Add option --ignore-cert-extension

NEWS

@@ -9,7 +9,9 @@ Noteworthy changes in version 2.0.14
 
  * The GPGSM --audit-log feature is now more complete.
 
- * Support DNS lookups for SRV, PKA and CERT on W32.
+ * GPG now supports DNS lookups for SRV, PKA and CERT on W32.
+
+ * New GPGSM option --ignore-cert-extension.
 
 
 Noteworthy changes in version 2.0.13 (2009-09-04)

doc/gpgsm.texi

@@ -446,7 +446,16 @@ use of the chain model.  The chain model is also used if an option in
 the @file{trustlist.txt} or an attribute of the certificate requests it.
 However the standard model (shell) is in that case always tried first.
 
-
+@item --ignore-cert-extension @var{oid}
+@opindex ignore-cert-extension
+Add @var{oid} to the list of ignored certificate extensions.  The
+@var{oid} is expected to be in dotted decimal form, like
+@code{2.5.29.3}.  This option may used more than once.  Critical
+flagged certificate extensions matching one of the OIDs in the list
+are treated as if they are actually handled and thus the certificate
+won't be rejected due to an unknown critical extension.  Use this
+option with care because extensions are usually flagged as critical
+for a reason.
 
 @end table
 

sm/ChangeLog

@@ -1,3 +1,9 @@
+2009-12-10  Werner Koch  <wk@g10code.com>
+
+	* gpgsm.c: Add option --ignore-cert-extension.
+	* gpgsm.h (opt): Add field IGNORED_CERT_EXTENSIONS.
+	* certchain.c (unknown_criticals): Handle ignored extensions,
+
 2009-12-03  Werner Koch  <wk@g10code.com>
 
 	From trunk:

sm/certchain.c

@@ -229,6 +229,8 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
   int rc = 0, i, idx, crit;
   const char *oid;
   gpg_error_t err;
+  int unsupported;
+  strlist_t sl;
 
   for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
                                              &oid, &crit, NULL, NULL));idx++)
@@ -237,7 +239,20 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
         continue;
       for (i=0; known[i] && strcmp (known[i],oid); i++)
         ;
-      if (!known[i])
+      unsupported = !known[i];
+
+      /* If this critical extension is not supoported, check the list
+         of to be ignored extensions to se whether we claim that it is
+         supported.  */
+      if (unsupported && opt.ignored_cert_extensions)
+        {
+          for (sl=opt.ignored_cert_extensions;
+               sl && strcmp (sl->d, oid); sl = sl->next)
+            ;
+          if (sl)
+            unsupported = 0;
+        }
+      if (unsupported)
         {
           do_list (1, listmode, fp,
                    _("critical certificate extension %s is not supported"),

sm/gpgsm.c

@@ -176,7 +176,8 @@ enum cmd_and_opt_values {
   oDisablePubkeyAlgo,
   oIgnoreTimeConflict,
   oNoRandomSeedFile,
-  oNoCommonCertsImport
+  oNoCommonCertsImport,
+  oIgnoreCertExtension
  };
 
 
@@ -376,6 +377,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
   ARGPARSE_s_n (oNoRandomSeedFile,  "no-random-seed-file", "@"),
   ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
+  ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
 
   /* Command aliases.  */
   ARGPARSE_c (aListKeys, "list-key", "@"),  
@@ -1381,6 +1383,10 @@ main ( int argc, char **argv)
 	  }
 	  break;
 
+        case oIgnoreCertExtension:
+          add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
+          break;
+
         default: 
           pargs.err = configfp? ARGPARSE_PRINT_WARNING:ARGPARSE_PRINT_ERROR; 
           break;

sm/gpgsm.h

@@ -134,8 +134,13 @@ struct
                                runtime. */
 
   struct keyserver_spec *keyserver;
-} opt;
 
+  /* A list of certificate extension OIDs which are ignored so that
+     one can claim that a critical extension has been handled.  One
+     OID per string.  */
+  strlist_t ignored_cert_extensions;
+
+} opt;
 
 /* Debug values and macros.  */
 #define DBG_X509_VALUE    1	/* debug x.509 data reading/writing */