mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
Add option --ignore-cert-extension
This commit is contained in:
parent
a4556ffbd4
commit
4135599f7c
4
NEWS
4
NEWS
@ -9,7 +9,9 @@ Noteworthy changes in version 2.0.14
|
||||
|
||||
* The GPGSM --audit-log feature is now more complete.
|
||||
|
||||
* Support DNS lookups for SRV, PKA and CERT on W32.
|
||||
* GPG now supports DNS lookups for SRV, PKA and CERT on W32.
|
||||
|
||||
* New GPGSM option --ignore-cert-extension.
|
||||
|
||||
|
||||
Noteworthy changes in version 2.0.13 (2009-09-04)
|
||||
|
@ -446,7 +446,16 @@ use of the chain model. The chain model is also used if an option in
|
||||
the @file{trustlist.txt} or an attribute of the certificate requests it.
|
||||
However the standard model (shell) is in that case always tried first.
|
||||
|
||||
|
||||
@item --ignore-cert-extension @var{oid}
|
||||
@opindex ignore-cert-extension
|
||||
Add @var{oid} to the list of ignored certificate extensions. The
|
||||
@var{oid} is expected to be in dotted decimal form, like
|
||||
@code{2.5.29.3}. This option may used more than once. Critical
|
||||
flagged certificate extensions matching one of the OIDs in the list
|
||||
are treated as if they are actually handled and thus the certificate
|
||||
won't be rejected due to an unknown critical extension. Use this
|
||||
option with care because extensions are usually flagged as critical
|
||||
for a reason.
|
||||
|
||||
@end table
|
||||
|
||||
|
@ -1,3 +1,9 @@
|
||||
2009-12-10 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpgsm.c: Add option --ignore-cert-extension.
|
||||
* gpgsm.h (opt): Add field IGNORED_CERT_EXTENSIONS.
|
||||
* certchain.c (unknown_criticals): Handle ignored extensions,
|
||||
|
||||
2009-12-03 Werner Koch <wk@g10code.com>
|
||||
|
||||
From trunk:
|
||||
|
@ -229,6 +229,8 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
|
||||
int rc = 0, i, idx, crit;
|
||||
const char *oid;
|
||||
gpg_error_t err;
|
||||
int unsupported;
|
||||
strlist_t sl;
|
||||
|
||||
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
|
||||
&oid, &crit, NULL, NULL));idx++)
|
||||
@ -237,7 +239,20 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
|
||||
continue;
|
||||
for (i=0; known[i] && strcmp (known[i],oid); i++)
|
||||
;
|
||||
if (!known[i])
|
||||
unsupported = !known[i];
|
||||
|
||||
/* If this critical extension is not supoported, check the list
|
||||
of to be ignored extensions to se whether we claim that it is
|
||||
supported. */
|
||||
if (unsupported && opt.ignored_cert_extensions)
|
||||
{
|
||||
for (sl=opt.ignored_cert_extensions;
|
||||
sl && strcmp (sl->d, oid); sl = sl->next)
|
||||
;
|
||||
if (sl)
|
||||
unsupported = 0;
|
||||
}
|
||||
if (unsupported)
|
||||
{
|
||||
do_list (1, listmode, fp,
|
||||
_("critical certificate extension %s is not supported"),
|
||||
|
@ -176,7 +176,8 @@ enum cmd_and_opt_values {
|
||||
oDisablePubkeyAlgo,
|
||||
oIgnoreTimeConflict,
|
||||
oNoRandomSeedFile,
|
||||
oNoCommonCertsImport
|
||||
oNoCommonCertsImport,
|
||||
oIgnoreCertExtension
|
||||
};
|
||||
|
||||
|
||||
@ -376,6 +377,7 @@ static ARGPARSE_OPTS opts[] = {
|
||||
ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
|
||||
ARGPARSE_s_n (oNoRandomSeedFile, "no-random-seed-file", "@"),
|
||||
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
|
||||
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
|
||||
|
||||
/* Command aliases. */
|
||||
ARGPARSE_c (aListKeys, "list-key", "@"),
|
||||
@ -1381,6 +1383,10 @@ main ( int argc, char **argv)
|
||||
}
|
||||
break;
|
||||
|
||||
case oIgnoreCertExtension:
|
||||
add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
|
||||
break;
|
||||
|
||||
default:
|
||||
pargs.err = configfp? ARGPARSE_PRINT_WARNING:ARGPARSE_PRINT_ERROR;
|
||||
break;
|
||||
|
@ -134,8 +134,13 @@ struct
|
||||
runtime. */
|
||||
|
||||
struct keyserver_spec *keyserver;
|
||||
} opt;
|
||||
|
||||
/* A list of certificate extension OIDs which are ignored so that
|
||||
one can claim that a critical extension has been handled. One
|
||||
OID per string. */
|
||||
strlist_t ignored_cert_extensions;
|
||||
|
||||
} opt;
|
||||
|
||||
/* Debug values and macros. */
|
||||
#define DBG_X509_VALUE 1 /* debug x.509 data reading/writing */
|
||||
|
Loading…
x
Reference in New Issue
Block a user