1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

sm: New option --ignore-cert-with-oid.

* sm/gpgsm.c (oIgnoreCertWithOID): New.
(opts): Add option.
(main): Store its value.
* sm/call-agent.c (learn_cb): Test against that list.
This commit is contained in:
Werner Koch 2022-02-03 14:14:14 +01:00
parent b2cedc108d
commit e23dc755fa
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
4 changed files with 54 additions and 0 deletions

View File

@ -699,6 +699,16 @@ This option adjusts the compliance mode "de-vs" for stricter key size
requirements. For example, a value of 3000 turns rsa2048 and dsa2048 requirements. For example, a value of 3000 turns rsa2048 and dsa2048
keys into non-VS-NfD compliant keys. keys into non-VS-NfD compliant keys.
@item --ignore-cert-with-oid @var{oid}
@opindex ignore-cert-with-oid
Add @var{oid} to the list of OIDs to be checked while reading
certificates from smartcards. The @var{oid} is expected to be in
dotted decimal form, like @code{2.5.29.3}. This option may be used
more than once. As of now certificates with an extended key usage
matching one of those OIDs are ignored during a @option{--learn-card}
operation and not imported. This option can help to keep the local
key database clear of unneeded certificates stored on smartcards.
@item --faked-system-time @var{epoch} @item --faked-system-time @var{epoch}
@opindex faked-system-time @opindex faked-system-time
This option is only useful for testing; it sets the system time back or This option is only useful for testing; it sets the system time back or

View File

@ -1032,6 +1032,8 @@ learn_cb (void *opaque, const void *buffer, size_t length)
char *buf; char *buf;
ksba_cert_t cert; ksba_cert_t cert;
int rc; int rc;
char *string, *p, *pend;
strlist_t sl;
if (parm->error) if (parm->error)
return 0; return 0;
@ -1068,6 +1070,35 @@ learn_cb (void *opaque, const void *buffer, size_t length)
return 0; return 0;
} }
/* Ignore certificates matching certain extended usage flags. */
rc = ksba_cert_get_ext_key_usages (cert, &string);
if (!rc)
{
p = string;
while (p && (pend=strchr (p, ':')))
{
*pend++ = 0;
for (sl=opt.ignore_cert_with_oid;
sl && strcmp (sl->d, p); sl = sl->next)
;
if (sl)
{
if (opt.verbose)
log_info ("certificate ignored due to OID %s\n", sl->d);
goto leave;
}
p = pend;
if ((p = strchr (p, '\n')))
p++;
}
}
else if (gpg_err_code (rc) != GPG_ERR_NO_DATA)
log_error (_("error getting key usage information: %s\n"),
gpg_strerror (rc));
xfree (string);
string = NULL;
/* We do not store a certifciate with missing issuers as ephemeral /* We do not store a certifciate with missing issuers as ephemeral
because we can assume that the --learn-card command has been used because we can assume that the --learn-card command has been used
on purpose. */ on purpose. */
@ -1088,6 +1119,9 @@ learn_cb (void *opaque, const void *buffer, size_t length)
} }
} }
leave:
xfree (string);
string = NULL;
ksba_cert_release (cert); ksba_cert_release (cert);
init_membuf (parm->data, 4096); init_membuf (parm->data, 4096);
return 0; return 0;

View File

@ -203,6 +203,7 @@ enum cmd_and_opt_values {
oNoRandomSeedFile, oNoRandomSeedFile,
oNoCommonCertsImport, oNoCommonCertsImport,
oIgnoreCertExtension, oIgnoreCertExtension,
oIgnoreCertWithOID,
oAuthenticode, oAuthenticode,
oAttribute, oAttribute,
oChUid, oChUid,
@ -302,6 +303,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oCompliance, "compliance", "@"), ARGPARSE_s_s (oCompliance, "compliance", "@"),
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"), ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"), ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"),
ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"), ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
ARGPARSE_s_s (oAgentProgram, "agent-program", "@"), ARGPARSE_s_s (oAgentProgram, "agent-program", "@"),
ARGPARSE_s_s (oKeyboxdProgram, "keyboxd-program", "@"), ARGPARSE_s_s (oKeyboxdProgram, "keyboxd-program", "@"),
@ -1427,6 +1429,10 @@ main ( int argc, char **argv)
add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str); add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
break; break;
case oIgnoreCertWithOID:
add_to_strlist (&opt.ignore_cert_with_oid, pargs.r.ret_str);
break;
case oAuthenticode: opt.authenticode = 1; break; case oAuthenticode: opt.authenticode = 1; break;
case oAttribute: case oAttribute:

View File

@ -151,6 +151,10 @@ struct
OID per string. */ OID per string. */
strlist_t ignored_cert_extensions; strlist_t ignored_cert_extensions;
/* A list of OIDs which will be used to ignore certificates with
* sunch an OID during --learn-card. */
strlist_t ignore_cert_with_oid;
enum gnupg_compliance_mode compliance; enum gnupg_compliance_mode compliance;
/* Enable creation of authenticode signatures. */ /* Enable creation of authenticode signatures. */