On Thursday 13 May 2010 11:08:48 you wrote:
> In the last two weeks I renewed an SSL certificate from Comodo for
> email usage. This time round Kleopatra is having problems with
> recognising the passphrase I use.
>
> I partially suspect a gnupg bug here probably relating to mime
> characters, but I am not sure how to troubleshoot it. This is a
> sequence of events that shows how the problem occurs:
>
> I export the SSL cert from Firefox as a pkcs12 file. It asks for a
> passphrase to encrypt it with. It will accept my passphrase and saves
> the exported .p12 bundle as a file on my hard drive. Then I try to
> import this into Kleopatra. This is what I have come across here:
>
> If I have used a short passphrase when exporting from Firefox (say 8
> characters long) there's no problem importing it into Kleopatra.
> If I use a long passphrase then it fails every time:
>
> "Please enter a passphrase to unprotect the PKCS#12 object."
> p4ssPhr4se
> "An error occurred while trying to import the certificate - Decryption
> failed."
>
> The log shows:
> ======================================
> [2010-05-12T19:51:45] Log cleared
> 6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to unprotect the
> secret key: Bad passphrase
> 6 - 2010-05-12 19:52:12 gpg-agent[13563]: failed to read the secret key
> 6 - 2010-05-12 19:52:12 gpg-agent[13563]: command pksign failed: Bad
> passphrase
> 6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: -> ERR 67108875 Bad
> passphrase <GPG Agent>
> 4 - 2010-05-12 19:52:12 gpgsm[16759]: error creating signature: Bad
> passphrase <GPG Agent>
> 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> ERR 67108875 Bad
> passphrase <GPG Agent>
> 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: <- BYE
> 4 - 2010-05-12 19:52:12 gpgsm[16759.0] DBG: -> OK closing connection
> [client at fd 4 disconnected]
> 5 - 2010-05-12 19:52:12 dirmngr[16760.0] DBG: <- [EOF]
> 6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: <- [EOF]
> 6 - 2010-05-12 19:52:12 gpg-agent[13563]: handler 0xbf04c0 for fd 6
> terminated [client at fd 5 disconnected]
> ======================================
>
> Now, as I said above, if I use a short passphrase to encrypt the
> certificate bundle when exporting it from Firefox, I manage to import
> it into Kleopatra and then I can re-encrypt it either with the
> same short passphrase or with a longer passphrase. Kleopatra will
> accept any length at that stage and import it happily. However, even
> if I import it into Kleopatra I can't use it thereafter! Every time I
> try to use it in Kmail to sign/encrypt/decrypt a message it will fail
> when I enter the passphrase. :-(
>
> I have tried to convert the exported pkcs12 file into a pem bundle,
> but Kleopatra then fails to import it right from the start with a BER
> error - it doesn't even ask for a passphrase to decrypt it:
> ======================================
> [2010-05-07T22:24:22] Log cleared
> [client at fd 4 connected]
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: enabled debug flags: assuan
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Home: ~/.gnupg
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # Config:
> /home/michael/.gnupg/gpgsm.conf
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # AgentInfo:
> /tmp/gpg-yRFiu9/S.gpg-agent:13728:1
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> # DirmngrInfo: [not set]
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK GNU Privacy
> Guard's S/M server 2.0.14 ready
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION display=:0.0
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- OPTION enable-audit-log=1
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- INPUT FD=21
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- IMPORT
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2c skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 3a skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: invalid radix64 character 2d skipped
> 4 - 2010-05-07 22:24:25 gpgsm[14692]: total number processed: 0
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> S IMPORT_RES 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> ERR 150995078 BER error <KSBA>
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: <- BYE
> 4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> OK closing connection
> [client at fd 4 disconnected]
> ======================================
>
> Any idea why Kleopatra fails with this new Comodo certificate? It
> had/has no problem using the expired certificate by the same CA (of
> course it is shown as expired now). How could I troubleshoot this
> thing?
>
> Some things I have tried so far:
>
> I have imported and used this SSL cert on a webmail client (Horde) and
> had no problem with it.
>
> I have also tried the same SSL cert on two different Gentoo PCs (one
> x86 and one amd64) but both fail in the way described above.
>
> Running openssl pkcs12 -in cert_file.p12 seems to work fine and
> displays the priv key and cert bundle on the terminal, without any
> problem, irrespective of the length of passphrase.
>
> I have visually compared the output on the terminal between expired
> and new certificates and cannot see a difference.
>
> Anything else I could try?

I found what's wrong with it - a regression bug in gnupg-2.0.14, which also
seems to exist in gnupg-2.0.16-r1 that I am running here.

If the passphrase is changed then the bug manifests and there is no way to use
the certificate again - entering the new passphrase fails.

The solution is to import the new cert using gpgsm --import, stick to the same
passphrase with which the pkcs12 was secured and things should work
thereafter, as long as you do not change the passphrase.

See more info here:

http://marc.info/?l=gnupg-users&m=126451730710129&w=2

I've raised bug #336846.
--
Regards,
Mick
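As an added example (not code from this thread or from GnuPG), the script below decodes the numeric codes in the "ERR <number>" lines of the gpg-agent and gpgsm logs quoted above using libgpg-error's encoding: bits 24..30 identify the component that raised the error and the low 16 bits carry the error code. The source and code tables are a short subset transcribed from libgpg-error; the two sample log lines are copied from the thread.

```python
"""Decode libgpg-error values found in Assuan 'ERR <number> <text>' log lines.

Encoding (libgpg-error): value = (source << 24) | code, with the source in
bits 24..30 and the code in the low 16 bits. The tables below are a small
subset of libgpg-error's enums, enough for the values seen in this thread.
"""
import re

# Subset of gpg_err_source_t (which program raised the error).
ERR_SOURCES = {
    0: "Unknown", 1: "GCrypt", 2: "GPG", 3: "GPGSM", 4: "GPG Agent",
    5: "Pinentry", 6: "SCD", 7: "GPGME", 8: "Keybox", 9: "KSBA", 10: "Dirmngr",
}

# Subset of gpg_err_code_t (what went wrong).
ERR_CODES = {
    0: "Success", 11: "Bad passphrase", 12: "Bad PIN", 17: "No secret key",
    134: "BER error",
}

ERR_LINE = re.compile(r"ERR (\d+)(?: (.*))?$")

# Constructed sample: two lines copied from the logs quoted in the thread.
SAMPLE_LOG = [
    "6 - 2010-05-12 19:52:12 gpg-agent[13563.6] DBG: -> ERR 67108875 Bad passphrase <GPG Agent>",
    "4 - 2010-05-07 22:24:25 gpgsm[14692.0] DBG: -> ERR 150995078 BER error <KSBA>",
]


def decode_gpg_error(value: int) -> tuple:
    """Split a packed libgpg-error value into (source name, error name)."""
    source = (value >> 24) & 0x7F     # GPG_ERR_SOURCE_MASK = 127
    code = value & 0xFFFF             # GPG_ERR_CODE_MASK = 65535
    return (ERR_SOURCES.get(source, f"source {source}"),
            ERR_CODES.get(code, f"code {code}"))


def explain_log(lines):
    """Return (number, source, error) for every ERR line in the log."""
    found = []
    for line in lines:
        m = ERR_LINE.search(line)
        if m:
            number = int(m.group(1))
            found.append((number,) + decode_gpg_error(number))
    return found


if __name__ == "__main__":
    for number, src, err in explain_log(SAMPLE_LOG):
        # 67108875 -> GPG Agent / Bad passphrase; 150995078 -> KSBA / BER error
        print(f"{number}: {src}: {err}")
```

Decoding shows that the PEM import failed inside KSBA's DER parser (the "Bag Attributes" lines produced by openssl are not base64), before any passphrase was requested, while the .p12 failure is the agent rejecting the passphrase.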