
Add --ignore-cert-extensions to dirmngr
Closed, Invalid. Public

Description

Some CAs have issued certificates that use extensions which we do not support (T6677, T6678). An example is

for support greenbone.net certified by DigiCert. There are other examples in our internal tracker but this is a good example because we can use it publicly.

We can make this work when we put the following in "gpgsm.conf":

# See: https://dev.gnupg.org/T6677
ignore-cert-extension 2.5.29.36
# See: https://dev.gnupg.org/T6678
ignore-cert-extension 2.5.29.54

This works fine until you enable CRLs

When CRL checks are enabled:

gpgsm --with-validation --enable-crl-checks -k support@greenbone.net

it still fails (see T6545 for the error).

We thought we needed an option --ignore-crl-extensions to fix that, but that was a thought error. The problem is not CRL extensions; it is that dirmngr validates the CRLs itself, and this validation does not use GPGSM, so the GPGSM option to ignore the cert extensions still fails.

Since all the code is there to ignore the extensions etc., this task is mostly about plumbing in a new option and adding it in the right place. So you can take a look at how --ignore-crl-extensions was added to dirmngr, then look into how --ignore-cert-extensions works in GPGSM, and then add the option --ignore-cert-extensions to dirmngr as well.

Ideally GPGSM could transmit the option from its config to dirmngr so that it would only need to be set once. But there is a small use case for setting this option in dirmngr and not in GPGSM, so this feature makes sense on its own and would anyway be the basis for such a transmission.

Event Timeline

aheinecke created this task.

So dirmngr already has that option.

I can put:
ignore-cert-extension 2.5.29.36
ignore-cert-extension 2.5.29.54

in my dirmngr.conf and this helps.

It then still complains:
2023-10-20 14:50:51 dirmngr[20741.6] unknown critical CRL extension 2.5.29.28

So I add:
ignore-crl-extension 2.5.29.28

But still:

2023-10-20 14:50:51 dirmngr[20741.6] not checking CRL for #0CE7E0E517D846FE8FE560FC1BF03039/CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
2023-10-20 14:50:51 dirmngr[20741.6] checking CRL for #04AE79606666901AB9C57FA66C5BDCCD/CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
2023-10-20 14:50:51 dirmngr[20741.6] S/N 0x04AE79606666901AB9C57FA66C5BDCCD is valid, it is not listed in the CRL
2023-10-20 14:50:51 dirmngr[20741.6] DBG: chan_6 -> INQUIRE ISTRUSTED 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
2023-10-20 14:50:51 dirmngr[20741.6] DBG: chan_6 <- D 1
2023-10-20 14:50:51 dirmngr[20741.6] DBG: chan_6 <- END
2023-10-20 14:50:51 dirmngr[20741.6] [1] result of checking this CRL: Success
2023-10-20 14:50:51 dirmngr[20741.6] [1] result of checking all CRLs: Success
2023-10-20 14:50:51 dirmngr[20741.6] target certificate may be valid
2023-10-20 14:50:51 dirmngr[20741.6] unknown critical CRL extension 2.5.29.28
2023-10-20 14:50:51 dirmngr[20741.6] (CRL='http://crl4.digicert.com/DigiCertSHA2AssuredIDCA-g3.crl')
2023-10-20 14:50:51 dirmngr[20741.6] creating cache file '/home/aheinecke/.gnupg/crls.d/crl-5075D49D9106458C0A3441CC988226ED8F0F4A0A.db'
2023-10-20 14:50:51 dirmngr[20741.6] crl_cache_insert via DP failed: Invalid CRL
2023-10-20 14:50:51 dirmngr[20741.6] command 'ISVALID' failed: Invalid CRL
2023-10-20 14:50:51 dirmngr[20741.6] DBG: chan_6 -> ERR 167772293 Invalid CRL <Dirmngr>

That output was also misleading; it was from before I added the ignore-crl-extension. I was confused because I still got the error:

2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 -> OK Dirmngr 2.4.3 at your service
2023-10-20 16:04:26 dirmngr[28245.6] connection from process 28243 (1000:1000)
2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 <- GETINFO version
2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 -> D 2.4.3
2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 -> OK
2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 <- OPTION audit-events=1
2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 -> OK
2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 <- ISVALID 5075D49D9106458C0A3441CC988226ED8F0F4A0A.08AC076EBD96BD9FBEBE2196B660F2D9
2023-10-20 16:04:26 dirmngr[28245.6] available CRL for issuer ID 5075D49D9106458C0A3441CC988226ED8F0F4A0A can't be used
2023-10-20 16:04:26 dirmngr[28245.6] command 'ISVALID' failed: Invalid CRL object
2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 -> ERR 167772322 Invalid CRL object <Dirmngr>
2023-10-20 16:04:26 dirmngr[28245.6] DBG: chan_6 <- [eof]
2023-10-20 16:04:26 dirmngr[28245.6] handler for fd 6 terminated
2023-10-20 16:10:44 dirmngr[28245.6] handler for fd 6 started
2023-10-20 16:10:44 dirmngr[28245.6] DBG: chan_6 -> # Home: /home/aheinecke/.gnupg
2023-10-20 16:10:44 dirmngr[28245.6] DBG: chan_6 -> # Config: /home/aheinecke/.gnupg/dirmngr.conf
2023-10-20 16:10:44 dirmngr[28245.6] DBG: chan_6 -> OK Dirmngr 2.4.3 at your service
2023-10-20 16:10:44 dirmngr[28245.6] connection from process 28706 (1000:1000)
2023-10-20 16:10:44 dirmngr[28245.6] DBG: chan_6 <- KILLDIRMNGR
2023-10-20 16:10:44 dirmngr[28245.6] DBG: chan_6 -> OK closing connection
2023-10-20 16:10:44 dirmngr[28245.0] socket file has been removed - shutting down

But that was just because I was missing a

dirmngr --flush

So with:
dirmngr.conf:

# Unsupported cert extensions
# See: https://dev.gnupg.org/T6677
ignore-cert-extension 2.5.29.36
# See: https://dev.gnupg.org/T6678
ignore-cert-extension 2.5.29.54

# Unsupported CRL extensions
# See: https://dev.gnupg.org/T6545
ignore-crl-extension 2.5.29.28

And gpgsm.conf

# Unsupported cert extensions
# See: https://dev.gnupg.org/T6677
ignore-cert-extension 2.5.29.36
# See: https://dev.gnupg.org/T6678
ignore-cert-extension 2.5.29.54

It works.
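As an added helper that is not part of this task or of GnuPG's own code, the script below pulls the rejected CRL extension OIDs out of dirmngr log lines like the ones quoted above, flags any OID that has not been looked up yet, and renders the dirmngr.conf and gpgsm.conf fragments in the layout used in this comment. The log sample is constructed from the message shown here, the OID names come from RFC 5280, and the message dirmngr prints for an unknown critical certificate extension is not on this page, so only the CRL message is parsed.

```python
import re
from collections import OrderedDict

# Constructed sample log: the first three lines follow the form dirmngr printed
# in this task; the repeated last line is constructed to show de-duplication.
SAMPLE_LOG = """\
2023-10-20 14:50:51 dirmngr[20741.6] unknown critical CRL extension 2.5.29.28
2023-10-20 14:50:51 dirmngr[20741.6] (CRL='http://crl4.digicert.com/DigiCertSHA2AssuredIDCA-g3.crl')
2023-10-20 14:50:51 dirmngr[20741.6] crl_cache_insert via DP failed: Invalid CRL
2023-10-20 14:50:52 dirmngr[20741.6] unknown critical CRL extension 2.5.29.28
"""

# RFC 5280 names for the OIDs whitelisted in this task, so the operator sees
# what each ignore line switches off before adding it.
OID_NAMES = {
    "2.5.29.28": "issuingDistributionPoint (CRL scope: ignoring it treats a "
                 "partitioned or indirect CRL as if it were complete)",
    "2.5.29.36": "policyConstraints (certificate)",
    "2.5.29.54": "inhibitAnyPolicy (certificate)",
}

# Matches the exact message dirmngr logged in this task. The message for an
# unknown critical *certificate* extension is not shown on the page, so it is
# deliberately not parsed here.
CRL_EXT_RE = re.compile(r"unknown critical CRL extension (\d+(?:\.\d+)+)")


def find_unknown_crl_extensions(log_text):
    """Unique OIDs dirmngr rejected as unknown critical CRL extensions,
    in order of first appearance."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = CRL_EXT_RE.search(line)
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)


def unreviewed_oids(oids):
    """OIDs with no entry in OID_NAMES: look these up before whitelisting."""
    return [oid for oid in oids if oid not in OID_NAMES]


def render_conf(cert_oids, crl_oids=()):
    """Config fragment in the layout used in this task (comment line, then
    option line). Pass crl_oids for dirmngr.conf; gpgsm.conf in the task
    only carries the ignore-cert-extension lines."""
    out = ["# Unsupported cert extensions"]
    for oid in cert_oids:
        out.append(f"# {OID_NAMES.get(oid, 'UNREVIEWED OID')}")
        out.append(f"ignore-cert-extension {oid}")
    if crl_oids:
        out.append("")
        out.append("# Unsupported CRL extensions")
        for oid in crl_oids:
            out.append(f"# {OID_NAMES.get(oid, 'UNREVIEWED OID')}")
            out.append(f"ignore-crl-extension {oid}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    crl_oids = find_unknown_crl_extensions(SAMPLE_LOG)
    cert_oids = ["2.5.29.36", "2.5.29.54"]  # the OIDs from T6677 / T6678 above
    for oid in unreviewed_oids(cert_oids + crl_oids):
        print(f"look up {oid} before adding it to the whitelist")
    print("--- dirmngr.conf ---")
    print(render_conf(cert_oids, crl_oids))
    print("--- gpgsm.conf ---")
    print(render_conf(cert_oids))
    # As the comment above shows, the cached CRL must be dropped after the
    # config change, otherwise the old "Invalid CRL object" result persists.
    print("then run: dirmngr --flush")
```

The point of the unreviewed check is that each ignore line disables a critical extension the issuer marked as must-understand; 2.5.29.28 in particular scopes which certificates a CRL covers, so it is worth knowing what is being skipped before the line goes into dirmngr.conf.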

werner added a subscriber: werner.

According to our rules an initial set of tags should never be a milestone but be in the Backlog or, if work already started, in the WiP column. Because it is anyway invalid, I removed the tags.