
gpgsm LISTKEYS for external keys gives error message even if key is found
Closed, Resolved, Public

Description

Versions:
gpgsm (GnuPG) 2.0.9
dirmngr 1.0.2-svn293

Both installed from the debian packages available at http://apt.intevation.de/

dirmngr is running as a system daemon. There is one ldap server configured in
/etc/dirmngr/ldapservers.conf:

ca.intevation.de:389:::o=Intevation GmbH,c=DE

The only root certificate in /etc/dirmngr/trusted-certs/ is that of "Wurzel ZS
3" available on that LDAP server.

For the test, run gpgsm as a user with the following settings:

pubring.kbx is empty
gpgsm.conf has prefer-system-dirmngr
trustlist.txt is empty

Now start gpgsm in server mode and search for "herzog" in external keys:

$ gpgsm --server
[...]
OK GNU Privacy Guard's S/M server 2.0.9 ready
OPTION list-mode=2
OK
OPTION with-validation=0
OK
LISTKEYS herzog
D crt::1024:1:E7C3E460CF8FD68A:20071005T171321:20091004T171321:2C::CN=ZS 4,O=Intevation GmbH,C=DE::esES:%0Afpr:::::::::99D0AB57BFDCC65BF0722B94E7C3E460CF8FD68A::::%0Auid:::::::::CN=Bernhard Herzog,O=Intevation GmbH,C=DE::%0Auid:::::::::<bh@intevation.de>::%0A
ERR 167772187 Nicht gefunden <Dirmngr>

Why does this result in an error ("Nicht gefunden") even though the correct
certificate has been found?

The non-server way to look for external keys gives no error message:

$ gpgsm --list-external-keys herzog
gpgsm: DBG: connection to dirmngr established

[external keys]

         ID: 0xCF8FD68A
        S/N: 2C
     Issuer: /CN=ZS 4/O=Intevation GmbH/C=DE
    Subject: /CN=Bernhard Herzog/O=Intevation GmbH/C=DE
        aka: bh@intevation.de
   validity: 2007-10-05 17:13:21 through 2009-10-04 17:13:21
   key type: 1024 bit RSA
  key usage: digitalSignature nonRepudiation keyEncipherment
fingerprint: 99:D0:AB:57:BF:DC:C6:5B:F0:72:2B:94:E7:C3:E4:60:CF:8F:D6:8A

secmem usage: 0/16384 bytes in 0 blocks
$ echo $?
0

This unexpected error leads to problems with Kleopatra as described in this
kolab issue:
https://www.intevation.de/roundup/kolab/issue2653

Details

Version
2.0.9

Event Timeline

bherzog added projects: S/MIME, gnupg, Bug Report.
bherzog added a subscriber: bherzog.

Hi Werner,
This issue is important for a critical Kolab issue. So I've raised the priority
a little. I'd like to get at least some feedback, especially what the effort
would be to fix it.

bherzog raised the priority of this task from Normal to High. May 5 2008, 12:13 PM

The "not found" from dirmngr stems from the try to get the issuer of the
certificate. You can get the same effect in command line mode when using the
option --with-colons:

$ ../sm/gpgsm --list-external-keys --with-colons herzog
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: issuer certificate {E90B663500FC9B5DFA1B97A6EF6DE7A2080A9F16} (#01/CN=Wurzel ZS 3,O=Intevation GmbH,C=DE) not found using authorityKeyIdentifier
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: listing external keys failed: Not found

[external keys]

crt::1024:1:E7C3E460CF8FD68A:20071005T171321:20091004T171321:2C::CN=ZS 4,O=Intevation GmbH,C=DE::esES:
fpr:::::::::99D0AB57BFDCC65BF0722B94E7C3E460CF8FD68A::::
uid:::::::::CN=Bernhard Herzog,O=Intevation GmbH,C=DE::
uid:::::::::<bh@intevation.de>::
$ echo $?
2

doc/DETAILS says this about the cert chain field (idx=13):

the local keyDB; it is only filled if the issuer
certificate is available. The root has been reached if
this is the same string as the fingerprint. The advantage

Thus gpgsm should not print an error but simply not fill out the field. Some
years ago there might have been the problem that an empty field was accidentally
taken by Kleopatra as the end of the chain.

Not quite correct. The error was probably handled. The actual cause is that we
introduced a new error message in dirmngr. Find attached a patch against the
current gnupg to fix it. Should apply to 2.0.9 as well.

Ludwig's test with 2.0.9 + patch shows that the error message does
not come anymore.
Werner, can you state when you did the change to dirmngr?
(E.g. what is the last released version that worked correctly here?)

Hi!

I received your mail today but I probably can't reply to
it before

May 20

If you don't get an answer within a week following that day,
please consider sending me a reminder.

In case you need urgent technical assistance, please contact

Marcus Brinkmann <marcus@g10code.com>

If you want to report a security critical bug for one of the
software packages we maintain, use the address: <security@gnupg.org>.

This mail has been sent by an automatic responder and it will
only be sent once to a given address.

Regards,

The error message is gone. However, the search result sometimes includes
additional certificates, not just the ones the user searched for. These are
then also imported, at least when using kleopatra.

To elaborate: prefer-system-dirmngr is set in ~/.gnupg/gpgsm.conf and the system
dirmngr is running and has some trusted CA certs in /etc/dirmngr/trusted-certs/.
~/.gnupg/pubring.kbx is empty. Now, searching for a certificate that was issued
by one of those CAs returns the CA certificate as well. E.g. if Intevation's
"Wurzel ZS 3" is in /etc/dirmngr/trusted-certs/ and we search for "zs 5" on
ca.intevation.de:389:::o=Intevation GmbH,c=DE:

OK GNU Privacy Guard's S/M server 2.0.9 ready
OPTION list-mode=2
OK
OPTION with-validation=0
OK
LISTKEYS zs%205
gpgsm[27556]: can't connect to `/home/etch1/.gnupg/S.gpg-agent': Datei oder Verzeichnis nicht gefunden
S PROGRESS starting_agent ? 0 0
can't connect to `/home/etch1/.gnupg/log-socket': Verbindungsaufbau abgelehnt
D crt::1024:1:63D31E2A850BB1EC:20030628T173918:20080627T173918:02::CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::cC:%0Afpr:::::::::AFAAB9D27E4B4B6B400891A163D31E2A850BB1EC:::A6935DD34EF3087973C706FC311AA2CCF733765B:%0Auid:::::::::CN=Test-ZS 5,O=Intevation GmbH,C=DE::%0Auid:::::::::<ca@intevation.de>::%0Auid:::::::::(3\x3auri24\x3ahttp\x3a//ca.intevation.net)::%0Acrt:n:1024:1:311AA2CCF733765B:20030628T144737:20130627T144737:00::CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::escESC:%0Afpr:::::::::A6935DD34EF3087973C706FC311AA2CCF733765B:::A6935DD34EF3087973C706FC311AA2CCF733765B:%0Auid:n::::::::CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::%0Auid:n::::::::<ca@intevation.de>::%0A
OK

When I do that search with Kleopatra and then import the ZS 5 certificate, the
"Wurzel ZS 3" certificate is also imported! Why are both certificates returned
and why are both imported when I only want to import one of them? The latter
may be a kleopatra issue, obviously.
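As an added example (not code from GnuPG, Kleopatra or anyone in this ticket), the following Python parses the payload of the Assuan D line that LISTKEYS returns into its colon-separated crt/fpr/uid records, reads the issuer fingerprint from field 13 of the fpr record as the doc/DETAILS excerpt quoted earlier describes, and separates the certificates that actually matched the search from the issuer certificates dirmngr sent along with them. It covers both situations discussed in this ticket: the first transcript, where the issuer lookup fails and field 13 must simply stay empty, and the second, where the trusted CA is returned next to the "ZS 5" certificate. The two sample payloads are reconstructed from those transcripts with the extraction line wrapping removed; the field positions follow doc/DETAILS; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed test data: the Assuan "D " payloads from the two LISTKEYS
# transcripts in this ticket, with the extraction line wrapping removed.
D_LINE_HERZOG = (
    "crt::1024:1:E7C3E460CF8FD68A:20071005T171321:20091004T171321:2C::"
    "CN=ZS 4,O=Intevation GmbH,C=DE::esES:%0A"
    "fpr:::::::::99D0AB57BFDCC65BF0722B94E7C3E460CF8FD68A::::%0A"
    "uid:::::::::CN=Bernhard Herzog,O=Intevation GmbH,C=DE::%0A"
    "uid:::::::::<bh@intevation.de>::%0A"
)
D_LINE_ZS5 = (
    "crt::1024:1:63D31E2A850BB1EC:20030628T173918:20080627T173918:02::"
    "CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::cC:%0A"
    "fpr:::::::::AFAAB9D27E4B4B6B400891A163D31E2A850BB1EC:::"
    "A6935DD34EF3087973C706FC311AA2CCF733765B:%0A"
    "uid:::::::::CN=Test-ZS 5,O=Intevation GmbH,C=DE::%0A"
    "uid:::::::::<ca@intevation.de>::%0A"
    "uid:::::::::(3\\x3auri24\\x3ahttp\\x3a//ca.intevation.net)::%0A"
    "crt:n:1024:1:311AA2CCF733765B:20030628T144737:20130627T144737:00::"
    "CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::escESC:%0A"
    "fpr:::::::::A6935DD34EF3087973C706FC311AA2CCF733765B:::"
    "A6935DD34EF3087973C706FC311AA2CCF733765B:%0A"
    "uid:n::::::::CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::%0A"
    "uid:n::::::::<ca@intevation.de>::%0A"
)


def unescape_assuan(payload: str) -> str:
    """Undo Assuan D-line percent escaping (%0A newline, %25 percent, ...).
    Colons are not percent-escaped by Assuan, so splitting afterwards is safe."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), payload)


def unescape_field(value: str) -> str:
    """Undo gpgsm's \\xHH escaping inside one field (e.g. \\x3a for ':').
    Must run AFTER splitting on ':' or escaped colons would split fields."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class Cert:
    validity: str           # crt field 2
    keyid: str              # crt field 5
    serial: str             # crt field 8
    issuer: str             # crt field 10: issuer DN
    capabilities: str       # crt field 12, e.g. "esES" or "escESC"
    fingerprint: str = ""   # fpr field 10
    chain_id: str = ""      # fpr field 13: fingerprint of the issuer certificate
    uids: List[str] = field(default_factory=list)

    @property
    def issuer_known(self) -> bool:
        # doc/DETAILS: field 13 is only filled if the issuer certificate is available
        return self.chain_id != ""

    @property
    def is_root(self) -> bool:
        # doc/DETAILS: the root has been reached if field 13 equals the fingerprint
        return self.issuer_known and self.chain_id == self.fingerprint


def parse_colon_listing(text: str) -> List[Cert]:
    """Group crt/fpr/uid records (already percent-unescaped) into Cert objects."""
    certs: List[Cert] = []
    for line in text.splitlines():
        if not line:
            continue
        f = [unescape_field(x) for x in line.split(":")]
        if f[0] == "crt":
            certs.append(Cert(validity=f[1], keyid=f[4], serial=f[7],
                              issuer=f[9], capabilities=f[11]))
        elif f[0] == "fpr" and certs:
            certs[-1].fingerprint = f[9]
            certs[-1].chain_id = f[12] if len(f) > 12 else ""
        elif f[0] == "uid" and certs:
            certs[-1].uids.append(f[9])
    return certs


def chain_for(cert: Cert, certs: List[Cert]) -> List[Cert]:
    """Follow field 13 from cert towards the root, using only certificates in
    this listing; stops at the root, at an unknown issuer, or on a loop."""
    by_fpr = {c.fingerprint: c for c in certs}
    chain, cur = [cert], cert
    while cur.issuer_known and not cur.is_root:
        nxt = by_fpr.get(cur.chain_id)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        cur = nxt
    return chain


def partition_by_search(certs: List[Cert], pattern: str) -> Tuple[List[Cert], List[Cert]]:
    """Split a listing into certificates whose user IDs match the search string
    and the extra ones (issuer certificates returned alongside them)."""
    needle = pattern.lower()
    hits = [c for c in certs if any(needle in u.lower() for u in c.uids)]
    extra = [c for c in certs if c not in hits]
    return hits, extra


if __name__ == "__main__":
    for payload, search in ((D_LINE_HERZOG, "herzog"), (D_LINE_ZS5, "zs 5")):
        listing = parse_colon_listing(unescape_assuan(payload))
        hits, extra = partition_by_search(listing, search)
        for c in hits:
            print(search, "->", c.uids[0], "chain:", [x.keyid for x in chain_for(c, listing)])
        print("  extra certificates not searched for:", [x.uids[0] for x in extra])
```

A client that imports only the `hits` half of the partition keeps the behaviour the reporter expected from Kleopatra: the CA certificate is still available for chain building via field 13, but nothing is imported that the user did not search for.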

bherzog removed a project: Restricted Project. May 20 2008, 3:45 PM

Since the error message is gone and searching in external keys works, this is no
longer urgent.

bherzog lowered the priority of this task from High to Normal. May 20 2008, 3:46 PM

BH,
if the error message is gone, maybe can you split out the other problem
from this issue.

The issue of the search returning the CAs as well as the certificates actually
searched for is now the separate Issue949.

It seems that I can close this bug.