Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: S/MIME passphrase problem with Kleopatra
Date: Sat, 11 Sep 2010 17:45:50
Message-Id: 201009111844.56963.michaelkintzios@gmail.com
In Reply to: [gentoo-user] S/MIME passphrase problem with Kleopatra by Mick
On Thursday 13 May 2010 11:08:48 you wrote:
> In the last two weeks I renewed an SSL certificate from Comodo for
> email usage. This time round Kleopatra is having problems with
> recognising the passphrase I use.
>
> I partially suspect a gnupg bug here probably relating to mime
> characters, but I am not sure how to troubleshoot it. This is a
> sequence of events that shows how the problem occurs:
>
> I export the SSL cert from Firefox as a pkcs12 file. It asks for a
> passphrase to encrypt it with. It will accept my passphrase and saves
> the exported .p12 bundle as a file on my hard drive. Then I try to
> import this into Kleopatra. This is what I have come across here:
>
> If I have used a short passphrase when exporting from Firefox (say 8
> characters long) there's no problem importing it into Kleopatra.
> If I use a long passphrase then it fails every time:
>
> "Please enter a passphrase to unprotect the PKCS#12 object."
> p4ssPhr4se
> "An error occurred while trying to import the certificate - Decryption
> failed."
>
> The log shows:
> ======================================
> [2010-05-12T19:51:45] Log cleared
> 6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to unprotect the secret key: Bad passphrase
> 6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to read the secret key
> 6 - 2010-05-12 19:52:12 gpg-agent[13563]: command pksign failed: Bad passphrase
> 6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>
> 4 - 2010-05-12 19:52:12 gpgsm[16759]: error creating signature: Bad passphrase <GPG Agent>
> 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>
> 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: <- BYE
> 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> OK closing connection
> [client at fd 4 disconnected]
> 5 - 2010-05-12 19:52:12 dirmngr[16760.0] DBG: <- [EOF]
> 6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: <- [EOF]
> 6 - 2010-05-12 19:52:12 gpg-agent[13563]: handler 0xbf04c0 for fd 6 terminated
> [client at fd 5 disconnected]
> ======================================
>
> Now, as I said above if I use a short passphrase to encrypt the
> certificate bundle when exporting it from Firefox, I manage to import
> it into Kleopatra and then I can re-encrypt it either with the
> same short passphrase or with a longer passphrase. Kleopatra will
> accept any length at that stage and import it happily. However, even
> if I import it into Kleopatra I can't use it thereafter! Every time I
> try to use it in Kmail to sign/encrypt/decrypt a message it will fail
> when I enter the passphrase. :-(
>
> I have tried to convert the exported pkcs12 file into a pem bundle,
> but Kleopatra then fails to import it right from the start with a BER
> error - it doesn't even ask for a passphrase to decrypt it:
> ======================================
> [2010-05-07T22:24:22] Log cleared
> [client at fd 4 connected]
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: enabled debug flags: assuan
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Home: ~/.gnupg
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Config: /home/michael/.gnupg/gpgsm.conf
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # AgentInfo: /tmp/gpg-yRFiu9/S.gpg-agent:13728:1
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # DirmngrInfo: [not set]
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK GNU Privacy Guard's S/M server 2.0.14 ready
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION display=:0.0
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION enable-audit-log=1
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- INPUT FD=21
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- IMPORT
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2c skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: total number processed: 0
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> S IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> ERR 150995078 BER error <KSBA>
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- BYE
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK closing connection
> [client at fd 4 disconnected]
> ======================================
>
> Any idea why Kleopatra fails with this new Comodo certificate? It
> had/has no problem using the expired certificate by the same CA (of
> course it is shown as expired now). How could I troubleshoot this
> thing?
>
> Some things I have tried so far:
>
> I have imported and used this SSL cert on a webmail client (Horde) and
> had no problem with it.
>
> I have also tried the same SSL cert on two different Gentoo PCs (one
> x86 and one amd64) but both fail in the way described above.
>
> Running openssl pkcs12 -in cert_file.p12 seems to work fine and
> displays the priv key and cert bundle on the terminal, without any
> problem, irrespective of the length of passphrase.
>
> I have visually compared the output on the terminal between expired
> and new certificates and cannot see a difference.
>
> Anything else I could try?

I found what's wrong with it - a regression bug in gnupg-2.0.14, which also
seems to exist in gnupg-2.0.16-r1 that I am running here.

If the passphrase is changed then the bug manifests and there is no way to use
the certificate again - entering the new passphrase fails.

The solution is to import the new cert using gpgsm --import, stick to the same
passphrase with which the pkcs12 was secured and things should work
thereafter, as long as you do not change the passphrase.

See more info here:

http://marc.info/?l=gnupg-users&m=126451730710129&w=2

I've raised bug #336846.
--
Regards,
Mick

Attachments

File name MIME type
signature.asc application/pgp-signature
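A small diagnostic for the BER-error path quoted above, added here as an example; it is not code from this thread or from GnuPG, and the bundle it parses is a constructed stand-in for a real `openssl pkcs12 -in cert_file.p12` dump (its base64 bodies are placeholder bytes, not keys or certificates). The bytes gpgsm logged as invalid radix64 characters, 2d, 3a and 2c, are ASCII '-', ':' and ',', none of which is in the base64 alphabet; `openssl pkcs12` prints header lines (`Bag Attributes`, `localKeyID:`, `friendlyName:`, `subject=`, `issuer=`) in front of every PEM block, and those lines carry exactly such characters. The script splits a dump into its blocks, reports the non-base64 bytes on the header lines the way gpgsm does, and re-emits only the CERTIFICATE blocks as clean PEM. The private key is deliberately left out: the gpgsm of that era imports certificates (DER or PEM) and PKCS#12 files, not a bare PEM private key, which matches the fix in the reply of importing the .p12 itself with `gpgsm --import`.

```python
"""
Split the text that `openssl pkcs12 -in bundle.p12` prints into its PEM
blocks, list the non-base64 bytes on the bag-attribute header lines (what a
strict armor reader logs as "invalid radix64 character NN skipped"), and
re-emit only the CERTIFICATE blocks as clean PEM.

Example added for illustration; SAMPLE_DUMP below is constructed and its
base64 bodies are placeholder bytes, not real keys or certificates.
"""
import base64
import re
import sys
from dataclasses import dataclass, field
from typing import List, Tuple

BASE64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


@dataclass
class PemBlock:
    label: str                 # "CERTIFICATE", "ENCRYPTED PRIVATE KEY", ...
    body_b64: str              # base64 body with the line breaks removed
    attributes: List[str] = field(default_factory=list)  # header lines before the block

    def der(self) -> bytes:
        # validate=True makes b64decode reject any byte outside the alphabet
        return base64.b64decode(self.body_b64, validate=True)

    def to_pem(self) -> str:
        wrapped = [self.body_b64[i:i + 64] for i in range(0, len(self.body_b64), 64)]
        return "\n".join([f"-----BEGIN {self.label}-----", *wrapped,
                          f"-----END {self.label}-----"]) + "\n"


def parse_dump(text: str) -> List[PemBlock]:
    """Walk the dump line by line; anything outside BEGIN/END is a header line."""
    blocks: List[PemBlock] = []
    pending: List[str] = []
    label, body = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if body is None:
            m = BEGIN_RE.match(line)
            if m:
                label, body = m.group(1), []
            elif line:
                pending.append(raw.rstrip())
            continue
        m = END_RE.match(line)
        if m is None:
            body.append(line)
            continue
        if m.group(1) != label:
            raise ValueError(f"END {m.group(1)} does not close BEGIN {label}")
        blocks.append(PemBlock(label, "".join(body), pending))
        pending, label, body = [], None, None
    if body is not None:
        raise ValueError(f"unterminated BEGIN {label} block")
    return blocks


def non_base64_chars(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, line, sorted hex of its non-base64 bytes) for every header
    line that has such bytes; whitespace is ignored, as an armor reader would."""
    out, in_body = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if BEGIN_RE.match(line):
            in_body = True
            continue
        if END_RE.match(line):
            in_body = False
            continue
        if in_body:
            continue
        bad = sorted({f"{ord(c):02x}" for c in line
                      if c not in BASE64_ALPHABET and not c.isspace()})
        if bad:
            out.append((n, line, bad))
    return out


def certificates_only(text: str) -> str:
    """Clean PEM holding just the CERTIFICATE blocks, no bag attributes, no key."""
    return "".join(b.to_pem() for b in parse_dump(text) if b.label == "CERTIFICATE")


def _constructed_block(label: str, payload: bytes, attrs=()) -> str:
    body = base64.encodebytes(payload).decode("ascii").rstrip("\n")
    return "\n".join([*attrs, f"-----BEGIN {label}-----", body,
                      f"-----END {label}-----"]) + "\n"


# Constructed sample in the shape of an `openssl pkcs12` dump (hypothetical names).
KEY_PAYLOAD = b"constructed placeholder, not a real private key"
USER_CERT_PAYLOAD = b"constructed placeholder, not a real user certificate"
CA_CERT_PAYLOAD = b"constructed placeholder, not a real CA certificate"
SAMPLE_DUMP = (
    _constructed_block("ENCRYPTED PRIVATE KEY", KEY_PAYLOAD, attrs=[
        "Bag Attributes", "    localKeyID: 4E 32 10 AB 7C",
        "    friendlyName: Mick, S/MIME", "Key Attributes: <No Attributes>"])
    + _constructed_block("CERTIFICATE", USER_CERT_PAYLOAD, attrs=[
        "Bag Attributes", "    localKeyID: 4E 32 10 AB 7C",
        "subject=/CN=Mick/emailAddress=user@example.com",
        "issuer=/CN=Example Class 1 Client CA"])
    + _constructed_block("CERTIFICATE", CA_CERT_PAYLOAD, attrs=[
        "Bag Attributes: <No Attributes>",
        "subject=/CN=Example Class 1 Client CA", "issuer=/CN=Example Root CA"])
)


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    for n, line, bad in non_base64_chars(text):
        print(f"line {n}: non-base64 bytes {' '.join(bad)} in {line!r}", file=sys.stderr)
    for b in parse_dump(text):
        print(f"{b.label}: {len(b.der())} decoded bytes, "
              f"{len(b.attributes)} header lines", file=sys.stderr)
    sys.stdout.write(certificates_only(text))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 pem_dump_check.py dump.txt` on a saved dump (or with no argument to use the built-in constructed sample): the report goes to stderr and the certificate-only PEM to stdout, ready for `gpgsm --import`. The key stays in the .p12 and is imported from there, as the reply describes.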