Mailing List Archive

Debugging dirmngr (gpg --locate-key)
Hello,

I'm trying to debug why the following doesn't fetch the key via WKD:

$ gpg --locate-key torvalds@kernel.org
gpg: error retrieving 'torvalds@kernel.org' via WKD: No data
gpg: error reading key: No data

While naive curl for the WKD URL works:

$ curl -sSL https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x | gpg --import
gpg: key 79BE3E4300411886: public key "Linus Torvalds <torvalds@kernel.org>" imported

I tried debug lookup flags but it doesn't print any useful info:

$ gpg --debug lookup -vvv --locate-key torvalds@kernel.org
gpg: using character set 'utf-8'
gpg: enabled debug flags: lookup
gpg: using pgp trust model
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: SUBSTR: 'torvalds@kernel.org'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: error retrieving 'torvalds@kernel.org' via Local: No public key
gpg: error retrieving 'torvalds@kernel.org' via WKD: No data
gpg: error reading key: No data
gpg: secmem usage: 0/32768 bytes in 0 blocks

Are there any other flags or config options that can be enabled to see
the lookup step by step and check why this fails?

(For the record, locating my own key via my e-mail address works, but as I
don't control kernel.org I can't check what URLs GPG is trying to access.)

I tried this with GnuPG 2.2.12 and 2.2.14.

Thank you in advance!

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: Debugging dirmngr (gpg --locate-key)
Hi,

On Thursday 28 March 2019 20:57:21 CET Wiktor Kwapisiewicz via Gnupg-devel wrote:
> I'm trying to debug why the following doesn't fetch the key via WKD:

The debugging for WKD happens with dirmngr.

I have the following in my dirmngr.conf:

debug-level guru
log-file /tmp/dirmngr.log

Then after the locate key (kill dirmngr after changing the config)
I see in that log:

2019-03-29 09:18:06 dirmngr[6907.6] URL 'https://kernel.org/.well-known/openpgpkey/policy' redirected to 'https://www.kernel.org/.well-known/openpgpkey/policy' (301)
2019-03-29 09:18:06 dirmngr[6907.6] redirection changed to 'https://www.kernel.org/.well-known/openpgpkey/policy'
2019-03-29 09:18:06 dirmngr[6907.6] DBG: http.c:request:
2019-03-29 09:18:06 dirmngr[6907.6] DBG: >> GET /.well-known/openpgpkey/policy HTTP/1.0\r\n
2019-03-29 09:18:06 dirmngr[6907.6] DBG: >> Host: www.kernel.org\r\n
2019-03-29 09:18:06 dirmngr[6907.6] DBG: http.c:request-header:
2019-03-29 09:18:06 dirmngr[6907.6] DBG: >> \r\n
2019-03-29 09:18:06 dirmngr[6907.6] DBG: http.c:response:
2019-03-29 09:18:06 dirmngr[6907.6] DBG: >> HTTP/1.1 404 Not Found\r\n
2019-03-29 09:18:06 dirmngr[6907.6] http.c:RESP: 'Server: nginx'
2019-03-29 09:18:06 dirmngr[6907.6] http.c:RESP: 'Date: Fri, 29 Mar 2019 08:18:06 GMT'
2019-03-29 09:18:06 dirmngr[6907.6] http.c:RESP: 'Content-Type: text/html'
2019-03-29 09:18:06 dirmngr[6907.6] http.c:RESP: 'Content-Length: 162'
2019-03-29 09:18:06 dirmngr[6907.6] http.c:RESP: 'Connection: close'
2019-03-29 09:18:06 dirmngr[6907.6] http.c:RESP: ''
2019-03-29 09:18:06 dirmngr[6907.6] error accessing 'https://www.kernel.org/.well-known/openpgpkey/policy': http status 404

And if I directly force dirmngr to fetch anyway via:

gpg-connect-agent --dirmngr
> WKD_GET torvalds@kernel.org

I get:

2019-03-29 09:24:12 dirmngr[31781.6] URL 'https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds' redirected to 'https://mirrors.edge.kernel.org/pub/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds' (302)
2019-03-29 09:24:12 dirmngr[31781.6] redirection changed to 'https://mirrors.edge.kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds'
2019-03-29 09:24:13 dirmngr[31781.6] DBG: http.c:request:
2019-03-29 09:24:13 dirmngr[31781.6] DBG: >> GET /.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds HTTP/1.0\r\n
2019-03-29 09:24:13 dirmngr[31781.6] DBG: >> Host: mirrors.edge.kernel.org\r\n
2019-03-29 09:24:13 dirmngr[31781.6] DBG: http.c:request-header:
2019-03-29 09:24:13 dirmngr[31781.6] DBG: >> \r\n
2019-03-29 09:24:13 dirmngr[31781.6] DBG: http.c:response:
2019-03-29 09:24:13 dirmngr[31781.6] DBG: >> HTTP/1.1 404 Not Found\r\n
2019-03-29 09:24:13 dirmngr[31781.6] http.c:RESP: 'Server: nginx'
2019-03-29 09:24:13 dirmngr[31781.6] http.c:RESP: 'Date: Fri, 29 Mar 2019 08:24:13 GMT'
2019-03-29 09:24:13 dirmngr[31781.6] http.c:RESP: 'Content-Type: text/html'
2019-03-29 09:24:13 dirmngr[31781.6] http.c:RESP: 'Content-Length: 311'
2019-03-29 09:24:13 dirmngr[31781.6] http.c:RESP: 'Connection: close'
2019-03-29 09:24:13 dirmngr[31781.6] http.c:RESP: ''
2019-03-29 09:24:13 dirmngr[31781.6] error accessing 'https://mirrors.edge.kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds': http status 404
2019-03-29 09:24:13 dirmngr[31781.6] command 'WKD_GET' failed: No data


So it is missing a policy file and the redirect goes to:

https://mirrors.edge.kernel.org/pub/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds

While dirmngr after the redirect queries:

https://mirrors.edge.kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds

Without the "pub". This is why curl / wget work but not dirmngr.

Best Regards,
Andre
--
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: board@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799
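A worked illustration of what Andre's log shows, added here as an editorial example (it is not code from the thread or from GnuPG). It derives the WKD URLs for torvalds@kernel.org the way draft-koch-openpgp-webkey-service specifies them (SHA-1 of the lower-cased local part, z-base-32 encoded, for both the direct and the advanced method), then puts the two redirect behaviours side by side: curl following the Location header as given, and the behaviour visible in the "redirection changed to" line above, where only the new host is adopted and the original path and query are kept. That redirect rule is inferred from the log lines, not taken from dirmngr's source, and the advanced-method URLs are included only because the draft defines them; the thread exercises the direct method.

```python
import hashlib
from urllib.parse import quote, urljoin, urlsplit, urlunsplit

# z-base-32 alphabet used by the WKD draft for the hashed local part.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5-bit groups read MSB-first, no padding characters.
    A 20-byte SHA-1 digest encodes to exactly 32 characters."""
    total_bits = len(data) * 8
    nchars = (total_bits + 4) // 5
    # Right-pad with zero bits so a trailing partial group is still MSB-first.
    bits = int.from_bytes(data, "big") << (nchars * 5 - total_bits)
    return "".join(ZB32_ALPHABET[(bits >> ((nchars - 1 - i) * 5)) & 31]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """Hashed local part per the draft: ASCII letters lower-cased,
    SHA-1, then z-base-32."""
    mapped = "".join(c.lower() if c.isascii() else c for c in local_part)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Key and policy URLs for both lookup methods of the draft.
    The 'l' query parameter carries the local part as written."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")
    return {
        "advanced_key": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "direct_key": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


def curl_style_redirect(original: str, location: str) -> str:
    """What `curl -L` does: follow the Location header as given
    (a relative reference is resolved against the original URL)."""
    return urljoin(original, location)


def dirmngr_style_redirect(original: str, location: str) -> str:
    """Model of the behaviour in the log above ("redirection changed to"):
    only the authority (host[:port]) of the Location header is adopted;
    scheme, path and query of the original request are kept.
    Inferred from the log lines, not dirmngr's own code."""
    o, loc = urlsplit(original), urlsplit(location)
    return urlunsplit((o.scheme, loc.netloc, o.path, o.query, ""))


def compare_redirects(original: str, location: str) -> dict:
    """Where each client sends its next request after a 3xx."""
    return {
        "curl": curl_style_redirect(original, location),
        "dirmngr": dirmngr_style_redirect(original, location),
    }


if __name__ == "__main__":
    urls = wkd_urls("torvalds@kernel.org")
    # Location header from the 302 in Andre's log.
    location = ("https://mirrors.edge.kernel.org/pub/.well-known/openpgpkey/hu/"
                "pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds")
    for name, url in urls.items():
        print(f"{name:16} {url}")
    for client, url in compare_redirects(urls["direct_key"], location).items():
        print(f"{client:8} -> {url}")
```

Running it reproduces the hashed local part from the log (pf113mfnx1f3eb1yiwhsipa91xfc7o4x) and prints the two divergent follow-up URLs: the curl one still contains /pub, the dirmngr-style one does not, which is exactly the 404 Andre observed.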
Re: Debugging dirmngr (gpg --locate-key)
On 29.03.2019 09:30, Andre Heinecke wrote:
> (...)
> Without the "pub". This is why curl / wget work but not dirmngr.

Wow, excellent analysis Andre, as usual, thank you! I'll bookmark your
instructions as I bet they'll come in handy in the future...

As far as I know this change, which requires a strict path match, was done
to avoid a specific vulnerability.

Do you think it would be reasonable to put that requirement in the Web
Key Directory [0] spec? This way other implementations can also be
adjusted so that WKD works consistently across different software.

Kind regards,
Wiktor

[0]: https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/

--
https://metacode.biz/@wiktor
Re: Debugging dirmngr (gpg --locate-key)
On Fri, 29 Mar 2019 10:07, gnupg-devel@gnupg.org said:

> As far as I know this change, that requires strict path match was done
> to avoid a specific vulnerability.

Cross site request forgery. The fear is that if you are on a site which
uses only IP based authentication to access internal services of your
site (e.g. a dedicated host to control the lighting of your building)
an attacker can control that internal service by sending you a redirect
to that host. Your dirmngr would then contact that internal host and
access will be granted because the request comes from inside your own
network.

I consider this quite far fetched but we better protect against this. See
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000858

> Do you think it would be reasonable to put that requirement in the Web
> Key Directory [0] spec? This way other implementations can also be
> adjusted so that WKD works consistently across different software.

Yes, I think this is useful.

However, there is a second problem with kernel.org: They do not provide
the (possibly empty) policy file. This is a problem for two reasons:

If dirmngr looks up a key for one domain and does not find one, it will
test for the presence of the policy file. If no policy file is found
either, further WKD requests to this domain are not performed until a
restart of dirmngr or until the domain is kicked out of dirmngr's hash
table with domain names [1].

Testing for domains supporting the web key directory does not work
because it is based on the presence of the policy file.

$ gpg-wks-client --with-colons --supported gnupg.org posteo.de kernel.org
gnupg.org:1:1::0:0:0:
posteo.de:1:1::0:1:1:
kernel.org:0:0::
! !- Submitting keys supported
!--- Lookup supported



Shalom-Salam,

Werner



[1] We still need to add time based removal of domains.

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
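To make Werner's two points concrete, an added editorial example; it is not dirmngr's code and not anything posted in the thread. The first part is a redirect gate a WKD client could apply before following a 3xx: it rejects a Location that changes the path or query (rejecting rather than rewriting, which is stricter than what dirmngr's log above shows) and refuses to follow to a host that resolves to a non-public address, which is the internal-service CSRF case Werner describes. The second part models the per-domain cache he explains: after a key miss the policy file is probed, and if that is missing too the domain is marked unsupported and no further requests go to it until a restart. DNS is replaced by a constructed name-to-address table (FAKE_DNS) and the HTTPS side by an in-memory route map so the script runs offline; lights.corp.example and every address in the table are made up for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name -> address table standing in for DNS (no real records).
# 1.2.3.4 / 5.6.7.8 merely look public; lights.corp.example plays the
# internal building-control host from Werner's example.
FAKE_DNS = {
    "kernel.org": "1.2.3.4",
    "mirrors.edge.kernel.org": "5.6.7.8",
    "lights.corp.example": "10.0.0.5",
    "localhost": "127.0.0.1",
}


def redirect_is_safe(original: str, location: str, resolve=FAKE_DNS.get):
    """Gate a redirect before following it. Returns (ok, reason).

    1. Scheme must stay https (no downgrade to a plaintext fetch).
    2. Path and query must be unchanged, so a Location header cannot point
       the client at an arbitrary resource (strict path rule; this version
       rejects rather than rewrites).
    3. The new host must resolve to a globally routable address, which
       stops the redirect-to-internal-host CSRF that Werner describes.
    Illustrative policy written for this example, not dirmngr's logic.
    """
    o, loc = urlsplit(original), urlsplit(location)
    if loc.scheme != "https":
        return False, "scheme is not https"
    if loc.path != o.path or loc.query != o.query:
        return False, "path or query changed"
    ip = resolve(loc.hostname)
    if ip is None:
        return False, f"{loc.hostname} does not resolve"
    if not ipaddress.ip_address(ip).is_global:
        return False, f"{loc.hostname} resolves to non-public address {ip}"
    return True, "ok"


class FakeWkdServer:
    """Constructed HTTPS stand-in: full URL -> status code, 404 otherwise."""

    def __init__(self, routes):
        self.routes = routes
        self.requests = []  # every URL the client asked for, in order

    def get(self, url):
        self.requests.append(url)
        return self.routes.get(url, 404)


class WkdDomainCache:
    """Per-domain behaviour Werner describes: on a key miss the policy file
    is probed; if that is missing too, the domain is recorded as not
    supporting WKD and no further requests go to it until 'restart'
    (here: creating a new instance)."""

    def __init__(self, server):
        self.server = server
        self.unsupported = set()

    def lookup(self, key_url):
        domain = urlsplit(key_url).hostname
        if domain in self.unsupported:
            return "skipped: domain cached as unsupported"
        if self.server.get(key_url) == 200:
            return "key found"
        policy_url = f"https://{domain}/.well-known/openpgpkey/policy"
        if self.server.get(policy_url) == 200:
            return "no key, but domain supports WKD"
        self.unsupported.add(domain)
        return "no key and no policy file: domain marked unsupported"


def demo():
    """Two lookups for the same kernel.org address against a server that
    serves neither the key nor the policy file; only the first one
    reaches the network."""
    key_url = ("https://kernel.org/.well-known/openpgpkey/hu/"
               "pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds")
    server = FakeWkdServer({})  # nothing under /.well-known/openpgpkey/
    client = WkdDomainCache(server)
    first, second = client.lookup(key_url), client.lookup(key_url)
    return first, second, list(server.requests)


if __name__ == "__main__":
    key = ("https://kernel.org/.well-known/openpgpkey/hu/"
           "pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds")
    for loc in (key.replace("kernel.org", "mirrors.edge.kernel.org", 1),
                key.replace("kernel.org", "lights.corp.example", 1),
                key.replace("/.well-known", "/pub/.well-known", 1)):
        print(redirect_is_safe(key, loc), loc)
    print(demo())
```

The resolver check is the piece dirmngr does not do (it relies on the path rule alone); a client that also classifies the resolved address catches the case where a public hostname deliberately points at RFC 1918 space. The cache model shows why gpg-wks-client --supported reports kernel.org as 0:0: with no policy file there is nothing to distinguish "no key for this user" from "domain does not do WKD".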