I'm testing gpgsm for automatic import of missing certificates through the --auto-issuer-key-retrieve switch. In practice, I have encountered certificates that refer to CAs in the AIA extension, but program can not download them for various reasons. These various reasons cause automatic certificate retrieval to fail, and because of this, patch discovery/validation is broken at some stage of import. An example of a command I use:
$ gpgsm --homedir "R:\abc" --import --batch --auto-issuer-key-retrieve --disable-crl-checks --disable-policy-checks --debug-level guru "file_with_certs.p7b" > "gpgsm_log.txt" 2>&1For example, I add a steps to reproduce that can be repeated to collect about 2,300 certificates from the trusted eu list, (file eu_cert_list.sh.txt), some certs had deficiencies in AIA, pointed to wrong CA certificate (quite recently by the same method I collected about 3 thousand of them).
gpgsm --show-certs concatenate_bundle.pem gpgsm --show-certs concatenate_bundle.p7b
gpgsm/dirmngr can be improved to collect, fetch as many certs as possible (on the first attempt), making life easier.
Things that gpgsm doesn't handle:
- multiple http AIA extensions in one cert
- text encoding of individual certificates (.pem -----BEGIN CERTIFICATE-----)
- der encoded .p7c CMS "certs-only" message (aka degenerate) containing a single or a whole set of certificates (mini repo)
- text encoding of the above degenerate files (.p7b -----BEGIN PKCS7-----)
- detection of processed duplicates
I created a test case with ready-made certificates and packages that need to be placed on the local http://localhost:1180 server. I also generated 3 sets of this tests in tar.gz packages on this page. The script (daedalus_hierarchy.sh) generates the same hierarchy structure each time but with different names, keys and signatures on the certificates. The crux of the test is that after importing IMPORT_THIS_xxxxx/certs_all_users_in_or.der.p7b file, the program can/should add 7 users and find the root and intermediate certificates (build a path to the top of the hierarchy), fetch CAs using the AIA extension from the localhost. Certificates do not contain CRLs, Name Constraints or Policy, only AIAs in various, extreme situations. Certificates do not contain countless combinations of AIAs, but for checking basic functions they are quite suitable. I briefly described the paths for each user in this repo (mermaid tree graphs).
Certificates can be used to test various optimizations, sorting, see: G5 & G6 user. I read that libpkix has the most such optimizations. Maybe it would be possible to use some of the ideas from this project? It's under a custom BSD license with an anti-nuclear add-on, but I see, that you're old-school pacifists, so it shouldn't be a problem...
In the test certs, I also included SIA extensions (caRepository) that build a path down, in the reverse direction, but I don't see much use in gpgsm, so it seems that adding this extension is out of scope.
take care
similar:
https://dev.gnupg.org/T2119
related?
https://dev.gnupg.org/T7308
https://dev.gnupg.org/T6458
https://dev.gnupg.org/T5882
gpgsm --version gpgsm (GnuPG) 2.4.5 libgcrypt 1.10.3 libksba 1.6.6
