gpgsm: Cannot decrypt with expired certificate for CRL
Hi there,

I’m using gpgsm (GnuPG) 2.2.13. For some reason, a CRL obtained by
dirmngr is signed with an expired certificate. This prevents me
from using my certificate. Here is what happens when I try to decrypt:

$ gpgsm -d mail.p7m
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Certificate expired
gpgsm: can't sign using '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Certificate expired
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Certificate expired
gpgsm: Note: won't be able to encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Certificate expired

Yes, CRLs should not be signed with expired certificates. However,
is the fact that gpgsm prevents me from using my certificate a bug
or a feature?

As a workaround I now have disable-crl-checks in my gpgsm.conf.

Should I file a bug report?

Best wishes
Jens

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

Re: gpgsm: Cannot decrypt with expired certificate for CRL
On 2019-03-25, Jens Lechtenboerger wrote:

> Hi there,
>
> I’m using gpgsm (GnuPG) 2.2.13. For some reason, a CRL obtained by
> dirmngr is signed with an expired certificate.

I need to correct myself after feedback from our Certificate
Authority: The CRL was not signed with an expired certificate but
with a valid certificate that happens to share the keygrip (Subject
Key Identifier) with an expired one. The lookup by dirmngr led to
the expired certificate, while a valid certificate also exists.

> [...]
> Yes, CRLs should not be signed with expired certificates. However,
> is the fact that gpgsm prevents me from using my certificate a bug
> or a feature?
>
> As a workaround I now have disable-crl-checks in my gpgsm.conf.
>
> Should I file a bug report?

Best wishes
Jens

Re: gpgsm: Cannot decrypt with expired certificate for CRL
Hello, everyone,

the problem reported by Jens Lechtenboerger is solved:

In this special case my patch that was added to GnuPG 2.2.2, see
<https://dev.gnupg.org/T1644>, did not help because his keyring
contained only the old, revoked certificate and not the new, unrevoked
one. So my patch could not select the newer certificate.

The specific problem with multiple CA certificates with the same key in
the "old" DFN PKI "Global" hierarchy will disappear on July 9th 23:59
UTC because then the root certificate expires.

The general problem that GnuPG has problems handling multiple
certificates with the same key persists (see T1644), but fixing this
would require a major effort for a quite rare edge case.

Best greetings
--
Rainer Perske
Systems Operations Department, Head of the Certification Authority (WWUCA)
Zentrum für Informationsverarbeitung (University Computing Centre)

Westfälische Wilhelms-Universität
Zentrum für Informationsverarbeitung
Rainer Perske
Röntgenstraße 7-13
48149 Münster

Tel.: +49 251 83-31582
Fax.: +49 251 83-31555
E-Mail: rainer.perske@uni-muenster.de
WWW: https://www.uni-muenster.de/ZIV/Mitarbeiter/RainerPerske.shtml
Office: Room 006, Röntgenstraße 11
Site map: http://wwwuv2.uni-muenster.de/uniplan/?action=spot&gebnr=7474

Certification Authority of the University of Münster (WWUCA):
Tel.: +49 251 83-31590
Fax.: +49 251 83-31555
E-Mail: ca@uni-muenster.de
WWW: https://www.uni-muenster.de/WWUCA/

Zentrum für Informationsverarbeitung (ZIV):
Tel.: +49 251 83-31600 (Mon-Fri 7:30-17:30)
Fax.: +49 251 83-31555
E-Mail: ziv@uni-muenster.de
WWW: https://www.uni-muenster.de/ZIV/

Re: gpgsm: Cannot decrypt with expired certificate for CRL
On 25/03/2019 16:41, Rainer Perske wrote:
> the problem reported by Jens Lechtenboerger is solved:

But... shouldn't it always be possible to /decrypt/, no matter the
revocation status or expiry or whatnot?

I can understand a certificate being skipped to /encrypt/ to, but it
seems rather drastic to prevent reading any mail encrypted to that key
and stuff like that.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

Re: gpgsm: Cannot decrypt with expired certificate for CRL
Hi,

On Monday 25 March 2019 10:42:52 CET Jens Lechtenboerger wrote:
> Yes, CRLs should not be signed with expired certificates. However,
> is the fact that gpgsm prevents me from using my certificate a bug
> or a feature?

For decrypt I would say: It's a bug. You should always be able to decrypt
something for which you have the secret key IMO.

> As a workaround I now have disable-crl-checks in my gpgsm.conf.
>
> Should I file a bug report?

Yes please. Ideally with an example certificate chain + test cert attached :-)

Thanks,
Andre

--
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: board@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799

Re: gpgsm: Cannot decrypt with expired certificate for CRL
On 2019-03-26, Andre Heinecke wrote:

> On Monday 25 March 2019 10:42:52 CET Jens Lechtenboerger wrote:
>> Yes, CRLs should not be signed with expired certificates. However,
>> is the fact that gpgsm prevents me from using my certificate a bug
>> or a feature?
>
> For decrypt I would say: It's a bug. You should always be able to decrypt
> something for which you have the secret key IMO.
>
>> As a workaround I now have disable-crl-checks in my gpgsm.conf.
>>
>> Should I file a bug report?
>
> Yes please. Ideally with an example certificate chain + test cert attached :-)

For the record: Deleting the expired CA certificate from my keyring
is another workaround.

I filed a bug: https://dev.gnupg.org/T4431

Creating an example for this seems complicated: A CA with two
certificates using the same key, one expired, one valid. Then, a
CSR signed by that CA. Then, a certificate signed by the CA, with
private key for decryption attempt. I do not want to provide my
private key ;)

Best wishes
Jens

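The test material Rainer describes above (one CA key, two CA certificates for it, one expired and one valid, a CRL signed with that key) and that Jens finds awkward to put together can be generated with OpenSSL alone. The script below is an added example for this archive page, not code from the thread or from the GnuPG project. Every name, date and path in it is made up; it uses only documented openssl, gpgsm and gpgconf options, and the gpgsm part (a scratch GNUPGHOME, a trustlist.txt entry for the valid CA certificate, gpgsm --import, gpgsm --call-dirmngr loadcrl, gpgsm -k --with-validation) runs only when gpgsm is on PATH and is there for inspecting the result by hand, so it makes no promise about the exact message a given GnuPG version prints.

```shell
#!/bin/sh
# Added example (not from the thread): a CA with two certificates for ONE key
# (one expired, one valid, hence the same Subject Key Identifier), a CRL signed
# with that key, and an end-entity certificate issued under the valid CA cert.
# Names, dates and paths are made up.  Usage: sh repro.sh /tmp/pki
set -eu

# Minimal openssl.cnf for 'openssl req' and 'openssl ca', written into $1.
write_ca_conf() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
dir              = $1
database         = \$dir/index.txt
serial           = \$dir/serial
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca-valid.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = cn_only
unique_subject   = no
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, keyEncipherment
extendedKeyUsage       = emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ crl_ext ]
authorityKeyIdentifier = keyid
EOF
}

# Generate the key, both CA certificates, the end-entity certificate and the CRL in $1.
build_pki() {
  d=$1; cfg=$1/openssl.cnf
  mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"
  write_ca_conf "$d"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -key "$d/ca.key" -subj "/CN=Example Test CA" -config "$cfg" -out "$d/ca.csr"
  # Old CA certificate for the key, valid 2010-01-01 to 2012-01-01: long expired.
  openssl ca -config "$cfg" -selfsign -batch -notext -in "$d/ca.csr" -extensions ca_ext \
    -startdate 100101000000Z -enddate 120101000000Z -out "$d/ca-expired.pem"
  # Re-certified CA certificate for the same key, valid from now on.
  openssl ca -config "$cfg" -selfsign -batch -notext -in "$d/ca.csr" -extensions ca_ext \
    -days 3650 -out "$d/ca-valid.pem"
  # End-entity certificate (think S/MIME) issued under the valid CA certificate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ee.key" -subj "/CN=Test User" \
    -config "$cfg" -out "$d/ee.csr" 2>/dev/null
  openssl ca -config "$cfg" -batch -notext -in "$d/ee.csr" -extensions ee_ext -days 365 \
    -out "$d/ee.pem"
  # CRL signed with ca.key. Its AuthorityKeyIdentifier is the shared SKI, so a
  # lookup of the CRL issuer by key identifier alone matches both CA certificates.
  openssl ca -config "$cfg" -gencrl -crlexts crl_ext -out "$d/ca.crl"
}

# Subject Key Identifier of a PEM certificate, as printed by 'openssl x509 -text'.
ski_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Key Identifier/{n;s/^[[:space:]]*//;p;}'
}

# Succeeds if the certificate's notAfter is already in the past.
cert_expired() { ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# Succeeds if the CRL signature verifies with the key in certificate $2. The
# message is checked because 'openssl crl' exits 0 even on "verify failure".
crl_signed_by() { openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q '^verify OK'; }

# Optional: import everything into a scratch GnuPG home and let gpgsm validate the
# end-entity certificate. Needs gpgsm and dirmngr on PATH; skipped otherwise.
try_gpgsm() {
  d=$1
  command -v gpgsm >/dev/null 2>&1 || { echo "gpgsm not found, skipping"; return 0; }
  GNUPGHOME=$d/gnupghome; export GNUPGHOME; mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
  # Trust only the valid CA certificate, by SHA-1 fingerprint (trustlist.txt format).
  openssl x509 -in "$d/ca-valid.pem" -noout -fingerprint -sha1 |
    sed 's/^.*=//' | tr -d ':' | sed 's/$/ S/' >> "$GNUPGHOME/trustlist.txt"
  gpgsm --import "$d/ca-expired.pem" "$d/ca-valid.pem" "$d/ee.pem"
  gpgsm --call-dirmngr loadcrl "$d/ca.crl" || echo "loadcrl failed; check dirmngr's log"
  gpgsm -k --with-validation "Test User"     # watch for "CRL" / "expired" in the result
  gpgconf --kill all
}

if [ $# -ge 1 ]; then mkdir -p "$1"; build_pki "$1"; try_gpgsm "$1"; fi
```

Run it as `sh repro.sh /tmp/pki`. ski_of prints the same Subject Key Identifier for ca-expired.pem and ca-valid.pem, the CRL's AuthorityKeyIdentifier carries that value, and the CRL signature verifies with the public key from either certificate because the key is identical; only the validity period tells the two apart, which is exactly the information a lookup by key identifier alone does not have. To try the workaround from the thread inside the scratch home, put disable-crl-checks into $GNUPGHOME/gpgsm.conf, keeping in mind that it switches revocation checking off for every certificate, not just for this CA, so it is a stopgap rather than a fix.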
Re: gpgsm: Cannot decrypt with expired certificate for CRL
On 2019-03-26, Jens Lechtenboerger wrote:

> On 2019-03-26, Andre Heinecke wrote:
>
>> On Monday 25 March 2019 10:42:52 CET Jens Lechtenboerger wrote:
>>> Yes, CRLs should not be signed with expired certificates. However,
>>> is the fact that gpgsm prevents me from using my certificate a bug
>>> or a feature?
>>
>> For decrypt I would say: It's a bug. You should always be able to decrypt
>> something for which you have the secret key IMO.
>>
>>> As a workaround I now have disable-crl-checks in my gpgsm.conf.
>>>
>>> Should I file a bug report?
>>
>> Yes please. Ideally with an example certificate chain + test cert attached :-)
>
> For the record: Deleting the expired CA certificate from my keyring
> is another workaround.

That was too fast. The presence or absence of the expired
certificate in my keyring does not matter. The check by dirmngr
fails regardless.

Along the way I also executed this:
$ gpgsm -k --with-validation

This populated ~/.gnupg/crls.d/ with CRLs, which I did not realize.
I guessed that removing the expired certificate solved the problem,
while really those cached CRLs were used. With those present, the
expired certificate can be on the keyring as well.

Best wishes
Jens

Re: gpgsm: Cannot decrypt with expired certificate for CRL
Hi,

On Monday 25 March 2019 19:25:44 CET Peter Lebbing wrote:
> But... shouldn't it always be possible to /decrypt/, no matter the
> revocation status or expiry or whatnot?

Just for the record, the issue was reported by Jens in a ticket and has been
fixed now: https://dev.gnupg.org/T4431

Regards,
Andre
