
[issue151] gpgme_key_t->expired == false on expired (S/MIME) key with validating keylisting.
New submission from Marc Mutz <marc@klaralvdalens-datakonsult.se>:

This is what a validating keylisting returns for my old
CN=Marc Mutz,L=org,OU=KMail,O=KDE,C=DE
key that expired June 2003:

(gdb) p *key
$5 = {_refs = 1, revoked = 0, expired = 0, disabled = 0, invalid = 0,
can_encrypt = 1, can_sign = 1, can_certify = 0, secret = 1,
can_authenticate = 0, _unused = 0, protocol = GPGME_PROTOCOL_CMS,
issuer_serial = 0x8138390 "0B",
issuer_name = 0x817cd80 "CN=Test-ZS3,O=Intevation GmbH,C=DE",
chain_id = 0x8177698 "09AA5F1DE795237656239C9A78536B07E43C15AC",
owner_trust = GPGME_VALIDITY_UNKNOWN, subkeys = 0x8177900,
uids = 0x8199688, _last_subkey = 0x8177900, _last_uid = 0x8171128}
(gdb) p *key->uids
$6 = {next = 0x8171128, revoked = 0, invalid = 1, _unused = 0,
validity = GPGME_VALIDITY_UNKNOWN,
uid = 0x81996ac "CN=Marc Mutz,OU=KMail,O=KDE,L=org,C=DE",
name = 0x81996d2 "", email = 0x81996d2 "", comment = 0x81996d2 "",
signatures = 0x0, _last_keysig = 0x0}
(gdb) p *key->subkeys
$7 = {next = 0x0, revoked = 0, expired = 0, disabled = 0, invalid = 1,
can_encrypt = 1, can_sign = 1, can_certify = 0, secret = 0,
can_authenticate = 0, _unused = 0, pubkey_algo = GPGME_PK_RSA,
length = 1024, keyid = 0x8177914 "528130280665A867",
_keyid = "528130280665A867",
fpr = 0x81997f8 "67348E8ACF3DFBB38121353B528130280665A867",
timestamp = 1042554823, expires = 1058106823}
(gdb) p time(0)
$8 = 1082034803

cf. the values of $8 and $7.expires...

The effect is that all certs are marked as valid in certmanager with the new
validate certs function...

Same goes for revoked certs:
$ gpgsm --list-keys --with-validation C86D3C261BC257877CA44EFB2E6C6ECF0A280532
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
/home/marc/.gnupg/pubring.kbx
-----------------------------
Serial number: 0C
Issuer: /CN=ZS 4/O=Intevation GmbH/C=DE
Subject: /CN=David Faure/O=Klarälvdalens Datakonsult AB/L=Cheval
Blanc/C=SE
aka: dfaure@klaralvdalens-datakonsult.se
validity: 2004-02-18 10:05:42 through 2006-02-17 10:05:42
key usage: digitalSignature nonRepudiation keyEncipherment
fingerprint: C8:6D:3C:26:1B:C2:57:87:7C:A4:4E:FB:2E:6C:6E:CF:0A:28:05:32
gpgsm: no running dirmngr - starting one
can't connect to `/home/marc/.gnupg/log-socket': Connection refused
switching logging to stderr
dirmngr[30273.0x80646b8] DBG: -> OK Dirmngr 0.5.4-cvs at your service
gpgsm: DBG: connection to dirmngr established
dirmngr[30273.0x80646b8] DBG: <- ISVALID
0EFFD19584318700CE22B0528C0E005F722A69A7.0C
dirmngr[30273]: opening cache file
`/home/marc/.gnupg/dirmngr-cache.d/crl-0EFFD19584318700CE22B0528C0E005F722A69A7.db'
dirmngr[30273]: S/N 0C is not valid; reason=00 date=20040224T115352
dirmngr[30273]: command ISVALID failed: Certificate revoked
dirmngr[30273.0x80646b8] DBG: -> ERR 167772254 Certificate revoked <Dirmngr>
[certificate has been revoked]
dirmngr[30273.0x80646b8] DBG: <- ISVALID
7F2A402CBB016A9146D613568C89D3596A4111AA.01
dirmngr[30273]: opening cache file
`/home/marc/.gnupg/dirmngr-cache.d/crl-7F2A402CBB016A9146D613568C89D3596A4111AA.db'
dirmngr[30273]: S/N 01 is valid, it is not listed in the CRL
dirmngr[30273.0x80646b8] DBG: -> OK
gpgsm: no running gpg-agent - starting one
gpg-agent[30274]: Secure memory is not locked into core
gpg-agent[30274]: NOTE: this is a development version!
can't connect to `/home/marc/.gnupg/log-socket': Connection refused
switching logging to stderr
gpg-agent[30274.0x8073b18] DBG: -> OK Your orders please
gpgsm: DBG: connection to agent established
gpg-agent[30274.0x8073b18] DBG: <- RESET
gpg-agent[30274.0x8073b18] DBG: -> OK
gpg-agent[30274.0x8073b18] DBG: <- OPTION display=:0
gpg-agent[30274.0x8073b18] DBG: -> OK
gpg-agent[30274.0x8073b18] DBG: <- OPTION ttyname=/dev/pts/3
gpg-agent[30274.0x8073b18] DBG: -> OK
gpg-agent[30274.0x8073b18] DBG: <- OPTION ttytype=xterm
gpg-agent[30274.0x8073b18] DBG: -> OK
gpg-agent[30274.0x8073b18] DBG: <- OPTION lc-ctype=C
gpg-agent[30274.0x8073b18] DBG: -> OK
gpg-agent[30274.0x8073b18] DBG: <- OPTION lc-messages=C
gpg-agent[30274.0x8073b18] DBG: -> OK
gpg-agent[30274.0x8073b18] DBG: <- ISTRUSTED
A6935DD34EF3087973C706FC311AA2CCF733765B
gpg-agent[30274.0x8073b18] DBG: -> OK
dirmngr[30273.0x80646b8] DBG: <- ISVALID
7F2A402CBB016A9146D613568C89D3596A4111AA.00
dirmngr[30273]: S/N 00 is valid, it is not listed in the CRL
dirmngr[30273.0x80646b8] DBG: -> OK
[certificate is bad: Certificate revoked]

secmem usage: 1344/16384 bytes in 2 blocks
dirmngr[30273.0x80646b8] DBG: <- [EOF]


yet:

(gdb) p *key
$9 = {_refs = 1, revoked = 0, expired = 0, disabled = 0, invalid = 0,
can_encrypt = 1, can_sign = 1, can_certify = 0, secret = 0,
can_authenticate = 0, _unused = 0, protocol = GPGME_PROTOCOL_CMS,
issuer_serial = 0x81a2578 "0C",
issuer_name = 0x81a0828 "CN=ZS 4,O=Intevation GmbH,C=DE",
chain_id = 0x819a328 "28126047B34F852D9408A968508F21F065E65E44",
owner_trust = GPGME_VALIDITY_UNKNOWN, subkeys = 0x8197fe0,
uids = 0x815bfc8, _last_subkey = 0x8197fe0, _last_uid = 0x81a7d40}
(gdb) p *key->uids
$10 = {next = 0x81a7d40, revoked = 1, invalid = 0, _unused = 0,
validity = GPGME_VALIDITY_UNKNOWN,
uid = 0x815bfec "CN=David Faure,O=Klarälvdalens Datakonsult AB,L=Cheval
Blanc,C=SE", name = 0x815c02e "", email = 0x815c02e "",
comment = 0x815c02e "", signatures = 0x0, _last_keysig = 0x0}
(gdb) p *key->subkeys
$11 = {next = 0x0, revoked = 1, expired = 0, disabled = 0, invalid = 0,
can_encrypt = 1, can_sign = 1, can_certify = 0, secret = 0,
can_authenticate = 0, _unused = 0, pubkey_algo = GPGME_PK_RSA,
length = 1024, keyid = 0x8197ff4 "2E6C6ECF0A280532",
_keyid = "2E6C6ECF0A280532",
fpr = 0x81a96a0 "C86D3C261BC257877CA44EFB2E6C6ECF0A280532",
timestamp = 1077098742, expires = 1140170742}

As you can see, in this case, the problem is that gpgme_key_t->revoked is not set,
although gpgme_subkey_t->revoked and gpgme_user_id_t->revoked are.

----------
assignedto: werner
messages: 693
nosy: marc, werner
priority: bug
status: unread
title: gpgme_key_t->expired == false on expired (S/MIME) key with validating keylisting.
topic: GPGME, gpgsm
______________________________________________________
Aegypten issue tracker <aegypten-issues@intevation.de>
<https://intevation.de/roundup/aegypten/issue151>
______________________________________________________
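A defensive check for the mismatch described in this report, added here as an example; it is not code from the report or from GPGME. It models the gpgme_key_t, gpgme_subkey_t and gpgme_user_id_t fields that appear in the gdb dumps with minimal stand-in structs (an assumption, so that it compiles offline without gpgme.h), and derives the certificate status from the subkey and user-ID entries instead of trusting the top-level `expired`/`revoked` flags. The two sample certificates are reconstructed from the values printed above ($7/$6, $11/$10 and the time(0) result $8).

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for the gpgme_key_t / gpgme_subkey_t / gpgme_user_id_t
 * structures printed by gdb in the report. Only the fields this check needs
 * are modelled; this is an assumption for an offline example, not gpgme.h. */
typedef struct subkey {
    struct subkey *next;
    unsigned int revoked : 1, expired : 1, disabled : 1, invalid : 1;
    long timestamp;   /* creation time, seconds since the epoch */
    long expires;     /* expiry time; 0 means "never expires" (gpgme convention) */
} subkey_t;

typedef struct user_id {
    struct user_id *next;
    unsigned int revoked : 1, invalid : 1;
} user_id_t;

typedef struct cert {
    unsigned int revoked : 1, expired : 1, disabled : 1, invalid : 1;
    subkey_t *subkeys;   /* first entry: the primary key, or the certificate itself for CMS */
    user_id_t *uids;
} cert_t;

typedef enum { CERT_OK, CERT_EXPIRED, CERT_REVOKED, CERT_INVALID } cert_status_t;

/* Derive the status from the primary subkey and the user IDs rather than from
 * the top-level flags, which the report shows staying 0 in validating
 * keylisting mode. Revocation wins over expiry so that a revoked certificate
 * that is also past its end date is still reported as revoked. */
cert_status_t cert_effective_status(const cert_t *k, long now)
{
    const subkey_t *primary = k->subkeys;
    bool revoked = k->revoked, expired = k->expired, invalid = k->invalid;

    if (primary) {
        revoked = revoked || primary->revoked;
        invalid = invalid || primary->invalid;
        expired = expired || primary->expired ||
                  (primary->expires != 0 && primary->expires < now);
    }
    /* An S/MIME certificate has one subject, so a revoked user ID entry
     * mirrors revocation of the certificate itself. */
    for (const user_id_t *u = k->uids; u; u = u->next)
        if (u->revoked)
            revoked = true;

    if (revoked) return CERT_REVOKED;
    if (expired) return CERT_EXPIRED;
    if (invalid) return CERT_INVALID;
    return CERT_OK;
}

/* time(0) as printed in the report ($8). */
static const long REPORT_NOW = 1082034803L;

/* Marc Mutz's certificate ($7 / $6): key->expired == 0, expires < now. */
cert_status_t status_of_expired_sample(void)
{
    user_id_t uid = { NULL, 0, 1 };
    subkey_t sk = { NULL, 0, 0, 0, 1, 1042554823L, 1058106823L };
    cert_t k = { 0, 0, 0, 0, &sk, &uid };
    return cert_effective_status(&k, REPORT_NOW);
}

/* David Faure's certificate ($11 / $10): key->revoked == 0, subkey and uid revoked. */
cert_status_t status_of_revoked_sample(void)
{
    user_id_t uid = { NULL, 1, 0 };
    subkey_t sk = { NULL, 1, 0, 0, 0, 1077098742L, 1140170742L };
    cert_t k = { 0, 0, 0, 0, &sk, &uid };
    return cert_effective_status(&k, REPORT_NOW);
}

int main(void)
{
    static const char *names[] = { "ok", "expired", "revoked", "invalid" };
    printf("Marc Mutz cert:   key->expired=0, derived status=%s\n",
           names[status_of_expired_sample()]);
    printf("David Faure cert: key->revoked=0, derived status=%s\n",
           names[status_of_revoked_sample()]);
    return 0;
}
```

Against the real gpgme structures the same walk applies unchanged, since the field names match; the point is that a certificate manager deciding whether to show a certificate as valid should consult `subkeys` and `uids`, not only the summary bits on `gpgme_key_t`, until the library sets them consistently.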