Home GnuPG
Diffusion GnuPG 1067403c8a7f

sm: Do not expect X.509 keyids to be unique


sm: Do not expect X.509 keyids to be unique

* sm/certlist.c (gpgsm_find_cert): Add arg allow_ambiguous and use it.
* sm/call-dirmngr.c (inq_certificate): Pass true to ALLOW_AMBIGUOUS
(run_command_inq_cb): Ditto.
* sm/gpgsm.c (main): Pass false.
* sm/server.c (cmd_passwd): Pass false.

As described in my report T1644, it is possible that multiple
certificates exist with the same Distinguished Name and the same key.
In this case, verifying S/MIME signatures and other actions fail with
"certificate not found: Ambiguous name". For details see the bug

To circumvent the problem, I am patching GnuPG since 2014 so that in
this case the newest of the ambiguous certificates is used.

This is not an ultimate solution of the problem: You should try every
certificate with the same DN until verification succeeds or until all
certificates fail, and if multiple certificates of a chain are
ambiguous you even have to check every combination. You may even
consider checking the keyUsage attributes of the ambiguous certificates
to reduce the number of combinations.

But in the existing case of the certificates in the German Research
Network (DFN) PKI where the newest one is the valid one and all
ambiguous certificates have the same keyUsage attributes, this patch
has proven to be sufficient over the last three years.

With every GnuPG update, I have adapted the patch, luckily I never
needed to change anything except line numbers.

ChangeLog log written by wk, comment taken from mail. Signed-off line
was missing in the plain diff. However the mail with the patch and
the DCO posted as reply to that mail were both signed.

  • GnuPG-bug-id: T1644
  • Signed-off-by: Werner Koch <wk@gnupg.org>


perskeAuthored on Oct 24 2017, 5:29 PM
wernerCommitted on Oct 24 2017, 5:29 PM
rG6e808ae4700d: gpgconf: Ignore non-installed components with --apply-profile.
T1644: Do not expect KeyIDs to be unique