| Summary: | Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain | | |
|---|---|---|---|
| Product: | [Applications] kleopatra | Reporter: | Achim Bohnet <ach> |
| Component: | general | Assignee: | Andre Heinecke <aheinecke> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | normal | CC: | kdepim-bugs, mutz |
| Priority: | NOR | | |
| Version: | 3.1.0 | | |
| Target Milestone: | --- | | |
| Platform: | Other | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
| Sentry Crash Report: | | | |
Attachments:

- example mail that has a correct signature, not validated by kmail
- Trust chain
- More infos about the involved CA in trust chain
- Test Msg in Thunderbird
- Test Msg in Kmail
- Info about the whole trust chain
Created attachment 106419 [details]
Trust chain

Created attachment 106420 [details]
More infos about the involved CA in trust chain

Created attachment 108060 [details]
Test Msg in Thunderbird

Thunderbird trusts that this mail is not altered.

Created attachment 108061 [details]
Test Msg in Kmail

Kmail says not enough information available.
But as shown, the complete trust chain is in kleopatra.

Created attachment 108062 [details]
Info about the whole trust chain

Trust chain info is available. Nevertheless kmail says: no status information available.
(Thunderbird and Apple Mail tell me the Msg is trustworthy; for all, including kmail/kleopatra, I loaded my cert and the trust chain file.)
(FWIW I can decrypt an email I sent to myself, but signature check fails with "no status information available".) Here, I think, is the relevant part of the kleopatra log:

```
4 - 2017-09-27 20:48:12 gpgsm[7370]: detached signature
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_95 -> S NEWSIG
4 - 2017-09-27 20:48:12 gpgsm[7370]: Signatur erzeugt am 2017-09-21 11:34:22 mittels Zertifikat ID 0xA15353E8
4 - 2017-09-27 20:48:12 gpgsm[7370]: Datei `/home/achim/.gnupg/policies.txt' kann nicht geöffnet werden: Datei oder Verzeichnis nicht gefunden
4 - 2017-09-27 20:48:12 gpgsm[7370]: Hinweis: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_10 <- # Home: /home/achim/.gnupg
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_10 <- # Config: /home/achim/.gnupg/dirmngr.conf
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_10 <- OK Dirmngr 2.1.11 at your service
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- # Home: /home/achim/.gnupg
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- # Config: /home/achim/.gnupg/dirmngr.conf
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- OK Dirmngr 2.1.11 at your service
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: connection to the dirmngr established
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> GETINFO version
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- D 2.1.11
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- OK
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> OPTION audit-events=1
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- OK
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> LDAPSERVER ldap.pca.dfn.de:0:::
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- OK
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> ISVALID C87B47CB198E371981D5A9C3926F5BCF6A5290D7.1AFE56DB930CEF
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- INQUIRE SENDCERT
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> [ 44 20 30 82 05 80 30 82 04 68 a0 03 02 01 02 02 ...(982 byte(s) skipped) ]
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> [ 44 20 07 30 01 86 27 68 74 74 70 3a 2f 2f 6f 63 ...(444 byte(s) skipped) ]
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> END
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- INQUIRE SENDCERT /1.2.840.113549.1.9.1=#6D70672D6361406D70672E6465,CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE
4 - 2017-09-27 20:48:12 gpgsm[7370]: certificate not found: Mehrdeutiger Name
4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> CAN
4 - 2017-09-27 20:48:13 gpgsm[7370]: DBG: chan_11 <- ERR 167772217 Fehlendes Zertifikat <Dirmngr>
4 - 2017-09-27 20:48:13 gpgsm[7370]: certificate #1AFE56DB930CEF/1.2.840.113549.1.9.1=#6D70672D6361406D70672E6465,CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE
4 - 2017-09-27 20:48:13 gpgsm[7370]: Die CRL konnte nicht geprüft werden: Nicht gefunden
4 - 2017-09-27 20:48:13 gpgsm[7370]: Benutztes Gültigkeitsmodell: Schale
4 - 2017-09-27 20:48:13 gpgsm[7370]: DBG: chan_95 -> S GOODSIG BB76E8A1B47AD3C579E402C571473BE1A15353E8 /CN=Achim Bohnet/OU=Max-Planck-Institut fuer extraterrestrische Physik/O=Max-Planck-Gesellschaft/C=DE
4 - 2017-09-27 20:48:13 gpgsm[7370]: DBG: chan_95 -> S VALIDSIG BB76E8A1B47AD3C579E402C571473BE1A15353E8 2017-09-21 20170921T113422 20190308T135315 0 0 1 8 00
4 - 2017-09-27 20:48:13 gpgsm[7370]: invalid certification chain: Nicht gefunden
4 - 2017-09-27 20:48:13 gpgsm[7370]: DBG: chan_95 -> S TRUST_UNDEFINED 27
```

More information about the MPG CA: https://info.pca.dfn.de/mpg-ca/index.html

I give up. I thought I once saw that the MPG CA had a valid and a revoked cert (but I can't find it anymore :-( ). Maybe that's the reason for the failure, but I've no clue how to prove it :-(

DIRTY insecure WORKAROUND: Kmail allows in settings -> configure kmail -> security -> tab s/mime validation: enable "never consult a CRL". Now signature validation works and I could even send, for the first time, signed and/or encrypted e-mails with kmail.
This confirms my suspicion from comment 8, that the problem is with an older revoked certificate of MPG CA. So somehow either kleopatra or kmail fails to handle this case properly. I wish I could remember how and where I once found the info about the revoked certificate of the MPG CA to send more details. But I don't remember and failed to find it again :-(

Next go: The DFN CA and MPG CA in the chain of my personal certificate as the Issuers:

a) DN: CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
b) DN: CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE

There are 2 certificates in my pubring matching the strings (a) and (b) (well, (a) matches 3 but one is revoked); both of them are valid until Jul 2019. The two variants differ in that the older one uses SHA1 (valid since ~2006/7) as the hash algorithm and the other uses SHA256 (valid since 2014). I've deleted the SHA1 variant of DFN CA - G01 and(!) MPG CA - G01 and now kmail accepts e-mail signed by me as valid. I can even send e-mails signed by me, without disabling CRL checks in kmail settings. Yeah! So my cert has an IssuerString "MPG CA ..." matching an SHA1 cert and a SHA256 cert. DITTO for the "MPG CA ..." cert itself, whose DFN issuer value also matches 2 valid certs (one SHA1, one SHA256).
So AFAIU the problematic spot is:

```
4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 <- INQUIRE SENDCERT /CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
4 - 2018-06-15 09:31:02 gpgsm[14885]: certificate not found: Mehrdeutiger Name
4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 -> CAN
4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 <- ERR 167772217 Fehlendes Zertifikat <Dirmngr>
4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 -> D crt:i:2048:1:856D3B2E89D15A59:20140527T145346:20190709T235900:17A4248A6BC150::CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE::cC:::%0Afpr:::::::::
4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 -> OK
4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 <- BYE
```

gpgsm is 2.1.11-6ubuntu2.1 and kmail is v18.04.1 (from 16.04/Neon User with 5.13).

So my conclusion is, FWIW: the DN is not unique, so 2 matches are found (ditto for the DFN CA G01), and validating signatures and sending of signed/encrypted mail in kmail fails. What confuses me is that Thunderbird on the same system does not complain. Maybe kmail should use Subject instead of DN? Or thunderbird is buggy or ... well, I don't know.

Oh, I was wrong. The subjects of the 2 MPG CA certs are identical too. So it looks like copying my .gnupg/ dir for years introduced a subtle bug with the two identical DNs in my cert chain. DN and subject are identical. ID, S/N and sha1_fpr, md5_fpr are different.

Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!

Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!

This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!
Description:

Created attachment 106418 [details]
example mail that has a correct signature, not validated by kmail

Kmail fails to validate msgs signed with MPG CA in the certificate chain. Apple Mail, Thunderbird and Exchange all accept them as valid (example attached). Other S/MIME trust chains work without problems as expected.
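The reporter's eventual diagnosis, two CA certificates with an identical subject DN in the gpgsm keyring so that the issuer lookup comes back as "Mehrdeutiger Name" (ambiguous name), can be checked directly from the output of `gpgsm --list-keys --with-colons`. The script below is an added example, not code from the bug report, KMail, Kleopatra or GnuPG. The colon records it embeds are constructed sample data: the DNs are the ones quoted in the thread, while the key IDs, serials and fingerprints are placeholders. `resolve_issuer` is a hypothetical stand-in that mimics the failing lookup step, not gpgsm's real chain-building code.

```python
"""Find subject DNs that occur more than once in a gpgsm keyring.

Input is the colon-separated listing produced by
`gpgsm --list-keys --with-colons`. A `crt:` record opens a certificate;
the following `fpr:` record carries its fingerprint in the 10th field.
"""
import sys
from collections import defaultdict

# DNs as quoted in the bug report.
DFN_DN = "CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE"
MPG_DN = "CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE"
USER_DN = ("CN=Achim Bohnet,OU=Max-Planck-Institut fuer extraterrestrische Physik,"
           "O=Max-Planck-Gesellschaft,C=DE")

# Constructed sample keyring: key IDs, serials and fingerprints are placeholders.
# It reproduces the reporter's situation: each CA DN appears twice.
SAMPLE_COLONS = f"""\
crt:u:2048:1:0000000000000001:20140527T145346:20190709T235900:0000000000000001::{DFN_DN}::cC:::
fpr:::::::::1111111111111111111111111111111111111111:
crt:u:2048:1:0000000000000002:20070101T000000:20190709T235900:0000000000000002::{DFN_DN}::cC:::
fpr:::::::::2222222222222222222222222222222222222222:
crt:u:2048:1:0000000000000003:20140601T000000:20190709T235900:0000000000000003::{MPG_DN}::cC:::
fpr:::::::::3333333333333333333333333333333333333333:
crt:u:2048:1:0000000000000004:20070101T000000:20190709T235900:0000000000000004::{MPG_DN}::cC:::
fpr:::::::::4444444444444444444444444444444444444444:
crt:u:2048:1:0000000000000005:20170308T135315:20190308T135315:0000000000000005::{USER_DN}::sE:::
fpr:::::::::5555555555555555555555555555555555555555:
"""


class AmbiguousIssuer(Exception):
    """Raised when an issuer DN matches more than one certificate."""


def _unescape(field):
    # gpgsm escapes ':' inside a field as \x3a so it cannot break the record.
    return field.replace("\\x3a", ":")


def parse_colons(text):
    """Parse colon-format output into a list of certificate dicts."""
    certs = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "crt":
            certs.append({
                "keyid": fields[4],
                "created": fields[5],
                "expires": fields[6],
                "serial": fields[7],
                "subject": _unescape(fields[9]),
                "fpr": None,
            })
        elif fields[0] == "fpr" and certs and certs[-1]["fpr"] is None:
            certs[-1]["fpr"] = fields[9]
    return certs


def duplicate_subjects(certs):
    """Map each subject DN that appears more than once to its fingerprints."""
    by_subject = defaultdict(list)
    for cert in certs:
        by_subject[cert["subject"]].append(cert["fpr"])
    return {dn: fprs for dn, fprs in by_subject.items() if len(fprs) > 1}


def resolve_issuer(certs, issuer_dn):
    """Hypothetical issuer lookup by DN, mirroring the failing step.

    With two certificates sharing the DN there is no single answer, which is
    the "Mehrdeutiger Name" condition in the log; a fingerprint or serial
    would be needed to tell them apart.
    """
    matches = [c for c in certs if c["subject"] == issuer_dn]
    if not matches:
        raise KeyError(issuer_dn)
    if len(matches) > 1:
        raise AmbiguousIssuer(
            f"{issuer_dn!r} matches {len(matches)} certificates: "
            + ", ".join(c["fpr"] for c in matches))
    return matches[0]


if __name__ == "__main__":
    # Use piped-in real output when available, else the constructed sample.
    text = SAMPLE_COLONS if sys.stdin.isatty() else sys.stdin.read()
    for dn, fprs in duplicate_subjects(parse_colons(text)).items():
        print(f"duplicate subject DN: {dn}")
        for fpr in fprs:
            print(f"    fingerprint {fpr}")
```

Run with no input it reports the two constructed duplicates; `gpgsm --list-keys --with-colons | python3 dup_dn.py` checks a real keyring. Once the duplicates are listed, the fingerprints are what tell the two certificates apart, so the stale one can be removed by fingerprint with `gpgsm --delete-keys`, which is the step that made validation work for the reporter.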