
Add option --ignore-cert-extension

This commit is contained in:
Werner Koch 2009-12-10 13:00:09 +00:00
parent a4556ffbd4
commit 4135599f7c
6 changed files with 48 additions and 5 deletions

NEWS

@ -9,7 +9,9 @@ Noteworthy changes in version 2.0.14
* The GPGSM --audit-log feature is now more complete.
* Support DNS lookups for SRV, PKA and CERT on W32.
* GPG now supports DNS lookups for SRV, PKA and CERT on W32.
* New GPGSM option --ignore-cert-extension.
Noteworthy changes in version 2.0.13 (2009-09-04)


@ -446,7 +446,16 @@ use of the chain model. The chain model is also used if an option in
the @file{trustlist.txt} or an attribute of the certificate requests it.
However the standard model (shell) is in that case always tried first.
@item --ignore-cert-extension @var{oid}
@opindex ignore-cert-extension
Add @var{oid} to the list of ignored certificate extensions. The
@var{oid} is expected to be in dotted decimal form, like
@code{2.5.29.3}. This option may used more than once. Critical
flagged certificate extensions matching one of the OIDs in the list
are treated as if they are actually handled and thus the certificate
won't be rejected due to an unknown critical extension. Use this
option with care because extensions are usually flagged as critical
for a reason.
@end table


@ -1,3 +1,9 @@
2009-12-10 Werner Koch <wk@g10code.com>
* gpgsm.c: Add option --ignore-cert-extension.
* gpgsm.h (opt): Add field IGNORED_CERT_EXTENSIONS.
* certchain.c (unknown_criticals): Handle ignored extensions,
2009-12-03 Werner Koch <wk@g10code.com>
From trunk:


@ -229,6 +229,8 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
int rc = 0, i, idx, crit;
const char *oid;
gpg_error_t err;
int unsupported;
strlist_t sl;
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
&oid, &crit, NULL, NULL));idx++)
@ -237,7 +239,20 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
continue;
for (i=0; known[i] && strcmp (known[i],oid); i++)
;
if (!known[i])
unsupported = !known[i];
/* If this critical extension is not supoported, check the list
of to be ignored extensions to se whether we claim that it is
supported. */
if (unsupported && opt.ignored_cert_extensions)
{
for (sl=opt.ignored_cert_extensions;
sl && strcmp (sl->d, oid); sl = sl->next)
;
if (sl)
unsupported = 0;
}
if (unsupported)
{
do_list (1, listmode, fp,
_("critical certificate extension %s is not supported"),
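Review bot: The ignore path in the new `if (unsupported && opt.ignored_cert_extensions)` block clears `unsupported` without emitting anything, so a certificate that is accepted only because a critical extension was suppressed via --ignore-cert-extension is indistinguishable in the listing and audit output from one whose extensions are all handled. Since the whole point of the option is to override a safety check, the override should leave a trace: in the `if (sl)` branch add a non-error note such as `do_list (0, listmode, fp, _("critical certificate extension %s is ignored by option"), oid);` (assuming do_list's first argument is the is-error flag, as the `1` in the existing call below suggests). The new comment also has two typos, `supoported` and `se`, which should read `supported` and `see`. Note that the match is an exact `strcmp` against the dotted-decimal string libksba returns, so any syntax checking of the configured value belongs in the option parser in gpgsm.c rather than here. The body of unknown_criticals continues outside the hunk.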


@ -176,7 +176,8 @@ enum cmd_and_opt_values {
oDisablePubkeyAlgo,
oIgnoreTimeConflict,
oNoRandomSeedFile,
oNoCommonCertsImport
oNoCommonCertsImport,
oIgnoreCertExtension
};
@ -376,6 +377,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
ARGPARSE_s_n (oNoRandomSeedFile, "no-random-seed-file", "@"),
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
/* Command aliases. */
ARGPARSE_c (aListKeys, "list-key", "@"),
@ -1381,6 +1383,10 @@ main ( int argc, char **argv)
}
break;
case oIgnoreCertExtension:
add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
break;
default:
pargs.err = configfp? ARGPARSE_PRINT_WARNING:ARGPARSE_PRINT_ERROR;
break;
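Review bot: The new `case oIgnoreCertExtension:` stores `pargs.r.ret_str` verbatim without checking that it is a dotted-decimal OID, although the documentation promises that form; a mistyped value (or one with stray whitespace) is silently accepted and, because certchain.c compares with `strcmp`, it simply never matches, so the operator believes an extension is whitelisted while certificates keep being rejected, and a typo is only discovered in production. Since gpgsm.c already uses libksba, the value can be validated at parse time with `ksba_oid_from_str` and rejected with `log_error` before it is added to the list, as sketched below. This does not normalise the string, so the exact-match semantics in certchain.c are unchanged; it only refuses values that cannot be an OID. The enclosing `switch` in main starts and ends outside the hunk.
```c
        case oIgnoreCertExtension:
          {
            unsigned char *oidbuf;
            size_t oidbuflen;

            /* Reject values which are not well-formed OIDs so that a typo
               does not silently create a never-matching entry.  */
            if (ksba_oid_from_str (pargs.r.ret_str, &oidbuf, &oidbuflen))
              log_error (_("invalid OID '%s' given for --ignore-cert-extension\n"),
                         pargs.r.ret_str);
            else
              {
                ksba_free (oidbuf);
                add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
              }
          }
          break;
        /* … unchanged: default case … */
```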


@ -134,8 +134,13 @@ struct
runtime. */
struct keyserver_spec *keyserver;
} opt;
/* A list of certificate extension OIDs which are ignored so that
one can claim that a critical extension has been handled. One
OID per string. */
strlist_t ignored_cert_extensions;
} opt;
/* Debug values and macros. */
#define DBG_X509_VALUE 1 /* debug x.509 data reading/writing */