
gpgsm LISTKEYS for external keys sometimes returns issuing CAs as well
Closed, Resolved (Public)

Description

Issue split out of Issue907. Mostly copied from T907 (bherzog on May 20 2008, 03:45 PM / Roundup):

The search result of gpgsm sometimes includes
additional certificates, not just the ones the user searched for. These are
then also imported, at least when using kleopatra.

To elaborate: prefer-system-dirmngr is set in ~/.gnupg/gpgsm.conf and the system
dirmngr is running and has some trusted CA certs in /etc/dirmngr/trusted-certs/.
~/.gnupg/pubring.kbx is empty. Now, searching for a certificate that was issued
by one of those CAs returns the CA certificate as well. E.g. if Intevation's
"Wurzel ZS 3" is in /etc/dirmngr/trusted-certs/ and we search for "zs 5" on
ca.intevation.de:389:::o=Intevation GmbH,c=DE:

OK GNU Privacy Guard's S/M server 2.0.9 ready
OPTION list-mode=2
OK
OPTION with-validation=0
OK
LISTKEYS zs%205
gpgsm[27556]: can't connect to `/home/etch1/.gnupg/S.gpg-agent': No such file or directory
S PROGRESS starting_agent ? 0 0
can't connect to `/home/etch1/.gnupg/log-socket': Connection refused
D crt::1024:1:63D31E2A850BB1EC:20030628T173918:20080627T173918:02::CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::cC:%0Afpr:::::::::AFAAB9D27E4B4B6B400891A163D31E2A850BB1EC:::A6935DD34EF3087973C706FC311AA2CCF733765B:%0Auid:::::::::CN=Test-ZS 5,O=Intevation GmbH,C=DE::%0Auid:::::::::<ca@intevation.de>::%0Auid:::::::::(3\x3auri24\x3ahttp\x3a//ca.intevation.net)::%0Acrt:n:1024:1:311AA2CCF733765B:20030628T144737:20130627T144737:00::CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::escESC:%0Afpr:::::::::A6935DD34EF3087973C706FC311AA2CCF733765B:::A6935DD34EF3087973C706FC311AA2CCF733765B:%0Auid:n::::::::CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::%0Auid:n::::::::<ca@intevation.de>::%0A
OK

When I do that search with Kleopatra and then import the ZS 5 certificate, the
"Wurzel ZS 3" certificate is also imported! Why are both certificates returned
and why are both imported when I only want to import one of them? The latter
may be a kleopatra issue, obviously.

Details

Due Date
Jan 30 2009, 1:00 AM

Event Timeline

When doing an external key listing, gpgsm asks the configured LDAP servers to
return matching certificates. All returned certificates are shown. Given that
there is no common rule on how to search LDAP servers for certain certificate
attributes, Dirmngr uses a very general filter to do the search. This yields
more certificates than the internal search implemented in GnuPG.

We could apply the gpgsm internal key listing rules to the external search as a
post processing filter if that is really desired.
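The reply above describes Dirmngr's very general LDAP filter and the option of applying gpgsm's internal listing rules as a post-processing step. The following is an added example of what such a client-side filter could look like; it is not GnuPG's or Kleopatra's code. It takes the D line from the transcript above (embedded here as a constructed sample), decodes the Assuan percent-escapes, groups the crt/fpr/uid records into certificates, keeps only those whose subject contains the search string, and uses the chain ID in the fpr record (the issuer's fingerprint, or the certificate's own for a self-signed root) to report that the dropped "Wurzel ZS 3" certificate is exactly the issuer of the one kept. The case-insensitive substring match is a simplification of gpgsm's real pattern rules, which also recognise key IDs, fingerprints and e-mail forms; field positions are taken from the listing shown above.

```python
"""Client-side post-processing of a gpgsm external LISTKEYS result.

Added example, not GnuPG code: parse the colon-format records gpgsm
returns on its D line, keep only certificates whose subject matches the
search string, and explain why each dropped certificate came along.
"""
import re
from dataclasses import dataclass, field


# Constructed sample: the D line from the LISTKEYS transcript above, as the
# Assuan server sends it (record separators percent-escaped as %0A).
SAMPLE_D_LINE = (
    "crt::1024:1:63D31E2A850BB1EC:20030628T173918:20080627T173918:02::"
    "CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::cC:%0A"
    "fpr:::::::::AFAAB9D27E4B4B6B400891A163D31E2A850BB1EC:::"
    "A6935DD34EF3087973C706FC311AA2CCF733765B:%0A"
    "uid:::::::::CN=Test-ZS 5,O=Intevation GmbH,C=DE::%0A"
    "uid:::::::::<ca@intevation.de>::%0A"
    "uid:::::::::(3\\x3auri24\\x3ahttp\\x3a//ca.intevation.net)::%0A"
    "crt:n:1024:1:311AA2CCF733765B:20030628T144737:20130627T144737:00::"
    "CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::escESC:%0A"
    "fpr:::::::::A6935DD34EF3087973C706FC311AA2CCF733765B:::"
    "A6935DD34EF3087973C706FC311AA2CCF733765B:%0A"
    "uid:n::::::::CN=Wurzel ZS 3,O=Intevation GmbH,C=DE::%0A"
    "uid:n::::::::<ca@intevation.de>::%0A"
)


@dataclass
class Cert:
    keyid: str
    serial: str
    issuer: str                 # field 10 of the crt record, the issuer DN
    fpr: str = ""
    chain_id: str = ""          # field 13 of the fpr record: issuer's fingerprint
    uids: list = field(default_factory=list)


def assuan_unescape(data: str) -> str:
    """Decode Assuan percent-escapes (%0A, %25, ...) on D lines and in patterns."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), data)


def colon_unescape(text: str) -> str:
    """Decode the \\xNN escapes gpgsm uses for ':' inside a colon field."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def parse_listing(text: str) -> list:
    """Group crt/fpr/uid records into Cert objects (one per crt record)."""
    certs = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "crt":
            certs.append(Cert(keyid=f[4], serial=f[7], issuer=colon_unescape(f[9])))
        elif not certs:
            continue                       # stray record before the first crt
        elif f[0] == "fpr":
            certs[-1].fpr = f[9]
            certs[-1].chain_id = f[12] if len(f) > 12 else ""
        elif f[0] == "uid" and len(f) > 9:
            certs[-1].uids.append(colon_unescape(f[9]))
    return certs


def subject_matches(cert: Cert, pattern: str) -> bool:
    """Case-insensitive substring match over the uid (subject) fields.

    Simplification of gpgsm's own pattern rules, which also accept key IDs,
    fingerprints and e-mail forms; enough for a plain name search like "zs 5".
    """
    p = pattern.lower()
    return any(p in uid.lower() for uid in cert.uids)


def filter_listing(d_line: str, pattern: str):
    """Return (kept, dropped); dropped is a list of (Cert, reason) pairs."""
    pattern = assuan_unescape(pattern)     # accept the LISTKEYS argument as typed
    certs = parse_listing(assuan_unescape(d_line))
    kept = [c for c in certs if subject_matches(c, pattern)]
    wanted_issuers = {c.chain_id for c in kept}
    dropped = []
    for c in certs:
        if subject_matches(c, pattern):
            continue
        reason = ("issuer of a matching certificate" if c.fpr in wanted_issuers
                  else "no subject match")
        dropped.append((c, reason))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_listing(SAMPLE_D_LINE, "zs%205")
    for c in kept:
        print("keep", c.keyid, c.uids[0])
    for c, why in dropped:
        print("drop", c.keyid, c.uids[0], "-", why)
```

Run with the search string exactly as it appears on the LISTKEYS line ("zs%205"): only the "Test-ZS 5" certificate survives, and the root is reported as its issuer because the chain ID of the kept certificate equals the root's own fingerprint. A client such as Kleopatra could use the same grouping to offer the CA certificate as an optional import rather than importing it silently.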

werner set Due Date to Jan 30 2009, 1:00 AM.

It seems this is not important enough to implement an extra filter for this case.

werner claimed this task.
werner removed a project: Stalled.