Problem importing S/MIME cert

Hi,
I renewed my certs with Actalis for S/MIME yesterday. Two work fine, but the third one imports OK into the Windows cert store and OK into XCA (openssl), but fails importing into Kleopatra. It says “invalid object”. Trying to do it with gpgsm says:

C:\Users\Usuario\Desktop>gpgsm -v --import pkcs12_C.pfx
gpgsm: 1224 bytes of 3DES encrypted text
gpgsm: decryption failed; trying charset ‘ISO-8859-1’
gpgsm: decryption failed; trying charset ‘ISO-8859-15’
gpgsm: decryption failed; trying charset ‘ISO-8859-2’
gpgsm: decryption failed; trying charset ‘ISO-8859-3’
gpgsm: decryption failed; trying charset ‘ISO-8859-4’
gpgsm: decryption failed; trying charset ‘ISO-8859-5’
gpgsm: decryption failed; trying charset ‘ISO-8859-6’
gpgsm: decryption failed; trying charset ‘ISO-8859-7’
gpgsm: decryption failed; trying charset ‘ISO-8859-8’
gpgsm: decryption failed; trying charset ‘ISO-8859-9’
gpgsm: decryption failed; trying charset ‘KOI8-R’
gpgsm: decryption failed; trying charset ‘IBM437’
gpgsm: decryption failed; trying charset ‘IBM850’
gpgsm: decryption failed; trying charset ‘BIG5’
gpgsm: data error at “decrypted-text”, offset 4260250007
gpgsm: error at “bag-sequence”, offset 49
gpgsm: error parsing or decrypting the PKCS#12 file
gpgsm: cantidad total procesada: 0


But it is able to import the public part of the cert exported from Windows. Exporting with the private key and trying to import also fails.

Any idea?

BR.

Josep M.

Solved (workaround)

Exporting from the Windows store with the private key WITHOUT extended properties and importing into Kleopatra. It worked.

B. R.

Hi Josep,
thanks for the report, and it is good that it works for you now.

It would be cool to have an example so that we can reproduce the import problems. CMS can be a lot, so it is hard to say what the problem was.

What you could try is to see if you use a different passphrase as transport protection, maybe all ASCII. Would one additional -v, so -vv, give more info about what is going on?

Best,
Bernhard

Hi Bernhard,
The cert used was a copy of the one received from the provider. The passphrase used to import was all in ASCII. And with --v it says exactly the same.
The enigma was that I received 2 more certs from the same provider that worked fine!
The only thing is that some extended property is different, but I don’t know which one. It refers only to the private part of the .pfx file.
Sorry, but I can’t send you this cert because I tried to obtain another cert by revoking this one, but I couldn’t.
How can I help you more? Is there any option to debug more in depth?

BR

Hi Josep,

You could try to dump the ASN.1 structure or use --debug-all with gpgsm to see if there is more interesting stuff (however, be careful: --debug-all may contain sensitive information, so do not post it in full).

Best,
Bernhard

Hi,

How do I dump the ASN.1 structure?
Here is --debug-all (without the passphrase):

C:\Users\Usuario\Desktop\certs>gpgsm --debug-all --import PKCS12_C.pfx
gpgsm: leyendo opciones de ‘C:\Users\Usuario\AppData\Roaming\gnupg\gpgsm.conf’
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc
gpgsm: DBG: chan_0x0000026c ← OK Pleased to meet you
gpgsm: DBG: connection to agent established
gpgsm: DBG: chan_0x0000026c → RESET
gpgsm: DBG: chan_0x0000026c ← OK
gpgsm: DBG: chan_0x0000026c → GETINFO version
gpgsm: DBG: chan_0x0000026c ← D 2.2.19
gpgsm: DBG: chan_0x0000026c ← OK
gpgsm: DBG: chan_0x0000026c → OPTION allow-pinentry-notify
gpgsm: DBG: chan_0x0000026c ← OK
gpgsm: DBG: chan_0x0000026c → GET_PASSPHRASE --data – X X X Introduzca+frase+contrase├▒a+para+desproteger+el+objeto+PKCS#12.
gpgsm: DBG: chan_0x0000026c ← INQUIRE PINENTRY_LAUNCHED 4852 qt 1.1.1-beta5 - - -
gpgsm: DBG: chan_0x0000026c → END
gpgsm: DBG: chan_0x0000026c ← D --here pass phrase–
gpgsm: DBG: chan_0x0000026c ← OK
gpgsm: 1224 bytes of 3DES encrypted text
gpgsm: decryption failed; trying charset ‘ISO-8859-1’
gpgsm: decryption failed; trying charset ‘ISO-8859-15’
gpgsm: decryption failed; trying charset ‘ISO-8859-2’
gpgsm: decryption failed; trying charset ‘ISO-8859-3’
gpgsm: decryption failed; trying charset ‘ISO-8859-4’
gpgsm: decryption failed; trying charset ‘ISO-8859-5’
gpgsm: decryption failed; trying charset ‘ISO-8859-6’
gpgsm: decryption failed; trying charset ‘ISO-8859-7’
gpgsm: decryption failed; trying charset ‘ISO-8859-8’
gpgsm: decryption failed; trying charset ‘ISO-8859-9’
gpgsm: decryption failed; trying charset ‘KOI8-R’
gpgsm: decryption failed; trying charset ‘IBM437’
gpgsm: decryption failed; trying charset ‘IBM850’
gpgsm: decryption failed; trying charset ‘BIG5’
gpgsm: data error at “decrypted-text”, offset 4266269943
gpgsm: error at “bag-sequence”, offset 49
gpgsm: error parsing or decrypting the PKCS#12 file
gpgsm: cantidad total procesada: 0
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
rndjent stat: collector=00000000 calls=0 bytes=0
secmem usage: 0/16384 bytes in 0 blocks
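
An added example, not part of the original thread, for the question above about dumping the ASN.1 structure: a small Python walker that lists the tags, lengths and object identifiers in the unencrypted outer layers of a PKCS#12 file, without needing the passphrase. `SAMPLE_PFX` is a constructed skeleton with dummy ciphertext, and the function names are this example's own.

```python
# Added example, not from the thread; SAMPLE_PFX below is constructed, not a real key.
OIDS = {  # standard PKCS#7 / PKCS#12 object identifiers
    "1.2.840.113549.1.7.1": "pkcs7-data",
    "1.2.840.113549.1.7.6": "pkcs7-encryptedData",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
SAMPLE_PFX = bytes.fromhex(
    "305f020103305a06092a864886f70d010701a04d044b3049304706092a864886f70d010706"
    "a03a3038020100303306092a864886f70d010701301c060a2a864886f70d010c0103"
    "300e0408010203040506070802020800" "8008" + "aa" * 8)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end), definite lengths only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite (BER) length not handled here")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def walk(buf, pos=0, end=None, depth=0):  # -> indented lines, one per element
    out, end = [], len(buf) if end is None else end
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        line = f"{'  ' * depth}tag=0x{tag:02x} len={stop - start}"
        if tag == 0x06:
            oid = decode_oid(buf[start:stop])
            line += f" {oid} {OIDS.get(oid, '?')}"
        out.append(line)
        if tag & 0x20:  # constructed: descend
            out += walk(buf, start, stop, depth + 1)
        elif tag == 0x04 and buf[start:start + 1] == b"\x30":  # OCTET STRING wrapping DER
            try:
                out += walk(buf[start:stop], depth=depth + 1)
            except (ValueError, IndexError):
                pass  # opaque bytes, not nested DER
        pos = stop
    return out
```

On a real file, call `walk(open("file.pfx", "rb").read())` and print the lines; comparing the output for a working and a failing certificate shows whether their outer structure or algorithms differ.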