gpgsm refuses to decrypt when expired certificates are present
Closed, Resolved, Public

Description

This relates to a thread on gnupg-devel: https://lists.gnupg.org/pipermail/gnupg-devel/2019-March/034256.html

With gpgsm 2.2.13, I was unable to decrypt e-mails due to an expired CA certificate:

$ gpgsm -d mail.p7m
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Certificate expired
gpgsm: can't sign using '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Certificate expired
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Certificate expired
gpgsm: Note: won't be able to encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Certificate expired

The core reason is that different certificates may reuse the same key (with same keygrip, same Subject Key Identifier). In my case, an expired certificate was found by dirmngr, leading to a failure, while a valid certificate with the same key exists as well.

I'm aware of two workarounds:

  1. Add disable-crl-checks to gpgsm.conf
  2. Remove expired certificate from keyring


lechten created this task. Mar 26 2019, 12:53 PM
werner added a subscriber: werner. Mar 26 2019, 1:35 PM
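The root cause described above, two certificates carrying the same key (same keygrip) while only one of them is still valid, can be made visible from the keyring listing before any decryption is attempted. The following is an added example, not code from this report or from GnuPG: it parses the colon-separated output of `gpgsm --with-colons -k`, groups certificates by keygrip and reports every keygrip that has both an expired and a non-expired certificate. The record layout it relies on (crt/fpr/grp/uid records, validity flag `e` for expired, expiry date in field 7, fingerprint/keygrip/subject in field 10) is assumed here from the GnuPG DETAILS description of colon listings, and the listing it runs on is constructed sample data.

```python
"""Spot certificates in a gpgsm keyring that share a key but differ in validity.

Added example, not part of the original report or of GnuPG.  Feed it the
output of ``gpgsm --with-colons -k`` (for instance via ``sys.stdin``).

Assumed record layout (modelled on GnuPG's doc/DETAILS for colon listings):
  crt:<validity>:<bits>:<algo>:<keyid>:<created>:<expires>:...
  fpr:::::::::<fingerprint>:
  grp:::::::::<keygrip>:
  uid:::::::::<subject DN>:
A validity field containing 'e' marks an expired certificate.
"""
import sys
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class CertRecord:
    validity: str
    expires: str
    fingerprint: str = ""
    keygrip: str = ""
    subject: str = ""

    @property
    def expired(self) -> bool:
        return "e" in self.validity


def parse_colon_listing(text: str) -> list:
    """Turn a colon listing into CertRecord objects, one per crt/crs record."""
    certs = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        kind = fields[0]
        if kind in ("crt", "crs"):
            current = CertRecord(validity=fields[1], expires=fields[6])
            certs.append(current)
        elif current is None:
            continue  # header noise before the first certificate
        elif kind == "fpr":
            current.fingerprint = fields[9]
        elif kind == "grp":
            current.keygrip = fields[9]
        elif kind == "uid" and not current.subject:
            current.subject = fields[9]
    return certs


def group_by_keygrip(certs: list) -> dict:
    """Map each keygrip to the certificates that carry that key."""
    groups = defaultdict(list)
    for cert in certs:
        groups[cert.keygrip].append(cert)
    return dict(groups)


def shared_key_conflicts(certs: list) -> dict:
    """Return {keygrip: (expired_certs, valid_certs)} for keys that have both."""
    conflicts = {}
    for grip, members in group_by_keygrip(certs).items():
        expired = [c for c in members if c.expired]
        valid = [c for c in members if not c.expired]
        if expired and valid:
            conflicts[grip] = (expired, valid)
    return conflicts


def report(certs: list) -> list:
    """Human-readable lines, one per conflicting keygrip."""
    lines = []
    for grip, (expired, valid) in shared_key_conflicts(certs).items():
        lines.append(f"keygrip {grip} ({valid[0].subject}):")
        for c in expired:
            lines.append(f"  expired {c.expires}  fpr {c.fingerprint}")
        for c in valid:
            lines.append(f"  valid until {c.expires}  fpr {c.fingerprint}")
    return lines


# Constructed sample listing: two certificates for the same key (same keygrip,
# different fingerprints and validity), plus one unrelated certificate.
SAMPLE_LISTING = """\
crt:e:2048:1:1A2B3C4D5E6F7081:20140101T000000:20190101T000000::::::::
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:::::::::CN=Example User,O=Example Org,C=DE:
crt:f:2048:1:1A2B3C4D5E6F7081:20190101T000000:20220101T000000::::::::
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:::::::::CN=Example User,O=Example Org,C=DE:
crt:u:2048:1:9999999999999999:20180101T000000:20230101T000000::::::::
fpr:::::::::3333333333333333333333333333333333333333:
grp:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:::::::::CN=Other User,O=Example Org,C=DE:
"""

if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    print("\n".join(report(parse_colon_listing(listing))) or "no shared-key conflicts")
```

Run it as `gpgsm --with-colons -k | python3 shared_keys.py` (file name is arbitrary); without piped input it runs on the embedded sample. A keygrip listed by `report` is exactly the situation in this report: whichever certificate dirmngr picks for that key decides whether the CRL check passes, so removing or re-issuing the expired one, or confirming the fix below, is the appropriate follow-up.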

The reason for the problem is that we check all configured keys to print a note about expired and otherwise unusable keys. These should be warnings, but due to the way we use shared code the error counter is bumped and the operation stops. With the fix these will just be warnings and decryption continues.

A quick note: The second workaround above does not work.
The presence or absence of the expired certificate in my keyring does not matter. The check by dirmngr fails regardless.

Along the way I also executed this:
$ gpgsm -k --with-validation

This populated ~/.gnupg/crls.d/ with CRLs, which I did not realize. I guessed that removing the expired certificate solved the problem, while really those cached CRLs were used. With those present, the expired certificate can be on the keyring as well.

werner closed this task as Resolved.
werner claimed this task.

Many thanks for the fast fix! Decryption works now. I'll report another bug for encryption.