gpgsm refuses to encrypt with failure to check CRL
Open, Normal, Public

Description

With gpgsm 2.2.15 and ~/.gnupg/crls.d/ renamed away, I see this when trying to encrypt:

gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate not found: No public key
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Not found
gpgsm: can't sign using '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Not found
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Missing certificate
gpgsm: can't encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Missing certificate
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate not found: No public key
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Not found
gpgsm: can't encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Not found

Encryption works when adding disable-crl-checks.

After executing gpgsm -k --with-validation (also without disable-crl-checks), CRLs are present in ~/.gnupg/crls.d/, and encryption works without disable-crl-checks.

Should I post 1150 lines of debug-all log information of dirmngr for the failed encryption? I do not see what goes wrong where.

lechten created this task. Mar 26 2019, 5:03 PM

werner added a subscriber: werner. Mar 26 2019, 7:51 PM

Actually you should never use --debug-all; we have more specific log levels. Use --debug help to see them.

We need to replicate the problem and that means you need to test this in a clean environment and not in one where you removed a required directory. How did you invoke gpgsm, which OS do you use, what options are you using and where can we get the certificates for testing?

On the mailing list it was explained that there is a problem with the DFN certificates and that it is useless that we work around them, given that they expire in a few months anyway.

werner triaged this task as Normal priority.

I don't think this is a bug. Failure to encrypt when CRL check fails is expected.

I agree, the question is which CRL is checked, when, and how. Maybe there is some mistake on my side. Here is a recipe for Debian:

sudo killall dirmngr
sudo killall gpg-agent
rm -rf /tmp/gpgsm
mkdir /tmp/gpgsm
# cp ~/.gnupg/dirmngr.conf /tmp/gpgsm

# Import CA chains:
wget https://www.uni-muenster.de/WWUCA/all-ca.pem
gpgsm --homedir /tmp/gpgsm --import all-ca.pem

# Delete expired certificate:
gpgsm --homedir /tmp/gpgsm --delete-key 0xE904A1EB

# Retrieve user certificate:
ldapsearch -h ldap.pca.dfn.de -tt -x -b O=DFN-Verein,C=DE '(mail=lechten@wi.uni-muenster.de)' userCertificate
# The certificate is stored under a random file name in /tmp, import it:
gpgsm --homedir /tmp/gpgsm --import /tmp/ldapsearch-userCertificate\;binary-Xw3esp

# Try to encrypt:
gpgsm --homedir /tmp/gpgsm -e -r lechten@wi.uni-muenster.de /etc/passwd > passwd.enc
# gpgsm: Note: non-critical certificate policy not allowed
# gpgsm: certificate not found: No public key
# gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
# gpgsm: checking the CRL failed: Not found
# gpgsm: can't encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Not found

The missing certificate seems to be one by "C=DE, O=T-Systems International GmbH, OU=Trust Center, CN=Deutsche Telekom Internal Root CA 2". After importing that (although it is probably called "internal" for a reason), encryption still fails (as I understand it, because no CRL can be found):

wget https://www.telesec.de/de/cpki/downloadbereich/bereich-zum-downloaden?download=711:deutschen-telekom-internal-root-ca-2 -O internal.cer
gpgsm --homedir /tmp/gpgsm --import internal.cer

echo "85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF S relax" > /tmp/gpgsm/trustlist.txt
gpgsm --homedir /tmp/gpgsm -e -r lechten@wi.uni-muenster.de /etc/passwd > passwd.enc
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: no CRL found for certificate
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #179060EBAE9B8C/CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
gpgsm: no CRL found for certificate
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: can't encrypt to 'lechten@wi.uni-muenster.de': No CRL known

I forgot: Instead of importing the missing internal CA, this works:

gpgsm --homedir /tmp/gpgsm -k --with-validation
gpgsm --homedir /tmp/gpgsm -e -r lechten@wi.uni-muenster.de /etc/passwd > passwd.enc
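As an added example (not from this ticket or from GnuPG), a small parser for the gpgsm diagnostics quoted above: it pairs each "certificate #serial/DN" line with the CRL-check result that follows it and with the final "can't encrypt to" or "can't sign using" outcome, so that a failed run can be triaged as "issuer certificate missing" versus "CRL not cached". The remediation hints and the sample input are constructed from the discussion in this ticket.

```python
import re
# Diagnostic line shapes quoted in this ticket: gpgsm names the certificate it
# is validating, reports the CRL check result for it, then the overall outcome.
CERT_RE = re.compile(r"^gpgsm: certificate #([0-9A-F]+)/(.+)$")
CRL_FAIL_RE = re.compile(r"^gpgsm: checking the CRL failed: (.+)$")
NO_CRL_RE = re.compile(r"^gpgsm: no CRL found for certificate$")
FINAL_RE = re.compile(r"^gpgsm: can't (?:encrypt to|sign using) '([^']+)': (.+)$")
CN_RE = re.compile(r"CN=([^,]+)")

# Remediation hints keyed by gpgsm's reason string; constructed from the
# discussion in this ticket, not taken from gpgsm itself.
HINTS = {
    "Not found": "a chain certificate or its CRL is not available locally; "
                 "'gpgsm -k --with-validation' let dirmngr fetch it in this ticket",
    "Missing certificate": "an issuer certificate of the chain is not imported",
    "No CRL known": "no CRL cached for this chain member; run --with-validation",
}

# Constructed sample input: the failing run from the recipe above.
SAMPLE = """\
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate not found: No public key
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Not found
gpgsm: can't encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Not found
""".splitlines()

def parse_gpgsm_output(lines):
    """Return ([(serial, issuer_cn, reason), ...], (target, reason) or None)."""
    problems, current, final = [], None, None
    for line in lines:
        if m := CERT_RE.match(line.rstrip()):
            cn = CN_RE.search(m.group(2))
            current = (m.group(1), cn.group(1) if cn else m.group(2))
        elif (m := CRL_FAIL_RE.match(line.rstrip())) and current:
            problems.append((*current, m.group(1)))
        elif NO_CRL_RE.match(line.rstrip()) and current:
            problems.append((*current, "No CRL known"))
        elif m := FINAL_RE.match(line.rstrip()):
            final = (m.group(1), m.group(2))
    return problems, final

def triage(lines):
    """One line per CRL problem with a hint, plus the final gpgsm outcome."""
    problems, final = parse_gpgsm_output(lines)
    out = [f"{cn} (serial {serial}): {reason} -> {HINTS.get(reason, 'unknown')}"
           for serial, cn, reason in problems]
    if final:
        out.append(f"{final[0]}: {final[1]}")
    return out
```

Feed it the stderr of a failing `gpgsm -e` run (for example via `triage(open("gpgsm.err").read().splitlines())`) to see which chain member the CRL check stopped on.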

werner edited projects, added gnupg; removed gnupg (gpg22), Bug Report. May 15 2019, 9:39 AM

gpgsm --homedir /tmp/gpgsm --list-chain --with-validation

Will give you more detailed info about your certificate. For even more details use --dump-chain instead of --list-chain.