Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 336846 - app-crypt/gnupg-2.0.16-r1 passphrase iteration count causes pkcs12 certificate failure
Summary: app-crypt/gnupg-2.0.16-r1 passphrase iteration count causes pkcs12 certificat...
Status: VERIFIED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: High major (vote)
Assignee: Crypto team [DISABLED]
URL: http://marc.info/?l=gnupg-users&m=126...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-11 17:38 UTC by MickKi
Modified: 2010-10-19 19:34 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description MickKi 2010-09-11 17:38:46 UTC
As the URL discusses there seems to be a regression bug since gnupg-2.0.14 which causes gpg-agent to fail when importing or using a SSL Certificate, if the passphrase is changed in any way.  A typical error message is shown here:
=======================================
$ gpgsm --import comodo_cert.p12 
gpgsm: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
gpgsm: gpg-protect-tool: 1224 bytes of 3DES encrypted text
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-1'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-15'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-2'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-3'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-4'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-5'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-6'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-7'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-8'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `ISO-8859-9'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `KOI8-R'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `IBM437'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `IBM850'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `EUC-JP'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: decryption failed; trying charset `BIG5'
gpgsm: gpg-protect-tool: password too long
gpgsm: gpg-protect-tool: data error at "decrypted-text", offset 980593747
gpgsm: gpg-protect-tool: error at "bag-sequence", offset 15
gpgsm: gpg-protect-tool: error parsing or decrypting the PKCS-12 file
gpgsm: error running `/usr/libexec/gpg-protect-tool': exit status 2
gpgsm: total number processed: 0
secmem usage: 0/16384 bytes in 0 blocks
=======================================

If the certificate is imported using gpgsm --import without changing the passphrase it works fine thereafter, as long as the previously altered .gnupg/private-keys-v1.d/XXXXX....XXXXX.key of the certificate is first removed.

The URL offers a patch by Werner Koch.
-- 
Regards,
Mick

Reproducible: Always

Steps to Reproduce:
1. Export SSL certificate from browser (after obtained from Comodo)
2. Select secret_passphrase-1 to secure it for export.
3. Import certificate into gpgsm and enter secret_passphrase-1 to unlock it.
4. When requested enter secret_passphrase-2 and confirm to secure it in the gpg-agent.
5. gpg-agent fails.

The passphrase will also fail if it is changed, after the certificate has been imported.



$ gpgsm --version
gpgsm (GnuPG) 2.0.16
libgcrypt 1.4.5
libksba 1.0.7
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Cipher: 3DES, AES, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECDSA
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL

$ gpg --version
gpg (GnuPG) 2.0.16
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), 
        AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12), 
        CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), 
      SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-10-19 01:19:01 UTC
The email you link was already fixed in 2.0.15. I've personally verified that the new code from the patch is in 2.0.16.

Please retest or take it to the upstream mailing list.
Comment 2 MickKi 2010-10-19 19:25:45 UTC
Thanks Robin, 

I wonder if I had left an older private key in .gnupg/private-keys-v1.d/XXXXX....XXXXX.key and that was causing the problem?  I just tested changing the passphrase and I do not have a problem with it anymore.
-- 
Regards,
Mick
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-10-19 19:34:48 UTC
Possibly. Unless you can reproduce it on .16, this is closed for now.