
dirmngr --validate broken for DER encoded files
Closed, Resolved (Public)

Description

For a DER encoded file, dirmngr fails immediately:

> dirmngr-client --validate dirmngr_daemon-test2.crt.der; echo $?
dirmngr-client: no certificate or invalid encoded
2

It works after converting it to PEM format first:

> openssl x509 -inform der -text -outform pem < dirmngr_daemon-test2.crt.der > crt.pem
> dirmngr-client --validate crt.pem
dirmngr-client: validation of certificate failed: Missing issuer certificate

This is because dirmngr tries to parse the certificate as PEM first, and if that fails falls back to DER.
However, the PEM parsing failure adds an error, which trips this check:

if (log_get_errorcount (0))
    exit (2);

Originally found by openQA: https://openqa.opensuse.org/tests/1854025#step/dirmngr_daemon/21
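A minimal reproduction of the failure mode described in the report above, added here as an illustration and not taken from dirmngr's source: a trial PEM read that logs on failure bumps a process-wide error counter, so a later "any errors logged?" check rejects a certificate that the DER fallback loaded fine. The names `load_cert`, `read_pem`, `is_der` and the `quiet_trial` switch are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

static int errorcount;   /* stand-in for a process-wide logged-error counter */

static void log_error(const char *msg) {
    fprintf(stderr, "demo: %s\n", msg);
    errorcount++;
}

/* PEM is text armor; DER starts with an ASN.1 SEQUENCE tag (0x30). */
static int is_pem(const unsigned char *b, size_t n) {
    return n >= 11 && memcmp(b, "-----BEGIN ", 11) == 0;
}
static int is_der(const unsigned char *b, size_t n) {
    return n >= 2 && b[0] == 0x30;
}

/* Trial-read as PEM. With quiet == 0 a miss is logged as an error. */
static int read_pem(const unsigned char *b, size_t n, int quiet) {
    if (is_pem(b, n)) return 0;
    if (!quiet) log_error("no certificate or invalid encoded");
    return -1;
}

/* Returns the exit status a client would produce: 0 loaded, 2 failed. */
static int load_cert(const unsigned char *b, size_t n, int quiet_trial) {
    errorcount = 0;
    if (read_pem(b, n, quiet_trial) != 0 && !is_der(b, n)) {
        /* Both encodings failed: report once, even if the trial was quiet. */
        if (quiet_trial) log_error("no certificate or invalid encoded");
        return 2;
    }
    if (errorcount)   /* same shape as the check quoted in the report */
        return 2;
    return 0;
}

/* Constructed sample inputs, not real certificates. */
static const unsigned char SAMPLE_DER[] = { 0x30, 0x82, 0x01, 0x0a, 0x30, 0x81 };
static const unsigned char SAMPLE_PEM[] = "-----BEGIN CERTIFICATE-----\nAAAA\n";
static const unsigned char SAMPLE_BAD[] = "not a certificate";

int main(void) {
    printf("DER, noisy trial: %d\n", load_cert(SAMPLE_DER, sizeof SAMPLE_DER, 0));
    printf("DER, quiet trial: %d\n", load_cert(SAMPLE_DER, sizeof SAMPLE_DER, 1));
    printf("PEM, noisy trial: %d\n", load_cert(SAMPLE_PEM, sizeof SAMPLE_PEM - 1, 0));
    printf("bad, quiet trial: %d\n", load_cert(SAMPLE_BAD, sizeof SAMPLE_BAD - 1, 1));
    return 0;
}
```

With the quiet trial, input that is neither PEM nor DER still fails with status 2, so suppressing the trial message does not hide a genuinely unreadable file.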

Event Timeline

werner triaged this task as Normal priority. Jul 27 2021, 7:59 AM
werner added projects: dirmngr, gnupg (gpg23).

I gave it a try. It works now, but it still shows the no certificate or invalid encoded error message:

ae19cacfda08:~ # dirmngr-client --validate cert.pem 
dirmngr-client: validation of certificate failed: Not trusted
ae19cacfda08:~ # dirmngr-client --validate cert.crt
dirmngr-client: no certificate or invalid encoded
dirmngr-client: validation of certificate failed: Not trusted

it still shows the no certificate or invalid encoded error message:

Ah, I didn't try to fix that part. Indeed, it should not be emitted.

Fixed in: rG25d37a0a6a9c: dirmngr: Suppress error message on trial reading as PEM format.

Confirmed to work, thanks!