Page MenuHome GnuPG
Create Task
Maniphest T5531

dirmngr --validate broken for DER encoded files
Closed, ResolvedPublic
Actions

Description

For a DER encoded file, dirmngr fails immediately:

> dirmngr-client --validate dirmngr_daemon-test2.crt.der; echo $?
dirmngr-client: no certificate or invalid encoded
2

It works after converting it to PEM format first:

> openssl x509 -inform der -text -outform pem < dirmngr_daemon-test2.crt.der > crt.pem
> dirmngr-client --validate crt.pem
dirmngr-client: validation of certificate failed: Missing issuer certificate

This is because dirmngr tries to parse the certificate as PEM first, and if that fails falls back to DER.
However, the PEM parsing failure adds an error, which trips this check:

if (log_get_errorcount (0))
    exit (2);

Originally found by openQA: https://openqa.opensuse.org/tests/1854025#step/dirmngr_daemon/21

Revisions and Commits

rG GnuPG
rG25d37a0a6a9c dirmngr: Suppress error message on trial reading as PEM format.
rG4d19759ce5fb dirmngr: Clear the error count to try certificate as binary.

Related Objects

Event Timeline

fvogt created this task.Jul 26 2021, 2:43 PM
werner triaged this task as Normal priority.Jul 27 2021, 7:59 AM
werner added projects: dirmngr, gnupg (gpg23).
gniibe added a commit: rG4d19759ce5fb: dirmngr: Clear the error count to try certificate as binary..Mar 24 2022, 5:57 AM
gniibe claimed this task.Mar 24 2022, 5:57 AM
gniibe added a project: Restricted Project.
gniibe added a subscriber: gniibe.

Thank you. Confirmed.

Fixed in rG4d19759ce5fb: dirmngr: Clear the error count to try certificate as binary..

fvogt added a comment.Mar 24 2022, 9:50 AM

I gave it a try. It works now, but it still shows the no certificate or invalid encoded error message:

ae19cacfda08:~ # dirmngr-client --validate cert.pem 
dirmngr-client: validation of certificate failed: Not trusted
ae19cacfda08:~ # dirmngr-client --validate cert.crt
dirmngr-client: no certificate or invalid encoded
dirmngr-client: validation of certificate failed: Not trusted
gniibe added a comment.Mar 25 2022, 12:42 AM

it still shows the no certificate or invalid encoded error message:

Ah, I didn't try to fix that part. Indeed, it should not be emitted.

Fixed in: rG25d37a0a6a9c: dirmngr: Suppress error message on trial reading as PEM format.

gniibe added a commit: rG25d37a0a6a9c: dirmngr: Suppress error message on trial reading as PEM format..Mar 25 2022, 12:43 AM
fvogt closed this task as Resolved.Mar 25 2022, 9:54 AM

Confirmed to work, thanks!

gniibe removed a project: Restricted Project.Mar 25 2022, 11:45 PM
werner mentioned this in T5743: Release GnuPG 2.3.5.Apr 21 2022, 5:59 PM