Page MenuHome GnuPG

GPGSM / GPGME: Untrusted root CA's cause certificates to be invalid instead of Unknown trust
Closed, ResolvedPublic

Description

So one aspect of T6701 does not work for me the way I intended it, encrypting non vs-nfd compliant to untrusted root cas. The problem is that S/MIME certs where the Root CA is not trusted are reported on a GPGME level as invalid even though the userids have correctly "Unknown Trust"

I think this is the wrong behavior. But I would not flag this for 3.2. maybe discuss this.

./run-keylist --validate --offline --cms andre.heinecke@
keyid   : B2B822E38FC56EE5
can_cap : es
has_cap : es
flags   : secret invalid de-vs
upd     : 0 (0)
fpr    0: 13EE42BED4051016FB44A5CBB2B822E38FC56EE5
v5fpr  0: 992DF2C09D681E7652813073ACAD8C84F381A9F5B8BC89735D18D91FB86DAEFC
grip   0: 54A386908D4F4550307C587A227D63AF1B932AD1
caps   0: es
flags  0: secret invalid de-vs
userid 0: CN=Andre Heinecke,OU=demo,O=g10 Code GmbH,C=DE
    mbox: [none]
   email: 
    name: 
   cmmnt: 
     upd: 0 (0)
   valid: unknown
userid 1: <andre.heinecke@demo.gnupg.com>
    mbox: andre.heinecke@demo.gnupg.com
   email: <andre.heinecke@demo.gnupg.com>
    name: 
   cmmnt: 
     upd: 0 (0)
   valid: unknown

Event Timeline

aheinecke created this task.
aheinecke added a subscriber: werner.

My very simple patch for this would be:

diff --git a/sm/keylist.c b/sm/keylist.c
index bac973984..7692445f0 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -456,6 +456,8 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
     *truststring = 'r';
   else if (gpg_err_code (valerr) == GPG_ERR_CERT_EXPIRED)
     *truststring = 'e';
+  else if (gpg_err_code (valerr) == GPG_ERR_NOT_TRUSTED)
+    *truststring = '-';
   else
     {
       /* Lets also check whether the certificate under question

Since according to doc/DETAILS:

  • i :: The key is invalid (e.g. due to a missing self-signature)

Is simply not true here. The key is fully valid, it is just not trusted. This would then show the certificates in Kleopatra as uncertified just like any random OpenPGP Certificate.

@werner may I commit this? Pretty please. 🫣

Okay, I known do the same what we do for a single root certificate, that is mark it as "not trusted" ('n').

werner changed the task status from Open to Testing.Nov 27 2023, 2:04 PM
werner edited projects, added gnupg22; removed gpgme.
werner moved this task from Backlog to WiP on the gnupg22 board.
werner moved this task from WiP to QA on the gnupg22 board.

Tested on Windows with Kleopatra and 2.2 and with gpgme and 2.4 on Unix.

Thank you very much on behalf of our S/MIME users. This also makes it easier for us in the frontend to show a consistent UI.