Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user <gentoo-user@l.g.o>
Subject: [gentoo-user] S/MIME passphrase problem with Kleopatra
Date: Thu, 13 May 2010 11:06:00
Message-Id: AANLkTilUSA5qKzLDG5MBid5dxQWasNLIn2CBzKYRR4CK@mail.gmail.com

In the last two weeks I renewed an SSL certificate from Comodo for
email usage. This time round Kleopatra is having problems with
recognising the passphrase I use.

I partially suspect a gnupg bug here probably relating to mime
characters, but I am not sure how to troubleshoot it. This is a
sequence of events that show how the problem occurs:

I export the SSL cert from Firefox as a pkcs12 file. It asks for a
passphrase to encrypt it with. It will accept my passphrase and saves
the exported .p12 bundle as a file on my hard drive. Then I try to
import this into Kleopatra. This is what I have come across here:

If I have used a short passphrase when exporting from Firefox (say 8
characters long) there's no problem importing it into Kleopatra.
If I use a long passphrase then it fails every time:

"Please enter a passphrase to unprotect the PKCS#12 object."
p4ssPhr4se
"An error occurred while trying to import the certificate - Decryption failed."

The log shows:
======================================
[2010-05-12T19:51:45] Log cleared
6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to unprotect the
secret key: Bad passphrase
6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to read the secret key
6 - 2010-05-12 19:52:12 gpg-agent[13563]: command pksign failed: Bad
passphrase
6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: -> ERR 67108875 Bad
passphrase <GPG Agent>
4 - 2010-05-12 19:52:12 gpgsm[16759]: error creating signature: Bad
passphrase <GPG Agent>
4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> ERR 67108875 Bad
passphrase <GPG Agent>
4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: <- BYE
4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> OK closing connection
[client at fd 4 disconnected]
5 - 2010-05-12 19:52:12 dirmngr[16760.0] DBG: <- [EOF]
6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: <- [EOF]
6 - 2010-05-12 19:52:12 gpg-agent[13563]: handler 0xbf04c0 for fd 6 terminated
[client at fd 5 disconnected]
======================================

Now, as I said above, if I use a short passphrase to encrypt the
certificate bundle when exporting it from Firefox, I manage to import
it into Kleopatra and then I can re-encrypt it either with the
same short passphrase or with a longer passphrase. Kleopatra will
accept any length at that stage and import it happily. However, even
if I import it into Kleopatra I can't use it thereafter! Every time I
try to use it in Kmail to sign/encrypt/decrypt a message it will fail
when I enter the passphrase. :-(

I have tried to convert the exported pkcs12 file into a pem bundle,
but Kleopatra then fails to import it right from the start with a BER
error - it doesn't even ask for a passphrase to decrypt it:
======================================
[2010-05-07T22:24:22] Log cleared
[client at fd 4 connected]
4 - 2010-05-07 22:24:25 gpgsm[14692]: enabled debug flags: assuan
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Home: ~/.gnupg
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Config:
/home/michael/.gnupg/gpgsm.conf
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # AgentInfo:
/tmp/gpg-yRFiu9/S.gpg-agent:13728:1
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # DirmngrInfo: [not set]
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK GNU Privacy
Guard's S/M server 2.0.14 ready
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION display=:0.0
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION enable-audit-log=1
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- INPUT FD=21
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- IMPORT
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2c skipped
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
4 - 2010-05-07 22:24:25 gpgsm[14692]: total number processed: 0
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> S IMPORT_RES 0 0 0 0
0 0 0 0 0 0 0 0 0 0
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> ERR 150995078 BER error <KSBA>
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- BYE
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK closing connection
[client at fd 4 disconnected]
======================================

Any idea why Kleopatra fails with this new Comodo certificate? It
had/has no problem using the expired certificate by the same CA (of
course it is shown as expired now). How could I troubleshoot this
thing?

Some things I have tried so far:

I have imported and used this SSL cert on a webmail client (Horde) and
had no problem with it.

I have also tried the same SSL cert on two different Gentoo PCs (one
x86 and one amd64) but both fail in the way described above.

Running openssl pkcs12 -in cert_file.p12 seems to work fine and
displays the priv key and cert bundle on the terminal, without any
problem, irrespective of the length of passphrase.

I have visually compared the output on the terminal between expired
and new certificates and cannot see a difference.

Anything else I could try?
--
Regards,
Mick
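
Added example (not part of the message above and not GnuPG code): the byte values in the "invalid radix64 character" log lines are hexadecimal, and this sketch decodes them and lists which lines of a PEM file contain those characters outside the BEGIN/END armor lines. The PEM text is constructed, and it assumes the bundle was written by `openssl pkcs12`, which prints attribute text around each armored block; the function names are hypothetical.

```python
import re

# Constructed sample: three of the gpgsm log lines quoted in the message.
LOG = """\
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2c skipped
"""

# Constructed PEM text (not real key material). Assumption: the layout that
# `openssl pkcs12` prints, with attribute text around each armored block.
PEM = """\
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: constructed-sample
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

ARMOR = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")
SKIPPED = re.compile(r"invalid radix64 character ([0-9a-fA-F]{2}) skipped")

def skipped_chars(log):
    """Distinct characters named in the log, in first-seen order."""
    return list(dict.fromkeys(chr(int(h, 16)) for h in SKIPPED.findall(log)))

def lines_with(pem_text, chars):
    """(line number, text, hits) for non-armor lines holding any of chars."""
    found = []
    for no, line in enumerate(pem_text.splitlines(), 1):
        if ARMOR.match(line.strip()):
            continue
        hits = sorted(set(line) & set(chars))
        if hits:
            found.append((no, line.strip(), hits))
    return found

if __name__ == "__main__":
    for no, text, hits in lines_with(PEM, skipped_chars(LOG)):
        print(f"line {no}: {hits} in {text!r}")
```

Run against the actual PEM bundle instead of the constructed one, this shows whether text outside the base64 body accounts for the characters gpgsm reported.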

Replies

Subject Author
[gentoo-user] Re: S/MIME passphrase problem with Kleopatra Mick <michaelkintzios@×××××.com>