1 |
In the last two weeks I renewed an SSL certificate from Comodo for |
2 |
email usage. This time round Kleopatra is having problems with |
3 |
recognising the passphrase I use. |
4 |
|
5 |
I partially suspect a gnupg bug here probably relating to mime |
6 |
characters, but I am not sure how to troubleshoot it. This is a |
7 |
sequence of events that show how the problem occurs: |
8 |
|
9 |
I export the SSL cert from Firefox as a pkcs12 file. It asks for a |
10 |
passphrase to encrypt it with. It will accept my passphrase and saves |
11 |
the exported .p12 bundle as a file on my hard drive. Then I try to |
12 |
import this into Kleopatra. This is what I have come across here: |
13 |
|
14 |
If I have used a short passphrase when exporting from Firefox (say 8 |
15 |
characters long) there's no problem importing it into Kleopatra. |
16 |
If I use a long passphrase then it fails every time: |
17 |
|
18 |
"Please enter a passphrase to unprotect the PKCS#12 object." |
19 |
p4ssPhr4se |
20 |
"An error occurred while trying to import the certificate - Decryption failed." |
21 |
|
22 |
The log shows: |
23 |
====================================== |
24 |
[2010-05-12T19:51:45] Log cleared |
25 |
6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to unprotect the |
26 |
secret key: Bad passphrase |
27 |
6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to read the secret key |
28 |
6 - 2010-05-12 19:52:12 gpg-agent[13563]: command pksign failed: Bad |
29 |
passphrase |
30 |
6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: -> ERR 67108875 Bad |
31 |
passphrase <GPG Agent> |
32 |
4 - 2010-05-12 19:52:12 gpgsm[16759]: error creating signature: Bad |
33 |
passphrase <GPG Agent> |
34 |
4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> ERR 67108875 Bad |
35 |
passphrase <GPG Agent> |
36 |
4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: <- BYE |
37 |
4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> OK closing connection |
38 |
[client at fd 4 disconnected] |
39 |
5 - 2010-05-12 19:52:12 dirmngr[16760.0] DBG: <- [EOF] |
40 |
6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: <- [EOF] |
41 |
6 - 2010-05-12 19:52:12 gpg-agent[13563]: handler 0xbf04c0 for fd 6 terminated |
42 |
[client at fd 5 disconnected] |
43 |
====================================== |
44 |
|
45 |
Now, as I said above if I use a short passphrase to encrypt the |
46 |
certificate bundle when exporting it from Firefox, I manage to import |
47 |
it into Kleopatra and then I can re-encrypt it with either with the |
48 |
same short passphrase or with a longer passphrase. Kleopatra will |
49 |
accept any length at that stage and import it happily. However, even |
50 |
if I import it into Kleopatra I can't use it thereafter! Every time I |
51 |
try to use it in Kmail to sign/encrypt/decrypt a message it will fail |
52 |
when I enter the passphrase. :-( |
53 |
|
54 |
I have tried to convert the exported pkcs12 file into a pem bundle, |
55 |
but Kleopatra then fails to import it right from the start with a BER |
56 |
error - it doesn't even ask for a passphrase to decrypt it: |
57 |
====================================== |
58 |
[2010-05-07T22:24:22] Log cleared |
59 |
[client at fd 4 connected] |
60 |
4 - 2010-05-07 22:24:25 gpgsm[14692]: enabled debug flags: assuan |
61 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Home: ~/.gnupg |
62 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Config: |
63 |
/home/michael/.gnupg/gpgsm.conf |
64 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # AgentInfo: |
65 |
/tmp/gpg-yRFiu9/S.gpg-agent:13728:1 |
66 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # DirmngrInfo: [not set] |
67 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK GNU Privacy |
68 |
Guard's S/M server 2.0.14 ready |
69 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION display=:0.0 |
70 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK |
71 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION enable-audit-log=1 |
72 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK |
73 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- INPUT FD=21 |
74 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK |
75 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- IMPORT |
76 |
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped |
77 |
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped |
78 |
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2c skipped |
79 |
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped |
80 |
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped |
81 |
4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped |
82 |
4 - 2010-05-07 22:24:25 gpgsm[14692]: total number processed: 0 |
83 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> S IMPORT_RES 0 0 0 0 |
84 |
0 0 0 0 0 0 0 0 0 0 |
85 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> ERR 150995078 BER error <KSBA> |
86 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- BYE |
87 |
4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK closing connection |
88 |
[client at fd 4 disconnected] |
89 |
====================================== |
90 |
|
91 |
Any idea why Kleopatra fails with this new Comodo certificate? It |
92 |
had/has no problem using the expired certificate by the same CA (of |
93 |
course it is shown as expired now). How could I troubleshoot this |
94 |
thing? |
95 |
|
96 |
Some things I have tried so far: |
97 |
|
98 |
I have imported and used this SSL cert on a webmail client (Horde) and |
99 |
had no problem with it. |
100 |
|
101 |
I have also tried the same SSL cert on two different Gentoo PCs (one |
102 |
x86 and one amd64) but both fail in the way described above. |
103 |
|
104 |
Running openssl pkcs12 -in cert_file.p12 seems to work fine and |
105 |
displays the priv key and cert bundle on the terminal, without any |
106 |
problem, irrespective of the length of passphrase. |
107 |
|
108 |
I have visually compared the output on the terminal between expired |
109 |
and new certificates and cannot see a difference. |
110 |
|
111 |
Anything else I could try? |
112 |
-- |
113 |
Regards, |
114 |
Mick |