Page MenuHome GnuPG
Create Task
Maniphest T4431

gpgsm refuses to decrypt when expired certificates are present
Closed, ResolvedPublic
Actions

Description

This relates to a thread on gnupg-devel: https://lists.gnupg.org/pipermail/gnupg-devel/2019-March/034256.html

With gpgsm 2.2.13, I was unable to decrypt e-mails due to an expired CA certificate:

$ gpgsm -d mail.p7m
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate
#1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle
Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Certificate expired
gpgsm: can't sign using
'5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26':
Certificate expired
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate
#1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle
Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Certificate expired
gpgsm: Note: won't be able to encrypt to
'5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26':
Certificate expired

The core reason is that different certificates may reuse the same key (with same keygrip, same Subject Key Identifier). In my case, an expired certificate was found by dirmngr, leading to a failure, while a valid certificate with the same key exists as well.

I'm aware of two workarounds:

  1. Add disable-crl-checks to gpgsm.conf
  2. Remove expired certificate from keyring

Revisions and Commits

rG GnuPG
rG30972d218242 sm: Allow decryption even if expired other keys are configured.
rGaa58d2a49b3d sm: Allow decryption even if expired other keys are configured.

Related Objects

Event Timeline

lechten created this task.Mar 26 2019, 12:53 PM
werner added a commit: rGaa58d2a49b3d: sm: Allow decryption even if expired other keys are configured..Mar 26 2019, 1:32 PM
werner added a subscriber: werner.Mar 26 2019, 1:35 PM

The reason for the problem is that we check all configured keys to print a note about expired and otherwise unusable keys. This should be warnings but due to the way we use shared code the error counter is bumped and operations stops. With the fix these will just be warnings and decryption continues.

werner added a commit: rG30972d218242: sm: Allow decryption even if expired other keys are configured..Mar 26 2019, 1:36 PM
lechten added a comment.Mar 26 2019, 1:41 PM

A quick note: The second workaround above does not work.
The presence or absence of the expired certificate in my keyring does not matter. The check by dirmngr fails regardless.

Along the way I also executed this:
$ gpgsm -k --with-validation

This populated ~/.gnupg/crls.d/ with CRLs, which I did not realize. I guessed that removing the expired certificate solved the problem,
while really those cached CRLs were used. With those present, the expired certificate can be on the keyring as well.

werner closed this task as Resolved.Mar 26 2019, 3:25 PM
werner claimed this task.
werner mentioned this in T4434: Release GnuPG 2.1.15.
lechten added a comment.Mar 26 2019, 4:02 PM

Many thanks for the fast fix! Decryption works now. I'll report another bug for encryption.