Page MenuHome GnuPG

import of p12 file fails with "invalid crypto engine"
Testing, NormalPublic

Description

Export smime secret subkey in Kleopatra. Import the resulting .p12 file.

Result: Error "invalid crypto engine":

Event Timeline

ikloecker removed ikloecker as the assignee of this task.
ikloecker triaged this task as Normal priority.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added projects: gnupg, gpgme, kleopatra.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added subscribers: ikloecker, werner.

The error is generated in parse_import in gpgme/src/import.c:

if (errno || args == tail || *tail != ' ')
  {
    /* The crypto backend does not behave.  */
    free (import);
    return trace_gpg_error (GPG_ERR_INV_ENGINE);
  }

This is caused by gpgsm emitting the status messages:

S IMPORT_PROBLEM 1 5448908A18925104F7DC6F1B1B1989F14D015C7D
S IMPORT_PROBLEM 1

The second status message is invalid (from gpgme's point of view). gpgme expects additional information following the problem code (1 meaning GPG_ERR_BAD_CERT).

Conclusion:
It's either a bug in gpgme which makes a wrong assumption about the format of the IMPORT_PROBLEM status messages or a bug in gpgsm which emits a wrongly formatted status message.

Ok. That is about the Invalid Crypto Engine. But this does not explain why a .p12 export via Kleopatra leads to this error when we export a valid certificate. The same thing I do with Kleopatra on the Command Line works:

> gpgsm  --export-secret-key-p12 0xF6FCE189 | gpgsm --import
gpgsm: issuer certificate (#/1.2.840.113549.1.9.1=#696E666F40673130636F64652E636F6D,CN=g10 Code TEST CA 2019,OU=Testlab,O=g10 Code GmbH,C=DE) not found
gpgsm: total number processed: 2
gpgsm:              unchanged: 1
gpgsm:       secret keys read: 1
gpgsm:  secret keys unchanged: 1

gpgsm may emit S IMPORT_PROBLEM 1 (with no fingerprint information) when it cannot find valid fingerprint.
I think that this case should be handled correctly by GPGME, not returning GPG_ERR_INV_ENGINE.

Pushed the fix for GPG_ERR_INV_ENGINE.

BTW, gnupg/doc/DETAILS tells that the fingerprint is optional:

*** IMPORT_PROBLEM <reason> [<fingerprint>]
      Issued for each import failure.  Reason codes are:

Now "BER error" is reported, if the user tries to import a .p8 certificate. (The certificate exported by Kleopatra wasn't stored as PKCS#12, but presumably as PKCS#8 which gpgsm cannot import. See T6189: Secret key backup of S/MIME certificate creates bad result.)

From a user perspective, that's not really that much better because most likely they have no idea what "BER error" this means. Reporting something like "invalid certificate data" together with an explanation that the file may not contain a certificate or contains a certificate stored in an unsupported format would be much better.

ikloecker changed the task status from Open to Testing.Tue, Sep 13, 9:10 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a project: Restricted Project.

The export/backup of the secret part of S/MIME certificates has been fixed with T6189: Secret key backup of S/MIME certificate creates bad result. An exported certificate should now be imported without problems.

werner removed a project: Restricted Project.Thu, Sep 22, 10:41 AM