Page MenuHome GnuPG
Create Task
Maniphest T4436

gpgsm refuses to encrypt with failure to check CRL
Closed, ResolvedPublic
Actions

Description

With gpgsm 2.2.15 and ~/.gnupg/crls.d/ renamed away, I see this when trying to encrypt:

gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate not found: No public key
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Not found
gpgsm: can't sign using '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Not found
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Missing certificate
gpgsm: can't encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Missing certificate
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate not found: No public key
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Not found
gpgsm: can't encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Not found

Encryption works when adding disable-crl-checks.

After executing gpgsm -k --with-validation (also without disable-crl-checks), CRLs are present in ~/.gnupg/crls.d/, and encryption works without disable-crl-checks.

Should I post 1150 lines of debug-all log information of dirmngr for the failed encryption? I do not see what goes wrong where.

Revisions and Commits

rG GnuPG
rG5d96aab27dcf gpgsm: Improve cert lookup callback from dirmngr.
rGffc25228550f gpgsm: Improve cert lookup callback from dirmngr.

Related Objects

Event Timeline

lechten created this task.Mar 26 2019, 5:03 PM
werner added a subscriber: werner.Mar 26 2019, 7:51 PM

Actually you should never use --debug-all; we have more specific log levels. Use --debug help to see them.

We need to replicate the problem and that means you need to test this in a clean environment and not in one where you removed a required directory. How did you invoke gpgsm, which OS do you use, what options are you using and where can we get the certificates for testing.

On the mailing list it was explained that there is a problem with the DFN certificates and that it is useless that we workaround them, given that they expire in a few months anyway.

werner triaged this task as Normal priority.Mar 26 2019, 7:53 PM
werner added projects: S/MIME, gnupg (gpg22).
aheinecke added a subscriber: aheinecke.Mar 27 2019, 8:37 AM

I don't think this is a bug. Failure to encrypt when CRL check fails is expected.

lechten added a comment.Mar 27 2019, 9:23 AM

I agree, the question is which CRL is checked when how. Maybe there is some mistake on my side. Here is a recipe for Debian:

sudo killall dirmngr
sudo killall gpg-agent
rm -rf /tmp/gpgsm
mkdir /tmp/gpgsm
# cp ~/.gnupg/dirmngr.conf /tmp/gpgsm

# Import CA chains:
wget https://www.uni-muenster.de/WWUCA/all-ca.pem
gpgsm --homedir /tmp/gpgsm --import all-ca.pem

# Delete expired certificate:
gpgsm --homedir /tmp/gpgsm --delete-key 0xE904A1EB

# Retrieve user certificate:
ldapsearch -h ldap.pca.dfn.de -tt -x -b O=DFN-Verein,C=DE '(mail=lechten@wi.uni-muenster.de)' userCertificate
# The  certificate is stored under a random file name in /tmp, import it:
gpgsm --homedir /tmp/gpgsm --import /tmp/ldapsearch-userCertificate\;binary-Xw3esp

# Try to encrypt:
gpgsm --homedir /tmp/gpgsm -e -r lechten@wi.uni-muenster.de /etc/passwd > passwd.enc
# gpgsm: Note: non-critical certificate policy not allowed
# gpgsm: certificate not found: No public key
# gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
# gpgsm: checking the CRL failed: Not found
# gpgsm: can't encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Not found

The missing certificate seems to be one by "C=DE, O=T-Systems International GmbH, OU=Trust Center, CN=Deutsche Telekom Internal Root CA 2". After importing that (although it is probably called "internal" for a reason), encryption still fails (as I understand it as not CRL can be found):

wget https://www.telesec.de/de/cpki/downloadbereich/bereich-zum-downloaden?download=711:deutschen-telekom-internal-root-ca-2 -O internal.cer
gpgsm --homedir /tmp/gpgsm --import internal.cer

echo "85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF S relax" > /tmp/gpgsm/trustlist.txt
gpgsm --homedir /tmp/gpgsm -e -r lechten@wi.uni-muenster.de /etc/passwd > passwd.enc
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: no CRL found for certificate
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #179060EBAE9B8C/CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
gpgsm: no CRL found for certificate
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: can't encrypt to 'lechten@wi.uni-muenster.de': No CRL known
lechten added a comment.Mar 27 2019, 9:44 AM

I forgot: Instead of importing the missing internal CA, this works:

gpgsm --homedir /tmp/gpgsm -k --with-validation
gpgsm --homedir /tmp/gpgsm -e -r lechten@wi.uni-muenster.de /etc/passwd > passwd.enc
werner edited projects, added gnupg; removed gnupg (gpg22), Bug Report.May 15 2019, 9:39 AM
gpgsm --homedir /tmp/gpgsm --list-chain --with-validation

Will give you more detailed info about your certificate. For even more details use --dump-chain instead of --list-chain.

werner added a comment.Sep 16 2022, 4:54 PM

I just fixed a bug related to the DP. That might be related. See rG0c8299e2b56ef2e1

werner added a commit: rGffc25228550f: gpgsm: Improve cert lookup callback from dirmngr..Feb 26 2023, 7:15 PM
werner added a commit: rG5d96aab27dcf: gpgsm: Improve cert lookup callback from dirmngr..
werner closed this task as Resolved.Feb 26 2023, 7:17 PM
werner claimed this task.

I guess this is fixed with this commit for 2.2. and 2.4. Given that the report is quite old with not new infos since 2019, I'll close it.