[kleopatra] [Bug 381919] Kleopatra fails to validate S/MIME signed msgs with MPG CA in the cert chain

Achim Bohnet bugzilla_noreply at kde.org
Fri Jun 15 13:35:03 BST 2018


https://bugs.kde.org/show_bug.cgi?id=381919

--- Comment #10 from Achim Bohnet <ach at mpe.mpg.de> ---
Next go:

The DFN CA and MPG CA in the chain of my personal certificate as the Issuers:
a) DN: CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
b) DN: CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE

There are 2 certificates in my pubring matching the strings (a) and (b)
(well, (a) matches 3 but one is revoked); both of them are valid until Jul 2019.

The two variants differ in that the older one uses SHA1 (valid since ~ 2006/7)
as the hash algorithm and the other uses SHA256 (valid since 2014).

I've deleted the SHA1 variant of DFN CA - G01 and(!) MPG CA - G01 and now
kmail accepts e-mail signed by me as valid.  I can even send e-mails
signed by me, without disabling CRL checks in kmail settings.  Yeah!

So my cert has an IssuerString MPG CA ... matching a SHA1 cert and a SHA256
cert.  DITTO for the MPG CA ... cert itself, whose DFN issuer value also
matches 2 valid certs (one SHA1, one SHA256).

So AFAIU the problematic spot is:
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 <- INQUIRE SENDCERT /CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
  4 - 2018-06-15 09:31:02 gpgsm[14885]: certificate not found: Mehrdeutiger Name
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 -> CAN
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_10 <- ERR 167772217 Fehlendes Zertifikat <Dirmngr>
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 -> D crt:i:2048:1:856D3B2E89D15A59:20140527T145346:20190709T235900:17A4248A6BC150::CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE::cC:::%0Afpr:::::::::
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 -> OK
  4 - 2018-06-15 09:31:02 gpgsm[14885]: DBG: chan_404 <- BYE

gpgsm is 2.1.11-6ubuntu2.1 and kmail is v18.04.1 (from 16.04/Neon User with
5.13)

So my conclusion is FWIW: the DN is not unique, so 2 matches are found.  (Ditto
for the DFN CA G01), and validating signatures and sending signed/encrypted
mail in kmail fails.

What confuses me is that Thunderbird on the same system does not complain.
Maybe kmail should use Subject instead of DN?  Or Thunderbird is buggy or ... well,
I don't know.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
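The failure mode described in the comment above (two valid CA certificates sharing one subject DN after a re-key, so an issuer lookup by name alone is ambiguous), as an added example that is not part of the bug report, of gpgsm or of kmail: it models a pubring as plain records, shows the DN-only lookup hitting both the SHA1 and the SHA256 MPG/DFN certs, matches on the child's Authority Key Identifier against the candidate's Subject Key Identifier instead, and audits the ring for duplicate CA names. The DNs are the ones from the comment; all key identifiers and the end-entity subject are constructed placeholders.

```python
# Added example (not from the bug report): issuer lookup by subject DN alone
# turns ambiguous once a CA is re-keyed (SHA1 and SHA256 certs, same DN);
# matching the child's AKI against a candidate's SKI picks exactly one.
from dataclasses import dataclass
@dataclass(frozen=True)
class CertRecord:
    subject: str          # subject DN string
    issuer: str           # issuer DN string
    ski: str              # Subject Key Identifier (constructed placeholder)
    aki: str              # Authority Key Identifier (constructed placeholder)
    sig_hash: str         # hash algorithm of the certificate signature
    revoked: bool = False
DFN_DN = "CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE"
MPG_DN = "CN=MPG CA,O=Max-Planck-Gesellschaft,C=DE"
EE_DN = "CN=Achim Bohnet,O=Max-Planck-Gesellschaft,C=DE"  # constructed subject
# Constructed pubring: old and new DFN/MPG CA certs, one revoked stale copy,
# and an end-entity cert issued by the SHA256 MPG key.
PUBRING = [
    CertRecord(DFN_DN, DFN_DN, "dfn-old", "dfn-old", "sha1"),
    CertRecord(DFN_DN, DFN_DN, "dfn-new", "dfn-new", "sha256"),
    CertRecord(DFN_DN, DFN_DN, "dfn-stale", "dfn-stale", "sha1", revoked=True),
    CertRecord(MPG_DN, DFN_DN, "mpg-old", "dfn-old", "sha1"),
    CertRecord(MPG_DN, DFN_DN, "mpg-new", "dfn-new", "sha256"),
    CertRecord(EE_DN, MPG_DN, "ee", "mpg-new", "sha256"),
]

class AmbiguousName(LookupError):
    pass  # more or fewer than one valid certificate matches the request
def find_issuer_by_dn(ring, issuer_dn):
    # Name-only lookup: the step the log shows failing with "Mehrdeutiger Name".
    hits = [c for c in ring if c.subject == issuer_dn and not c.revoked]
    if len(hits) != 1:
        raise AmbiguousName(f"{len(hits)} valid certificates match {issuer_dn}")
    return hits[0]
def find_issuer_by_key_id(ring, child):
    # Name plus key identifier: the child's AKI must equal the candidate's SKI.
    hits = [c for c in ring
            if c.subject == child.issuer and c.ski == child.aki and not c.revoked]
    if len(hits) != 1:
        raise AmbiguousName(f"{len(hits)} candidates for AKI {child.aki}")
    return hits[0]

def duplicate_ca_names(ring):
    # Audit: subject DNs carried by more than one valid certificate in the ring.
    algs = {}
    for c in ring:
        if not c.revoked:
            algs.setdefault(c.subject, []).append(c.sig_hash)
    return {dn: sorted(a) for dn, a in algs.items() if len(a) > 1}
```

Running `duplicate_ca_names` over a real ring before deleting anything is the check that tells you which CA names are carried twice, which is what the comment discovered by trial and error.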

