An LDAP search for an email will directly import S/MIME certificates.
To reproduce:
- Ensure that some S/MIME certificate is available on the LDAP server
- Search for the associated email -> the entry is found, but also directly imported
I have not checked, but I guess that the certificate is marked as ephemeral and Kleopatra either lists ephemeral certificates or the ephemeral flag got removed due to a validation process.
Result of LISTKEYS with keylist mode 0x2 (= remote; i.e. lookup on server)
crt::4096:1:E9D11C94DCC1BAE5:20260120T102434:20270120T102434:02::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::esES::::::23: fpr:::::::::34AFBE6C696E65D763413FA1E9D11C94DCC1BAE5:::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED: fp2:::::::::2BA723F68B44981210B2CE74BB42D957192DDC0F43EAB2BFD18A5CFF925F9DC9:::: grp:::::::::36D2569F4543378959A7B4D63B6FD4817F3695F0: uid:::::::::CN=Bob,1.2.840.113549.1.9.1=#626F6240676E7570672E74657374,O=QA,L=Erkrath,ST=NRW,C=DE::: uid:::::::::<bob@gnupg.test>::
Result of LISTKEYS with keylist mode 0x111 (= local, with secret, validate)
crt:f:4096:1:E9D11C94DCC1BAE5:20260120T102434:20270120T102434:02::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::esES::::::23: fpr:::::::::34AFBE6C696E65D763413FA1E9D11C94DCC1BAE5:::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED: fp2:::::::::2BA723F68B44981210B2CE74BB42D957192DDC0F43EAB2BFD18A5CFF925F9DC9:::: grp:::::::::36D2569F4543378959A7B4D63B6FD4817F3695F0: uid:f::::::::CN=Bob,1.2.840.113549.1.9.1=#626F6240676E7570672E74657374,O=QA,L=Erkrath,ST=NRW,C=DE::: uid:f::::::::<bob@gnupg.test>:: crs:f:3072:1:F7ED85B98C7DDFC5:20230313T180701:20630405T170000:4D9528785EE3E701::CN=Root-CA 2020,OU=GnuPG.com,O=g10 Code GmbH,C=DE::eE:::+:::23: fpr:::::::::54DCF69AD0C25D777CB4B73EF7ED85B98C7DDFC5:::D4ECA6B469ABB5440827CB3FC7D791083C1027DB: fp2:::::::::AE250DD11730E08EA7D78F996A0BAFBD9668348E78F3465003A47009DC9D8D29:::: grp:::::::::10EA99B65693AD207A4081C6DFF465E44DFD49BF: uid:f::::::::CN=Test Tester,OU=demo,O=g10 Code GmbH,C=DE::: uid:f::::::::<ted.tester@demo.gnupg.com>:: crt:u:4096:1:BAD0BBA151F462ED:20260120T102433:20270120T102433:165AC17CC2D9EDB0F1E9AA86503AB62B20EEB012::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::cC::::::23: fpr:::::::::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED:::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED: fp2:::::::::A5E46E01789497B72E647743135A40747B05901F7198471A3839BFB9588D5691:::: grp:::::::::D22D8490F5087FD647E514BC38EE7FBA6A9AD906: uid:u::::::::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::: uid:u::::::::<ca@gnupg.test>:: crs:f:3072:1:67F99891C2311DD2:20230313T180555:20630405T170000:3CE06BDCCCDB7E03::CN=Root-CA 2020,OU=GnuPG.com,O=g10 Code GmbH,C=DE::sS:::+:::23: fpr:::::::::7C6A4442C88AA009D1B82BD267F99891C2311DD2:::D4ECA6B469ABB5440827CB3FC7D791083C1027DB: fp2:::::::::EAF07D4C6FE531C37D8460A41F504A507BA4B5BFAF048D5ED5B25A14FE03BCDE:::: grp:::::::::FA53C09B98FC771C31A96B05CE04FDCE84B1013D: uid:f::::::::CN=Test Tester,OU=demo,O=g10 Code GmbH,C=DE::: uid:f::::::::<ted.tester@demo.gnupg.com>:: crt:f:3072:1:72A2E3036291C878:20230313T181741:20630405T170000:3D0FAB26F82C740D::CN=Root-CA 2020,OU=GnuPG.com,O=g10 Code GmbH,C=DE::esES::::::23: fpr:::::::::A8363E8C52A262B04E8B2FC772A2E3036291C878:::D4ECA6B469ABB5440827CB3FC7D791083C1027DB: fp2:::::::::11F249A37CFB8D10199B31150AA53045188646C0272A3D0902E76CC416213206:::: grp:::::::::36513EAA2DB9BF6CF835CEF1DBDC155728089965: uid:f::::::::CN=Berta Boss,OU=demo,O=g10 Code GmbH,C=DE::: uid:f::::::::<berta.boss@demo.gnupg.com>:: crt:u:3072:1:C7D791083C1027DB:20200326T194101:20630405T170000:01::CN=Root-CA 2020,OU=GnuPG.com,O=g10 Code GmbH,C=DE::cC::::::23: fpr:::::::::D4ECA6B469ABB5440827CB3FC7D791083C1027DB:::D4ECA6B469ABB5440827CB3FC7D791083C1027DB: fp2:::::::::8BA71E53C0AF36F73EE6041E54800ECFA74EA61E08004734F35AF7579B76E2C5:::: grp:::::::::184977136DA4D5C90C202F22E3812012ABCD7174: uid:u::::::::CN=Root-CA 2020,OU=GnuPG.com,O=g10 Code GmbH,C=DE::: uid:u::::::::<root-ca-2020@gnupg.com>:: crs:f:256:18:C7FD4C0193216FA6:20230313T183140:20630405T170000:281B974B684B7934::CN=Root-CA 2020,OU=GnuPG.com,O=g10 Code GmbH,C=DE::esES:::+::brainpoolP256r1:23: fpr:::::::::FF810B9281A43C394AA138E9C7FD4C0193216FA6:::D4ECA6B469ABB5440827CB3FC7D791083C1027DB: fp2:::::::::FCAEE9A63060E168A7AC2C21BFC1D5FEAE8C9A87613847F016A3B3173597E5C6:::: grp:::::::::0D260BD2025388018FA914A59C941060259E7360: uid:f::::::::CN=Edward Tester,OU=demo,O=g10 Code GmbH,C=DE::: uid:f::::::::<edward.tester@demo.gnupg.com>::
Result of LISTKEYS with keylist mode 0x2 (= remote; i.e. lookup on server)
crt::4096:1:E9D11C94DCC1BAE5:20260120T102434:20270120T102434:02::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::esES::::::23: fpr:::::::::34AFBE6C696E65D763413FA1E9D11C94DCC1BAE5:::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED: fp2:::::::::2BA723F68B44981210B2CE74BB42D957192DDC0F43EAB2BFD18A5CFF925F9DC9:::: grp:::::::::36D2569F4543378959A7B4D63B6FD4817F3695F0: uid:::::::::CN=Bob,1.2.840.113549.1.9.1=#626F6240676E7570672E74657374,O=QA,L=Erkrath,ST=NRW,C=DE:: uid:::::::::<bob@gnupg.test>::
Result of LISTKEYS with keylist mode 0x111 (= local, with secret, validate)
crt:u:4096:1:BAD0BBA151F462ED:20260120T102433:20270120T102433:165AC17CC2D9EDB0F1E9AA86503AB62B20EEB012::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::cC::::::23: fpr:::::::::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED:::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED: fp2:::::::::A5E46E01789497B72E647743135A40747B05901F7198471A3839BFB9588D5691:::: grp:::::::::D22D8490F5087FD647E514BC38EE7FBA6A9AD906: uid:u::::::::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE:: uid:u::::::::<ca@gnupg.test>::
With Gpg4win 5.0.0 the LISTKEYS after the server lookup lists the (ephemeral?) ca@gnupg.test certificate and (!) the bob@gnupg.test certificate (and some other certificates, but I guess those are from other tests).
With VSD 3.3.4 the LISTKEYS after the server lookup lists the (ephemeral?) ca@gnupg.test certificate and nothing else.
Note that the GPGME_KEYLIST_MODE_EPHEMERAL flag (0x80) is NOT set in any LISTKEYS commands, i.e. ephemeral certificates should not be listed by gpgsm.
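As an added example (not code from this ticket or from GnuPG), the following Python parses the gpgsm colon records quoted above and reports which fingerprints from the 0x2 (EXTERN) lookup show up in the later 0x111 listing that has no EPHEMERAL bit set, i.e. which certificates were really imported. The sample input is abridged from the LISTKEYS output in this ticket, the mode-bit names are the GPGME_KEYLIST_MODE_* constants, and the function and variable names are my own.

```python
import re

# GPGME keylist-mode bits (gpgme.h); the ticket's 0x111 is LOCAL|WITH_SECRET|VALIDATE.
KEYLIST_MODE = {0x1: "LOCAL", 0x2: "EXTERN", 0x4: "SIGS", 0x8: "SIG_NOTATIONS",
                0x10: "WITH_SECRET", 0x20: "WITH_TOFU", 0x40: "WITH_KEYGRIP",
                0x80: "EPHEMERAL", 0x100: "VALIDATE"}

def decode_mode(mode):
    """Names of the bits set in a keylist mode, e.g. 0x2 -> ['EXTERN']."""
    return [name for bit, name in sorted(KEYLIST_MODE.items()) if mode & bit]

# A record starts at a line start or, in the ticket's wrapped output, after a space.
_REC_START = re.compile(r"\s+(?=(?:crt|crs|fpr|fp2|grp|uid):)")

def parse_colon_listing(text):
    """Group gpgsm --with-colons records into certificates. Field 10 (index 9)
    holds the fingerprint in 'fpr' records and the user id in 'uid' records."""
    certs = []
    for rec in _REC_START.split(text.strip()):
        f = rec.split(":")
        if f[0] in ("crt", "crs"):          # crs: certificate with a secret key
            certs.append({"validity": f[1], "fpr": None, "uids": []})
        elif f[0] == "fpr" and certs:
            certs[-1]["fpr"] = f[9]
        elif f[0] == "uid" and certs:
            certs[-1]["uids"].append(f[9])
    return certs

def imported_after_lookup(remote_text, local_text):
    """Fingerprints the EXTERN (0x2) lookup returned that a later LOCAL listing
    without the EPHEMERAL bit also shows, i.e. certificates that were imported."""
    remote = {c["fpr"] for c in parse_colon_listing(remote_text)}
    local = {c["fpr"] for c in parse_colon_listing(local_text)}
    return sorted(remote & local)

# Abridged from the LISTKEYS output in this ticket (fp2/grp records dropped).
REMOTE_0X2 = """crt::4096:1:E9D11C94DCC1BAE5:20260120T102434:20270120T102434:02::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::esES::::::23:
fpr:::::::::34AFBE6C696E65D763413FA1E9D11C94DCC1BAE5:::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED:
uid:::::::::<bob@gnupg.test>::"""
LOCAL_GPG4WIN5 = """crt:f:4096:1:E9D11C94DCC1BAE5:20260120T102434:20270120T102434:02::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::esES::::::23:
fpr:::::::::34AFBE6C696E65D763413FA1E9D11C94DCC1BAE5:::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED:
uid:f::::::::<bob@gnupg.test>::
crt:u:4096:1:BAD0BBA151F462ED:20260120T102433:20270120T102433:165AC17CC2D9EDB0F1E9AA86503AB62B20EEB012::1.2.840.113549.1.9.1=#636140676E7570672E74657374,CN=CA,OU=QA,O=g10code,L=Erkrath,ST=NRW,C=DE::cC::::::23:
fpr:::::::::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED:::5F2B39FFEF377DAF7C2DF50CBAD0BBA151F462ED:
uid:u::::::::<ca@gnupg.test>::"""
LOCAL_VSD334 = "\n".join(LOCAL_GPG4WIN5.splitlines()[3:])   # VSD 3.3.4: only the CA cert
if __name__ == "__main__":
    print("mode 0x111 =", decode_mode(0x111))
    print("Gpg4win 5.0.0 imported:", imported_after_lookup(REMOTE_0X2, LOCAL_GPG4WIN5))
    print("VSD 3.3.4 imported:", imported_after_lookup(REMOTE_0X2, LOCAL_VSD334))
```

The same comparison can be run on real output by feeding `gpgsm --with-colons --list-external-keys` and `gpgsm --with-colons -k` into the two functions.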
My usual question: What happens if the keyboxd is disabled in Gpg4win 5?
Second question: Does Kleopatra VSD 3.3.4 show the ca@gnupg.test certificate in the certificate list?
It also happens on CLI:
PS C:\Users\g10> gpgsm -k bob
PS C:\Users\g10> gpgsm -v --list-external-keys bob@gnupg.test
gpgsm: enabled compatibility flags:
[external keys]
---------------
ID: 0xDCC1BAE5
S/N: 02
(dec): 2
Issuer: /CN=CA/OU=QA/O=g10code/L=Erkrath/ST=NRW/C=DE/EMail=ca@gnupg.test
Subject: /CN=Bob/O=QA/L=Erkrath/ST=NRW/C=DE/EMail=bob@gnupg.test
validity: 2026-01-20 10:24:34 through 2027-01-20 10:24:34
key type: rsa4096
key usage: digitalSignature nonRepudiation keyEncipherment dataEncipherment
sha1 fpr: 34:AF:BE:6C:69:6E:65:D7:63:41:3F:A1:E9:D1:1C:94:DC:C1:BA:E5
sha2 fpr: 2B:A7:23:F6:8B:44:98:12:10:B2:CE:74:BB:42:D9:57:19:2D:DC:0F:43:EA:B2:BF:D1:8A:5C:FF:92:5F:9D:C9
PS C:\Users\g10> gpgsm -k bob
[keyboxd]
---------
ID: 0xDCC1BAE5
S/N: 02
(dec): 2
Issuer: /CN=CA/OU=QA/O=g10code/L=Erkrath/ST=NRW/C=DE/EMail=ca@gnupg.test
Subject: /CN=Bob/O=QA/L=Erkrath/ST=NRW/C=DE/EMail=bob@gnupg.test
validity: 2026-01-20 10:24:34 through 2027-01-20 10:24:34
key type: rsa4096
key usage: digitalSignature nonRepudiation keyEncipherment dataEncipherment
sha1 fpr: 34:AF:BE:6C:69:6E:65:D7:63:41:3F:A1:E9:D1:1C:94:DC:C1:BA:E5
sha2 fpr: 2B:A7:23:F6:8B:44:98:12:10:B2:CE:74:BB:42:D9:57:19:2D:DC:0F:43:EA:B2:BF:D1:8A:5C:FF:92:5F:9D:C9
C:\Users\g10>gpgsm -k bob
C:\Users\g10>gpgsm -v --list-external-keys bob@gnupg.test
gpgsm: enabled compatibility flags: de-vs-trustlist
[external keys]
---------------
ID: 0xDCC1BAE5
S/N: 02
(dec): 2
Issuer: /CN=CA/OU=QA/O=g10code/L=Erkrath/ST=NRW/C=DE/EMail=ca@gnupg.test
Subject: /CN=Bob/O=QA/L=Erkrath/ST=NRW/C=DE/EMail=bob@gnupg.test
validity: 2026-01-20 10:24:34 through 2027-01-20 10:24:34
key type: rsa4096
key usage: digitalSignature nonRepudiation keyEncipherment dataEncipherment
fingerprint: 34:AF:BE:6C:69:6E:65:D7:63:41:3F:A1:E9:D1:1C:94:DC:C1:BA:E5
sha2 fpr: 2B:A7:23:F6:8B:44:98:12:10:B2:CE:74:BB:42:D9:57:19:2D:DC:0F:43:EA:B2:BF:D1:8A:5C:FF:92:5F:9D:C9
C:\Users\g10>gpgsm -k bob
Yes
> Does Kleopatra VSD 3.3.4 show the ca@gnupg.test certificate in the certificate list?
The "ca" root cert was imported manually before via Kleopatra and is shown.
> What happens if the keyboxd is disabled in Gpg4win 5?
Without keyboxd, the certificate is not imported.