security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

dirmngr: New option --ignore-cert

Browse source 
* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--

This option is useful as a workaround in case we ill run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
This commit is contained in:
Werner Koch 2021-10-06 10:31:41 +02:00
parent 6879937885
commit 4b3e9a44b5
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
5 changed files with 98 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

25
dirmngr/certcache.c
View file

@ -262,13 +262,14 @@ clean_cache_slot (cert_item_t ci)
* fingerprint of the certificate will be stored there. FPR_BUFFER
* needs to point to a buffer of at least 20 bytes. The fingerprint
* will be stored on success or when the function returns
* GPG_ERR_DUP_VALUE. */
* GPG_ERR_DUP_VALUE or GPG_ERR_NOT_ENABLED. */
static gpg_error_t
put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
void *fpr_buffer)
{
unsigned char help_fpr_buffer[20], *fpr;
cert_item_t ci;
fingerprint_list_t ignored;
fpr = fpr_buffer? fpr_buffer : &help_fpr_buffer;
@ -317,6 +318,14 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
}
cert_compute_fpr (cert, fpr);
/* Compare against the list of to be ignored certificates. */
for (ignored = opt.ignored_certs; ignored; ignored = ignored->next)
if (ignored->binlen == 20 && !memcmp (fpr, ignored->hexfpr, 20))
{
/* We are configured not to use this certificate. */
return gpg_error (GPG_ERR_NOT_ENABLED);
}
for (ci=cert_cache[*fpr]; ci; ci = ci->next)
if (ci->cert && !memcmp (ci->fpr, fpr, 20))
return gpg_error (GPG_ERR_DUP_VALUE);
@ -440,6 +449,8 @@ load_certs_from_dir (const char *dirname, unsigned int trustclass)
cert_log_subject (_(" subject ="), cert);
}
}
else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
log_info ("certificate '%s' skipped due to configuration\n", fname);
else
log_error (_("error loading certificate '%s': %s\n"),
fname, gpg_strerror (err));
@ -510,6 +521,8 @@ load_certs_from_file (const char *fname, unsigned int trustclasses,
err = put_cert (cert, 1, trustclasses, NULL);
if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
log_info (_("certificate '%s' already cached\n"), fname);
else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
log_info ("certificate '%s' skipped due to configuration\n", fname);
else if (err)
log_error (_("error loading certificate '%s': %s\n"),
fname, gpg_strerror (err));
@ -625,6 +638,9 @@ load_certs_from_w32_store (const char *storename)
if (DBG_X509)
log_debug (_("certificate '%s' already cached\n"), storename);
}
else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
log_info ("certificate '%s' skipped due to configuration\n",
storename);
else if (err)
log_error (_("error loading certificate '%s': %s\n"),
storename, gpg_strerror (err));
@ -852,6 +868,8 @@ cache_cert (ksba_cert_t cert)
log_info (_("certificate already cached\n"));
else if (!err)
log_info (_("certificate cached\n"));
else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
log_info ("certificate skipped due to configuration\n");
else
log_error (_("error caching certificate: %s\n"), gpg_strerror (err));
return err;
@ -872,7 +890,10 @@ cache_cert_silent (ksba_cert_t cert, void *fpr_buffer)
release_cache_lock ();
if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
err = 0;
if (err)
if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
log_info ("certificate skipped due to configuration\n");
else if (err)
log_error (_("error caching certificate: %s\n"), gpg_strerror (err));
return err;
}