Page MenuHome GnuPG

Kleopatra: PKCS#12 Import no Error on bad passphrase
Closed, ResolvedPublic


Noticed while testing for 3.1.20 Kleopatra no longer shows an error if you enter a wrong passphrase for pkcs#12. It only shows 0 imported. Somehow the error is lost. This is with GnuPG 2.2.33

But the errors from PKCS#12 import were never really nice as kleopatra showed things like "BER Error" and so on instead of a helpful text that the passphrase might have been wrong. So improving this while checking for the missing error would be nice.



Event Timeline

aheinecke triaged this task as Normal priority.Dec 2 2021, 1:51 PM
aheinecke created this task.

@aheinecke Please provide an example of a PKCS#12 certificate.

I've uploaded my testcerts to:

You can test for example with berta-enc

The correct passphrase for all the certificates in this folder is "test"

With Kleopatra (22.03.70) using GnuPG 2.3.4-beta24 and Libgcrypt 1.9.4-beta152 I get the error message Invalid object when I import only berta-enc.p12 and enter a wrong password. I'll have to check with GnuPG 2.2.33.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Dec 20 2021, 10:22 AM

gpgsm 2.3.4 sends the result:

S ERROR import.parsep12 11
S IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ERR 50331713 Invalid object <GpgSM>

As I understand it after the p12 decryption the output is just tried to be imported. With the wrong passphrase this is just garbage and can lead to different errors.

I think Kleopatra needs to handle any error when importing an S/MIME secret key as "Most likely bad passphrase" error.

Because, as a user, what do you do if you see "invalid object" you think that something is wrong with your data instead of trying to type the passphrase again.

Okay. gpgsm even logs "gpgsm: possibly bad passphrase given" internally.

Actually, the "11" at the end of the "ERROR" status line means "bad passphrase". But I think gpgme ignores this status line.

It would be easier to educate gpgme about the 11.

ikloecker changed the task status from Open to Testing.Dec 22 2021, 3:42 PM
ikloecker reassigned this task from ikloecker to aheinecke.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a subscriber: ikloecker.

(q)gpgme now tries to detect a failed import caused by a bad passphrase and emits a bad passphrase error in this case. Kleopatra then shows a "Bad passphrase" error instead of an "Invalid object" error.

Automatically retrying the import, so that the user can retry entering the correct passphrase isn't trivial.

I still cannot reproduce the original issue that no error is shown if a wrong password is entered on import. @aheinecke, can you reproduce this issue?

Mh, this has not changed anything for me. With GnuPG 2.3.8-beta32 i get either Invalid Object or no error at all. With this certificate

and password "0" i always get "Invalid Object" (also with other passwords)
With this certificate i get no error at all and just an import result.

Since nothing changed for me I double checked that I had the current GPGME and I have it.

kleopatra 125709 aheinecke mem    REG  254,1 29076512 20193342
(main) aheinecke@hopper ~/d/m/lib> ls -al
lrwxrwxrwx 1 aheinecke aheinecke 19 Sep  9 15:59 ->

This was broken by a regression in the P12 parsing code.