Page MenuHome GnuPG
Create Task
Maniphest T5713

Kleopatra: PKCS#12 Import no Error on bad passphrase
Closed, ResolvedPublic
Actions

Description

Noticed while testing for 3.1.20 Kleopatra no longer shows an error if you enter a wrong passphrase for pkcs#12. It only shows 0 imported. Somehow the error is lost. This is with GnuPG 2.2.33

But the errors from PKCS#12 import were never really nice as kleopatra showed things like "BER Error" and so on instead of a helpful text that the passphrase might have been wrong. So improving this while checking for the missing error would be nice.

Details

Version
master

Revisions and Commits

rG GnuPG
rG94092793f6a2 sm: Fix reporting of bad passphrase error
rGa47b3a408734 sm: Fix reporting of bad passphrase error
rKLEOPATRA Kleopatra
rKLEOPATRAf95f92e5b7f1 Do not treat canceled imports as failed
rM GPGME
rM300776f39165 cpp: Check fpr of import status for NULL
rM82f43455e941 qt: Detect an import error caused by a wrong password
rM305d8668ca72 core: Detect bad passphrase error on certificate import
rMf99451e20fd2 qt,tests: Add test runner for testing the import job

Related Objects

Event Timeline

aheinecke triaged this task as Normal priority.Dec 2 2021, 1:51 PM
aheinecke created this task.
ikloecker added a comment.Dec 3 2021, 4:27 PM

@aheinecke Please provide an example of a PKCS#12 certificate.

aheinecke added a comment.Dec 20 2021, 9:42 AM

I've uploaded my testcerts to: https://heinecke.or.at/div/testzertifikate.tar.gz.gpg

You can test for example with berta-enc

The correct passphrase for all the certificates in this folder is "test"

ikloecker added a comment.Dec 20 2021, 10:22 AM

With Kleopatra 3.1.20.220370+git20211216T120053~68b4545e (22.03.70) using GnuPG 2.3.4-beta24 and Libgcrypt 1.9.4-beta152 I get the error message Invalid object when I import only berta-enc.p12 and enter a wrong password. I'll have to check with GnuPG 2.2.33.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Dec 20 2021, 10:22 AM
ikloecker added a comment.Dec 20 2021, 10:36 AM

gpgsm 2.3.4 sends the result:

S ERROR import.parsep12 11
S IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ERR 50331713 Invalid object <GpgSM>
aheinecke added a comment.Dec 20 2021, 10:40 AM

As I understand it after the p12 decryption the output is just tried to be imported. With the wrong passphrase this is just garbage and can lead to different errors.

I think Kleopatra needs to handle any error when importing an S/MIME secret key as "Most likely bad passphrase" error.

aheinecke added a comment.Dec 20 2021, 10:41 AM

Because, as a user, what do you do if you see "invalid object" you think that something is wrong with your data instead of trying to type the passphrase again.

ikloecker added a comment.Dec 20 2021, 10:45 AM

Okay. gpgsm even logs "gpgsm: possibly bad passphrase given" internally.

ikloecker added a comment.Dec 20 2021, 11:03 AM

Actually, the "11" at the end of the "ERROR" status line means "bad passphrase". But I think gpgme ignores this status line.

werner added a subscriber: werner.Dec 20 2021, 4:37 PM

It would be easier to educate gpgme about the 11.

ikloecker added a commit: rM82f43455e941: qt: Detect an import error caused by a wrong password.Dec 22 2021, 3:29 PM
ikloecker added a commit: rM305d8668ca72: core: Detect bad passphrase error on certificate import.
ikloecker added a commit: rM300776f39165: cpp: Check fpr of import status for NULL.
ikloecker added a commit: rMf99451e20fd2: qt,tests: Add test runner for testing the import job.
ikloecker added a commit: rKLEOPATRAf95f92e5b7f1: Do not treat canceled imports as failed.
ikloecker changed the task status from Open to Testing.Dec 22 2021, 3:42 PM
ikloecker reassigned this task from ikloecker to aheinecke.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a subscriber: ikloecker.

(q)gpgme now tries to detect a failed import caused by a bad passphrase and emits a bad passphrase error in this case. Kleopatra then shows a "Bad passphrase" error instead of an "Invalid object" error.

Automatically retrying the import, so that the user can retry entering the correct passphrase isn't trivial.

I still cannot reproduce the original issue that no error is shown if a wrong password is entered on import. @aheinecke, can you reproduce this issue?

werner mentioned this in T5819: Release GPGME 1.17.0.Mar 6 2022, 6:09 PM
aheinecke added a comment.Sep 9 2022, 4:07 PM

Mh, this has not changed anything for me. With GnuPG 2.3.8-beta32 i get either Invalid Object or no error at all. With this certificate

berta-enc.p123 KBDownload
and password "0" i always get "Invalid Object" (also with other passwords)
With this certificate
berta.encr.p12.pem5 KBDownload
i get no error at all and just an import result.

Since nothing changed for me I double checked that I had the current GPGME and I have it.

COMMAND      PID      USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
kleopatra 125709 aheinecke mem    REG  254,1 29076512 20193342 libqgpgme.so.15.1.0
(main) aheinecke@hopper ~/d/m/lib> ls -al libqgpgme.so
lrwxrwxrwx 1 aheinecke aheinecke 19 Sep  9 15:59 libqgpgme.so -> libqgpgme.so.15.1.0
ikloecker added a comment.Sep 9 2022, 6:25 PM

This was broken by a regression in the P12 parsing code.

ikloecker added a commit: rGa47b3a408734: sm: Fix reporting of bad passphrase error.Sep 9 2022, 6:27 PM
werner added a commit: rG94092793f6a2: sm: Fix reporting of bad passphrase error.Oct 13 2022, 6:00 PM
werner mentioned this in T6181: Release GnuPG 2.2.40.Oct 14 2022, 6:01 PM
werner mentioned this in T6106: Release GnuPG 2.3.8.
werner closed this task as Resolved.Nov 17 2022, 9:34 AM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 5 2023, 2:57 PM
ebo mentioned this in T4779: GpgSM: "Invalid Object" error when importing .p12 certs with wrong passphrase.Sep 18 2023, 2:23 PM