Add option --cert-extension.

2025-07-02 22:46:30 +02:00 · 2009-12-10 13:00:30 +00:00 · 2009-12-10 13:00:30 +00:00 · a51675fabe
commit a51675fabe
parent cd8c8b7af4
6 changed files with 47 additions and 4 deletions
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@ -1,3 +1,9 @@
+2009-12-10  Werner Koch  <wk@g10code.com>
+
+	* gpgsm.c: Add option --ignore-cert-extension.
+	* gpgsm.h (opt): Add field IGNORED_CERT_EXTENSIONS.
+	* certchain.c (unknown_criticals): Handle ignored extensions,
+
 2009-12-08  Werner Koch  <wk@g10code.com>

 	* keydb.c (keydb_search_kid): Fix code even that it is not used.
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -229,6 +229,8 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
  int rc = 0, i, idx, crit;
  const char *oid;
  gpg_error_t err;
+  int unsupported;
+  strlist_t sl;

  for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
                                             &oid, &crit, NULL, NULL));idx++)
@ -237,7 +239,20 @@ unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
        continue;
      for (i=0; known[i] && strcmp (known[i],oid); i++)
        ;
-      if (!known[i])
+      unsupported = !known[i];
+
+      /* If this critical extension is not supoported, check the list
+         of to be ignored extensions to se whether we claim that it is
+         supported.  */
+      if (unsupported && opt.ignored_cert_extensions)
+        {
+          for (sl=opt.ignored_cert_extensions;
+               sl && strcmp (sl->d, oid); sl = sl->next)
+            ;
+          if (sl)
+            unsupported = 0;
+        }
+      if (unsupported)
        {
          do_list (1, listmode, fp,
                   _("critical certificate extension %s is not supported"),
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@ -176,7 +176,8 @@ enum cmd_and_opt_values {
  oDisablePubkeyAlgo,
  oIgnoreTimeConflict,
  oNoRandomSeedFile,
-  oNoCommonCertsImport
+  oNoCommonCertsImport,
+  oIgnoreCertExtension
 };


@ -376,6 +377,7 @@ static ARGPARSE_OPTS opts[] = {
  ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
  ARGPARSE_s_n (oNoRandomSeedFile,  "no-random-seed-file", "@"),
  ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
+  ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),

  /* Command aliases.  */
  ARGPARSE_c (aListKeys, "list-key", "@"),  
@ -1391,6 +1393,10 @@ main ( int argc, char **argv)
 	  }
 	  break;

+        case oIgnoreCertExtension:
+          add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
+          break;
+
        default: 
          pargs.err = configfp? ARGPARSE_PRINT_WARNING:ARGPARSE_PRINT_ERROR; 
          break;
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -134,8 +134,13 @@ struct
                               runtime. */

  struct keyserver_spec *keyserver;
-} opt;

+  /* A list of certificate extension OIDs which are ignored so that
+     one can claim that a critical extension has been handled.  One
+     OID per string.  */
+  strlist_t ignored_cert_extensions;
+
+} opt;

 /* Debug values and macros.  */
 #define DBG_X509_VALUE    1	/* debug x.509 data reading/writing */