[Alpine-info] Signing with S/MIME.

Carlos E. R. robin.listas at telefonica.net
Sun Nov 19 04:03:33 PST 2023



On 2023-11-18 at 21:48 -0700, Eduardo Chappa wrote:

> On Sun, 19 Nov 2023, Carlos E. R. wrote:
>
>>> -----------------------------
>>> Manage your own certificates
>>> -----------------------------
>>>
>>> Manage Public Certificates
>>> Manage Private Keys
>>> Manage Certificate Authorities
>>
>> I assume these three are for self-signed certificates, so they don't apply
>> to me.
>
> They apply to any certificates or keys that you wish to import, so they do
> apply to you.


Oh! Ok. Guess I have a thick day. :-}

All three show the certificates; I don't see errors.

Manage Certificate Authorities:

+++——————————————————
Certificate Information
---------------------------------------------------------------------------------------------------------------------------
Certificate Owner        Issuer
AC FNMT Usuarios         AC RAIZ FNMT-RCM
Ceres                    FNMT-RCM
FNMT-RCM                 ES
ES

Serial Number
45:5f:3a:e1:5c:21:cd:ba:54:4f:82:aa:47:51:eb:db

Validity
Not Before: Oct 28 11:48:58 2014 GMT
Not After: Oct 28 11:48:58 2029 GMT

SHA1 Fingerprint
80:8b:72:e4:3b:57:4c:f5:87:7c:b8:41:a8:df:88:39:6d:38:ab:94
MD5 Fingerprint
7a:92:88:1c:9a:ac:47:b4:3a:da:91:ff:da:ea:7e:8a

Certificate Chain Information
Issued to: AC FNMT Usuarios
- Signed by: AC RAIZ FNMT-RCM


Certificate validated without errors
——————————————————++-


Manage Public Certificates (private data replaced with ellipsis)

+++——————————————————
Certificate Information
---------------------------------------------------------------------------------------------------------------------------
Certificate Owner        Issuer
ROBIN......              AC FNMT Usuarios
ROBIN......              Ceres
CARLOS                   FNMT-RCM
IDCES-.....              ES
ES

Serial Number
1b:fd:....

Validity
Not Before: Mar 7 08:37:59 2022 GMT
Not After: Mar 7 08:37:59 2026 GMT

SHA1 Fingerprint
bd:5e:43:...
MD5 Fingerprint
1b:9a:78:...

Certificate Chain Information
Issued to: ROBIN...
- Signed by: AC FNMT Usuarios
- Signed by: AC RAIZ FNMT-RCM


Certificate validated without errors
——————————————————++-


Manage Private Keys
(private data replaced with ellipsis)

+++——————————————————
Certificate Information
---------------------------------------------------------------------------------------------------------------------------
Certificate Owner        Issuer
ROBIN...                 AC FNMT Usuarios
ROBIN...                 Ceres
CARLOS                   FNMT-RCM
IDCES-...                ES
ES

Serial Number
1b:fd:a4:...

Validity
Not Before: Mar 7 08:37:59 2022 GMT
Not After: Mar 7 08:37:59 2026 GMT

SHA1 Fingerprint
bd:5e:43:...
MD5 Fingerprint
1b:9a:78:...

Certificate Chain Information
Issued to: ROBIN...
- Signed by: AC FNMT Usuarios
- Signed by: AC RAIZ FNMT-RCM


Certificate validated without errors
——————————————————++-


What I don't see is the mail address!


On Thunderbird, it says:

Purposes: E-mail Protection, Client Authentication



>
>>>> MAIL@ADDRESS.key -> ~/.alpine-smime/private/
>>>> MAIL@ADDRESS.crt -> ~/.alpine-smime/public/
>>>> certificate-ca.crt -> ~/.alpine-smime/ca/ (is this name correct?)
>>>
>>> copy MAIL@ADDRESS.crt to ~/.alpine-smime/ca/ also.
>>
>> Ah. Done. But doesn't help.
>
> Have you run alpine with debug to see what more information you can get out
> of the debug?


No, I'm unsure what debug options to use.




>>> Do you mind sharing "ls -lR ~/.alpine-smime" with me if this does not
>>> work?
>>
>> Sure, will mail that in private after this mail.
>
> Thank you. I got it. It all looks good.


Ok.



>> Thanks, but still not there...
>>
>> For the record, it fails also in Thunderbird, but in Alpine I don't know
>> yet if I have it configured properly.
>
> Yes, your Alpine is configured correctly. All your permissions are set
> correctly. Although your certificates have information in them that is not
> part of the key or certificate, that information does not matter because it
> is ignored when the certificate is processed, so I am not sure what your
> problem is.


Ok, that's what I needed to know :-)




>
>> same error code as this bug:
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1756413>
>> It seems RSA-PSS certificates are not supported.
>>
>> There's also this:
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1364339>
>
> Not my expertise here, but reading man pages, it looks like RSA-PSS uses
> pkcs#8, while s/mime uses pkcs#7.
>
> https://www.openssl.org/docs/man1.1.1/man7/RSA-PSS.html
>
> https://en.wikipedia.org/wiki/PKCS
>
> I can't imagine these are good news for you. Let me interpret this in a
> different way. It looks like the purpose of your certificate is not for
> s/mime, hence it is not surprising it fails. Since I am not the expert here,
> I'd love to be corrected.


I have no idea.

I don't use this even every year. I used a certificate from this entity
maybe a decade ago with Thunderbird and it worked. It has to be renewed
periodically, so the current incantation is different, and Thunderbird is
different. So I wanted to try Alpine, being different software. Knowing
that it is properly configured, if it gives an apparently similar error,
that indicates that the certificate doesn't work.

And today I have noticed that my email is not listed in the certificate,
despite me asking for it. That could be the reason.


I guess that the error messages from these libraries are not very
informative for the layman.


I can try to get another certificate from another entity for email. I'm
open to suggestions, but the reason I wanted to use this official
certificate is that it includes our National Identification Number, which
is used in many procedures, and identity is verified by an official in an
interview. It is used on the web for tax purposes, so it has to be
verifiable.

But for some reason, my email is not listed in it.


--
Cheers
Carlos E. R.

(from openSUSE 15.5 (Laicolasse))

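As an added example, not part of this thread and not Alpine's or Thunderbird's own code, here is the check I would run on the .crt before importing it, to answer the three questions the thread circles around: does the certificate carry an e-mail address (as an rfc822Name in subjectAltName, which is the field Thunderbird matches against the account address), is its signature algorithm rsassaPss, and does its extended key usage include E-mail Protection. It assumes OpenSSL 1.1.1 or newer on PATH. The two certificates it inspects are generated on the spot, self-signed, purely for the demo; for a real check point the two functions at ~/.alpine-smime/public/MAIL@ADDRESS.crt instead.

```shell
#!/bin/sh
# Added example (not from the Alpine-info thread): summarise the fields of a
# certificate that decide whether a mail client will accept it as an S/MIME
# identity. Assumes OpenSSL >= 1.1.1 (for -addext and -ext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material, self-signed, demo only.
# (a) conventional RSA key, e-mail address in the SAN, emailProtection EKU
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Test User/C=ES" \
  -addext "subjectAltName=email:test.user@example.invalid" \
  -addext "extendedKeyUsage=emailProtection,clientAuth" \
  -keyout "$WORK/good.key" -out "$WORK/good.crt" 2>/dev/null

# (b) RSA-PSS key: the self-signature becomes rsassaPss, and no e-mail address
openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/pss.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/pss.key" -sha256 -days 30 \
  -subj "/CN=Test User/C=ES" \
  -addext "extendedKeyUsage=emailProtection,clientAuth" \
  -out "$WORK/pss.crt" 2>/dev/null

# Print signature algorithm, e-mail addresses and EKU of a certificate,
# one "key=value" per line; "<none>" marks an absent field.
smime_check() {
  crt=$1
  sigalg=$(openssl x509 -in "$crt" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  emails=$(openssl x509 -in "$crt" -noout -email | paste -s -d , -)
  eku=$(openssl x509 -in "$crt" -noout -ext extendedKeyUsage 2>/dev/null \
    | sed '1d' | tr -d ' ')
  printf 'sigalg=%s\nemail=%s\neku=%s\n' \
    "$sigalg" "${emails:-<none>}" "${eku:-<none>}"
}

# Return 0 only if the certificate looks importable as an S/MIME identity:
# not rsassaPss, at least one rfc822Name, and E-mail Protection in the EKU.
smime_usable() {
  out=$(smime_check "$1")
  case $out in *'sigalg=rsassaPss'*) return 1 ;; esac
  case $out in *'email=<none>'*)     return 1 ;; esac
  case $out in *'E-mailProtection'*) return 0 ;; esac
  return 1
}

for c in good pss; do
  echo "== $c.crt"
  smime_check "$WORK/$c.crt"
  if smime_usable "$WORK/$c.crt"; then
    echo "usable for S/MIME"
  else
    echo "NOT usable for S/MIME"
  fi
done
```

On the two demo certificates the first reports sha256WithRSAEncryption, the SAN address and the EKU and passes smime_usable; the second reports rsassaPss with email=<none> and fails. A real certificate that shows email=<none> here explains why neither client offers it for signing, whatever its other purposes say. For the debug question raised earlier in the thread, alpine(1) accepts -d followed by a level from 0 to 9 and writes its trace to .pine-debugN files in the home directory; that is my reading of the manual page, not something the thread states.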

