Re: gpgsm certificate validity
On Tue, 23 Aug 2011 09:39, y...@yyy.id.lv said:

> For some certificates gpgsm asks during import, whether to trust them
> (and if confirmed, add entry to trustlist.txt automatically). Is it
> possible to make gpgsm to ask whether to trust it, for any certificate?

It does that for all proper certificates. We can't handle all kinds of
bogus root certificates; there is a reason why PKIX demands certain
certificate attributes.

Actually we do handle another kind of those certs: For qualified
signatures, some countries issue root certificates which would not pass
the usual checks - thus if such a root certificate is listed in the
qualified.txt file, we do the relaxed checking but OTOH annoy you with
additional prompts.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm certificate validity
On 2011.08.23. 10:07, Werner Koch wrote:
> On Mon, 22 Aug 2011 18:05, y...@yyy.id.lv said:
>
>> So, order of certificate hashes, relative of certificate order in
>> keyring, is critically important?
> No. You need to make sure to not use lines of more than ~255
> characters. Check that your editor didn't reflow a comment block or
> similar.
>

Re-tested today and it worked in more than one order. Probably the
issues yesterday were some sort of temporary glitch.

So, currently, importing a root certificate into gpgsm's keyring is a
2-stage process:

1. gpgsm --import _certificate_
2. edit the trustlist.txt file to add the imported certificate's hash
   (to make it trusted (usable)).

For some certificates gpgsm asks during import whether to trust them
(and if confirmed, adds an entry to trustlist.txt automatically). Is it
possible to make gpgsm ask whether to trust it, for any certificate?
Re: gpgsm certificate validity
On Mon, 22 Aug 2011 18:05, y...@yyy.id.lv said:

> So, order of certificate hashes, relative of certificate order in
> keyring, is critically important?

No. You need to make sure to not use lines of more than ~255
characters. Check that your editor didn't reflow a comment block or
similar.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.
Re: gpgsm certificate validity
On 2011.08.22. 17:31, Werner Koch wrote:
> On Mon, 22 Aug 2011 15:27, y...@yyy.id.lv said:
>
>> This certificate does not have BasicConstraints, maybe this is a cause
>> of error?
> Quite likely. That is required for CA certificates.
>
>> Is it possible to override check for BasicConstraints? Is it a bug?
> Try adding the relax keyword to the entry in ~/.gnupg/trustlist.txt .
>

That eventually fixed it. Thanks.

There were some errors along the way, though:

trustlist.txt initially contained only the hash of the second
certificate (with BasicConstraints). Added the hash of the other
certificate (the one without BasicConstraints) and now for ALL
certificates

gpgsm -k --with-validation --disable-crl-checks

produces the error [certificate is bad: Line too long].

In this case, the first line in trustlist.txt was for the second
certificate in the keyring and the second line was for the first
certificate in the keyring. Swapping these lines in trustlist.txt fixed
it.

So, order of certificate hashes, relative of certificate order in
keyring, is critically important?
Re: gpgsm certificate validity
On Mon, 22 Aug 2011 15:27, y...@yyy.id.lv said:

> This certificate does not have BasicConstraints, maybe this is a cause
> of error?

Quite likely. That is required for CA certificates.

> Is it possible to override check for BasicConstraints? Is it a bug?

Try adding the relax keyword to the entry in ~/.gnupg/trustlist.txt .

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.
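The trustlist.txt handling discussed in this thread (appending the imported root's fingerprint as a second stage after gpgsm --import, adding the relax keyword for a root without BasicConstraints, and the ~255 character line limit behind the "Line too long" error) as an added example; this is not code from the thread or from GnuPG, and the entry layout it assumes (fingerprint with or without colons, an S/P/* flag, optional keywords such as relax, "#" comment lines) is taken from the GnuPG manual rather than from this page.

```python
import re

MAX_LINE = 255   # assumed from the thread: gpgsm rejects lines longer than ~255 chars
# SHA-1 fingerprint, 40 hex digits, with or without the colons gpgsm prints
FPR_RE = re.compile(r"^[0-9A-Fa-f]{2}(:?[0-9A-Fa-f]{2}){19}$")

def parse_entry(line):
    """Return (fingerprint, flag, keywords) for one entry line, or None if malformed."""
    parts = line.split()
    if len(parts) < 2 or not FPR_RE.match(parts[0]) or parts[1] not in ("S", "P", "*"):
        return None
    return parts[0].replace(":", "").upper(), parts[1], parts[2:]

def check_trustlist(text, roots_without_basic_constraints=()):
    """Return [(lineno, problem), ...] for the given trustlist.txt contents."""
    need_relax = {f.replace(":", "").upper() for f in roots_without_basic_constraints}
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:   # the 'Line too long' failure seen in the thread
            problems.append((no, "line too long (%d chars)" % len(line)))
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue               # blank line or comment
        entry = parse_entry(stripped)
        if entry is None:
            problems.append((no, "unparsable entry"))
            continue
        fpr, _flag, keywords = entry
        if fpr in need_relax and "relax" not in keywords:
            problems.append((no, "root lacks BasicConstraints but entry has no 'relax'"))
    return problems

def make_entry(fingerprint, relax=False):
    """Line to append to trustlist.txt after 'gpgsm --import' (stage 2 of the thread)."""
    return fingerprint.replace(":", "").upper() + " S" + (" relax" if relax else "")

# Constructed sample: an editor reflowed the comment block into one over-long
# line, and the second root (no BasicConstraints) was added without 'relax'.
NO_BC_ROOT = "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"
SAMPLE = "\n".join([
    "# " + "this comment was reflowed by an editor " * 8,
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98 S",
    NO_BC_ROOT + " S",
])

if __name__ == "__main__":
    for no, problem in check_trustlist(SAMPLE, [NO_BC_ROOT]):
        print("trustlist.txt:%d: %s" % (no, problem))
    print("fixed entry:", make_entry(NO_BC_ROOT, relax=True))
```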
Re: gpgsm certificate validity
On 2011.08.22. 15:18, yyy wrote:
> On 2011.08.22. 15:03, Werner Koch wrote:
>> On Mon, 22 Aug 2011 11:07, y...@yyy.id.lv said:
>>
>>> How to verify if a certificate (in keyring) is valid?
>> gpgsm -k --with-validation USERID
>>
>> without USERID all certificates are validated. In case you want to skip
>> CRL checks, add the option --disable-crl-checks.
> This produced error:
> [certificate is bad: No value]
> Rest of data about the certificate were fine (ID, S/N, Issuer, Subject,
> validity, key type, chain length, fingerprint)
>
> What does it mean? Attempts to encrypt to this USERID also produced
> error "No value"

A few more updates.

If using gpgsm -k --with-validation (without providing a USERID), it
also provides the fingerprint:

81:4A:73:CC:AB:BC:41:Dgpgsm: dirmngr cache-only key lookup failed : Not found
3:D7:99:0F:A3:C0:75:AB:E0:D5:6C:AE:DD

That certificate is a self-signed certificate and it seems that gpgsm is
trying to find it in some external file (not in the keyring).

In addition to --with-validation, I used --disable-crl-checks and
--disable-policy-checks, but these did not change anything.

Also, searching google for "[certificate is bad: No value]" produced one
result from this list, from 2006:
http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/023160.html
(google result)

further in that thread, there was a message
http://lists.gnupg.org/pipermail/gnupg-devel/2006-September/023175.html

This certificate does not have BasicConstraints, maybe this is a cause
of error?

Imported another root certificate; this had BasicConstraints set, and
the import of it went differently: there was a popup asking if I want to
trust it (when importing the first certificate, it did not ask anything).

For that certificate, gpgsm -k --with-validation --disable-crl-checks
went without errors.

Encryption using such IDs worked.

So, the main problem seems to be the (lack of) presence of
BasicConstraints in the certificate. Is it possible to override the
check for BasicConstraints? Is it a bug?

--ignore-cert-extensions <> cannot be used, because the problem is the
lack of presence of the extension, not the presence of the extension.
Re: gpgsm certificate validity
On Mon, 22 Aug 2011 11:07, y...@yyy.id.lv said:

> How to verify if a certificate (in keyring) is valid?

gpgsm -k --with-validation USERID

without USERID all certificates are validated. In case you want to skip
CRL checks, add the option --disable-crl-checks.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.
Re: gpgsm certificate validity
On 2011.08.22. 15:03, Werner Koch wrote:
> On Mon, 22 Aug 2011 11:07, y...@yyy.id.lv said:
>
>> How to verify if a certificate (in keyring) is valid?
> gpgsm -k --with-validation USERID
>
> without USERID all certificates are validated. In case you want to skip
> CRL checks, add the option --disable-crl-checks.

This produced error:
[certificate is bad: No value]

Rest of data about the certificate were fine (ID, S/N, Issuer, Subject,
validity, key type, chain length, fingerprint)

What does it mean? Attempts to encrypt to this USERID also produced
error "No value"