gpgsm does not handle certificates with ambiguous name correctly
Closed, Duplicate
Public

Description

Validating E-Mail signed with certificates issued by the DFN Verein (or by a sub-CA) still fails in GnuPG stable if CRL
checking is enabled. This is probably still the same issue as #1644, but I am not allowed to comment on that bug report (user
role missing?).

This is the relevant part of the GnuPG log (sorry for the German locale):

6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 <- [ 44 20 30 82 05 2e 30 82 04 16 a0 03 02 01 02 02 ...(982 byte(s) skipped) ]
6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 <- [ 44 20 62 2f 63 61 63 65 72 74 2f 63 61 63 65 72 ...(366 byte(s) skipped) ]
6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 <- END
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: checking distribution points
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: fetching CRL from `http://cdp1.pca.dfn.de/global-root-ca/pub/crl/cacrl.crl'
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: inserting CRL (reader 0xe8e690)
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: Die "Update Times" dieser CRL sind: this=20150219T134435 next=20150321T134435
6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 -> INQUIRE SENDCERT /CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
5 - 2015-03-03 10:28:51 gpgsm[2487]: chan_9 <- INQUIRE SENDCERT /CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
5 - 2015-03-03 10:28:51 gpgsm[2487]: certificate not found: Mehrdeutiger Name
5 - 2015-03-03 10:28:51 gpgsm[2487]: chan_9 -> CAN
6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 <- CAN
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: assuan_inquire(SENDCERT) fehlgeschlagen: Der IPC Aufruf wurde abgebrochen
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: Fehler beim Holen des Zertifikats mittels Subject: Konfigurationsfehler
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: crl_parse_insert fehlgeschlagen: Fehlendes Zertifikat
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: crl_cache_insert über den DP fehlgeschlagen: Fehlendes Zertifikat
6 - 2015-03-03 10:28:51 dirmngr[2488.0]: Kommando ISVALID fehlgeschlagen: Fehlendes Zertifikat
6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 -> ERR 167772217 Fehlendes Zertifikat <Dirmngr>
5 - 2015-03-03 10:28:51 gpgsm[2487]: chan_9 <- ERR 167772217 Fehlendes Zertifikat <Dirmngr>
5 - 2015-03-03 10:28:51 gpgsm[2487]: response of dirmngr: Nicht gefunden
5 - 2015-03-03 10:28:51 gpgsm[2487]: certificate #0B510882/CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
5 - 2015-03-03 10:28:51 gpgsm[2487]: Die CRL konnte nicht geprüft werden: Nicht gefunden

In order to assist in debugging this further I would also be happy to send an S/MIME-signed E-Mail to any member of the GnuPG
team.

Details

Version
2.0.27
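
An added example, not part of the original report and not GnuPG code: a small Python triage script that finds, in a log of the format shown above, each INQUIRE SENDCERT that gpgsm answered with CAN and decodes the ERR number that follows. It matches only on the Assuan tokens, which are not localized; the sample log and the subject DN in it are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample in the format of the log above (German locale kept on purpose).
SAMPLE_LOG = """\
6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 -> INQUIRE SENDCERT /CN=Example CA,O=Example,C=DE
5 - 2015-03-03 10:28:51 gpgsm[2487]: chan_9 <- INQUIRE SENDCERT /CN=Example CA,O=Example,C=DE
5 - 2015-03-03 10:28:51 gpgsm[2487]: certificate not found: Mehrdeutiger Name
5 - 2015-03-03 10:28:51 gpgsm[2487]: chan_9 -> CAN
6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 <- CAN
6 - 2015-03-03 10:28:51 dirmngr[2488]: chan_6 -> ERR 167772217 Fehlendes Zertifikat <Dirmngr>
5 - 2015-03-03 10:28:51 gpgsm[2487]: chan_9 <- ERR 167772217 Fehlendes Zertifikat <Dirmngr>
"""

LINE = re.compile(r"^\s*\d+ - (\S+ \S+) (\w+)\[\d+(?:\.\d+)?\]: (.*)$")
CHAN = re.compile(r"^chan_\d+ (->|<-) (.*)$")
INQ = "INQUIRE SENDCERT "

def cancelled_sendcert(log_text):
    """Return one record per SENDCERT inquiry that gpgsm answered with CAN."""
    findings, pending, last = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) != "gpgsm":
            continue  # gpgsm's side of the channel carries the whole exchange
        when, _, msg = m.groups()
        c = CHAN.match(msg)
        if c is None:
            # Free-text diagnostic: localized, so store it verbatim, never match on it.
            if pending is not None and pending["diagnostic"] is None:
                pending["diagnostic"] = msg
            continue
        direction, payload = c.groups()
        if direction == "<-" and payload.startswith(INQ):
            pending = {"time": when, "subject": payload[len(INQ):],
                       "diagnostic": None, "err_source": None, "err_code": None}
        elif direction == "->" and payload == "CAN" and pending is not None:
            findings.append(pending)
            last, pending = pending, None
        elif direction == "<-" and payload.startswith("ERR ") and last is not None:
            err = int(payload.split()[1])
            # libgpg-error layout: source in bits 24-30, code in the low 16 bits.
            last["err_source"], last["err_code"] = (err >> 24) & 0x7F, err & 0xFFFF
            last = None
    return findings

if __name__ == "__main__":
    for finding in cancelled_sendcert(SAMPLE_LOG):
        print(finding)
```
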
klada set Version to 2.0.27. Mar 3 2015, 1:43 PM
klada added a subscriber: klada.
werner added a subscriber: werner. Mar 3 2015, 2:46 PM

Okay, I changed your role so that you can comment on T1644.

It is very unlikely that we are going to fix that in 2.0, thus be prepared to
move to 2.1.

werner added a comment. Mar 3 2015, 2:46 PM

Duplicate of T1644