
dirmngr --validate broken for DER encoded files
Open, Normal, Public

Description

For a DER encoded file, dirmngr fails immediately:

> dirmngr-client --validate dirmngr_daemon-test2.crt.der; echo $?
dirmngr-client: no certificate or invalid encoded
2

It works after converting it to PEM format first:

> openssl x509 -inform der -text -outform pem < dirmngr_daemon-test2.crt.der > crt.pem
> dirmngr-client --validate crt.pem
dirmngr-client: validation of certificate failed: Missing issuer certificate

This is because dirmngr tries to parse the certificate as PEM first, and if that fails falls back to DER.
However, the PEM parsing failure adds an error, which trips this check:

if (log_get_errorcount (0))
    exit (2);

Originally found by openQA: https://openqa.opensuse.org/tests/1854025#step/dirmngr_daemon/21
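
The failure mode described in this report, as an added C model (not GnuPG's code and not part of the original report): a format probe that logs on failure leaves a stale error count, so a later count-based exit check rejects input that the fallback parser accepted. All function names, the `quiet` flag and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Model of a process-wide error counter (hypothetical, not GnuPG's logging code). */
static int error_count;
static void log_error(const char *msg) { (void)msg; error_count++; }

/* PEM probe: text starting with a BEGIN line. Logs on failure unless quiet. */
static int parse_pem(const unsigned char *buf, size_t len, int quiet)
{
    static const char hdr[] = "-----BEGIN CERTIFICATE-----";
    if (len >= sizeof hdr - 1 && memcmp(buf, hdr, sizeof hdr - 1) == 0)
        return 0;
    if (!quiet)
        log_error("PEM parse failed");
    return -1;
}

/* DER probe: a certificate is an ASN.1 SEQUENCE, so the first byte is 0x30. */
static int parse_der(const unsigned char *buf, size_t len)
{
    return (len >= 2 && buf[0] == 0x30) ? 0 : -1;
}

/* Reported pattern: exit status is derived from the global error count. */
int validate_buggy(const unsigned char *buf, size_t len)
{
    error_count = 0;
    if (parse_pem(buf, len, 0) != 0 && parse_der(buf, len) != 0)
        return 2;
    return error_count ? 2 : 0;   /* stale PEM error trips this check */
}

/* One possible correction: probe quietly, log only if every format failed. */
int validate_fixed(const unsigned char *buf, size_t len)
{
    error_count = 0;
    if (parse_pem(buf, len, 1) != 0 && parse_der(buf, len) != 0) {
        log_error("no supported certificate encoding");
        return 2;
    }
    return error_count ? 2 : 0;
}

/* Constructed sample inputs (not real certificates). */
const unsigned char sample_der[] = { 0x30, 0x82, 0x01, 0x0a };
const unsigned char sample_pem[] = "-----BEGIN CERTIFICATE-----\nMIIB\n";
const unsigned char sample_bad[] = "not a certificate";
```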

Event Timeline

werner triaged this task as Normal priority. Jul 27 2021, 7:59 AM
werner added projects: dirmngr, gnupg (gpg23).