Forum: help-en

RE: Cannot decrypt using GPGSM - No Secret Key
By: Bernhard Reiter on 2017-07-04 07:50
Hi Themis,

good question, at least the root-CA would need to have a private key imported. :)
(But for most use cases of Gpg4win it is not relevant, as it is a rare case that you would want to run a root CA. If you want direct trust, you could more easily use OpenPGP instead of CMS.)

As there are many CMS related standards, I do not know them all by heart.
My idea would be: Maybe the standard demands an issuer for all certificates; at least the certs I've seen always had one, even if it was the cert itself (root certificate).

The other idea is that it is a defect.
My suggestion: Try this with gpgsm for a modern GnuPG (2.1.21) on GNU/Linux and then ask on gnupg-users@ and next on gnupg-devel@.

Best Regards,

RE: Cannot decrypt using GPGSM - No Secret Key
By: Themis` Zarotiadis on 2017-07-04 07:30
Thank you very much Bernhard for your answer. I must say that this is what I also have understood, reading many similar articles, so I tried to:

gpgsm --import privatekey.pem

but what I get is an error importing due to "No issuer" for my private key.
And that's what puzzles me. Shouldn't I be able, for test/dev reasons, to create a private/public key pair, self-sign the certificate, import it, and use the public key for encryption and the private key for decryption? Why does the private key need an issuer?!


RE: Cannot decrypt using GPGSM - No Secret Key
By: Bernhard Reiter on 2017-07-03 14:00
Hi Themis,

a precondition for CMS crypto operations is that
gpgsm --list-secret-keys
shows your private key, so please import it first (and the corresponding pubkey).

Note that you must configure the certificate chain properly for production usage,
see https://wiki.gnupg.org/X.509, otherwise use the option `--disable-crl-checks`.
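
The precondition above and the failed `gpgsm --import privatekey.pem` from the later reply, worked through as an added example that is not part of any post in this thread: gpgsm's `--import` takes a secret key from a PKCS#12 file, so the key and its certificate are bundled with OpenSSL first. The file name `bundle.p12`, the passphrase and the throwaway `GNUPGHOME` are assumptions, and the key and certificate are freshly constructed test data.

```shell
#!/bin/sh
# Added example. The identity below is constructed test data (CN=AB, ab@ab.com
# as in the thread); the PKCS#12 file name and passphrase are assumptions.

# make_p12 DIR PASS: create an RSA 2048 key and a self-signed certificate,
# then bundle key + certificate into DIR/bundle.p12.
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=AB/emailAddress=ab@ab.com" \
        -keyout "$1/privatekey.pem" -out "$1/mycert.pem" 2>/dev/null &&
    openssl pkcs12 -export -name "AB test" -passout "pass:$2" \
        -inkey "$1/privatekey.pem" -in "$1/mycert.pem" -out "$1/bundle.p12"
}

# p12_has_key_and_cert FILE PASS: succeed only if the bundle opens with PASS
# and contains both a certificate and a private key.
p12_has_key_and_cert() {
    pem=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
    printf '%s\n' "$pem" | grep -q 'BEGIN CERTIFICATE' &&
    printf '%s\n' "$pem" | grep -q 'PRIVATE KEY'
}

# Full procedure, run only on request:  sh p12-import.sh run
if [ "${1:-}" = run ]; then
    umask 077
    work=$(mktemp -d) || exit 1
    GNUPGHOME=$work/gnupg; export GNUPGHOME   # keep test keys out of ~/.gnupg
    mkdir "$GNUPGHOME"
    make_p12 "$work" 'test-only-pass' || exit 1
    p12_has_key_and_cert "$work/bundle.p12" 'test-only-pass' || exit 1
    # gpgsm asks (through pinentry) for the PKCS#12 passphrase and then for
    # a new passphrase protecting the key inside gpg-agent.
    gpgsm --import "$work/bundle.p12" || exit 1
    # The precondition from the thread: the key must now be listed.
    gpgsm --list-secret-keys
    echo "test keyring left in $GNUPGHOME"
fi
```

Older gpgsm builds may not read the PKCS#12 encryption that a newer OpenSSL writes by default; that compatibility is assumed here.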


Cannot decrypt using GPGSM - No Secret Key
By: Themis` Zarotiadis on 2017-07-03 09:57
Hi to all,

In a folder I have:
1. a private RSA 2048 key (privatekey.pem)
2. the public key exported from the private key (publickey.pem)
3. the X.509 Certificate (mycert.pem) that is also imported with the command:
gpgsm --import mycert.pem

Also, this certificate is listed correctly when I issue the command:
gpgsm -k (let's say that the email is ab@ab.com and the CN=AB)

I also have one simple data.txt file containing some text.

When I issue the encrypt command:
gpgsm -r ab@ab.com -o data_enc.txt --armor --encrypt data.txt
I get the encrypted text. Perfect!

But when I try to decrypt, using:
gpgsm -o data_dcr.txt --decrypt data.txt
I get an error:

gpgsm: DBG: recp 0 - issuer: `1.2.840.113549.1.9.1=#747A4065642E636F6D,CN=AB,O=Internet Widgits Pty Ltd,ST=Some-State,C=GR'
gpgsm: DBG: recp 0 - serial: 00A2506CB9E81EB5E8
gpgsm: error decrypting session key: No secret key
gpgsm: decrypting session key failed: No secret key
gpgsm: message decryption failed: No secret key <GpgSM>

Needless to say that
gpgsm --list-secret-keys just returns

So the point is, I cannot figure out how to decrypt the file using gpgsm.
Tried also to import privatekey.pem but got "no issuer..." which is normal for the private key...

Also, if I use the same private and public keys to encrypt/decrypt using OpenSSL (same X.509), everything works fine.

Thank you all in advance for any answers.
