
dirmngr fails to load crl when imported manually
Closed, Resolved, Public

Description

here is the scenario:

  1. Install gpg4win in latest beta in win10 64 bit vm
  2. download certificate revocation list from any provider (i.e. http://crl.cacert.org/revoke.crl)
  3. remove the network access from the vm
  4. load the crl manually (i.e. "gpgsm --call-dirmngr loadcrl C:\Users\intevation\Downloads\root-ca-2010.crl")
  5. Error

    2016-08-25 10:34:09 dirmngr[4428] handler for fd 488 started
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001e8 -> # Home: C:\Users\intevation\AppData\Roaming\gnupg
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001e8 -> # Config: C:\Users\intevation\AppData\Roaming\gnupg\dirmngr.conf
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001e8 -> OK Dirmngr 2.1.11 at your service
    2016-08-25 10:34:09 dirmngr[4428] handler for fd 500 started
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 -> # Home: C:\Users\intevation\AppData\Roaming\gnupg
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 -> # Config: C:\Users\intevation\AppData\Roaming\gnupg\dirmngr.conf
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 -> OK Dirmngr 2.1.11 at your service
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 <- GETINFO version
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 -> D 2.1.11
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 -> OK
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 <- OPTION audit-events=1
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 -> OK
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 <- loadcrl C:\Users\intevation\Downloads\root-ca-2010.crl
    2016-08-25 10:34:09 dirmngr[4428] update times of this CRL: this=20160806T140950 next=20160925T140950
    2016-08-25 10:34:09 dirmngr[4428] ksba_crl_parse failed: Unknown system error
    2016-08-25 10:34:09 dirmngr[4428] crl_parse_insert failed: Unknown system error
    2016-08-25 10:34:09 dirmngr[4428] command 'LOADCRL' failed: Unknown system error <Unknown source>
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 -> ERR -1 Unknown system error <Unknown source>
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001e8 <- [eof]
    2016-08-25 10:34:09 dirmngr[4428] handler for fd 488 terminated
    2016-08-25 10:34:09 dirmngr[4428] DBG: chan_0x000001f4 <- [eof]
    2016-08-25 10:34:09 dirmngr[4428] handler for fd 500 terminated

Additionally: Works in Linux too (Just hit any Linux Live CD and retry the steps
described above)

Details

Version
2.1.15

Event Timeline

2.1.11 is not in the latest beta. Should be 2.1.13.

For testing / reporting it is also better to download the latest version from
gnupg.org
https://gnupg.org/download/index.html

Whoops, didn't want to submit the last message as I had already looked into it myself.

This was reproducible using libksba's t-crl-parse with our root CA's CRL but not
with an example file lying next to it.

Turned out that t-crl-parse opened the file in text mode. Conversion errors then
caused an invalid (too large) read. When switching to binary mode it worked as
expected.

Dirmngr used the same. I've tested that crl parsing worked with the attached patch.

Now I get:
dirmngr[780]: error fetching certificate by subject: Configuration error
dirmngr[780]: crl_parse_insert failed: Missing certificate

But I think that is a different error as I get the same one when trying to
import the CRL on an empty homedir and parsing works now.

aheinecke lowered the priority of this task from High to Normal.
aheinecke added projects: Windows, Restricted Project, Windows 32.
aheinecke added a subscriber: werner.

Okay, if this transfers line endings because of the textmode read, it will
depend on the contents of the CRL in question. This explains why the defect was
not seen in earlier testing.
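
The content dependence discussed above, as an added example that is not part of the original thread or of the dirmngr/libksba sources: it models a Windows CRT text-mode read (CR LF collapses to LF, 0x1A ends input) and checks whether the outer DER length still fits the bytes returned. The function names and both sample buffers are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Model of a Windows CRT text-mode read: CR LF becomes LF, 0x1A (Ctrl-Z) is EOF. */
size_t text_mode_read(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == 0x1A) break;
        if (in[i] == 0x0D && i + 1 < n && in[i + 1] == 0x0A) continue;
        out[o++] = in[i];
    }
    return o;
}

/* Bytes the outer DER TLV claims (header + content); 0 if malformed or > 3 length bytes. */
size_t der_total_len(const unsigned char *p, size_t n)
{
    if (n < 2) return 0;
    size_t len = p[1], hdr = 2;
    if (len & 0x80) {
        size_t k = len & 0x7F;
        if (k == 0 || k > 3 || n < 2 + k) return 0;
        len = 0;
        for (size_t i = 0; i < k; i++) len = (len << 8) | p[2 + i];
        hdr += k;
    }
    return hdr + len;
}

/* 1 if the buffer holds the whole object, 0 if a parser would have to read past its end. */
int der_fits(const unsigned char *p, size_t n)
{
    size_t want = der_total_len(p, n);
    return want != 0 && want <= n;
}

/* Constructed samples: a SEQUENCE wrapping a 4-byte OCTET STRING, with and without 0D 0A. */
const unsigned char sample_crlf[]  = {0x30, 0x06, 0x04, 0x04, 0x01, 0x0D, 0x0A, 0x02};
const unsigned char sample_plain[] = {0x30, 0x06, 0x04, 0x04, 0x01, 0x02, 0x03, 0x04};

int main(void)
{
    unsigned char buf[8];
    size_t n = text_mode_read(sample_crlf, sizeof sample_crlf, buf);
    printf("binary fits=%d, text mode: %zu bytes, fits=%d\n",
           der_fits(sample_crlf, sizeof sample_crlf), n, der_fits(buf, n));
    return 0;
}
```

A CRL whose DER bytes never contain the sequence 0D 0A or the byte 1A passes through the text-mode read unchanged, which matches the observation that only some CRLs triggered the failure.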

And pem does not work for this (I guess and tried on a GNU system).
It is okay that pem does not work, because this is a rarely used function I think.

this also affects version 2.1.15 (latest gpg4win beta) and 1.1.1 (latest gpg4win
stable)

Jochen, can you please find out:
a) Does this still work on GNU/Linux?
b) Did this work with an older Gpg4win version? With binary search you
should find out quickly when this broke.

aheinecke removed a project: Restricted Project. Sep 5 2016, 2:14 PM

Jochen: I'd rather you (manually) patch the dirmngr tarball included in
gpg4win-2 and create a testinstaller and try that one out.

I found the problem in this issue and tested that the attached patch solves the
problem. Yes, it would have worked on GNU/Linux as the "b" has no effect there.
Finding out since when the problem existed appears moot to me; you would have
to check in dirmngr's SVN, and it likely always existed.

But maybe there are additional problems (as this is imo a very exotic feature)
so it would probably make sense to test it again on Windows before preparing the
next stable Gpg4win release.

Jochen, is T2448 (aheinecke on Sep 05 2016, 02:14 PM / Roundup) something you could do?

bernhard changed Version from 2.1.11 to 2.1.15. Sep 19 2016, 10:26 AM

I'm on T2448 (aheinecke on Sep 05 2016, 02:14 PM / Roundup).

JochenSaalfeld added a project: Unreleased.

It is now patched in gpg4win and I think aheinecke pushed the patch also to Linux.

The bug itself has been resolved with that patch, but is yet unreleased.