Private key not found exception (PGP, ASP.NET, XSP)

[polterguy]

Howdy, I've got this web app running on xsp web server/ubuntu, where I've implemented a GnuPGContext derived class as you show in the readme file;

public class PfGnuPGContext : GnuPGContext
{
    protected override string GetPasswordForKey (PgpSecretKey key)
    {
        return "password";
    }

    [ActiveEvent (Name = "pf.core.application-start")]
    private static void pf_core_application_start (ApplicationContext context, ActiveEventArgs e)
    {
        CryptographyContext.Register (typeof (PfGnuPGContext));
    }

    [ActiveEvent (Name = "pf.crypto.pgp.sign")]
    private static void pf_crypto_pgp_sign (ApplicationContext context, ActiveEventArgs e)
    {
        var entity = e.Args.Get<MimeEntity> (context);
        using (var ctx = new PfGnuPGContext ()) {
            var result = MultipartSigned.Create (
                ctx, 
                new MailboxAddress ("John Doe", "xxx@xxx.com"), 
                DigestAlgorithm.Sha1,
                entity);
        }
    }
}

Now the "pf_core_application_start" method above is basically called from Global.asax.cs when app starts, and I have verified it is invoked. And I am of course using a real email address, name and password, which I know I have a private key for, and certificate, which was created in Thunderbird using "Enigmail", but when invoked, on the line "MultipartSigned.Create", I get a "The private key could not be found" exception ...?

I've check, and the "ctx.SecretKeyRingPath" seems to be pointing in the right direction, I've tripple checked the email address, name and password (my password sink isn't even called btw), and I cannot figure out where I go wrong ...?

The last point in the stack trace, where the exception is raised, is "OpenPgpContext.GetSigningKey" ...

Suggestions ...?

[jstedfast]

If you could step through the OpenPgpContext.GetSigningKey() method, that would be the best.

I'm going to assume that the logic that matches the email address is working correctly (although it's possible that it's not) and that one of the other checks is more likely to be the issue.

There are 3 checks that the code does and any one of them may be wrong:

if (!key.IsSigningKey)
    continue;

var pubkey = key.PublicKey;
if (pubkey.IsRevoked ())
    continue;

and thirdly:

long seconds = pubkey.GetValidSeconds ();
if (seconds != 0) {
    var expires = pubkey.CreationTime.AddSeconds ((double) seconds);
    if (expires >= DateTime.Now)
        continue;
}

I assume that your pgp key is probably not revoked or expired, but it might be that the code is miscalculating the expiration date and so the check fails when it shouldn't.

[polterguy]

Howdy,

I never got to debug that method, I did however create another key/certificate, but this time with KGpg, and it worked. I suspect that probably Enigmail is doing something wrong when creating a key/certificate. either that, or that it for some reasons wouldn't handle a xxx@gmail.com address. If you wish to test it, you can create a key/certificate with the Enigmail plugin for Thunderbird, and see if you can reproduce it locally for yourself.

BTW, I followed the "wizard" when starting Enigmail for the first time when creating my gmail.com key/certificate. It did however work when using my certificate/key for signing emails from Thunderbird ...

BTW, how do I explicitly choose an explicit key when for instance signing a message, and I don't want to use "email lookups", but rather use the exact fingerprint (for instance) ...?

I tried doing as the FAQ told me, which is to create a SecureMailboxAddress, but regardless of what I set the "name" and "email" to, it couldn't find me certificate even though I gave it the correct fingerprint ...?

[jstedfast]

Yea, it looks like I never implemented the fingerprint lookup for PGP. I'll look into doing that.

[jstedfast]

I had the logic backwards for checking expiration. I also added support for fingerprint lookups for PGP.

[polterguy]

Great!!
You're the Champ :)