
Can't Encrypt with PIV-I Encryption Certificate - Unsupported Certificate
Closed, Resolved (Public)

Description

When I try to encrypt a file using someone's encryption certificate, I receive
an "Unsupported Certificate" error. See attached p7b.

Event Timeline

Here is a screen shot of the certificate chain.

Here is a screen shot of the error message.

Confirmed.
I imported Scott-Perry.p7b by gpgsm, which worked fine.
Then, invoking 'gpgsm --debug-all -r 0x085c2a5c --encrypt some.txt', it said:

gpgsm: certificate #08278A9EBB6B91E8587386AF2C312F99/CN=RAPIDGate PIV-I Agency CA,O=Eid Passport\, Inc.,C=US
gpgsm: checking the CRL failed: Unsupported certificate
gpgsm: validation model used: shell
gpgsm: can't encrypt to '0x085c2a5c': Unsupported certificate

Here is the error in dirmngr:

2015-04-22 09:23:41 dirmngr[3108.0] critical certificate extension 2.5.29.36 is not supported
2015-04-22 09:23:41 dirmngr[3108.0] critical certificate extension 2.5.29.54 is not supported
2015-04-22 09:23:41 dirmngr[3108.0] error checking validity of CRL issuer certificate: Unsupported certificate
2015-04-22 09:23:41 dirmngr[3108.0] crl_parse_insert failed: Unsupported certificate
2015-04-22 09:23:41 dirmngr[3108.0] crl_cache_insert via DP failed: Unsupported certificate
2015-04-22 09:23:41 dirmngr[3108.0] command 'ISVALID' failed: Unsupported certificate
2015-04-22 09:23:41 dirmngr[3108.0] DBG: chan_0 -> ERR 167772263 Unsupported certificate <Dirmngr>
2015-04-22 09:23:41 dirmngr[3108.0] DBG: chan_0 <- [eof]

werner added a subscriber: werner.

That is not a bug but due to non-supported certificate policy constraints.

If you want to ignore them as a workaround you may modify the function
unknown_criticals which you find in
gnupg/dirmngr/validate.c and gnupg/sm/validate.c. Add to the
"known" array the strings "2.5.29.36" and "2.5.29.54".
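The check that produces "critical certificate extension ... is not supported" amounts to walking the CRL issuer certificate's Extensions and rejecting any critical one whose OID is not in a known list, which is why adding 2.5.29.36 and 2.5.29.54 to that list clears the error. The following is an added example, not GnuPG's code: a minimal DER encoder/parser over a constructed extension set shaped like the PIV-I CA in the log, with an illustrative known set (KNOWN_CRITICALS is an assumption, not GnuPG's actual array) shown before and after the workaround.

```python
# Added example, not GnuPG code: models dirmngr's critical-extension check with a minimal DER codec.
KNOWN_CRITICALS = {"2.5.29.15", "2.5.29.19", "2.5.29.32", "2.5.29.37"}  # illustrative, not GnuPG's array
WORKAROUND_OIDS = {"2.5.29.36", "2.5.29.54"}  # policyConstraints, inhibitAnyPolicy (from the log)
def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # DER with short-form length (< 128 bytes)
def read_tlv(buf: bytes, pos: int):              # -> (tag, content, position after this TLV)
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]              # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:                   # base-128, high bit marks "more follows"
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += chunk
    return tlv(0x06, bytes(body))
def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    flag = tlv(0x01, b"\xff") if critical else b""  # BOOLEAN TRUE present only when critical
    return tlv(0x30, encode_oid(oid) + flag + tlv(0x04, value))

def parse_extensions(extensions: bytes) -> list:  # -> [(oid, critical)] per Extension
    _, seq, _ = read_tlv(extensions, 0)
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, val, _ = read_tlv(ext, p)           # BOOLEAN if critical, else the OCTET STRING
        result.append((decode_oid(oid_body), tag == 0x01 and val == b"\xff"))
    return result

def unknown_criticals(exts: list, known: set) -> list:  # any hit makes the cert "Unsupported"
    return [oid for oid, crit in exts if crit and oid not in known]

# Constructed extension set shaped like the PIV-I issuing CA in the log above.
CA_EXTENSIONS = tlv(0x30, b"".join([
    encode_extension("2.5.29.19", True, b"\x30\x03\x01\x01\xff"),  # basicConstraints cA=TRUE
    encode_extension("2.5.29.36", True, b"\x30\x03\x80\x01\x00"),  # policyConstraints
    encode_extension("2.5.29.54", True, b"\x02\x01\x00"),          # inhibitAnyPolicy
]))
```

Running `unknown_criticals(parse_extensions(CA_EXTENSIONS), KNOWN_CRITICALS)` returns the two OIDs from the dirmngr log; passing `KNOWN_CRITICALS | WORKAROUND_OIDS` returns an empty list, which is the effect of the "known" array edit described above.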

werner claimed this task.

Note that we now also have an option instead of the workaround from 2015.