GPGSM: Might be too strict in certificate chain validation
Open, LowPublic

Description

Moved out of T3948 according to the original reporter this chain should be valid. I can't really tell. But as this is not a real world example and the result is invalid anyway I don't think that it needs a high prio.

CERT_PATH_COMMON_13|ERROR|VALID|INVALID

Checks the behaviour of the application when a self-issued certificate is found in the path. This path is not invalid, because self-issued certificates are allowed in the path and processing rules have been specified.

Root CA:

Test Message with the other certs:

export GNUPGHOME=$(mktemp -d)
gpgsm --import CERT_PATH_COMMON_13_ROOT_CA.TA.crt
echo "87:0F:8B:9E:5E:DF:A7:87:D2:B9:98:7C:2A:EA:9B:D6:DD:93:2F:D0 S" > $GNUPGHOME/trustlist.txt
echo "disable-crl-checks" > $GNUPGHOME/gpgsm.conf
gpgparsemail --crypto CERT_PATH_COMMON_13.eml

gpgsm --with-validation -k   

/tmp/tmp.LCjRsU5Glg/pubring.kbx
-------------------------------
           ID: 0xDD932FD0
          S/N: 01
       Issuer: /CN=Test Root/C=DE
      Subject: /CN=Test Root/C=DE
     validity: 2017-09-02 09:24:39 through 2022-09-05 09:24:39
     key type: 2048 bit RSA
    key usage: certSign crlSign
 chain length: 1
  fingerprint: 87:0F:8B:9E:5E:DF:A7:87:D2:B9:98:7C:2A:EA:9B:D6:DD:93:2F:D0
  [certificate is good]

           ID: 0x7A885CA5
          S/N: 2B05
       Issuer: /CN=Test Root/C=DE
      Subject: /CN=Test Sub CA/C=DE
     validity: 2017-09-04 09:25:51 through 2020-09-05 09:25:51
     key type: 4096 bit RSA
    key usage: certSign crlSign
     policies: 1.2.3.4:C:
 chain length: 0
  fingerprint: EB:F6:8E:6D:88:CF:63:90:96:24:CE:9D:15:2A:6E:32:7A:88:5C:A5
  [certificate policy not allowed]
  [certificate policy not allowed]
  [certificate is bad: No policy match]

           ID: 0x8AFC7801
          S/N: 2EED
       Issuer: /CN=Test Root/C=DE
      Subject: /CN=Test Root/C=DE
     validity: 2017-09-03 09:25:44 through 2021-09-05 09:25:44
     key type: 4096 bit RSA
    key usage: certSign crlSign
     policies: 1.2.3.4:C:
 chain length: 1
  fingerprint: 94:5F:8B:99:68:EA:98:DE:E1:94:30:65:31:3F:0C:80:8A:FC:78:01
  [certificate policy not allowed]
  [certificate is bad: No policy match]

           ID: 0xB69584CD
          S/N: 271D
       Issuer: /CN=Test Sub CA/C=DE
      Subject: /CN=Test EE/C=DE
          aka: test@mtg.de
     validity: 2017-08-05 09:25:56 through 2019-09-05 09:25:56
     key type: 4096 bit RSA
    key usage: digitalSignature keyEncipherment
     policies: 1.2.3.4:C:
  fingerprint: 77:94:7B:19:0D:9F:16:04:BB:6C:BA:19:FF:45:9D:BB:B6:95:84:CD
  [certificate policy not allowed]
  [certificate policy not allowed]
  [certificate policy not allowed]
  [certificate chain longer than allowed by CA (1)]
  [certificate is bad: Bad certificate chain]

Details

Version
2.2.7-beta33