Problems with cert validation via CRL

David Gray deg at davidegray.com
Wed Feb 22 02:03:19 CET 2017


You were correct, Peter.  I haven't had a chance to verify on Ubuntu yet, but 
on Windows the following steps did the trick:

- there was no 'trusted-certs' directory in my existing home directory
  (C:\users\dave\appdata\Roaming\gnupg\), so I created one.  I also went ahead
  and created a 'logs' directory.
- I added the line "log-file C:\Users\dave\AppData\Roaming\gnupg\logs\dirmngrlog.txt"
  to my dirmngr.conf file to capture what I wanted.
- I saved a copy of the root cert with fingerprint
  02FAF3E291435468607857694DF5E45B68851868 to a DER-encoded file with .crt
  extension in the 'trusted-certs' directory.
- I executed the 'gpgsm --list-keys --with-validation --debug-all' command,
  and all keys were shown to be good.

I've attached the debug output from the command as well as the dirmngrlog.txt 
file that was generated in case it is of interest.  (As an aside, you may 
notice that I've installed version 2.1.18 since the last output was provided). 
I don't fully understand everything that is shown in these files, but it sure 
seems to me like you were exactly right - dirmngr did not know to trust that 
root cert, so it couldn't verify that the CRL was signed by a trustworthy 
party.  Once I told dirmngr that the root cert could be trusted, it could 
verify the CRL.  I've since been able to encrypt data using this key, so 
things are looking good.

I can't thank you enough - this has been extremely helpful.

Thanks!

Dave
-----Original Message-----
From: Peter Lebbing [mailto:peter at digitalbrains.com]
Sent: Tuesday, February 21, 2017 10:13 AM
To: David Gray <deg at davidegray.com>; NIIBE Yutaka <gniibe at fsij.org>
Cc: gnupg-users at gnupg.org
Subject: Re: Problems with cert validation via CRL

On 21/02/17 13:20, David Gray wrote:
> I'm no expert, but when I look at the debug info (attached to original
> email), it appears that gpgsm is able to get the crl that my cert
> points to but it may be having trouble parsing it.

Reading that part made me think it couldn't find the issuer of the CRL:

> dirmngr[3184.0]: error fetching certificate by subject: Configuration error
> dirmngr[3184.0]: CRL issuer certificate {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found

When I fetch the CRL we're talking about, OpenSSL tells me about it:

> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
>         Last Update: Feb 20 16:07:34 2017 GMT
>         Next Update: Feb 24 16:07:34 2017 GMT
>         CRL extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>             X509v3 CRL Number:
>                 822

The issuer is the certificate that gpgsm knows about:

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
>         Validity
>             Not Before: Dec 22 00:00:00 2014 GMT
>             Not After : May 30 10:48:38 2020 GMT
>         Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Client Authentication and Secure Email CA [...]
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>             X509v3 Subject Key Identifier:
>                 92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
> [...]
> SHA1 Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:89

I suspect that even though gpgsm knows about it, dirmngr might not, hence the 
failing CRL verification. I think you need to feed the certificate to dirmngr 
as well.

Whether this is actually the reason you're having problems, I don't know.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

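The check Peter describes above (does the CRL's Authority Key Identifier name the Subject Key Identifier of a certificate dirmngr actually holds?) and the fix Dave applied (a DER copy of the issuer under trusted-certs/), as an added example that is not part of this thread and not GnuPG project code. It builds a throwaway CA and CRL locally with openssl so it runs offline and touches nothing under the real ~/.gnupg; the temporary GNUPGHOME, naming the installed file after its SHA-1 fingerprint, and the RUN_GPGSM switch are choices made here, not anything GnuPG requires.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the failure Peter diagnosed
# (dirmngr has the CRL but not the certificate whose Subject Key Identifier
# matches the CRL's Authority Key Identifier) and the fix Dave applied (a DER
# copy of the issuer in dirmngr's trusted-certs directory). Runs offline
# against a CA generated here; nothing from COMODO/AddTrust is fetched.
set -e

WORK=$(mktemp -d); export WORK
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupghome"          # never touch the real ~/.gnupg
mkdir -p "$GNUPGHOME/trusted-certs" "$GNUPGHOME/logs"

# Constructed sample: a self-signed CA with an SKI, and a CRL it signs whose
# AKI points back at that SKI (the same relationship as in Peter's dump).
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Sample Issuing CA (constructed)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = sample_ca
[ sample_ca ]
database = $ENV::WORK/index.txt
crlnumber = $ENV::WORK/crlnumber
default_md = sha256
default_crl_days = 7
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid
EOF
make_sample_ca() {   # writes ca.key, ca.pem, ca.crl and an unrelated other.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    : > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
    openssl ca -gencrl -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" \
        -cert "$WORK/ca.pem" -out "$WORK/ca.crl" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -subj "/CN=Unrelated CA (constructed)" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Key identifiers as bare upper-case hex, minus the "keyid:" prefix that older
# OpenSSL prints. Usage: crl_issuer_keyid CRL ; cert_subject_keyid CERT [PEM|DER]
crl_issuer_keyid() {
    openssl crl -in "$1" -noout -text |
        awk '/Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }' |
        tr -d ':' | tr 'a-f' 'A-F'
}
cert_subject_keyid() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -text |
        awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }' |
        tr -d ':' | tr 'a-f' 'A-F'
}
# The question dirmngr is answering: is CERT the certificate this CRL names as
# its signer? Prints yes/no.
crl_matches_issuer() {   # crl_matches_issuer CRL CERT
    aki=$(crl_issuer_keyid "$1"); ski=$(cert_subject_keyid "$2")
    if [ -n "$aki" ] && [ "$aki" = "$ski" ]; then echo yes; else echo no; fi
}

# Dave's fix: a DER copy of the issuer under trusted-certs/. Naming the file by
# its SHA-1 fingerprint is a convention chosen here; dirmngr only requires DER
# and a .crt or .der suffix. Prints the installed path.
install_trusted_cert() {   # install_trusted_cert PEMCERT
    fpr=$(openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g')
    out="$GNUPGHOME/trusted-certs/$fpr.crt"
    openssl x509 -in "$1" -outform DER -out "$out"
    echo "$out"
}
# The log-file line from the thread, for this GNUPGHOME.
printf 'log-file %s/logs/dirmngr.log\n' "$GNUPGHOME" > "$GNUPGHOME/dirmngr.conf"

make_sample_ca
echo "CRL AKI                : $(crl_issuer_keyid "$WORK/ca.crl")"
echo "issuer SKI             : $(cert_subject_keyid "$WORK/ca.pem")"
echo "matches real issuer    : $(crl_matches_issuer "$WORK/ca.crl" "$WORK/ca.pem")"
echo "matches unrelated cert : $(crl_matches_issuer "$WORK/ca.crl" "$WORK/other.pem")"
installed=$(install_trusted_cert "$WORK/ca.pem")
echo "installed for dirmngr  : $installed"

# The validation run from the thread. It needs gpg-agent and dirmngr (and may
# prompt through pinentry), so it only runs when RUN_GPGSM=1 is set.
if [ "${RUN_GPGSM:-0}" = 1 ]; then
    gpgsm --batch --import "$installed"
    gpgsm --batch --list-keys --with-validation
    cat "$GNUPGHOME/logs/dirmngr.log"
fi
```

Run it with openssl on the path; set RUN_GPGSM=1 to also run the gpgsm validation once GnuPG's agent and dirmngr are available. Pointed at the real CRL and the COMODO intermediate from the thread instead of the sample, the two keyid functions give the same yes/no that Peter read out of the dirmngr log: a "no" against every certificate dirmngr holds is exactly the "CRL issuer certificate ... not found" case.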