sm: New option --ignore-cert-with-oid.

* sm/gpgsm.c (oIgnoreCertWithOID): New.
(opts): Add option.
(main): Store its value.
* sm/call-agent.c (learn_cb): Test against that list.
--

doc/gpgsm.texi

@@ -676,6 +676,16 @@ This option adjusts the compliance mode "de-vs" for stricter key size
 requirements.  For example, a value of 3000 turns rsa2048 and dsa2048
 keys into non-VS-NfD compliant keys.
 
+@item --ignore-cert-with-oid @var{oid}
+@opindex ignore-cert-with-oid
+Add @var{oid} to the list of OIDs to be checked while reading
+certificates from smartcards. The @var{oid} is expected to be in
+dotted decimal form, like @code{2.5.29.3}.  This option may be used
+more than once.  As of now certificates with an extended key usage
+matching one of those OIDs are ignored during a @option{--learn-card}
+operation and not imported.  This option can help to keep the local
+key database clear of unneeded certificates stored on smartcards.
+
 @item --faked-system-time @var{epoch}
 @opindex faked-system-time
 This option is only useful for testing; it sets the system time back or

sm/call-agent.c

@@ -989,6 +989,8 @@ learn_cb (void *opaque, const void *buffer, size_t length)
   char *buf;
   ksba_cert_t cert;
   int rc;
+  char *string, *p, *pend;
+  strlist_t sl;
 
   if (parm->error)
     return 0;
@@ -1025,6 +1027,35 @@ learn_cb (void *opaque, const void *buffer, size_t length)
       return 0;
     }
 
+  /* Ignore certificates matching certain extended usage flags.  */
+  rc = ksba_cert_get_ext_key_usages (cert, &string);
+  if (!rc)
+    {
+      p = string;
+      while (p && (pend=strchr (p, ':')))
+        {
+          *pend++ = 0;
+          for (sl=opt.ignore_cert_with_oid;
+               sl && strcmp (sl->d, p); sl = sl->next)
+            ;
+          if (sl)
+            {
+              if (opt.verbose)
+                log_info ("certificate ignored due to OID %s\n", sl->d);
+              goto leave;
+            }
+          p = pend;
+          if ((p = strchr (p, '\n')))
+            p++;
+        }
+    }
+  else if (gpg_err_code (rc) != GPG_ERR_NO_DATA)
+    log_error (_("error getting key usage information: %s\n"),
+               gpg_strerror (rc));
+  xfree (string);
+  string = NULL;
+
+
   /* We do not store a certifciate with missing issuers as ephemeral
      because we can assume that the --learn-card command has been used
      on purpose.  */
@@ -1045,6 +1076,9 @@ learn_cb (void *opaque, const void *buffer, size_t length)
         }
     }
 
+ leave:
+  xfree (string);
+  string = NULL;
   ksba_cert_release (cert);
   init_membuf (parm->data, 4096);
   return 0;

sm/gpgsm.c

@@ -198,6 +198,7 @@ enum cmd_and_opt_values {
   oNoRandomSeedFile,
   oNoCommonCertsImport,
   oIgnoreCertExtension,
+  oIgnoreCertWithOID,
   oNoAutostart
  };
 
@@ -290,6 +291,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_s (oCompliance, "compliance",   "@"),
   ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
   ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
+  ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"),
   ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
   ARGPARSE_s_s (oAgentProgram, "agent-program", "@"),
   ARGPARSE_s_s (oDirmngrProgram, "dirmngr-program", "@"),
@@ -1383,6 +1385,10 @@ main ( int argc, char **argv)
           add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
           break;
 
+        case oIgnoreCertWithOID:
+          add_to_strlist (&opt.ignore_cert_with_oid, pargs.r.ret_str);
+          break;
+
         case oNoAutostart: opt.autostart = 0; break;
 
         case oCompliance:

sm/gpgsm.h

@@ -139,6 +139,10 @@ struct
      OID per string.  */
   strlist_t ignored_cert_extensions;
 
+  /* A list of OIDs which will be used to ignore certificates with
+   * sunch an OID during --learn-card.  */
+  strlist_t ignore_cert_with_oid;
+
   enum gnupg_compliance_mode compliance;
 } opt;