S/MIME which certificate format
Werner Koch
wk at gnupg.org
Tue May 13 15:32:56 CEST 2025
On Thu, 8 May 2025 09:51, Werner Koch said:
> Please send me the PKCS7.p7b file again by private mail and gzip it
> first to avoid any problems.
Thanks. That file is a certs-only CMS object. It is base64 encoded w/o
the header lines. After converting this to binary I get:
$ gpgsm -v --import ~/tmp/PKCS7_m.p7
[...]
gpgsm: certificate imported
gpgsm: certificate is good
gpgsm: certificate imported
gpgsm: certificate is good
gpgsm: certificate imported
gpgsm: certificate is good
gpgsm: certificate is good
gpgsm: certificate imported
gpgsm: no subject found in certificate
gpgsm: total number processed: 4
gpgsm: imported: 4
[GNUPG:] FAILURE gpgsm-exit 50331649
Thus all certificates were imported but due to a missing subject in one
of them, gpgsm returns with an error (the code is General Error). A gpgsm
-k gives (with some redaction):
S/N: 01
Issuer: /CN=AAA Certificate Services/O=Comodo CA Limited/L=Salford/ST=Greater Manchester/C=GB
Subject: [Same as /CN=AAA Certificate Services/O=Comodo CA Limited/L=Salford/ST=Greater Manchester/C=GB
S/N: 3972443AF922B751D7D36C10DD313595
(dec): 76359301477803385872276235234032301461
Issuer: /CN=AAA Certificate Services/O=Comodo CA Limited/L=Salford/ST=Greater Manchester/C=GB
Subject: /CN=USERTrust RSA Certification Authority/O=The USERTRUST Network/L=Jersey City/ST=New Jersey/C=US
S/N: 4D942C10D43BE09409C5812D3A2B064F
Issuer: /CN=USERTrust RSA Certification Authority/O=The USERTRUST Network/L=Jersey City/ST=New Jersey/C=US
Subject: /CN=Sectigo RSA Client Authentication and Secure Email CA/O=Sectigo Limited/L=Salford/ST=Greater Manchester/C=GB
ID: 0x520AB3F9
S/N: 00CDB882CF52A4258A4CB6FA03C415DDBD
Issuer: /CN=Sectigo RSA Client Authentication and Secure Email CA/O=Sectigo Limited/L=Salford/ST=Greater Manchester/C=GB
Subject: [Error - No name]
aka: <mail address redacted - wk>
Because gpgsm does by default only detect armored and binary data you
need to tell it that the input is base64 only:
$ gpgsm -v --import --assume-base64 ~/tmp/PKCS7_m.p7b
That will yield the same result as my import from the binary version.
Takeaway is that we can handle an empty subject but that we return an
error. I just fixed this for master and 2.4.
See https://dev.gnupg.org/T7171
Auto detecting plain base64 will not be implemented (in your sample this
is just one long line).
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
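
Added example (not part of the original message and not GnuPG code): a pre-check that tells binary, armored and bare base64 certificate bundles apart and builds the matching gpgsm import command from the message above. The function names, the sample bytes and the file name bundle.p7b are assumptions made for illustration.

```python
import base64
import binascii
import re

def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one definite-length DER SEQUENCE (tag 0x30)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:  # short form length
        return len(data) == 2 + first
    n = first & 0x7F  # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # n == 0 is BER indefinite length, not handled
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(raw: bytes):
    """Return (kind, der); kind is 'binary', 'armored', 'base64' or 'unknown'."""
    if der_sequence_ok(raw):
        return "binary", raw
    text = raw.decode("ascii", errors="replace")
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    kind, body = ("armored", m.group(2)) if m else ("base64", text)
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown", b""
    return (kind, der) if der_sequence_ok(der) else ("unknown", b"")

def gpgsm_import_args(kind: str, path: str) -> list:
    """Build the import command; only bare base64 needs the extra flag."""
    if kind == "unknown":
        raise ValueError("input is neither DER, armored nor bare base64")
    extra = ["--assume-base64"] if kind == "base64" else []
    return ["gpgsm", "-v", "--import", *extra, path]

# Constructed sample: SEQUENCE { OID 1.2.840.113549.1.7.2 (signedData) }, not a real bundle
SAMPLE_DER = bytes.fromhex("300b06092a864886f70d010702")
BARE_B64 = base64.b64encode(SAMPLE_DER)  # one long line without header lines
ARMORED = b"-----BEGIN PKCS7-----\n" + BARE_B64 + b"\n-----END PKCS7-----\n"

if __name__ == "__main__":
    for name, blob in [("binary", SAMPLE_DER), ("bare base64", BARE_B64), ("armored", ARMORED)]:
        kind, _ = classify(blob)
        print(name, "->", " ".join(gpgsm_import_args(kind, "bundle.p7b")))
```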