From e23dc755fa725877ce96eb5a6a6f5788457267f4 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 3 Feb 2022 14:14:14 +0100 Subject: [PATCH] sm: New option --ignore-cert-with-oid. * sm/gpgsm.c (oIgnoreCertWithOID): New. (opts): Add option. (main): Store its value. * sm/call-agent.c (learn_cb): Test against that list. --- doc/gpgsm.texi | 10 ++++++++++ sm/call-agent.c | 34 ++++++++++++++++++++++++++++++++++ sm/gpgsm.c | 6 ++++++ sm/gpgsm.h | 4 ++++ 4 files changed, 54 insertions(+) diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index ee5a63861..8c139c7d4 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -699,6 +699,16 @@ This option adjusts the compliance mode "de-vs" for stricter key size requirements. For example, a value of 3000 turns rsa2048 and dsa2048 keys into non-VS-NfD compliant keys. +@item --ignore-cert-with-oid @var{oid} +@opindex ignore-cert-with-oid +Add @var{oid} to the list of OIDs to be checked while reading +certificates from smartcards. The @var{oid} is expected to be in +dotted decimal form, like @code{2.5.29.3}. This option may be used +more than once. As of now certificates with an extended key usage +matching one of those OIDs are ignored during a @option{--learn-card} +operation and not imported. This option can help to keep the local +key database clear of unneeded certificates stored on smartcards. + @item --faked-system-time @var{epoch} @opindex faked-system-time This option is only useful for testing; it sets the system time back or diff --git a/sm/call-agent.c b/sm/call-agent.c index 868497e0d..6373829e8 100644 --- a/sm/call-agent.c +++ b/sm/call-agent.c @@ -1032,6 +1032,8 @@ learn_cb (void *opaque, const void *buffer, size_t length) char *buf; ksba_cert_t cert; int rc; + char *string, *p, *pend; + strlist_t sl; if (parm->error) return 0; 
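Review bot: `string` is added without an initializer, yet the code this patch adds later in the same function calls `xfree (string)` unconditionally after `ksba_cert_get_ext_key_usages` returns — including when that call fails — and again at the new `leave:` label; whether that is safe on the error path depends on the callee clearing `*result` before returning an error, which nothing in this patch establishes. Initializing at the declaration, `char *string = NULL, *p, *pend;`, removes that dependency and also keeps any future `goto leave` placed before the ksba call from freeing an indeterminate pointer. learn_cb begins before this hunk and continues after it.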
@@ -1068,6 +1070,35 @@ learn_cb (void *opaque, const void *buffer, size_t length) return 0; } + /* Ignore certificates matching certain extended usage flags. */ + rc = ksba_cert_get_ext_key_usages (cert, &string); + if (!rc) + { + p = string; + while (p && (pend=strchr (p, ':'))) + { + *pend++ = 0; + for (sl=opt.ignore_cert_with_oid; + sl && strcmp (sl->d, p); sl = sl->next) + ; + if (sl) + { + if (opt.verbose) + log_info ("certificate ignored due to OID %s\n", sl->d); + goto leave; + } + p = pend; + if ((p = strchr (p, '\n'))) + p++; + } + } + else if (gpg_err_code (rc) != GPG_ERR_NO_DATA) + log_error (_("error getting key usage information: %s\n"), + gpg_strerror (rc)); + xfree (string); + string = NULL; + + /* We do not store a certifciate with missing issuers as ephemeral because we can assume that the --learn-card command has been used on purpose. */ @@ -1088,6 +1119,9 @@ learn_cb (void *opaque, const void *buffer, size_t length) } } + leave: + xfree (string); + string = NULL; ksba_cert_release (cert); init_membuf (parm->data, 4096); return 0; diff --git a/sm/gpgsm.c b/sm/gpgsm.c index b95edf83b..61dd86aab 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -203,6 +203,7 @@ enum cmd_and_opt_values { oNoRandomSeedFile, oNoCommonCertsImport, oIgnoreCertExtension, + oIgnoreCertWithOID, oAuthenticode, oAttribute, oChUid, @@ -302,6 +303,7 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oCompliance, "compliance", "@"), ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"), ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"), + ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"), ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"), ARGPARSE_s_s (oAgentProgram, "agent-program", "@"), ARGPARSE_s_s (oKeyboxdProgram, "keyboxd-program", "@"), 
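Review bot: In the loop body the store `p = pend;` is dead, because the very next statement overwrites `p` with the result of `strchr (p, '\n')`; `if ((p = strchr (pend, '\n'))) p++;` does the same thing without the redundant assignment. The `xfree (string); string = NULL;` pair at the end of this block duplicates what the new `leave:` label does a few lines further down; if it is kept deliberately because existing early returns between here and the label bypass it (that stretch of learn_cb is outside this hunk), a one-line comment such as `/* Free now: later early returns do not pass through leave:.  */` would save the next reader from wondering which of the two is the real owner. Also note that a match is only reported under `opt.verbose`, so at default verbosity a certificate dropped by this filter leaves no trace in the --learn-card output; that may be intended, but is worth stating in the comment above the block.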
@@ -1427,6 +1429,10 @@ main ( int argc, char **argv) add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str); break; + case oIgnoreCertWithOID: + add_to_strlist (&opt.ignore_cert_with_oid, pargs.r.ret_str); + break; + case oAuthenticode: opt.authenticode = 1; break; case oAttribute: diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 0dfd56daf..6dc5927b7 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -151,6 +151,10 @@ struct OID per string. */ strlist_t ignored_cert_extensions; + /* A list of OIDs which will be used to ignore certificates with + * sunch an OID during --learn-card. */ + strlist_t ignore_cert_with_oid; + enum gnupg_compliance_mode compliance; /* Enable creation of authenticode signatures. */
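Review bot: The option value is stored verbatim with `add_to_strlist` and never checked against the dotted-decimal form the documentation promises, so a mistyped or symbolic value in gpgsm.conf silently never matches the exact `strcmp` in learn_cb and the certificate is imported after all, with nothing in the learn path to say why. A cheap sanity check at parse time would catch that, e.g. `if (strspn (pargs.r.ret_str, "0123456789.") != strlen (pargs.r.ret_str)) log_error (...)` before the add, using whichever rejection path the neighbouring options take for invalid values; the enclosing switch in main is mostly outside this hunk. At minimum the help text, which is hidden with "@" here, or the manual should say that values are compared literally.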
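Review bot: The comment on the new struct field has a typo, `sunch` for `such`; the second line should read `* such an OID during --learn-card.  */`. The field name `ignore_cert_with_oid` also departs from the adjacent `ignored_cert_extensions`, which names the list after what was ignored; if that is the convention in this struct, `ignored_cert_oids` would read consistently, although the user-visible option name should of course stay as documented.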