In the last two weeks I renewed an SSL certificate from Comodo for email usage. This time round Kleopatra is having problems with recognising the passphrase I use.
I partially suspect a gnupg bug here probably relating to mime characters, but I am not sure how to troubleshoot it. This is a sequence of events that show how the problem occurs: I export the SSL cert from Firefox as a pkcs12 file. It asks for a passphrase to encrypt it with. It will accept my passphrase and saves the exported .p12 bundle as a file on my hard drive. Then I try to import this into Kleopatra. This is what I have come across here: If I have used a short passphrase when exporting from Firefox (say 8 characters long) there's no problem importing it into Kleopatra. If I use a long passphrase then it fails every time: "Please enter a passphrase to unprotect the PKCS#12 object." p4ssPhr4se "An error occurred while trying to import the certificate - Decryption failed." The log shows: ====================================== [2010-05-12T19:51:45] Log cleared 6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to unprotect the secret key: Bad passphrase 6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to read the secret key 6 - 2010-05-12 19:52:12 gpg-agent[13563]: command pksign failed: Bad passphrase 6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: -> ERR 67108875 Bad passphrase <GPG Agent> 4 - 2010-05-12 19:52:12 gpgsm[16759]: error creating signature: Bad passphrase <GPG Agent> 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> ERR 67108875 Bad passphrase <GPG Agent> 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: <- BYE 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> OK closing connection [client at fd 4 disconnected] 5 - 2010-05-12 19:52:12 dirmngr[16760.0] DBG: <- [EOF] 6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: <- [EOF] 6 - 2010-05-12 19:52:12 gpg-agent[13563]: handler 0xbf04c0 for fd 6 terminated [client at fd 5 disconnected] ====================================== Now, as I said above if I use a short passphrase to encrypt the certificate bundle when exporting it from Firefox, I manage to import it into Kleopatra and then I can re-encrypt it with either with the same short passphrase or with a longer passphrase. Kleopatra will accept any length at that stage and import it happily. However, even if I import it into Kleopatra I can't use it thereafter! Every time I try to use it in Kmail to sign/encrypt/decrypt a message it will fail when I enter the passphrase. :-( I have tried to convert the exported pkcs12 file into a pem bundle, but Kleopatra then fails to import it right from the start with a BER error - it doesn't even ask for a passphrase to decrypt it: ====================================== [2010-05-07T22:24:22] Log cleared [client at fd 4 connected] 4 - 2010-05-07 22:24:25 gpgsm[14692]: enabled debug flags: assuan 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Home: ~/.gnupg 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Config: /home/michael/.gnupg/gpgsm.conf 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # AgentInfo: /tmp/gpg-yRFiu9/S.gpg-agent:13728:1 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # DirmngrInfo: [not set] 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK GNU Privacy Guard's S/M server 2.0.14 ready 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION display=:0.0 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION enable-audit-log=1 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- INPUT FD=21 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- IMPORT 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2c skipped 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped 4 - 2010-05-07 22:24:25 gpgsm[14692]: total number processed: 0 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> S IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> ERR 150995078 BER error <KSBA> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- BYE 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK closing connection [client at fd 4 disconnected] ====================================== Any idea why Kleopatra fails with this new Comodo certificate? It had/has no problem using the expired certificate by the same CA (of course it is shown as expired now). How could I troubleshoot this thing? Some things I have tried so far: I have imported and used this SSL cert on a webmail client (Horde) and had no problem with it. I have also tried the same SSL cert on two different Gentoo PCs (one x86 and one amd64) but both fail in the way described above. Running openssl pkcs12 -in cert_file.p12 seems to work fine and displays the priv key and cert bundle on the terminal, without any problem, irrespective of the length of passphrase. I have visually compared the output on the terminal between expired and new certificates and cannot see a difference. Anything else I could try? -- Regards, Mick
