRL from `http://postsignum.ttc.cz/crl/psrootqca.crl'
dirmngr[4137]: inserting CRL (reader 0x84397b8)
dirmngr[4137]: update times of this CRL: this=20080916T081139 next=20090916T081639
dirmngr[4137]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[4137]: running in compatibility mode - certificate chain not checked!
dirmngr[4137]: new CRL still too old; it expired on 20090916T081639
dirmngr[4137]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-B7A0ACF9BAD347177CDD34DD60E771EE09565B7C.db'
dirmngr[4137]: crl_cache_insert via DP failed: CRL too old
dirmngr[4137]: command ISVALID failed: CRL too old
gpgsm: certificate #1C/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F 6F 74
20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73 2E 70
2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
gpgsm: the available CRL is too old
gpgsm: please make sure that the "dirmngr" is properly installed
gpgsm: note: non-critical certificate policy not allowed
dirmngr[4137]: cached CRL for issuer id B7A0ACF9BAD347177CDD34DD60E771EE09565B7C
too old; update required
dirmngr[4137]: checking distribution points
dirmngr[4137]: DEBUG: in for: seq=1, name_seq=0,
DP_URI=http://www.postsignum.cz/crl/psrootqca.crl
dirmngr[4137]: fetching CRL from `http://www.postsignum.cz/crl/psrootqca.crl'
dirmngr[4137]: inserting CRL (reader 0x84500d8)
dirmngr[4137]: update times of this CRL: this=20090911T075830 next=20100911T080330
dirmngr[4137]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[4137]: running in compatibility mode - certificate chain not checked!
dirmngr[4137]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-B7A0ACF9BAD347177CDD34DD60E771EE09565B7C.db'
dirmngr[4137]: DEBUG: breaking for-loop
dirmngr[4137]: DEBUG: in for: seq=2, name_seq=0,
DP_URI=http://postsignum.ttc.cz/crl/psrootqca.crl
dirmngr[4137]: fetching CRL from `http://postsignum.ttc.cz/crl/psrootqca.crl'
dirmngr[4137]: inserting CRL (reader 0x84440d0)
dirmngr[4137]: update times of this CRL: this=20080916T081139 next=20090916T081639
dirmngr[4137]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[4137]: running in compatibility mode - certificate chain not checked!
dirmngr[4137]: new CRL still too old; it expired on 20090916T081639
dirmngr[4137]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-B7A0ACF9BAD347177CDD34DD60E771EE09565B7C.db'
dirmngr[4137]: crl_cache_insert via DP failed: CRL too old
dirmngr[4137]: command ISVALID failed: CRL too old
gpgsm: certificate #01/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F 6F 74
20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73 2E 70
2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
gpgsm: the available CRL is too old
gpgsm: please make sure that the "dirmngr" is properly installed
gpgsm: invalid certification chain: CRL too old

Sorry, I added gpgsm output without an LDAP attempt because a valid up-to-date CRL
for one CA was already cached. Here follows output demonstrating the stop on LDAP failure:

gpgsm: Signature made 2009-09-11 11:42:16 using certificate ID 0x31478690
dirmngr[4369]: trusted certificate
`/home/petr/.gnupg/trusted-certs/postsignum_qca_sub-2009.der' loaded
dirmngr[4369]: SHA1 fingerprint =
1B:DB:87:C4:81:02:97:7C:A2:77:65:E9:CC:A4:14:24:6C:6D:88:A2
dirmngr[4369]: issuer = #1C/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F
6F 74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73
2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[4369]: subject = /[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 51 75 61
6C 69 66 69 65 64 20 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C
2C 20 73 2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[4369]: trusted certificate
`/home/petr/.gnupg/trusted-certs/postsignum_qca_root-2009.der' loaded
dirmngr[4369]: SHA1 fingerprint =
AF:3B:84:BA:34:37:63:BB:BE:03:6C:76:5A:44:11:9E:48:B5:2D:34
dirmngr[4369]: issuer = #01/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F
6F 74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73
2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[4369]: subject = /[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F 6F
74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73 2E
70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[4369]: permanently loaded certificates: 2
dirmngr[4369]: runtime cached certificates: 0
dirmngr[4369]: failed to open cache dir file
`/home/petr/.gnupg/dirmngr-cache.d/DIR.txt': No such file or directory
dirmngr[4369]: new cache dir file `/home/petr/.gnupg/dirmngr-cache.d/DIR.txt'
created
dirmngr[4369]: no CRL available for issuer id
1958CDB7CC15F5A779E4E8324908508636F772AB
dirmngr[4369]: checking distribution points
dirmngr[4369]: DEBUG: in for: seq=1, name_seq=0,
DP_URI=http://www.postsignum.cz/crl/psqualifiedca.crl
dirmngr[4369]: fetching CRL from `http://www.postsignum.cz/crl/psqualifiedca.crl'
dirmngr[4369]: inserting CRL (reader 0x9848c18)
dirmngr[4369]: update times of this CRL: this=20090923T141804 next=20090924T021804
dirmngr[4369]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[4369]: running in compatibility mode - certificate chain not checked!
dirmngr[4369]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-1958CDB7CC15F5A779E4E8324908508636F772AB.db'
dirmngr[4369]: DEBUG: breaking for-loop
dirmngr[4369]: DEBUG: in for: seq=2, name_seq=0,
DP_URI=http://postsignum.ttc.cz/crl/psqualifiedca.crl
dirmngr[4369]: fetching CRL from `http://postsignum.ttc.cz/crl/psqualifiedca.crl'
dirmngr[4369]: inserting CRL (reader 0x98627b8)
dirmngr[4369]: update times of this CRL: this=20090923T141804 next=20090924T021804
dirmngr[4369]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[4369]: running in compatibility mode - certificate chain not checked!
dirmngr[4369]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-1958CDB7CC15F5A779E4E8324908508636F772AB.db'
dirmngr[4369]: DEBUG: breaking for-loop
dirmngr[4369]: DEBUG: in for: seq=3, name_seq=0,
DP_URI=ldap://qca.postsignum.cz/cn%3dPostSignum%20Qualified%20CA,o%3dCeska%20posta%20s.p.%20%5bIC%2047114983%5d,c%3dCZ?certificateRevocationList
dirmngr[4369]: fetching CRL from
`ldap://qca.postsignum.cz/cn%3dPostSignum%20Qualified%20CA,o%3dCeska%20posta%20s.p.%20%5bIC%2047114983%5d,c%3dCZ?certificateRevocationList'
dirmngr[4369]: CRL access not possible due to disabled LDAP
dirmngr[4369]: crl_fetch via DP failed: Not supported
dirmngr[4369]: command ISVALID failed: Not supported
gpgsm: certificate #042653/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 51 75 61
6C 69 66 69 65 64 20 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C
2C 20 73 2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
gpgsm: checking the CRL failed: Not supported
gpgsm: invalid certification chain: Not supported

I read RFC 3280 and I think I understand it.

The practice of my CA is wrong. The CA wants high availability; it should use
multiple GeneralNames in one DistributionPoint.

However, I think we could improve dirmngr a little to overcome the problem.
crl_cache_insert() replaces the old CRL with the new one without any checks. If the
function compared CRL serial numbers, it could avoid an older CRL being removed by a newer
one (in terms of the time of adding into the cache).

E.g. having an up-to-date CRL in the cache, it would be impossible to replace the
current CRL with an expired one through "dirmngr-client --load-crl EXPIRED_CRL".

I know it would break things with partial CRLs (incremental CRLs, CRLs for
specific reasons), but the current code does not understand them either. I will try to do
a patch.

Yes, the whole X.509 PKI business is a mess. However, you are right that
Dirmngr should not replace a good CRL by a broken one. As you can see in the code,
there is a little race condition which usually has no bad effects but might come
into play here. I have not looked at the code for weeks, though. I'd be
glad to receive a fix.

So, here it is. It's a little verbose; feel free to remove the log_infos. This is the output
I get (LDAP enabled) with this patch:

$ dirmngr --flush
dirmngr[5684]: removing cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-1958CDB7CC15F5A779E4E8324908508636F772AB.db'
dirmngr[5684]: removing cache file `/home/petr/.gnupg/dirmngr-cache.d/DIR.txt'
dirmngr[5684]: removing cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-B7A0ACF9BAD347177CDD34DD60E771EE09565B7C.db'

$ gpgsm --verify signedmail.p7s signedmail.data
gpgsm: Signature made 2009-09-11 11:42:16 using certificate ID 0x31478690
dirmngr[5704]: trusted certificate
`/home/petr/.gnupg/trusted-certs/postsignum_qca_sub-2009.der' loaded
dirmngr[5704]: SHA1 fingerprint =
1B:DB:87:C4:81:02:97:7C:A2:77:65:E9:CC:A4:14:24:6C:6D:88:A2
dirmngr[5704]: issuer = #1C/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F
6F 74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73
2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[5704]: subject = /[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 51 75 61
6C 69 66 69 65 64 20 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C
2C 20 73 2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[5704]: trusted certificate
`/home/petr/.gnupg/trusted-certs/postsignum_qca_root-2009.der' loaded
dirmngr[5704]: SHA1 fingerprint =
AF:3B:84:BA:34:37:63:BB:BE:03:6C:76:5A:44:11:9E:48:B5:2D:34
dirmngr[5704]: issuer = #01/[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F
6F 74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73
2E 70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[5704]: subject = /[ 43 4E 3D 50 6F 73 74 53 69 67 6E 75 6D 20 52 6F 6F
74 20 51 43 41 2C 4F 3D C4 8C 65 73 6B C3 A1 20 70 6F C5 A1 74 61 5C 2C 20 73 2E
70 2E 20 5B 49 C4 8C 20 34 37 31 31 34 39 38 33 5D 2C 43 3D 43 5A ]
dirmngr[5704]: permanently loaded certificates: 2
dirmngr[5704]: runtime cached certificates: 0
dirmngr[5704]: failed to open cache dir file
`/home/petr/.gnupg/dirmngr-cache.d/DIR.txt': No such file or directory
dirmngr[5704]: new cache dir file `/home/petr/.gnupg/dirmngr-cache.d/DIR.txt'
created
dirmngr[5704]: no CRL available for issuer id
1958CDB7CC15F5A779E4E8324908508636F772AB
dirmngr[5704]: checking distribution points
dirmngr[5704]: fetching CRL from `http://www.postsignum.cz/crl/psqualifiedca.crl'
dirmngr[5704]: inserting CRL (reader 0x9de3860)
dirmngr[5704]: update times of this CRL: this=20090930T165944 next=20091001T045944
dirmngr[5704]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[5704]: running in compatibility mode - certificate chain not checked!
dirmngr[5704]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-1958CDB7CC15F5A779E4E8324908508636F772AB.db'
dirmngr[5704]: fetching CRL from `http://postsignum.ttc.cz/crl/psqualifiedca.crl'
dirmngr[5704]: inserting CRL (reader 0x9dfd5c0)
dirmngr[5704]: update times of this CRL: this=20090930T165944 next=20091001T045944
dirmngr[5704]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[5704]: running in compatibility mode - certificate chain not checked!
dirmngr[5704]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-1958CDB7CC15F5A779E4E8324908508636F772AB.db'
dirmngr[5704]: fetching CRL from
`ldap://qca.postsignum.cz/cn%3dPostSignum%20Qualified%20CA,o%3dCeska%20posta%20s.p.%20%5bIC%2047114983%5d,c%3dCZ?certificateRevocationList'
dirmngr[5704]: ldap wrapper 5706 started (reader 0x9dfd250)
dirmngr[5704]: inserting CRL (reader 0x9dfd250)
dirmngr[5704]: update times of this CRL: this=20090930T205944 next=20091001T085944
dirmngr[5704]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[5704]: running in compatibility mode - certificate chain not checked!
dirmngr[5704]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-1958CDB7CC15F5A779E4E8324908508636F772AB.db'
dirmngr[5704]: fetching CRL from
`ldap://postsignum.ttc.cz/cn%3dPostSignum%20Qualified%20CA,o%3dCeska%20posta%20s.p.%20%5bIC%2047114983%5d,c%3dCZ?certificateRevocationList'
dirmngr[5704]: ldap wrapper 5707 started (reader 0x9e90ae8)
dirmngr[5704]: ldap wrapper 5706 ready
dirmngr[5704]: dirmngr_ldap[5707]: processing url
`ldap://postsignum.ttc.cz/cn%3dPostSignum%20Qualified%20CA,o%3dCeska%20posta%20s.p.%20%5bIC%2047114983%5d,c%3dCZ?certificateRevocationList'
dirmngr[5704]: dirmngr_ldap[5707]: host `postsignum.ttc.cz'
dirmngr[5704]: dirmngr_ldap[5706]: processing url
`ldap://qca.postsignum.cz/cn%3dPostSignum%20Qualified%20CA,o%3dCeska%20posta%20s.p.%20%5bIC%2047114983%5d,c%3dCZ?certificateRevocationList'
dirmngr[5704]: dirmngr_ldap[5706]: host `qca.postsignum.cz'
dirmngr[5704]: dirmngr_ldap[5707]: port 389
dirmngr[5704]: dirmngr_ldap[5707]: DN `cn=PostSignum Qualified
CA,o=Ceska posta s.p. [IC 47114983],c=CZ'
dirmngr[5704]: dirmngr_ldap[5707]: attr `certificateRevocationList'
dirmngr[5704]: dirmngr_ldap[5706]: port 389
dirmngr[5704]: dirmngr_ldap[5706]: DN `cn=PostSignum Qualified
CA,o=Ceska posta s.p. [IC 47114983],c=CZ'
dirmngr[5704]: dirmngr_ldap[5706]: attr `certificateRevocationList'
dirmngr[5704]: dirmngr_ldap[5706]: scanning result for attribute
`certificateRevocationList'
dirmngr[5704]: dirmngr_ldap[5706]: available attribute
`certificateRevocationList;binary'
dirmngr[5704]: dirmngr_ldap[5706]: found attribute
`certificateRevocationList;binary'
dirmngr[5704]: dirmngr_ldap[5706]: length[0]=122859
dirmngr[5704]: dirmngr_ldap[5706]: result has been printed
dirmngr[5704]: dirmngr_ldap[5707]: scanning result for attribute
`certificateRevocationList'
dirmngr[5704]: dirmngr_ldap[5707]: available attribute
`certificateRevocationList;binary'
dirmngr[5704]: dirmngr_ldap[5707]: found attribute
`certificateRevocationList;binary'
dirmngr[5704]: inserting CRL (reader 0x9e90ae8)
dirmngr[5704]: update times of this CRL: this=20090918T083004 next=20090918T203004
dirmngr[5704]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[5704]: running in compatibility mode - certificate chain not checked!
dirmngr[5704]: new CRL still too old; it expired on 20090918T203004
dirmngr[5704]: New CRL has lesser number (0x3C35) than CRL stored in cache
already (0x3D45). Ingnoring new one.
dirmngr[5704]: This fact will be masked because another usable CRL is available
dirmngr[5704]: opening cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-1958CDB7CC15F5A779E4E8324908508636F772AB.db'
dirmngr[5704]: S/N 0x042653 is valid, it is not listed in the CRL
gpgsm: note: non-critical certificate policy not allowed
dirmngr[5704]: no CRL available for issuer id
B7A0ACF9BAD347177CDD34DD60E771EE09565B7C
dirmngr[5704]: checking distribution points
dirmngr[5704]: fetching CRL from `http://www.postsignum.cz/crl/psrootqca.crl'
dirmngr[5704]: dirmngr_ldap[5707]: length[0]=118379
dirmngr[5704]: dirmngr_ldap[5707]: result has been printed
dirmngr[5704]: ldap wrapper 5707 ready
dirmngr[5704]: inserting CRL (reader 0x9de3528)
dirmngr[5704]: update times of this CRL: this=20090911T075830 next=20100911T080330
dirmngr[5704]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[5704]: running in compatibility mode - certificate chain not checked!
dirmngr[5704]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-B7A0ACF9BAD347177CDD34DD60E771EE09565B7C.db'
dirmngr[5704]: fetching CRL from `http://postsignum.ttc.cz/crl/psrootqca.crl'
dirmngr[5704]: inserting CRL (reader 0x9e35508)
dirmngr[5704]: update times of this CRL: this=20080916T081139 next=20090916T081639
dirmngr[5704]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[5704]: running in compatibility mode - certificate chain not checked!
dirmngr[5704]: new CRL still too old; it expired on 20090916T081639
dirmngr[5704]: New CRL has lesser number (0x0A) than CRL stored in cache already
(0x0D). Ingnoring new one.
dirmngr[5704]: This fact will be masked because another usable CRL is available
dirmngr[5704]: fetching CRL from
`ldap://qca.postsignum.cz/cn%3dPostSignum%20Root%20QCA,o%3dCeska%20posta%20s.p.%20[IC%2047114983],c%3dCZ?certificateRevocationList'
dirmngr[5704]: ldap wrapper 5708 started (reader 0x9e2edd0)
dirmngr[5704]: inserting CRL (reader 0x9e2edd0)
dirmngr[5704]: update times of this CRL: this=20080916T081139 next=20090916T081639
dirmngr[5704]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[5704]: running in compatibility mode - certificate chain not checked!
dirmngr[5704]: new CRL still too old; it expired on 20090916T081639
dirmngr[5704]: New CRL has lesser number (0x0A) than CRL stored in cache already
(0x0D). Ingnoring new one.
dirmngr[5704]: This fact will be masked because another usable CRL is available
dirmngr[5704]: fetching CRL from
`ldap://postsignum.ttc.cz/cn%3dPostSignum%20Root%20QCA,o%3dCeska%20posta%20s.p.%20[IC%2047114983],c%3dCZ?certificateRevocationList'
dirmngr[5704]: ldap wrapper 5709 started (reader 0x9e4be88)
dirmngr[5704]: inserting CRL (reader 0x9e4be88)
dirmngr[5704]: update times of this CRL: this=20090911T075830 next=20100911T080330
dirmngr[5704]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[5704]: running in compatibility mode - certificate chain not checked!
dirmngr[5704]: creating cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-B7A0ACF9BAD347177CDD34DD60E771EE09565B7C.db'
dirmngr[5704]: opening cache file
`/home/petr/.gnupg/dirmngr-cache.d/crl-B7A0ACF9BAD347177CDD34DD60E771EE09565B7C.db'
dirmngr[5704]: S/N 0x1C is valid, it is not listed in the CRL
gpgsm: note: non-critical certificate policy not allowed
dirmngr[5704]: S/N 0x01 is valid, it is not listed in the CRL
gpgsm: Good signature from "/CN=Jana Svetlá/OU=1/OU=Czech POINT/O=Obec
gpgsm: Good signature from "/CN=Jana Svetlá/OU=1/OU=Czech POINT/O=Obec Úherčice
[IČ 43500081]/C=CZ/T=úředník obecního úřadu/SerialNumber=P120293"
gpgsm: aka "ouuhercice@quick.cz"
gpgsm: This is a qualified signature
gpgsm: Note, that this software is not officially approved to create or verify
such signatures.
dirmngr[5704]: ldap wrapper 5709 ready
dirmngr[5704]: ldap wrapper 5708 ready

My previous patch does not delete all duplicate CRLs from the cache if one entry is
recognised as still usable.

The current patch #2 should fix it. It also makes some messages verbose-only.

Just for clarification about the DP list syntax in certificates and its semantics:

I talked to people from the PKIX IETF working group
(http://www.ietf.org/mail-archive/web/pkix/current/msg27003.html) and they
explained to me that these problematic distribution points are in line with RFC 3280.

As long as the application/CA does not support/issue delta, indirect or
reason-partitioned CRLs, the application can consider all DPs as equivalent
complete CRLs.

Because dirmngr does not support such CRLs, it's not necessary to fetch lists
from all DPs. Any valid one of them is enough.

The previous patches do not solve the problem that one of the DPs fails.

The dirmngr-1.0.3-allow_only_complete_dps.diff patch makes crl_cache_reload_crl()
allow only complete distribution points and allows some of them to fail.

With this and the dirmngr-1.0.3-dont_overwrite_usable_crls-2.diff patch applied,
dirmngr works in the first run and can cope with failing DPs (unfetchable or with
expired CRLs).

Again, you can check it with the testcase in some_crl_dps_are_old.tar because the CA
has not yet fixed all DPs. Disabling the LDAP/HTTP transport, you can see that
dirmngr iterates over DPs only until a CRL is successfully fetched and inserted.
The following DPs are not consulted, which in addition provides a significant
performance boost.
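The cache policy the patches in this thread arrive at, modelled as an added example in Python (not dirmngr's code; dirmngr itself is C): the 1.0.3 reload that fetches every DP and overwrites the cache entry on each insert, beside the patched policy described in the two comments above (a CRL with a lower CRLNumber never replaces the cached one, a DP that fails to fetch is skipped, iteration stops at the first usable CRL). The issuer id, DP URIs and fetcher are constructed stand-ins; the CRL numbers 0x0A/0x0D and update times are taken from the root-CA part of the log above.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List

@dataclass(frozen=True)
class CRL:
    issuer: str            # issuer id; dirmngr names the cache file after it
    number: int            # CRLNumber extension, increases with every issued CRL
    this_update: datetime
    next_update: datetime

    def usable(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update

class FetchError(Exception): """A DP could not be fetched (e.g. LDAP disabled)."""
class CRLError(Exception): """No usable CRL could be obtained for the issuer."""

def reload_crl_original(cache: Dict[str, CRL], issuer: str, dps: List[str],
                        fetch: Callable[[str], CRL], now: datetime) -> CRL:
    # What the reporter observed in 1.0.3: every DP is fetched in turn, each
    # insert overwrites the cache entry, and a fetch error or a stale CRL aborts.
    for uri in dps:
        crl = fetch(uri)          # FetchError propagates: later DPs are never tried
        cache[crl.issuer] = crl   # unconditional overwrite, even of a good CRL
        if not crl.usable(now):
            raise CRLError(f"CRL too old; it expired on {crl.next_update:%Y%m%dT%H%M%S}")
    if issuer not in cache:
        raise CRLError(f"no CRL available for issuer {issuer}")
    return cache[issuer]

def cache_insert_patched(cache: Dict[str, CRL], crl: CRL, now: datetime) -> bool:
    # dont_overwrite_usable_crls: a CRL whose CRLNumber is lower than the cached one's is
    # ignored (stale mirrors and "--load-crl EXPIRED_CRL" cannot clobber a good entry).
    cached = cache.get(crl.issuer)
    if cached is not None and crl.number < cached.number:
        return cached.usable(now)
    cache[crl.issuer] = crl
    return crl.usable(now)    # True when the cache now holds a usable CRL

def reload_crl_patched(cache: Dict[str, CRL], issuer: str, dps: List[str],
                       fetch: Callable[[str], CRL], now: datetime) -> CRL:
    # allow_only_complete_dps: all DPs are equivalent complete CRLs, so a failing
    # DP is skipped and the iteration stops at the first usable CRL.
    problems = []
    for uri in dps:
        try:
            crl = fetch(uri)
        except FetchError as exc:
            problems.append(f"{uri}: {exc}")
            continue
        if crl.issuer == issuer and cache_insert_patched(cache, crl, now):
            return cache[issuer]
        problems.append(f"{uri}: unusable CRL (issuer {crl.issuer}, number {crl.number:#x})")
    raise CRLError(f"no usable CRL for issuer {issuer}: " + "; ".join(problems))

def make_fetcher(served: Dict[str, CRL], ldap_enabled: bool) -> Callable[[str], CRL]:
    # Constructed stand-in for crl_fetch(): LDAP DPs fail while the transport is off.
    def fetch(uri: str) -> CRL:
        if uri not in served or (uri.startswith("ldap://") and not ldap_enabled):
            raise FetchError("Not supported")
        return served[uri]
    return fetch

def ticket_scenario(patched: bool, ldap_enabled: bool = False) -> str:
    # The ticket's root-CA case: DP1 fresh, DP2 a stale mirror, DP3/DP4 via LDAP.
    # Issuer and URIs are constructed; CRL numbers and dates come from the log above.
    issuer, now = "ROOT", datetime(2009, 9, 30, 12, 0)
    fresh = CRL(issuer, 0x0D, datetime(2009, 9, 11, 7, 58, 30), datetime(2010, 9, 11, 8, 3, 30))
    stale = CRL(issuer, 0x0A, datetime(2008, 9, 16, 8, 11, 39), datetime(2009, 9, 16, 8, 16, 39))
    dps = ["http://dp1.example/root.crl", "http://dp2.example/root.crl",
           "ldap://dp3.example/root?crl", "ldap://dp4.example/root?crl"]
    fetch = make_fetcher(dict(zip(dps, [fresh, stale, stale, fresh])), ldap_enabled)
    cache: Dict[str, CRL] = {}
    reload = reload_crl_patched if patched else reload_crl_original
    try:
        return f"usable CRL {reload(cache, issuer, dps, fetch, now).number:#x} cached"
    except (FetchError, CRLError) as exc:
        return f"command ISVALID failed: {exc}"
```

ticket_scenario(False) reproduces the "command ISVALID failed: CRL too old" outcome of the first log, while ticket_scenario(True) returns the fresh CRL after the first DP; with the stale mirror listed first, the patched reload keeps going until a usable CRL turns up.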

werner set Due Date to Jan 15 2009, 1:00 AM.

Re-assigning to GnuPG. It won't be fixed in the old dirmngr package.

That particular bug seems to have been solved a long time ago. I stumbled upon it while fixing a DP bug today.