S/MIME (Project)
Active · Public

Recent Activity

Tue, Mar 31

werner triaged T4898: auto import CA certs with authInfo.caIssuers as Normal priority.
Tue, Mar 31, 12:04 PM · dirmngr, S/MIME, gnupg (gpg23)
werner created T4898: auto import CA certs with authInfo.caIssuers.
Tue, Mar 31, 12:04 PM · dirmngr, S/MIME, gnupg (gpg23)
gniibe added a commit to T4896: ksba: Ed25519 support: rK2625e13bc9d5: ecc: Add Ed25519 and Ed448 public key support.
Tue, Mar 31, 9:00 AM · libksba, Feature Request, S/MIME
gniibe added a comment to T4888: GpgSM: Support ECC key generation by gpgsm_genkey.

genkey for Ed25519 works now with libksba in master.

Tue, Mar 31, 8:59 AM · Feature Request, S/MIME
gniibe added a comment to T4896: ksba: Ed25519 support.

For public key, it's done.

Tue, Mar 31, 8:59 AM · libksba, Feature Request, S/MIME

Mon, Mar 30

dkg closed T4892: gpgsm --gen-key with existing key from "ssh-add" fails as Resolved.
Mon, Mar 30, 9:59 PM · Bug Report, S/MIME
dkg reopened T4892: gpgsm --gen-key with existing key from "ssh-add" fails as "Open".
Mon, Mar 30, 9:59 PM · Bug Report, S/MIME
werner closed T4895: segfaults in certreqen.c from logging NULL return from get_parameter as Resolved.

Thanks.

Mon, Mar 30, 5:35 PM · gnupg (gpg22), S/MIME, Bug Report
werner added a commit to T4895: segfaults in certreqen.c from logging NULL return from get_parameter: rG9c5c7c6f602c: sm: Fix possible NULL deref in error messages of --gen-key.
Mon, Mar 30, 5:35 PM · gnupg (gpg22), S/MIME, Bug Report
werner added a commit to T4895: segfaults in certreqen.c from logging NULL return from get_parameter: rG2b4b0b1223aa: sm: Fix possible NULL deref in error messages of --gen-key.
Mon, Mar 30, 5:35 PM · gnupg (gpg22), S/MIME, Bug Report
werner added a commit to T4892: gpgsm --gen-key with existing key from "ssh-add" fails: rK1e903fe558bd: Allow optional elements in keyinfo objects.
Mon, Mar 30, 5:32 PM · Bug Report, S/MIME
werner added a comment to T4892: gpgsm --gen-key with existing key from "ssh-add" fails.

The problem was the comment field which was not expected in an RSA key. However, it makes sense to allow additional fields and thus I pushed a change to Libksba.

Mon, Mar 30, 5:00 PM · Bug Report, S/MIME
gniibe added a project to T4896: ksba: Ed25519 support: libksba.
Mon, Mar 30, 7:55 AM · libksba, Feature Request, S/MIME
gniibe created T4896: ksba: Ed25519 support.
Mon, Mar 30, 7:55 AM · libksba, Feature Request, S/MIME
dkg created T4895: segfaults in certreqen.c from logging NULL return from get_parameter.
Mon, Mar 30, 12:37 AM · gnupg (gpg22), S/MIME, Bug Report

Fri, Mar 27

gniibe added a comment to T4888: GpgSM: Support ECC key generation by gpgsm_genkey.

NIST P-256 key generation looks good.

Fri, Mar 27, 11:53 AM · Feature Request, S/MIME

Thu, Mar 26

dkg added a comment to T4892: gpgsm --gen-key with existing key from "ssh-add" fails.

OK, i've asked on gnupg-devel.

Thu, Mar 26, 3:24 PM · Bug Report, S/MIME
werner closed T4892: gpgsm --gen-key with existing key from "ssh-add" fails as Wontfix.

Please use the mailing list for help on generating keys. I would also suggest to use GnuPG master for such experiments.

Thu, Mar 26, 10:27 AM · Bug Report, S/MIME
gniibe added a commit to T4888: GpgSM: Support ECC key generation by gpgsm_genkey: rG49ea53b755f0: gpgsm: Support key generation with ECC.
Thu, Mar 26, 7:56 AM · Feature Request, S/MIME
gniibe added a commit to T4888: GpgSM: Support ECC key generation by gpgsm_genkey: rG238707db8b05: gpgsm: Remove restriction of key generation (only RSA).
Thu, Mar 26, 3:44 AM · Feature Request, S/MIME
dkg created T4892: gpgsm --gen-key with existing key from "ssh-add" fails.
Thu, Mar 26, 2:05 AM · Bug Report, S/MIME

Wed, Mar 25

werner created T4891: Support CBOR content in gpgsm.
Wed, Mar 25, 12:54 PM · Feature Request, gnupg, S/MIME

Tue, Mar 24

gniibe added a comment to T4098: GpgSM: Add ECC support (Option to create an X.509/ECDSA key).

There are two code paths to generate a key: gpgsm_genkey and gpgsm_gencertreq_tty. The latter is partially supported with a card key.
Firstly, I'm going to work on T4888.

Tue, Mar 24, 6:32 AM · Feature Request, S/MIME
gniibe created T4888: GpgSM: Support ECC key generation by gpgsm_genkey.
Tue, Mar 24, 6:30 AM · Feature Request, S/MIME
gniibe changed the status of T4013: Certificate requests generated from Ed25519 keys are not compliant with draft-ietf-curdle-pkix from Open to Testing.

This should work well with libksba master and gnupg/sm master.

Tue, Mar 24, 3:35 AM · Testing, S/MIME, Feature Request, libksba
gniibe changed the status of T4092: Certificate requests generated from card-based ECDSA keys are incorrectly marked as RSA-signed from Open to Testing.

The commits in 2019 (for libksba and gnupg/sm) handle the problem (of key generation using a card).

Tue, Mar 24, 3:32 AM · Testing, Feature Request, S/MIME

Fri, Mar 20

werner closed T4536: dirmngr fails to find OCSP signer certificate when responder is identified with key ID as Resolved.
Fri, Mar 20, 5:59 PM · S/MIME, gnupg (gpg22), Bug Report
werner closed T4847: "gpgsm: invalid radix64 character 2d skipped" when trying to import a PEM file with DOS line endings (CR+LF) as Resolved.
Fri, Mar 20, 5:59 PM · gnupg (gpg22), S/MIME, Bug Report
dkg added a comment to T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.

That option does the same as --disable-dirmngr which in turn has the same effect as disable-crl-checks

Fri, Mar 20, 4:49 PM · Not A Bug, S/MIME, gpgme
dkg added a comment to T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.

@werner wrote:

Fri, Mar 20, 4:45 PM · Not A Bug, S/MIME, gpgme
aheinecke added a comment to T4884: PKCS #15 support in gpgsm.

The return value that was mapped to "invalid value" was SW_WRONG_LENGTH, so I tested using the code path for the SW_EXACT_LENGTH sw return value too, and it worked for readcert.

Fri, Mar 20, 3:52 PM · scd, S/MIME
aheinecke created T4884: PKCS #15 support in gpgsm.
Fri, Mar 20, 12:27 PM · scd, S/MIME
aheinecke added a comment to T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.

Sample how GpgOL handles this: https://dev.gnupg.org/source/gpgol/browse/master/src/keycache.cpp;6f5f48c3d60e0af52f1a9f0e51f60ee653eeeb31$269

Fri, Mar 20, 11:03 AM · Not A Bug, S/MIME, gpgme
aheinecke added a comment to T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.

I think what you're saying is that there is *no way* to use GPGME in offline mode to validate X.509 certificates, and this is by design. Am I understanding that right?

Fri, Mar 20, 11:00 AM · Not A Bug, S/MIME, gpgme
werner added a comment to T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.

After disabling the CRL check again in gpgsm.conf

Fri, Mar 20, 8:56 AM · Not A Bug, S/MIME, gpgme

Thu, Mar 19

dkg added a comment to T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.

I see no difference between the last two example stanzas that show you running ../run-verify. Are they supposed to have different output?

Thu, Mar 19, 10:58 PM · Not A Bug, S/MIME, gpgme
dkg added a comment to T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..

I'm aware of the metadata leakage risks of OCSP, and i share your concerns about them.

Thu, Mar 19, 10:14 PM · Not A Bug, gnupg (gpg22), S/MIME
werner added a comment to T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..

OCSP can't be the default because it enables a web bug. The responder immediately sees when a signature is verified or data is encrypted to a certificate.

Thu, Mar 19, 7:00 PM · Not A Bug, gnupg (gpg22), S/MIME
dkg added a comment to T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..

If CRLs or OCSP are a MUST in a given profile, and the cert chain has OCSP but no CRL, it seems like that profile should then try OCSP, rather than failing.

Thu, Mar 19, 6:53 PM · Not A Bug, gnupg (gpg22), S/MIME
werner added a comment to T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.

That option does the same as --disable-dirmngr which in turn has the same effect as disable-crl-checks; see gnupg/sm/server.c#option_handler. If you want to check the validity of the cert you check the TRUST status lines. This is what gpgme does for you. An example is gpgme.tests/gpgsm/t-verify. You can run the tests also manually, I do this as follows:

Thu, Mar 19, 6:25 PM · Not A Bug, S/MIME, gpgme
dkg added a comment to T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.

I think what you're saying is that there is *no way* to use GPGME in offline mode to validate X.509 certificates, and this is by design. Am I understanding that right?

Thu, Mar 19, 5:25 PM · Not A Bug, S/MIME, gpgme
werner edited projects for T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs., added: Not A Bug; removed Bug Report.
Thu, Mar 19, 1:07 PM · Not A Bug, gnupg (gpg22), S/MIME
werner edited projects for T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set, added: Not A Bug; removed Bug Report.

I can see no bug here. See my comment over at T4881.

Thu, Mar 19, 1:06 PM · Not A Bug, S/MIME, gpgme
werner added a comment to T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..

If you want OCSP you need to enable it. CRLs or OCSP are a MUST under the profile for which we developed gpgsm. This is why --disable-crl-checks by default is not possible. There are a lot of interesting things you will come across if you start to use S/MIME. For example, you also need to care about the algorithms used for intermediate certificates used to sign CRLs - they need to comply with the policy as well. Or the rarely used PSS padding we encounter sometimes and which is not supported and will probably not be supported

Thu, Mar 19, 11:56 AM · Not A Bug, gnupg (gpg22), S/MIME
dkg created T4883: gpgme X.509 certificates have unknown validity in offline mode unless `disable-crl-checks` is set.
Thu, Mar 19, 2:25 AM · Not A Bug, S/MIME, gpgme

Wed, Mar 18

dkg added a comment to T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..

I thought i'd try with other certificates. I started with the one from this website. It also fails to validate unless i supply --disable-crl-checks, apparently because the immediate issuer (the Let's Encrypt CA) doesn't offer CRLs, only OCSP responders. Perhaps --disable-crl-checks should be the default, or at least if there is no CRL available there shouldn't be a failure by default:

Wed, Mar 18, 10:38 PM · Not A Bug, gnupg (gpg22), S/MIME
dkg added a comment to T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..

Aha, i can get it to say f if i use --disable-crl-checks:

Wed, Mar 18, 10:30 PM · Not A Bug, gnupg (gpg22), S/MIME
dkg added a comment to T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..

i didn't know that, thanks. i'm now seeing i (which i think means "invalid") in the same configuration:

Wed, Mar 18, 9:36 PM · Not A Bug, gnupg (gpg22), S/MIME
werner added a comment to T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..

Add --with-validation to check the validity of a certificate in a listing.

Wed, Mar 18, 9:07 PM · Not A Bug, gnupg (gpg22), S/MIME
dkg created T4881: "User ID" (Subject, subjectAltName) validity is inaccurate in gpgsm with sample certs..
Wed, Mar 18, 8:55 PM · Not A Bug, gnupg (gpg22), S/MIME