
Mailing List Archive: GnuPG: devel

gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root

 

 



bernhard at intevation

Apr 2, 2009, 5:28 AM

Post #1 of 9
gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root

Something is wrong with
CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE
Corporation,C=US,serial#: 01A5
http://www.telesec.de/service/GTE-CyberTrust-Global-Root.der

gpgsm 2.0.11 can import, but not use it.
The GPG_ERR_NO_VALUE is not conclusive.
What is going on?

See the following session:


rm -r dot.gnupg/
mkdir dot.gnupg
LANGUAGE=C GPGHOME=dot.gnupg gpgsm --no-common-certs-import --list-keys
gpgsm: keybox `/home/bernhard/tmp/dot.gnupg/pubring.kbx' created
LANGUAGE=C GPGHOME=dot.gnupg gpgsm --list-keys
LANGUAGE=C GPGHOME=dot.gnupg gpgsm --import GTE-CyberTrust-Global-Root.der
gpgsm: total number processed: 1
gpgsm: imported: 1
LANGUAGE=C GPGHOME=dot.gnupg gpgsm --list-keys
/home/bernhard/tmp/dot.gnupg/pubring.kbx
----------------------------------------
ID: 0x367EF474
S/N: 01A5
Issuer: /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions,
Inc./O=GTE Corporation/C=US
Subject: /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions,
Inc./O=GTE Corporation/C=US
validity: 1998-08-13 00:29:00 through 2018-08-13 23:59:00
key type: 1024 bit RSA
chain length: none
fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74

LANGUAGE=C GPGHOME=dot.gnupg gpgsm -e -r
97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
gpgsm: can't encrypt to
`97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74': No value
LANGUAGE=C GPGHOME=dot.gnupg gpgsm -vvv --debug-all -e -r
97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
gpgsm: NOTE: no default option file `X/dot.gnupg/gpgsm.conf'
gpgsm: no key usage specified - assuming all usages
gpgsm: DBG: BEGIN Certificate `target':
gpgsm: DBG: serial: 01A5
gpgsm: DBG: notBefore: 1998-08-13 00:29:00
gpgsm: DBG: notAfter: 2018-08-13 23:59:00
gpgsm: DBG: issuer: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust
Solutions\, Inc.,O=GTE Corporation,C=US
gpgsm: DBG: subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust
Solutions\, Inc.,O=GTE Corporation,C=US
gpgsm: DBG: hash algo: 1.2.840.113549.1.1.4
gpgsm: DBG: SHA1 Fingerprint:
97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
gpgsm: DBG: END Certificate
gpgsm: DBG: connection to agent established
gpgsm: DBG: signature value: 28 37 3A 73 69 67 2D 76 61 6C 28 33 3A 72 73 61
28 31 3A 73 31 32 38 3A 6D EB 1B 09 E9 5E D9 51 DB 67 22 61 A4 2A 3C 48 77 E3
A0 7C A6 DE 73 A2 14 03 85 3D FB AB 0E 30 C5 83 16 33 81 13 08 9E 7B 34 4E DF
40 C8 74 D7 B9 7D DC F4 76 55 7D 9B 63 54 18 E9 F0 EA F3 5C B1 D9 8B 42 1E B9
C0 95 4E BA FA D5 E2 7C F5 68 61 BF 8E EC 05 97 5F 5B B0 D7 A3 85 34 C4 24 A7
0D 0F 95 93 EF CB 94 D8 9E 1F 9D 5C 85 6D C7 AA AE 4F 1F 22 B5 CD 95 AD BA A7
CC F9 AB 0B 7A 7F 29 29 28 34 3A 68 61 73 68 33 3A 6D 64 35 29 29
gpgsm: DBG: encoded hash: 00 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30
20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 10 E1 B3 4A 19 37 4F C7 10 C6
16 67 B8 2E 8F 1C 2C
DBG: pubkey_verify: algo=1
pkey::
950FA0B6F0509CE87AC788CDDD170E2EB094D01B3D0EF694C08A94C706C89097C8B8641A7A7E6C3C53E1372873607FB29753079F53F96D5894D2AF8D6D886780E6EDB295CF7231CAA51C72BA5C02E76442E7F9A92CD63A0DAC8D42AA240139E69C3F0185570D588745F8D385AA936926857048803F1215C779B41F052F3B6299
pkey:: 10001
sig::
6DEB1B09E95ED951DB672261A42A3C4877E3A07CA6DE73A21403853DFBAB0E30C58316338113089E7B344EDF40C874D7B97DDCF476557D9B635418E9F0EAF35CB1D98B421EB9C0954EBAFAD5E27CF56861BF8EEC05975F5BB0D7A38534C424A70D0F9593EFCB94D89E1F9D5C856DC7AAAE4F1F22B5CD95ADBAA7CCF9AB0B7A7F
hash::
1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003020300C06082A864886F70D020505000410E1B34A19374FC710C61667B82E8F1C2C
gpgsm: DBG: gcry_pk_verify: Success
gpgsm: validation model used: shell
gpgsm: can't encrypt to
`97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74': No value
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/16384 bytes in 0 blocks


--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht (district court) Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


bernhard at intevation

Apr 3, 2009, 4:21 AM

Post #2 of 9
Re: gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root [In reply to]

On Thursday, 2 April 2009 14:28:20, Bernhard Reiter wrote:
> Something is wrong with
> CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE
> Corporation,C=US,serial#: 01A5
> http://www.telesec.de/service/GTE-CyberTrust-Global-Root.der
>
> gpgsm 2.0.11 can import, but not use it.
> The GPG_ERR_NO_VALUE is not conclusive.
> What is going on?

Looks like some check in gpg-agent rejects that certificate.
gpg-agent[4432.8] DBG: <- ISTRUSTED 97817950D81C9670CC34D809CF794431367EF474
gpg-agent[4432.8] DBG: -> ERR 67108962 Nicht vertrauenswürdig [Not trusted] <GPG Agent>
gpgsm: can't encrypt to `GTE': No value

Some user reported that "relax" for the trustlist.txt might help, I am going
to test this next. Already the documentation for what relax does is a bit
fuzzy on this and so is the status message. "Not trusted, failing check"
would be much better. Shall I open an issue for this already?

Note that there are a lot of SMIME users with this certificate around,
though it certainly is not the best certificate someone could get.

> See the following session:
>
>   rm -r dot.gnupg/
>   mkdir dot.gnupg
>   LANGUAGE=C GPGHOME=dot.gnupg gpgsm --no-common-certs-import --list-keys

Typo in the script; it should have been GNUPGHOME of course. (I had set it in the
environment before, which is why my typo still gave me the right behaviour.
Sorry for the potential confusion.)

Bernhard



wk at gnupg

Apr 3, 2009, 5:20 AM

Post #3 of 9
Re: gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root [In reply to]

On Thu, 2 Apr 2009 14:28, bernhard [at] intevation said:
> Something is wrong with
> CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE
> Corporation,C=US,serial#: 01A5
> http://www.telesec.de/service/GTE-CyberTrust-Global-Root.der
>
> gpgsm 2.0.11 can import, but not use it.
> The GPG_ERR_NO_VALUE is not conclusive.
> What is going on?

Here are the reasons for this error code:

GPG_ERR_NO_VALUE No value

GNUPG:  - A timestamp value is expected but there is none.
KSBA:   - A timestamp value is expected but there is none.
        - A certificate is missing a required property.
        - A CMS object is missing a required property.
        - Converting a Distinguished Name to an RFC2253 string failed.

I doubt that this will help you. I'll check the certificate.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. [Thoughts are free. Exceptions are regulated by a federal law.]


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

Apr 3, 2009, 5:23 AM

Post #4 of 9
Re: gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root [In reply to]

On Fri, 3 Apr 2009 13:21, bernhard [at] intevation said:

> Looks like some check in gpg-agent rejects that certificate.
> gpg-agent[4432.8] DBG: <- ISTRUSTED 97817950D81C9670CC34D809CF794431367EF474
> gpg-agent[4432.8] DBG: -> ERR 67108962 Nicht vertrauenswürdig [Not trusted] <GPG Agent>

That merely means that the certificate is not in the trustlist.txt.

> Some user reported that "relax" for the trustlist.txt might help, I am going
> to test this next. Already the documentation for what relax does is a bit
> fuzzy on this and so is the status message. "Not trusted, failing check"

This is on purpose, so that we can disable one or the other check
without being required to stick to it with the next release of GnuPG.
The certificate is broken and relax is just a workaround.


Salam-Shalom,

Werner

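
The "relax" workaround discussed in the two posts above, as an added illustration: this is not part of the thread and not the GnuPG project's own text. The gpg-agent documentation describes the relax flag on a trustlist.txt entry as allowing a root certificate that lacks the basicConstraints attribute (the property cert-basic reports as missing further down in this thread) and as disabling CRL checking for that root. The fingerprint is the one from the ISTRUSTED line quoted above; the comments are added here.

```text
# ~/.gnupg/trustlist.txt  (read by gpg-agent; apply changes with: gpgconf --reload gpg-agent)
#
# <SHA-1 fingerprint, colons optional>   <S = S/MIME>   [flags]
# Keep only ONE of the two lines below for a given fingerprint.

# Plain entry: marks the root as trusted, but gpgsm still applies its
# root-certificate checks, so a root without basicConstraints is still rejected.
97817950D81C9670CC34D809CF794431367EF474 S

# Workaround for exactly this root: relax those checks for this fingerprint only.
# Note that relax also switches off CRL checking for this root.
97817950D81C9670CC34D809CF794431367EF474 S relax
```

Only the entry carrying the flag is relaxed; every other root in the file keeps the full checks, which is why a per-fingerprint flag is preferable to any global setting. The root discussed here is valid only through 2018-08-13 according to the listing above, so the entry is of historical interest today.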


wk at gnupg

Apr 3, 2009, 5:34 AM

Post #5 of 9
Re: gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root [In reply to]

On Thu, 2 Apr 2009 14:28, bernhard [at] intevation said:
> Something is wrong with
> CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE
> Corporation,C=US,serial#: 01A5
> http://www.telesec.de/service/GTE-CyberTrust-Global-Root.der

In libksba/tests you find a useful tool for such cases:

$ ./cert-basic GTE-CyberTrust-Global-Root.der
Certificate in `GTE-CyberTrust-Global-Root.der':
serial....: (#01A5# )
issuer....: `CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US'
subject...: `CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US'
notBefore.: 1998-08-13 00:29:00
notAfter..: 2018-08-13 23:59:00
hash algo.: 1.2.840.113549.1.1.4 (md5withRSAEncryption)
cert-basic.c:285: enumerating extensions failed: No value
SubjectKeyIdentifier: none
AuthorityKeyIdentifier: none
cert-basic.c:343: ksba_cert_is_ca failed: No value
KeyUsage: Not specified
ExtKeyUsages: none
CertificatePolicies: none
cert-basic.c:453: ksba_cert_get_crl_dist_point failed: No value
cert-basic.c:472: ksba_cert_get_authority_info_access failed: No value
cert-basic.c:491: ksba_cert_get_subject_info_access failed: No value

"ksba_cert_is_ca failed" is the problem with that certificate. It is a
root certificate but it does not say so in its signedAttributes. Hmmm,
there are no signed attributes at all.

BTW, I consider this a feature of GnuPG: Would you really trust a CA
which issues a root certificate valid for 20 years? That was even
ridiculous back in 1998. The use of MD5 was kind of justified 11 years
ago.

Don't spend any more time on this, you better use plaintext than GTE
Cybertrust "secured" encryption.


Shalom-Salam,

Werner


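
A worked example, added here and not code from GnuPG or libksba, covering two passages of this thread: the cert-basic checks in the post above and the `--debug-all` output in the first post. It contains a minimal DER walker, a small DER encoder used only to construct two sample certificates (a v1 root with no extensions signed with md5WithRSAEncryption, and a v3 root carrying BasicConstraints cA=TRUE), and a decoder for the 128-byte "encoded hash" printed in the first post, which shows the DigestInfo inside the PKCS#1 v1.5 block naming MD5 (OID 1.2.840.113549.2.5). Assumptions: the sample certificates carry a dummy modulus and dummy signature bytes and nothing is cryptographically verified; `is_ca` is reported as `None` where cert-basic printed "No value", which models the reported behaviour rather than reproducing libksba's internals; the 10-year validity threshold is an illustration, not a gpgsm setting.

```python
# Added example (not GnuPG or libksba code): a minimal DER walker that re-runs
# the checks cert-basic and gpgsm reported in this thread and decodes the
# PKCS#1 v1.5 "encoded hash" printed by gpgsm --debug-all in the first post.
from datetime import datetime

OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.2.5": "md5",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.3.14.3.2.26": "sha1"}

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value (SEQUENCE, SET, [n]) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def oid_decode(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n); n = 0
    return ".".join(map(str, arcs))

def inspect_certificate(cert_der, max_years=10):
    """X.509 version, signature algorithm, validity span and BasicConstraints."""
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])  # TBSCertificate
    version = 1
    if fields[0][0] == 0xA0:                            # [0] EXPLICIT Version present
        version, fields = der_read(fields[0][1])[1][-1] + 1, fields[1:]
    sig_oid = oid_decode(der_children(fields[1][1])[0][1])
    nb, na = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
              for _, v in der_children(fields[3][1]))
    exts = [v for t, v in fields[6:] if t == 0xA3]     # [3] EXPLICIT Extensions
    is_ca = None          # stays None (libksba's "No value") when BasicConstraints is absent
    for ext_list in exts:
        for _, ext in der_children(der_children(ext_list)[0][1]):
            parts = der_children(ext)                   # extnID, [critical], extnValue
            if oid_decode(parts[0][1]) == "2.5.29.19":  # id-ce-basicConstraints
                bc = der_children(der_children(parts[-1][1])[0][1])
                is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    years = (na - nb).days / 365.25
    problems = []
    if is_ca is None:
        problems.append("no BasicConstraints: ksba_cert_is_ca -> No value")
    if sig_oid == "1.2.840.113549.1.1.4":
        problems.append("signed with MD5")
    if years > max_years:                               # threshold is an assumption
        problems.append("validity %.0f years exceeds %d" % (years, max_years))
    return {"version": version, "sig_alg": OID_NAMES.get(sig_oid, sig_oid),
            "has_extensions": bool(exts), "is_ca": is_ca, "problems": problems}

def der(tag, payload):
    """Encode one DER TLV; used only to construct the sample certificates below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_cert(v3_with_ca_flag, years, sig_oid_hex):
    """Constructed sample: self-issued cert with a dummy modulus and dummy signature."""
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))   # CN
                                        + der(0x13, b"Example Root"))))
    validity = der(0x30, der(0x17, b"980813002900Z")
                   + der(0x17, b"%02d0813235900Z" % ((98 + years) % 100)))
    rsa = der(0x30, der(0x02, b"\x00" + b"\xc3" * 128) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
               + der(0x03, b"\x00" + rsa))
    tbs = der(0x02, b"\x01") + alg + name + validity + name + spki
    if v3_with_ca_flag:                                 # v3 + BasicConstraints { cA TRUE }
        bc = der(0x04, der(0x30, der(0x01, b"\xff")))
        ext = der(0x30, der(0x06, bytes.fromhex("551d13")) + der(0x01, b"\xff") + bc)
        tbs = der(0xA0, der(0x02, b"\x02")) + tbs + der(0xA3, der(0x30, ext))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" + b"\x6d" * 128))

ENCODED_HASH = bytes.fromhex("0001" + "ff" * 91 + "00"          # bytes from the first post
                             + "3020300c06082a864886f70d020505000410"
                             + "e1b34a19374fc710c61667b82e8f1c2c")

def decode_pkcs1_v15(em):
    """Undo EMSA-PKCS1-v1_5 (00 01 FF..FF 00 DigestInfo) and name the digest."""
    sep = em.index(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep - 2 < 8 or set(em[2:sep]) != {0xFF}:
        raise ValueError("not a well-formed type-1 PKCS#1 block")
    _, digest_info, end = der_read(em, sep + 1)
    if end != len(em):
        raise ValueError("trailing bytes after DigestInfo")
    (_, alg), (_, digest) = der_children(digest_info)
    oid = oid_decode(der_children(alg)[0][1])
    return OID_NAMES.get(oid, oid), digest.hex()

if __name__ == "__main__":
    print("digest named in the signature block:", decode_pkcs1_v15(ENCODED_HASH))
    print("v1, MD5, 20 years :", inspect_certificate(build_sample_cert(False, 20, "2a864886f70d010104")))
    print("v3, SHA-1, 5 years:", inspect_certificate(build_sample_cert(True, 5, "2a864886f70d010105")))
```

The v1 sample reproduces the shape of the failure: no extensions at all, so there is no BasicConstraints to consult and the CA question has no value, which is exactly what cert-basic reported. The v3 sample passes. The decoder insists that the DigestInfo ends where the block ends, since accepting trailing bytes is the classic mistake in PKCS#1 v1.5 signature checking.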


bernhard at intevation

Apr 3, 2009, 6:43 AM

Post #6 of 9
Re: gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root [In reply to]

On Friday, 3 April 2009 14:20:10, Werner Koch wrote:
> On Thu,  2 Apr 2009 14:28, bernhard [at] intevation said:
> > Something is wrong with
> > CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE
> > Corporation,C=US,serial#: 01A5
> > http://www.telesec.de/service/GTE-CyberTrust-Global-Root.der
> >
> > gpgsm 2.0.11 can import, but not use it.
> > The GPG_ERR_NO_VALUE is not conclusive.
> > What is going on?
>
> Here are the reasons for this error code:
>
> GPG_ERR_NO_VALUE                No value
>
>     GNUPG:  - A timestamp value is expected but there is none.
>     KSBA:   - A timestamp value is expected but there is none.
>             - A certificate is missing a required property.
>             - A CMS object is missing a required property.
>             - Converting a Distinguished Name to an RFC2253 string failed.
>
> I doubt that this will help you.  I'll check the certificate.

Thanks for the responses, yes, they do help me.

The certificate came out of a real use case and ate up time from real users.
The message "No value" is not enough for them and not for their supporting
administrators to get the idea that the certificate is to blame
(as compared to other setting, e.g. validation and so on).

So even if the result would be as simple as "Certificate failing basic
consistency checks" this would be very helpful. Then they could look up the
documentation which could potentially read like

The CMS implementation does a number of basic consistency checks
before using a certificate. For 2.0.11 these checks for instance are about
a) certificate length > X years
b) no use of MD5
c)..
The exact check parameters are subject to change for each version, if your
certificate fails you should consult an expert. If you are the expert,
check the source code or use ./cert-basic from libksba/tests

Bernhard


wk at gnupg

Apr 3, 2009, 7:17 AM

Post #7 of 9
Re: gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root [In reply to]

On Fri, 3 Apr 2009 15:43, bernhard [at] intevation said:

> consistency checks" this would be very helpful. Then they could look up the
> documentation which could potentially read like

> The CMS implementation does a number of basic consistency checks
> before using a certificate. For 2.0.11 these checks for instance are about
> a) certificate length > X years
[...]

Basically you want a complete description of every error case in GnuPG.
That is not going to happen given the sheer amount of checks we do.
There is this --audit feature I am working on and if this certain error
will occur more often, it makes sense to add specific support for this.

FWIW, I started to write a list of error code usages in GnuPG et al.
This will take quite some time to finish but eventually it will provide a
useful cross reference.


Shalom-Salam,

Werner



bernhard at intevation

Apr 6, 2009, 12:58 AM

Post #8 of 9
Re: gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root [In reply to]

On Friday, 3 April 2009 16:17:18, Werner Koch wrote:
> On Fri,  3 Apr 2009 15:43, bernhard [at] intevation said:
> > consistency checks" this would be very helpful. Then they could look up
> > the documentation which could potentially read like
> >
> >    The CMS implementation does a number of basic consistency checks
> >    before using a certificate. For 2.0.11 these checks for instance are
> > about a) certificate length > X years
>
>      [...]
>
> Basically you want a complete description of every error case in GnuPG.
> That is not going to happenn given the sheer amount of checks we do.

First I want a useful overview message, that states that the problem actually
is within the internal certificate checks (and not with the chain or the CRLs
or so).

Having an idea which kind of stuff is checked is a potential other step.

> There is this --audit feature I am working on and if this certain error
> will occur more often, it makes sense to add specific support for this.

Given that I have it twice in real support cases, having a "bad" certificate
is a common case.

> FWIW, I started to write a list of error code usages in GnuPG et al.
> This will take quite some time to finish but eventualy if provide a
> useful cross reference.

Sounds useful!
Bernhard




wk at gnupg

Apr 7, 2009, 3:19 AM

Post #9 of 9
Re: gpgsm: Cert trouble GPG_ERR_NO_VALUE for GTE CyberTrust Global Root [In reply to]

On Mon, 6 Apr 2009 09:58, bernhard [at] intevation said:

> First I want a useful overview message, that states that the problem actually
> is within the internal certificate checks (and not with the chain or the CRLs
> or so).

Nope, you can't view an X.509 certificate without considering the
certificates of the issuer. And no, there is no problem with the
certificate check - gpgsm merely rejects it as bogus.


Salam-Shalom,

Werner

