
dirmngr-client should auto-detect when input is in PEM form
Closed, Resolved (Public)

Description

The google.com certificate (attached here as google.pem) clearly has an issuer.
dirmngr-client can't deal with it, though, and seems to think it does not have
an issuer.

I think this is a bug in crlcache.c's "crl_cache_cert_isvalid()", which invokes
ksba_cert_get_issuer() on line 1468.

Maybe this is a bug in libksba? I'm using libksba version 1.3.2.

The dirmngr log is below:

2015-02-17 15:39:12 dirmngr[14564.0] connection from process 14919 (1000:1000)
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 <- CHECKCRL
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 -> INQUIRE TARGETCERT
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 <- D -----BEGIN CERTIFICATE-----%0A[base64 certificate data omitted]
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 <- D [base64 certificate data omitted]
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 <- D [base64 certificate data omitted]%0A-----END CERTIFICATE-----%0A
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 <- END
2015-02-17 15:39:12 dirmngr[14564.0] oops: issuer missing in certificate
2015-02-17 15:39:12 dirmngr[14564.0] command 'CHECKCRL' failed: Invalid certificate object
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 -> ERR 167772324 Invalid certificate object <Dirmngr>
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 <- BYE
2015-02-17 15:39:12 dirmngr[14564.0] DBG: chan_0 -> OK closing connection
2015-02-17 15:39:12 dirmngr[14564.0] handler for fd 0 terminated

Details

Version
2.1.2

Event Timeline

You need to use --pem:

  dirmngr-client -v --pem ~/tmp/google.pem

There is no auto-detection in dirmngr-client. If you think this is useful,
please change Priority to "feature" and adjust the title.

dkg renamed this task from dirmngr-client google.com claims "oops: issuer missing in certificate" to dirmngr-client should auto-detect when input is in PEM form. May 11 2015, 8:49 PM
dkg removed a project: Bug Report.
dkg added a project: Feature Request.

Yes, auto-detection in dirmngr-client would be great, thanks!

justus claimed this task.
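
One way the requested auto-detection could tell PEM from DER input, as an added example (not code from dirmngr-client or from this task's resolution). `detect_cert_format` and its helpers are hypothetical names, and the sample input is constructed.

```c
#include <string.h>

enum cert_format { CERT_UNKNOWN, CERT_DER, CERT_PEM };  /* hypothetical names */

/* DER: one SEQUENCE (tag 0x30) whose definite, minimally encoded
   length covers exactly the rest of the buffer. */
static int looks_like_der(const unsigned char *buf, size_t len)
{
    size_t content = 0, hdr = 2, nlen;
    if (len < 2 || buf[0] != 0x30)
        return 0;
    if (buf[1] < 0x80) {                 /* short form length */
        content = buf[1];
    } else {
        nlen = buf[1] & 0x7f;            /* long form: number of length octets */
        if (nlen == 0 || nlen > 4 || len < 2 + nlen      /* indefinite, oversized, truncated */
            || buf[2] == 0 || (nlen == 1 && buf[2] < 0x80))  /* non-minimal, so not DER */
            return 0;
        for (size_t i = 0; i < nlen; i++)
            content = (content << 8) | buf[2 + i];
        hdr += nlen;
    }
    return content == len - hdr;
}

/* PEM: armor header at the start of any line (leading text is tolerated). */
static int looks_like_pem(const unsigned char *buf, size_t len)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    size_t n = sizeof begin - 1;
    for (size_t i = 0; i + n <= len; i++)
        if ((i == 0 || buf[i - 1] == '\n') && !memcmp(buf + i, begin, n))
            return 1;
    return 0;
}

/* Strict DER check first, then the PEM armor; anything else is rejected
   instead of being handed to the certificate parser. */
enum cert_format detect_cert_format(const void *data, size_t len)
{
    if (looks_like_der(data, len))
        return CERT_DER;
    return looks_like_pem(data, len) ? CERT_PEM : CERT_UNKNOWN;
}

int main(void)
{
    /* Constructed sample input, not a real certificate. */
    const char pem[] = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
    return detect_cert_format(pem, sizeof pem - 1) == CERT_PEM ? 0 : 1;
}
```

With a check like this, armored input such as the one in the log above would be classified as PEM up front instead of reaching the DER parser and failing with "issuer missing in certificate".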