On Saturday 19 April 2008, Mick wrote:
> Hi All,
>
> I am trying to import an SSL certificate into gpgsm/kleopatra and I cannot
> seem to be able to make it work:
>
> 1. Trying the CLI gives me:
> =========================================
> $ gpgsm --import /media/sda/Personal/OpenSSL/Comodo/michael_email_comodo_080419.p12
> gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
> gpgsm: gpg-protect-tool: 1224 bytes of 3DES encrypted text
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-1'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-15'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-2'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-3'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-4'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-5'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-6'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-7'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-8'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-9'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `KOI8-R'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `IBM437'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `IBM850'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `EUC-JP'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: decryption failed; trying charset `BIG5'
> gpgsm: gpg-protect-tool: password too long
> gpgsm: gpg-protect-tool: data error at "decrypted-text", offset 2951359603
> gpgsm: gpg-protect-tool: error at "bag-sequence", offset 15
> gpgsm: gpg-protect-tool: error parsing or decrypting the PKCS-12 file
> gpgsm: error running `/usr/libexec/gpg-protect-tool': exit status 2
> gpgsm: total number processed: 0
> secmem usage: 0/16384 bytes in 0 blocks
> =========================================
>
> If I import/export the cert from Firefox, then I can import it in
> Konqueror. However, when I try to import it in Kleopatra it fails after I
> enter my cert passphrase. I managed to import the cert in Kleopatra
> without the private key. As you understand that's no good for me because I
> cannot sign emails with it (it doesn't show up on the list of certs).
>
> Any ideas how I could make this work? I can't recall having such problems
> with the CACert.org certificates (or if I did I can't recall what's the
> fix!).

There seem to be two problems with gpgsm, probably bugs - or perhaps design
limitations?

1. gpgsm cannot import the complete pkcs12 bundle. This needs to be broken
down and imported separately as the public key (cert) and the private key.
Whether this compromises safety (having an unencrypted private key on your
drive) is a moot point, but makes me think that GnuPG is a much better
solution than SSL certs for emails at least.
2. Long passphrases seem to generate the above error. So, if you come across
the same error try generating your key with a smaller passphrase, or edit it
with openssl pkcs options.

HTH.
--
Regards,
Mick
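
The second workaround above (changing the passphrase with openssl), as an added example that is not part of the original post: it re-wraps a PKCS#12 bundle under a different passphrase while keeping the private key encrypted in the intermediate file, then checks that the certificate is unchanged. The function names, file names, passphrases and the OLD_PASS/NEW_PASS variables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); all names and passphrases are constructed.
# Passphrases are read from the environment variables OLD_PASS and NEW_PASS
# so they do not appear in the process list.

# Re-wrap IN_P12 as OUT_P12 under NEW_PASS. The intermediate PEM holds the
# private key AES-256 encrypted, so no cleartext key is written to disk.
rewrap_p12() {
    in_p12=$1; out_p12=$2
    pem=$(mktemp) || return 1
    if openssl pkcs12 -in "$in_p12" -passin env:OLD_PASS \
            -aes256 -passout env:NEW_PASS -out "$pem" 2>/dev/null &&
       openssl pkcs12 -export -in "$pem" -passin env:NEW_PASS \
            -out "$out_p12" -passout env:NEW_PASS 2>/dev/null
    then rc=0; else rc=1; fi
    rm -f "$pem"
    return $rc
}

# Print the SHA-256 fingerprint of the client certificate inside a bundle.
# $2 is the NAME of the environment variable that holds the passphrase.
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Build a throwaway self-signed bundle protected by OLD_PASS (test data only).
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/long.p12" -passout env:OLD_PASS
}

# Constructed demo: re-wrap the sample bundle and confirm the certificate
# fingerprint is identical before and after.
demo() {
    tmp=$(mktemp -d) || return 1
    OLD_PASS='constructed-long-passphrase-running-well-past-forty-characters-0123456789'
    NEW_PASS='constructed-short-pass'
    export OLD_PASS NEW_PASS
    if make_sample_p12 "$tmp" && rewrap_p12 "$tmp/long.p12" "$tmp/short.p12"; then
        before=$(p12_cert_fingerprint "$tmp/long.p12" OLD_PASS)
        after=$(p12_cert_fingerprint "$tmp/short.p12" NEW_PASS)
    fi
    rm -rf "$tmp"
    [ -n "$before" ] && [ "$before" = "$after" ]
}
```

Run `demo` to exercise the round trip; for a real bundle, export OLD_PASS and NEW_PASS and call `rewrap_p12 old.p12 new.p12`.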