Page MenuHome GnuPG
Create Task
Maniphest T6841

GPGSM / GPGME: Untrusted root CA's cause certificates to be invalid instead of Unknown trust
Closed, ResolvedPublic
Actions

Description

So one aspect of T6701 does not work for me the way I intended it, encrypting non vs-nfd compliant to untrusted root cas. The problem is that S/MIME certs where the Root CA is not trusted are reported on a GPGME level as invalid even though the userids have correctly "Unknown Trust"

I think this is the wrong behavior. But I would not flag this for 3.2. maybe discuss this.

./run-keylist --validate --offline --cms andre.heinecke@
keyid   : B2B822E38FC56EE5
can_cap : es
has_cap : es
flags   : secret invalid de-vs
upd     : 0 (0)
fpr    0: 13EE42BED4051016FB44A5CBB2B822E38FC56EE5
v5fpr  0: 992DF2C09D681E7652813073ACAD8C84F381A9F5B8BC89735D18D91FB86DAEFC
grip   0: 54A386908D4F4550307C587A227D63AF1B932AD1
caps   0: es
flags  0: secret invalid de-vs
userid 0: CN=Andre Heinecke,OU=demo,O=g10 Code GmbH,C=DE
    mbox: [none]
   email: 
    name: 
   cmmnt: 
     upd: 0 (0)
   valid: unknown
userid 1: <andre.heinecke@demo.gnupg.com>
    mbox: andre.heinecke@demo.gnupg.com
   email: <andre.heinecke@demo.gnupg.com>
    name: 
   cmmnt: 
     upd: 0 (0)
   valid: unknown

Revisions and Commits

rG GnuPG
rGa6eefa99963a gpgsm: Set validity flag in keylisting to n for untrusted root cert.
rG73aa6dc6e41f gpgsm: Set validity flag in keylisting to n for untrusted root cert.

Related Objects

Event Timeline

aheinecke triaged this task as Normal priority.Nov 25 2023, 6:14 AM
aheinecke created this task.
aheinecke assigned this task to werner.Nov 25 2023, 7:35 AM
aheinecke added a subscriber: werner.

My very simple patch for this would be:

diff --git a/sm/keylist.c b/sm/keylist.c
index bac973984..7692445f0 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -456,6 +456,8 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
     *truststring = 'r';
   else if (gpg_err_code (valerr) == GPG_ERR_CERT_EXPIRED)
     *truststring = 'e';
+  else if (gpg_err_code (valerr) == GPG_ERR_NOT_TRUSTED)
+    *truststring = '-';
   else
     {
       /* Lets also check whether the certificate under question

Since according to doc/DETAILS:

  • i :: The key is invalid (e.g. due to a missing self-signature)

Is simply not true here. The key is fully valid, it is just not trusted. This would then show the certificates in Kleopatra as uncertified just like any random OpenPGP Certificate.

@werner may I commit this? Pretty please. 🫣

werner added a comment.Nov 27 2023, 2:00 PM

Okay, I known do the same what we do for a single root certificate, that is mark it as "not trusted" ('n').

werner changed the task status from Open to Testing.Nov 27 2023, 2:04 PM
werner edited projects, added gnupg22; removed gpgme.
werner moved this task from Backlog to WiP on the gnupg22 board.
werner moved this task from WiP to QA on the gnupg22 board.

Tested on Windows with Kleopatra and 2.2 and with gpgme and 2.4 on Unix.

werner moved this task from QA to gnupg-2.2.42 on the gnupg22 board.Nov 27 2023, 2:07 PM
werner edited projects, added gnupg22 (gnupg-2.2.42); removed gnupg22.
werner added a commit: rG73aa6dc6e41f: gpgsm: Set validity flag in keylisting to n for untrusted root cert..Nov 27 2023, 2:09 PM
werner added a commit: rGa6eefa99963a: gpgsm: Set validity flag in keylisting to n for untrusted root cert..
aheinecke added a comment.Nov 27 2023, 4:07 PM

Thank you very much on behalf of our S/MIME users. This also makes it easier for us in the frontend to show a consistent UI.

werner closed this task as Resolved.Nov 28 2023, 5:00 PM