Export smime secret subkey in Kleopatra. Import the resulting .p12 file.
Result: Error "invalid crypto engine":
Related commit (rM GPGME): rM80670f60ba97 Fix parsing import status for invalid fingerprint.
The error is generated in parse_import in gpgme/src/import.c:
  if (errno || args == tail || *tail != ' ')
    {
      /* The crypto backend does not behave.  */
      free (import);
      return trace_gpg_error (GPG_ERR_INV_ENGINE);
    }
This is caused by gpgsm emitting the status messages:
S IMPORT_PROBLEM 1 5448908A18925104F7DC6F1B1B1989F14D015C7D
S IMPORT_PROBLEM 1
The second status message is invalid (from gpgme's point of view). gpgme expects additional information following the problem code (1 meaning GPG_ERR_BAD_CERT).
Conclusion:
It's either a bug in gpgme which makes a wrong assumption about the format of the IMPORT_PROBLEM status messages or a bug in gpgsm which emits a wrongly formatted status message.
Ok. That is about the "invalid crypto engine" error. But this does not explain why a .p12 export via Kleopatra leads to this error when we export a valid certificate. The same thing I do with Kleopatra works on the command line:
> gpgsm --export-secret-key-p12 0xF6FCE189 | gpgsm --import
gpgsm: issuer certificate (#/1.2.840.113549.1.9.1=#696E666F40673130636F64652E636F6D,CN=g10 Code TEST CA 2019,OU=Testlab,O=g10 Code GmbH,C=DE) not found
gpgsm: total number processed: 2
gpgsm: unchanged: 1
gpgsm: secret keys read: 1
gpgsm: secret keys unchanged: 1
gpgsm may emit S IMPORT_PROBLEM 1 (with no fingerprint information) when it cannot find a valid fingerprint.
I think that this case should be handled correctly by GPGME, not returning GPG_ERR_INV_ENGINE.
BTW, gnupg/doc/DETAILS says that the fingerprint is optional:
*** IMPORT_PROBLEM <reason> [<fingerprint>]
    Issued for each import failure.  Reason codes are:
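As an added illustration (not gpgme's or gpgsm's own code), a small parser for the arguments of an IMPORT_PROBLEM status line that can apply either the strict check quoted from parse_import above or a tolerant one that treats the fingerprint as optional, as DETAILS documents it. The EX_* return codes and the struct are constructed for this example; the two sample argument strings are the ones gpgsm emitted in the report above.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed return codes for this example; they stand in for gpgme's
   GPG_ERR_* values and are not gpgme's numbers. */
#define EX_OK          0
#define EX_INV_ENGINE  1   /* surfaces to the user as "invalid crypto engine" */

/* One parsed "IMPORT_PROBLEM <reason> [<fingerprint>]" status line
   (only the text after the keyword is handed to the parser). */
struct import_problem {
  long reason;       /* 1 = bad certificate (GPG_ERR_BAD_CERT in gpgme) */
  char fpr[41];      /* empty string when gpgsm sent no fingerprint */
};

/* strict=1 mirrors the parse_import check quoted above, which insists on a
   blank after the reason code, so a bare "1" is rejected as an engine
   error.  strict=0 accepts a reason code on its own, which is what the
   "[<fingerprint>]" in gnupg/doc/DETAILS allows. */
int parse_import_problem(const char *args, int strict, struct import_problem *out)
{
  char *tail;
  size_t n;

  errno = 0;
  out->fpr[0] = '\0';
  out->reason = strtol(args, &tail, 0);
  if (errno || args == tail)
    return EX_INV_ENGINE;                /* no numeric reason code at all */
  if (*tail != ' ' && (strict || *tail != '\0'))
    return EX_INV_ENGINE;                /* "the crypto backend does not behave" */

  /* Optional fingerprint: the first token after the blank(s), if any. */
  while (*tail == ' ')
    tail++;
  n = strcspn(tail, " \r\n");
  if (n >= sizeof out->fpr)
    n = sizeof out->fpr - 1;
  memcpy(out->fpr, tail, n);
  out->fpr[n] = '\0';
  return EX_OK;
}
```

With strict=1 the second status line from the report ("1" alone) yields EX_INV_ENGINE, exactly the failure the reporter saw; with strict=0 it parses as reason 1 with an empty fingerprint.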
Now "BER error" is reported, if the user tries to import a .p8 certificate. (The certificate exported by Kleopatra wasn't stored as PKCS#12, but presumably as PKCS#8 which gpgsm cannot import. See T6189: Secret key backup of S/MIME certificate creates bad result.)
From a user perspective, that's not really much better, because most likely they have no idea what this "BER error" means. Reporting something like "invalid certificate data", together with an explanation that the file may not contain a certificate or contains a certificate stored in an unsupported format, would be much better.
The export/backup of the secret part of S/MIME certificates has been fixed with T6189: Secret key backup of S/MIME certificate creates bad result. An exported certificate should now be imported without problems.