Page MenuHome GnuPG
Create Task
Maniphest T6702

Kleopatra: Use GPGME_ENCRYPT_ALWAYS_TRUST
Open, HighPublic
Actions

Description

When an error occurs during S/MIME file encryption the user should be offered a yes / no message box, which indicates that we can lower the security checks. Make it non VS-NfD compliant (in VS-NfD) mode and try again to encrypt with: GPGME_ENCRYPT_ALWAYS_TRUST.

Revisions and Commits

rKLEOPATRA Kleopatra
rKLEOPATRAe4e4615f4fe8 Fix initialization of encryption flags
rKLEOPATRA9eed4a45ed93 Don't set the AlwaysTrust flag for S/MIME

Related Objects
Search...

Event Timeline

aheinecke triaged this task as Normal priority.Sep 4 2023, 8:49 AM
aheinecke created this task.
aheinecke added a subtask: T6559: GPGSM: "always trust like override" or "force" option.
ebo changed the status of subtask T6559: GPGSM: "always trust like override" or "force" option from Open to Testing.Sep 7 2023, 10:51 AM
ebo closed subtask T6559: GPGSM: "always trust like override" or "force" option as Resolved.Sep 18 2023, 3:39 PM
aheinecke raised the priority of this task from Normal to High.Oct 13 2023, 9:56 AM

We just realized that similar to what we had in GpgOL ( https://dev.gnupg.org/T6701 ) that AlwaysTrust is used by default. And this will now result in the behavior which I also mentioned in our meeting that without question it encrypts to any S/MIME certificate. Without any warning that it is not VS-NfD compliant to do so.
This must be fixed because otherwise we show an operation as VS-NfD compliant, e.g. to encrypt to a certificate with a broken CRL. Which is not VS-NfD compliant because the CRL check was not done.

So where encrypt jobs are used we need to check for the protocol and first try to encrypt to S/MIME without ALWAYS_TRUST because otherwise the operation will always go through.

aheinecke added a comment.Oct 13 2023, 10:04 AM

For testing with file encryption and notepad you can use this chain which is valid but does not provide a valid CRL for us

greenbone-support.pem2 KBDownload
just please do not send mails to this certificate.

ikloecker added a commit: rKLEOPATRA9eed4a45ed93: Don't set the AlwaysTrust flag for S/MIME.Oct 13 2023, 10:44 AM
aheinecke lowered the priority of this task from High to Normal.Oct 13 2023, 11:23 AM

Ok. Both notepad and file encryption now again produce errors as expected. So the new override would just be a new feature and no longer a regression.

We should probably also check KMail though. There might be a similar fix needed although there I am unsure if the old keyresolver does not do a crl check when a certificate is selected.

ikloecker added a subscriber: ikloecker.Oct 13 2023, 2:36 PM
In T6702#176858, @aheinecke wrote:

We should probably also check KMail though. There might be a similar fix needed although there I am unsure if the old keyresolver does not do a crl check when a certificate is selected.

Not sure about S/MIME, but for OpenPGP I'm pretty sure that a check is done when a certificate is selected in the old approval dialog (resp. in the key chooser opened from this dialog).

ikloecker added a commit: rKLEOPATRAe4e4615f4fe8: Fix initialization of encryption flags.Oct 17 2023, 10:41 AM
timegrid edited projects, added Feature Request, vsd34; removed Restricted Project.Jan 23 2026, 11:17 AM
timegrid added a subscriber: timegrid.

We need to test the current state

timegrid changed the task status from Open to Testing.Jan 23 2026, 11:17 AM
timegrid moved this task from Backlog to QA on the vsd34 board.
werner raised the priority of this task from Normal to High.Wed, Mar 18, 11:23 AM
werner changed the task status from Testing to Open.Wed, Mar 18, 11:25 AM
werner moved this task from QA to Backlog on the vsd34 board.
werner added a subscriber: werner.

It is clearly not implemented for S/MIME: rKLEOPATRA9eed4a45ed93 but it should be.

ikloecker mentioned this in Unknown Object (Maniphest Task).Mon, Mar 23, 8:53 AM
ikloecker added a comment.Mon, Mar 23, 3:02 PM

Do we have a test certificate for this? The certificate in T6702#176845 is expired.

ikloecker claimed this task.Mon, Mar 23, 3:28 PM
ikloecker added a project: gpd5x.
ikloecker moved this task from Backlog to WIP on the gpd5x board.
ikloecker added a project: Info Needed.Tue, Mar 24, 9:34 AM

It needs to be clarified which kind of errors should be handled and which kind of S/MIME certificates should be allowed to be used for encryption:

  • Valid certificates where the CRL check (or OCSP check?) fails
  • Invalid certificates (e.g. because of incomplete chain/missing CA)
  • Expired certificates

Currently, Kleopatra doesn't even allow to start/attempt encryption for certificates which are not valid. Allowing invalid or expired certificates will require massive changes.

ebo added a parent task: T6701: GpgOL: Use GPGME_ENCRYPT_ALWAYS_TRUST.Tue, Mar 24, 10:07 AM
timegrid added a comment.EditedTue, Mar 24, 10:23 AM

Maybe those smime certs will do:

ca.pem2 KBDownload

  • broken: inaccessible url crlDistributionPoints = URI:http://gnupg.test/crl.pem

    bob-brokenCrlDP.p124 KBDownload
  • invalid: invalid content crlDistributionPoints = URI:https://gnupg.com/share/g10code-key.asc

    bob-invalidCrlDP.p124 KBDownload

In my tests, both have the same behavior:

  • invalid after opening the details, so the cert can't be chosen for file encryption afterwards
  • if chosen before invalidation, it hangs indefinitely on file encryption (will create another ticket for this)
ebo added a subscriber: ebo.Tue, Mar 24, 11:07 AM

According to Werner, that should be:

It needs to be clarified which kind of errors should be handled and which kind of S/MIME certificates should be allowed to be used for encryption:

  • Valid certificates where the CRL check (or OCSP check?) fails
  • Invalid certificates (e.g. because of incomplete chain/missing CA)
  • Expired certificates
timegrid added a comment.Tue, Mar 24, 11:39 AM

Ticket for the hang on file encryption: T8187: Kleopatra: File encryption with invalid S/MIME certificate hangs indefinitely

ikloecker removed ikloecker as the assignee of this task.Wed, Mar 25, 10:04 AM
ikloecker moved this task from WIP to Backlog on the gpd5x board.
timegrid edited projects, added needs discussion; removed Info Needed.EditedThu, Mar 26, 12:57 PM

@ebo and me talked about this and T6701: GpgOL: Use GPGME_ENCRYPT_ALWAYS_TRUST. We think, it's best to have a short meeting to discuss further changes.

There are currently two issues here (for both GpgOL and Kleopatra), which might have been mixed:

  1. Handling of errors (=broken CRL check for smime certs) with an easy way to "process anyway" (the original main issue of this ticket)
  2. A general wish to force the encryption for certain disallowed smime and pgp certs (expired, invalid, etc) (most important usecase: sending mails / encrypting files to recipients with temporarily expired cert or missing intermediate/root certs)

Issue 1)

  • was implemented in GpgOL
  • should still be implemented in Kleopatra in the same way it works in GpgOL (on CRL error: Dialog to retry with lower security checks = force flag)

Issue 2) should be a new ticket and needs to be specified

  • current state of offered certs in
    • GpgOL (security dialog)
      • "sign as": expired/revoked/disabled not offered, invalid forbidden
      • "encrypt to": all offered, invalid/disabled/expired/revoked forbidden (ok button disabled)
    • Kleopatra (tested with sign/encrypt file, probably the same for notepad/etc)
      • all offered (tedious, but possible via "show certificate list"), invalid/disabled/expired/revoked forbidden (OK button disabled)
  • to enable a "process anyway (i know, what i'm doing)" workflow in both Kleopatra/GpgOL, i suggest
    • on forbidden certs (probably only invalid/expired/disabled, not revoked?) add a checkbox ~"lower security" (with more explanation in the tooltip) next to the disabled OK button, which reenables the OK button and adds the "force" flag (also possible for pgp?)
    • maybe an additional warning/confirmation dialog, if the checkbox was checked
    • add a registry setting to disable this checkbox (as some admins might not want to enable their users to do this)
    • Kleopatra
      • maybe readd those forbidden certs to the default dropdown list (or keep that way as incentive to fix the problem)
      • maybe only add the checkbox for smime certs, if that's easier (as pgp certs can be easily extended)
    • GpgOL
      • add the forbidden certs to "sign as" as well (probably the sender also wants to force this temporarily)
      • ensure, that the security dialog is shown, if a forbidden cert is chosen (probably already works that way?)
timegrid mentioned this in T8193: Draft: Add a workflow to force encryption/signature with invalid or expired certificates.Thu, Mar 26, 3:31 PM
timegrid added a comment.Thu, Mar 26, 3:33 PM

Issue 1) should be implemented as already described (on error -> dialog to retry with "always trust" flag)

Issue 2) moved to new issue T8193: Draft: Add a workflow to force encryption/signature with invalid or expired certificates

werner added a subtask: T8193: Draft: Add a workflow to force encryption/signature with invalid or expired certificates.Fri, Mar 27, 11:14 AM