Invalid crypto engine importing a certificate
Open, Normal, Public

Description

I'm trying to import "Certificato Root (self-signed) per ArubaPEC S.p.A. NG CA 3" from here https://www.pec.it/termini-condizioni.aspx .
In Kleopatra I click Import (as I did several times) and select the downloaded file. I get "Invalid crypto engine" error.
Other certificates on the same page were imported correctly (ArubaPEC EU Qualified Certificates CA G1 of ArubaPEC S.p.A.).

Details

Version
Kleopatra 3.1.4 gpg4win 3.1.5
LoZio created this task. Wed, Feb 27, 7:15 PM
aheinecke triaged this task as Normal priority. Thu, Feb 28, 1:09 PM
aheinecke added projects: S/MIME, gpgme.
aheinecke added a subscriber: aheinecke.

Thanks for the report.

We have two issues here.

  1. There is an error. In this case it is:
gpgsm: no issuer found in certificate
gpgsm: basic certificate checks failed - not imported
gpgsm: ksba_cert_hash failed: No value
ksba: ERROR: object length field 88 octects too large
ksba: ber-decoder: node `?': TLV length too large

This is caused by the certificate missing the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags. OpenSSL can't import the certificate this way either. If you add these lines (in the beginning and end of the file) it works.

  2. The error is not properly handled in GPGME. Invalid Crypto Engine should never occur.

For simplicity here is the certificate that causes the error attached:
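The missing armor lines diagnosed above can be detected before a file is handed to an importer. The following is an added example, not part of this thread and not code from gpgsm, GPGME or Kleopatra; the function names are hypothetical, the sample bytes are constructed, and only the outer DER SEQUENCE shape is checked, not the certificate contents.

```python
import base64
import binascii

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
# Constructed sample: a DER SEQUENCE header followed by 256 zero bytes.
# It has the outer shape of a certificate but is not a real one.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)

def looks_like_der(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE, the outer shape of X.509."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                    # short form: one length octet
        header, length = 2, data[1]
    else:                                 # long form: next n octets hold length
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def unarmored(data: bytes):
    """Decode base64 text that lacks armor lines; None if it is not base64."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def classify(data: bytes) -> str:
    """Return 'pem', 'der', 'bare-base64' or 'unknown' for a file's bytes."""
    if BEGIN in data and END in data:
        return "pem"
    if looks_like_der(data):
        return "der"
    decoded = unarmored(data)
    return "bare-base64" if decoded and looks_like_der(decoded) else "unknown"

def to_pem(data: bytes) -> bytes:
    """Normalise DER or bare base64 to PEM; leave PEM alone; reject the rest."""
    kind = classify(data)
    if kind == "pem":
        return data
    if kind == "unknown":
        raise ValueError("not a recognisable certificate encoding")
    der = data if kind == "der" else unarmored(data)
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([BEGIN, *lines, END, b""])
```

A file classified as `bare-base64` is the case from this report: valid certificate data that is neither DER nor PEM, so `to_pem` adds the armor lines before the file is imported.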

LoZio added a comment. Thu, Feb 28, 1:57 PM

The certificate was definitely missing the tag lines, thanks. I also tried opening the certificate from that page (Windows has no problems without the tag lines) and exporting it explicitly as base64, and the output file is fine.
The problem is that the import now seems to go well, but no certificate is imported at all. I tried several times and the import box just closes after selecting the file.
I tried to close Kleopatra and it says there are ongoing background operations. At least 15 mins passed between the import and the closing tentative.
Actually, it is stuck doing something.

LoZio added a comment. Thu, Feb 28, 2:00 PM

Ouch, worse problem here. After closing kleopatra telling it to stop doing whatever it was, I restarted the application and now it's stuck in "Loading certificate cache"

LoZio added a comment. Thu, Feb 28, 2:13 PM

The only action I can do is quit the program telling it to stop the background activity, but I cannot use it anymore...

LoZio added a comment. Thu, Feb 28, 2:24 PM

The exact file that created the lock is attached.
I zipped it to avoid an unintended import that kills Kleopatra.

LoZio added a comment. Edited Thu, Feb 28, 2:39 PM

Looking at other threads I found the problem in some .lock file in my gnupg directory. One of them was locked by a running process and I was not able to delete. So I opened up task manager and I had dozens of gnupg related processes running. I killed all of them and removed any .lock file.
This way Kleopatra started again but the certificate above (aruba) was not present in the imported ones. And, of course, I'm not going to import it anymore, will use my sixth sense to trust certificates...

Ouch indeed. Looks like you ran into a "hanging" gpg-agent situation. In that case our main background process is blocked, all other processes wait for it to respond, and nothing works anymore.
This should never happen and we need to fix it. But so far we have not found a way to reproduce it.