From bcf446b70ca58ac1497269f047fba9ddb3d62e96 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 3 Feb 2022 14:14:14 +0100
Subject: [PATCH] sm: New option --ignore-cert-with-oid.
* sm/gpgsm.c (oIgnoreCertWithOID): New.
(opts): Add option.
(main): Store its value.
* sm/call-agent.c (learn_cb): Test against that list.
--
---
 doc/gpgsm.texi | 10 ++++++++++
 sm/call-agent.c | 34 ++++++++++++++++++++++++++++++++++
 sm/gpgsm.c | 6 ++++++
 sm/gpgsm.h | 4 ++++
 4 files changed, 54 insertions(+)
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 9363ec21d..39ec52331 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -676,6 +676,16 @@ This option adjusts the compliance mode "de-vs" for stricter key size
 requirements. For example, a value of 3000 turns rsa2048 and dsa2048 keys into non-VS-NfD compliant keys.
 
+@item --ignore-cert-with-oid @var{oid}
+@opindex ignore-cert-with-oid
+Add @var{oid} to the list of OIDs to be checked while reading
+certificates from smartcards. The @var{oid} is expected to be in
+dotted decimal form, like @code{2.5.29.3}. This option may be used
+more than once. As of now certificates with an extended key usage
+matching one of those OIDs are ignored during a @option{--learn-card}
+operation and not imported. This option can help to keep the local
+key database clear of unneeded certificates stored on smartcards.
+
 @item --faked-system-time @var{epoch}
 @opindex faked-system-time
 This option is only useful for testing; it sets the system time back or
diff --git a/sm/call-agent.c b/sm/call-agent.c
index a5b17e9c4..0c271d9ba 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -989,6 +989,8 @@ learn_cb (void *opaque, const void *buffer, size_t length)
 char *buf;
 ksba_cert_t cert;
 int rc;
+ char *string, *p, *pend;
+ strlist_t sl;
 if (parm->error)
 return 0;
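Review bot: `string` is declared without an initializer in this hunk, but the second hunk of this file calls `xfree (string)` unconditionally after `ksba_cert_get_ext_key_usages` returns, and the new `leave:` label in the third hunk frees it once more; unless that ksba call is guaranteed to set `*string` to NULL on every error return, the error branch frees an indeterminate pointer. Initialising at the declaration removes the dependency on the callee's contract and costs nothing: `char *string = NULL, *p, *pend;`. The body of learn_cb continues outside this hunk, so any other path that could reach `leave:` before `string` is assigned should be checked as well.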
@@ -1025,6 +1027,35 @@ learn_cb (void *opaque, const void *buffer, size_t length)
 return 0;
 }
 
+ /* Ignore certificates matching certain extended usage flags. */
+ rc = ksba_cert_get_ext_key_usages (cert, &string);
+ if (!rc)
+ {
+ p = string;
+ while (p && (pend=strchr (p, ':')))
+ {
+ *pend++ = 0;
+ for (sl=opt.ignore_cert_with_oid;
+ sl && strcmp (sl->d, p); sl = sl->next)
+ ;
+ if (sl)
+ {
+ if (opt.verbose)
+ log_info ("certificate ignored due to OID %s\n", sl->d);
+ goto leave;
+ }
+ p = pend;
+ if ((p = strchr (p, '\n')))
+ p++;
+ }
+ }
+ else if (gpg_err_code (rc) != GPG_ERR_NO_DATA)
+ log_error (_("error getting key usage information: %s\n"),
+ gpg_strerror (rc));
+ xfree (string);
+ string = NULL;
+
+
 /* We do not store a certifciate with missing issuers as ephemeral because we can assume that the --learn-card command has been used on purpose. */
@@ -1045,6 +1076,9 @@ learn_cb (void *opaque, const void *buffer, size_t length)
 }
 }
 
+ leave:
+ xfree (string);
+ string = NULL;
 ksba_cert_release (cert);
 init_membuf (parm->data, 4096);
 return 0;
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 8ee0e18c1..e70e2aaff 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -198,6 +198,7 @@ enum cmd_and_opt_values {
 oNoRandomSeedFile,
 oNoCommonCertsImport,
 oIgnoreCertExtension,
+ oIgnoreCertWithOID,
 oNoAutostart
 };
@@ -290,6 +291,7 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_s (oCompliance, "compliance", "@"),
 ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
 ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
+ ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"),
 ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
 ARGPARSE_s_s (oAgentProgram, "agent-program", "@"),
 ARGPARSE_s_s (oDirmngrProgram, "dirmngr-program", "@"),
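Review bot: The `log_info ("certificate ignored due to OID %s\n", sl->d);` message is not wrapped in `_()` although the `log_error` a few lines further down in the same hunk is, so the two messages this commit adds are inconsistent with respect to translation. The message also names only the matching OID, not which certificate was skipped, and it is printed only under `--verbose`, so an operator trying to find out why a smartcard certificate never reached the key database has nothing to correlate with. Consider `log_info (_("certificate ignored due to OID %s\n"), sl->d);` and, if a fingerprint helper for `cert` is available in this file, include the fingerprint in the message. The trailing `xfree (string); string = NULL;` pair is repeated at the `leave:` label in the next hunk; one copy suffices. learn_cb starts and ends outside this hunk.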
@@ -1383,6 +1385,10 @@ main ( int argc, char **argv)
 add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
 break;
 
+ case oIgnoreCertWithOID:
+ add_to_strlist (&opt.ignore_cert_with_oid, pargs.r.ret_str);
+ break;
+
 case oNoAutostart: opt.autostart = 0; break;
 case oCompliance:
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 21c677ebe..fce2767d5 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -139,6 +139,10 @@ struct
 OID per string. */
 strlist_t ignored_cert_extensions;
 
+ /* A list of OIDs which will be used to ignore certificates with
+ * sunch an OID during --learn-card. */
+ strlist_t ignore_cert_with_oid;
+
 enum gnupg_compliance_mode compliance;
 } opt;
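Review bot: The option value is stored verbatim by `add_to_strlist (&opt.ignore_cert_with_oid, pargs.r.ret_str);` and is later compared with `strcmp` against the dotted-decimal OIDs that libksba reports, so a typo, surrounding whitespace or a non-OID string is accepted silently and simply never matches, which means the certificate the user meant to skip is imported after all. A parse-time check that the argument consists only of digits and dots with no empty arcs, rejecting bad values with `log_error` the way main presumably validates its other string options (not visible in this hunk), would turn that silent no-op into a visible configuration error. main starts and ends outside this hunk.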
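Review bot: The new field comment has a typo (`sunch`) and does not say how the list is matched; since call-agent.c compares each entry with `strcmp` against the dotted-decimal extended-key-usage OIDs of the certificate, the comment should state that, for example `/* A list of OIDs in dotted decimal form.  A certificate whose extended` followed by `* key usage contains one of them is skipped by --learn-card.  */`. The name `ignore_cert_with_oid` also differs in form from the neighbouring `ignored_cert_extensions`; it is a style choice, but aligning the two while the option is new avoids a permanent inconsistency. The enclosing struct starts and ends outside this hunk.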