[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2022-12-25 Thread Bug Janitor Service
https://bugs.kde.org/show_bug.cgi?id=381919

Bug Janitor Service  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDSINFO                   |RESOLVED
         Resolution|WAITINGFORINFO              |WORKSFORME

--- Comment #14 from Bug Janitor Service  ---
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!

-- 
You are receiving this mail because:
You are watching all bug changes.

[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2022-12-10 Thread Bug Janitor Service
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #13 from Bug Janitor Service  ---
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2022-11-25 Thread Justin Zobel
https://bugs.kde.org/show_bug.cgi?id=381919

Justin Zobel  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WAITINGFORINFO
             Status|REPORTED                    |NEEDSINFO

--- Comment #12 from Justin Zobel  ---
Thank you for reporting this issue in KDE software. As it has been a while
since this issue was reported, can we please ask you to see if you can
reproduce the issue with a recent software version?

If you can reproduce the issue, please change the status to "REPORTED" when
replying. Thank you!


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2018-06-15 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #11 from Achim Bohnet  ---
Oh, I was wrong.  The subject of the 2 MPG CA certs are identical too.

So looks like copying my .gnupg/ dir since years introduced a subtle bug
with the two identical DN in my cert chain.

DN and subject are identical.  ID, S/N and sha1_fpr, md5_fpr are different


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2018-06-15 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

Achim Bohnet  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.3.0                       |3.1.0


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2018-06-15 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #10 from Achim Bohnet  ---
Next go:

The DFN CA and MPG CA in the chain of my personal certificate as the Issuers:
a) DN: CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
b) DN: CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE

There are 2 certificates in my pubring matching the string (a) and (b)
(well, (a) matches 3 but one is revoked) both of them are valid until Jul 2019.

The two variants differ in that the older one uses SHA1 (valid since ~ 2006/7)
as the hash algorithm and the other uses SHA256 (valid since  2014).

I've deleted the SHA1 variant of DFN CA - G01 and(!) MPG CA - G01 and now
the kmail accepts E-Mail signed by me as valid.  I can even send e-mails
signed by me, without disabling CRL checks in kmail settings.  Yeah!

So my cert has an IssuerString MPG CA ... matching an SHA1 cert and SHA256
cert.  DITTO for the MPG CA ... cert itself that has the DFN issuer value
matching also 2 valid certs (one SHA1 one SHA256).

So AFAIU the problematic spot is:
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 <- INQUIRE SENDCERT /CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
  4 - 2018-06-15 09:31:02 gpgsm[14885]: certificate not found: Mehrdeutiger Name
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 -> CAN
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 <- ERR 167772217 Fehlendes Zertifikat
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 -> D crt:i:2048:1:856D3B2E89D15A59:20140527T145346:20190709T235900:17A4248A6BC150::CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE::cC:::%0Afpr:
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 -> OK
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 <- BYE

gpgsm is 2.1.11-6ubuntu2.1  and kmail is v18.04.1 (from 16.04/Neon User with
5.13)

So my conclusion is FWIW: the DN is not unique, so 2 matches are found.  (Ditto
for the DFN CA G01) and validating signatures and sending of signed/encrypted
Mail in kmail fails.

What confuses me is that Thunderbird on the same system does not complain.
Maybe kmail should use Subject instead of DN?  Or thunderbird is buggy or ... well
I don't know.

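An added example (not from the bug report, GnuPG or KDE): a small Python check for the condition comment #10 arrives at, several certificates in the keyring sharing one subject DN, which is what a lookup by name cannot resolve. It assumes the colon layout of `gpgsm --list-keys --with-colons` (validity in field 2 and serial in field 8 of `crt`, fingerprint in `fpr`, subject DN in the first `uid` record); the CA DNs are the ones quoted in the report, everything else in the sample is constructed.

```python
from collections import defaultdict

# DNs of the two CAs as quoted in the report; ROOT and USER are constructed.
MPG = "CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE"
DFN = "CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE"
ROOT = "CN=Constructed Root CA,C=DE"
USER = "CN=Constructed User,O=Max-Planck-Gesellschaft,C=DE"

def _rec(validity, serial, issuer, fpr, subject):
    """Build one constructed crt/fpr/uid group in the assumed colon layout."""
    return (f"crt:{validity}:2048:1:{fpr[-16:]}:20140101T000000:20190709T235900:"
            f"{serial}::{issuer}::cC:\n"
            f"fpr:::::::::{fpr}:::\n"
            f"uid:::::::::{subject}::\n")

# Constructed keyring listing: fingerprints and serials are made up.
SAMPLE = (_rec("", "0A", DFN, "A" * 40, MPG) + _rec("", "0B", DFN, "B" * 40, MPG)
          + _rec("", "0C", ROOT, "C" * 40, DFN) + _rec("r", "0D", ROOT, "D" * 40, DFN)
          + _rec("", "0E", MPG, "E" * 40, USER))

def parse_colon_listing(text):
    """Return one dict per crt/crs record with its fingerprint and subject DN."""
    certs, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] in ("crt", "crs"):
            cur = {"validity": f[1], "serial": f[7], "fpr": None, "subject": None}
            certs.append(cur)
        elif cur is not None and f[0] == "fpr":
            cur["fpr"] = f[9]
        elif cur is not None and f[0] == "uid" and cur["subject"] is None:
            cur["subject"] = f[9]      # first uid record = subject DN
    return certs

def shared_subject_dns(certs):
    """Map each subject DN held by more than one certificate to its holders."""
    by_dn = defaultdict(list)
    for c in certs:
        if c["subject"]:
            by_dn[c["subject"]].append((c["fpr"], c["serial"], c["validity"]))
    return {dn: holders for dn, holders in by_dn.items() if len(holders) > 1}

if __name__ == "__main__":
    for dn, holders in shared_subject_dns(parse_colon_listing(SAMPLE)).items():
        print(dn)
        for fpr, serial, validity in holders:
            print(f"  fpr={fpr} serial={serial} validity={validity or '-'}")
```

To check a real keyring, pass `parse_colon_listing` the output of `gpgsm --list-keys --with-colons` instead of `SAMPLE`.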

[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2018-01-05 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #9 from Achim Bohnet  ---
DIRTY insecure WORKAROUND:

Kmail allows in settings -> configure kmail-> security -> tab s/mime
validation:

  enable never consult a CRL

Now signature validation works and I could even send for the first time signed
and/or encrypted E-mails with kmail.

This confirms my suspicion from comment 8, that the problem is with an older
revoked Certificate of MPG CA.  So somehow either kleopatra or kmail fails to
handle this case properly.

I wish I could remember how and where I once found the info about the revoked
certificate of the MPG CA to send more details.  But I don't remember and
failed to find it again :-(


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2017-09-27 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #8 from Achim Bohnet  ---
I give up.  I thought I once saw that the MPG CA had a valid and a revoked
Cert (but I can't find it anymore :-( ).  Maybe that's the reason for the
failure but I've no clue how to prove it :-(


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2017-09-27 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #7 from Achim Bohnet  ---
Here is, I think, the relevant part of the kleopatra log:

  4 - 2017-09-27 20:48:12 gpgsm[7370]: detached signature
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_95 -> S NEWSIG
  4 - 2017-09-27 20:48:12 gpgsm[7370]: Signatur erzeugt am 2017-09-21 11:34:22 mittels Zertifikat ID 0xA15353E8
  4 - 2017-09-27 20:48:12 gpgsm[7370]: Datei `/home/achim/.gnupg/policies.txt' kann nicht geöffnet werden: Datei oder Verzeichnis nicht gefunden
  4 - 2017-09-27 20:48:12 gpgsm[7370]: Hinweis: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_10 <- # Home: /home/achim/.gnupg
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_10 <- # Config: /home/achim/.gnupg/dirmngr.conf
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_10 <- OK Dirmngr 2.1.11 at your service
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- # Home: /home/achim/.gnupg
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- # Config: /home/achim/.gnupg/dirmngr.conf
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- OK Dirmngr 2.1.11 at your service
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: connection to the dirmngr established
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> GETINFO version
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- D 2.1.11
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- OK
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> OPTION audit-events=1
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- OK
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> LDAPSERVER ldap.pca.dfn.de:0:::
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- OK
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> ISVALID C87B47CB198E371981D5A9C3926F5BCF6A5290D7.1AFE56DB930CEF
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- INQUIRE SENDCERT
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> [ 44 20 30 82 05 80 30 82 04 68 a0 03 02 01 02 02 ...(982 byte(s) skipped) ]
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> [ 44 20 07 30 01 86 27 68 74 74 70 3a 2f 2f 6f 63 ...(444 byte(s) skipped) ]
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> END
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 <- INQUIRE SENDCERT /1.2.840.113549.1.9.1=#6D70672D6361406D70672E6465,CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE
  4 - 2017-09-27 20:48:12 gpgsm[7370]: certificate not found: Mehrdeutiger Name
  4 - 2017-09-27 20:48:12 gpgsm[7370]: DBG: chan_11 -> CAN
  4 - 2017-09-27 20:48:13 gpgsm[7370]: DBG: chan_11 <- ERR 167772217 Fehlendes Zertifikat
  4 - 2017-09-27 20:48:13 gpgsm[7370]: certificate #1AFE56DB930CEF/1.2.840.113549.1.9.1=#6D70672D6361406D70672E6465,CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE
  4 - 2017-09-27 20:48:13 gpgsm[7370]: Die CRL konnte nicht geprüft werden: Nicht gefunden
  4 - 2017-09-27 20:48:13 gpgsm[7370]: Benutztes Gültigkeitsmodell: Schale
  4 - 2017-09-27 20:48:13 gpgsm[7370]: DBG: chan_95 -> S GOODSIG BB76E8A1B47AD3C579E402C571473BE1A15353E8 /CN=Achim Bohnet/OU=Max-Planck-Institut fuer extraterrestrische Physik/O=Max-Planck-Gesellschaft/C=DE
  4 - 2017-09-27 20:48:13 gpgsm[7370]: DBG: chan_95 -> S VALIDSIG BB76E8A1B47AD3C579E402C571473BE1A15353E8 2017-09-21 20170921T113422 20190308T135315 0 0 1 8 00
  4 - 2017-09-27 20:48:13 gpgsm[7370]: invalid certification chain: Nicht gefunden
  4 - 2017-09-27 20:48:13 gpgsm[7370]: DBG: chan_95 -> S TRUST_UNDEFINED 27


More information about the MPG CA: https://info.pca.dfn.de/mpg-ca/index.html


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2017-09-27 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #6 from Achim Bohnet  ---
FWIW  I can decrypt an email I sent to myself, but signature check fails with
(no status information available)


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2017-09-27 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #5 from Achim Bohnet  ---
Created attachment 108062
  --> https://bugs.kde.org/attachment.cgi?id=108062=edit
Info about the whole trust chain

Trust chain info is available.  Nevertheless kmail says: no status information
available.

(Thunderbird and Apple Mail tell me Msg is trustworthy, for all, including
kmail/kleopatra I loaded my cert and the trust chain file)


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2017-09-27 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #4 from Achim Bohnet  ---
Created attachment 108061
  --> https://bugs.kde.org/attachment.cgi?id=108061=edit
Test Msg in Kmail

Kmail says not enough information available.

But as it shows, the complete trust chain is in kleopatra.


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2017-09-27 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #3 from Achim Bohnet  ---
Created attachment 108060
  --> https://bugs.kde.org/attachment.cgi?id=108060=edit
Test Msg in Thunderbird

Thunderbird trusts that this mail is not altered


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2017-07-02 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #2 from Achim Bohnet  ---
Created attachment 106420
  --> https://bugs.kde.org/attachment.cgi?id=106420=edit
More infos about the involved CA in trust chain


[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

2017-07-02 Thread Achim Bohnet
https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #1 from Achim Bohnet  ---
Created attachment 106419
  --> https://bugs.kde.org/attachment.cgi?id=106419=edit
Trust chain
