On Saturday 19 April 2008, Mick wrote:
> Hi All,
>
> I am trying to import an SSL certificate into gpgsm/kleopatra and I cannot
> seem to be able to make it work:
>
> 1. Trying the CLI gives me:
> =========================================
> $ gpgsm --import /media/sda/Personal/OpenSSL/Comodo/michael_email_comodo_080419.p12
> gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
> gpgsm: gpg-protect-tool: 1224 bytes of 3DES encrypted text
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-1'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-15'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-2'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-3'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-4'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-5'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-6'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-7'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-8'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-9'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `KOI8-R'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `IBM437'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `IBM850'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `EUC-JP'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `BIG5'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: data error at "decrypted-text", offset 2951359603
> gpgsm: gpg-protect-tool: error at "bag-sequence", offset 15
> gpgsm: gpg-protect-tool: error parsing or decrypting the PKCS-12 file
> gpgsm: error running `/usr/libexec/gpg-protect-tool': exit status 2
> gpgsm: total number processed: 0
> secmem usage: 0/16384 bytes in 0 blocks
> =========================================
>
> If I import/export the cert from Firefox, then I can import it in
> Konqueror. However, when I try to import it in Kleopatra it fails after I
> enter my cert passphrase.  I managed to import the cert in Kleopatra
> without the private key.  As you understand that's no good for me because I
> cannot sign emails with it (it doesn't show up on the list of certs).
>
> Any ideas how I could make this work?  I can't recall having such problems
> with the CACert.org certificates (or if I did I can't recall what's the
> fix!).

There seem to be two problems with gpgsm, probably bugs - or perhaps design 
limitations?

1. gpgsm cannot import the complete pkcs12 bundle.  This needs to be broken 
down and imported separately as the public key (cert) and the private key.  
Whether this compromises safety (having an unencrypted private key on your 
drive) is a moot point, but makes me think that GnuPG is a much better 
solution than SSL certs for emails at least.
2. Long passphrases seem to generate the above error.  So, if you come across 
the same error try generating your key with a smaller passphrase, or edit it 
with openssl pkcs options.

HTH.
-- 
Regards,
Mick
