sm: New option --ignore-cert-with-oid.
* sm/gpgsm.c (oIgnoreCertWithOID): New. (opts): Add option. (main): Store its value. * sm/call-agent.c (learn_cb): Test against that list.
This commit is contained in:
parent
b2cedc108d
commit
e23dc755fa
@ -699,6 +699,16 @@ This option adjusts the compliance mode "de-vs" for stricter key size
|
|||||||
requirements. For example, a value of 3000 turns rsa2048 and dsa2048
|
requirements. For example, a value of 3000 turns rsa2048 and dsa2048
|
||||||
keys into non-VS-NfD compliant keys.
|
keys into non-VS-NfD compliant keys.
|
||||||
|
|
||||||
|
@item --ignore-cert-with-oid @var{oid}
|
||||||
|
@opindex ignore-cert-with-oid
|
||||||
|
Add @var{oid} to the list of OIDs to be checked while reading
|
||||||
|
certificates from smartcards. The @var{oid} is expected to be in
|
||||||
|
dotted decimal form, like @code{2.5.29.3}. This option may be used
|
||||||
|
more than once. As of now certificates with an extended key usage
|
||||||
|
matching one of those OIDs are ignored during a @option{--learn-card}
|
||||||
|
operation and not imported. This option can help to keep the local
|
||||||
|
key database clear of unneeded certificates stored on smartcards.
|
||||||
|
|
||||||
@item --faked-system-time @var{epoch}
|
@item --faked-system-time @var{epoch}
|
||||||
@opindex faked-system-time
|
@opindex faked-system-time
|
||||||
This option is only useful for testing; it sets the system time back or
|
This option is only useful for testing; it sets the system time back or
|
||||||
|
@ -1032,6 +1032,8 @@ learn_cb (void *opaque, const void *buffer, size_t length)
|
|||||||
char *buf;
|
char *buf;
|
||||||
ksba_cert_t cert;
|
ksba_cert_t cert;
|
||||||
int rc;
|
int rc;
|
||||||
|
char *string, *p, *pend;
|
||||||
|
strlist_t sl;
|
||||||
|
|
||||||
if (parm->error)
|
if (parm->error)
|
||||||
return 0;
|
return 0;
|
||||||
@ -1068,6 +1070,35 @@ learn_cb (void *opaque, const void *buffer, size_t length)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Ignore certificates matching certain extended usage flags. */
|
||||||
|
rc = ksba_cert_get_ext_key_usages (cert, &string);
|
||||||
|
if (!rc)
|
||||||
|
{
|
||||||
|
p = string;
|
||||||
|
while (p && (pend=strchr (p, ':')))
|
||||||
|
{
|
||||||
|
*pend++ = 0;
|
||||||
|
for (sl=opt.ignore_cert_with_oid;
|
||||||
|
sl && strcmp (sl->d, p); sl = sl->next)
|
||||||
|
;
|
||||||
|
if (sl)
|
||||||
|
{
|
||||||
|
if (opt.verbose)
|
||||||
|
log_info ("certificate ignored due to OID %s\n", sl->d);
|
||||||
|
goto leave;
|
||||||
|
}
|
||||||
|
p = pend;
|
||||||
|
if ((p = strchr (p, '\n')))
|
||||||
|
p++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (gpg_err_code (rc) != GPG_ERR_NO_DATA)
|
||||||
|
log_error (_("error getting key usage information: %s\n"),
|
||||||
|
gpg_strerror (rc));
|
||||||
|
xfree (string);
|
||||||
|
string = NULL;
|
||||||
|
|
||||||
|
|
||||||
/* We do not store a certifciate with missing issuers as ephemeral
|
/* We do not store a certifciate with missing issuers as ephemeral
|
||||||
because we can assume that the --learn-card command has been used
|
because we can assume that the --learn-card command has been used
|
||||||
on purpose. */
|
on purpose. */
|
||||||
@ -1088,6 +1119,9 @@ learn_cb (void *opaque, const void *buffer, size_t length)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
leave:
|
||||||
|
xfree (string);
|
||||||
|
string = NULL;
|
||||||
ksba_cert_release (cert);
|
ksba_cert_release (cert);
|
||||||
init_membuf (parm->data, 4096);
|
init_membuf (parm->data, 4096);
|
||||||
return 0;
|
return 0;
|
||||||
|
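Review bot: `string` is declared without an initializer in `char *string, *p, *pend;` while the new `leave:` label unconditionally does `xfree (string);`, so the cleanup path is only safe as long as every `goto leave` stays after the `ksba_cert_get_ext_key_usages` call; the `xfree (string)` in the `else if` error branch likewise depends on the library resetting its output to NULL on every failure, which I cannot confirm from here. Initializing it at the declaration, `char *string = NULL, *p, *pend;`, removes both assumptions at no cost. The new `log_info ("certificate ignored due to OID %s\n", sl->d);` is not wrapped in `_()` although the adjacent `log_error (_("error getting key usage information: ..."))` is, so the two messages will be translated inconsistently. Note also that any error other than GPG_ERR_NO_DATA is logged but the certificate is still imported; if that fail-open behaviour is intended for --learn-card, a one-line comment saying so would help the next reader. learn_cb starts and ends outside these hunks.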
@ -203,6 +203,7 @@ enum cmd_and_opt_values {
|
|||||||
oNoRandomSeedFile,
|
oNoRandomSeedFile,
|
||||||
oNoCommonCertsImport,
|
oNoCommonCertsImport,
|
||||||
oIgnoreCertExtension,
|
oIgnoreCertExtension,
|
||||||
|
oIgnoreCertWithOID,
|
||||||
oAuthenticode,
|
oAuthenticode,
|
||||||
oAttribute,
|
oAttribute,
|
||||||
oChUid,
|
oChUid,
|
||||||
@ -302,6 +303,7 @@ static gpgrt_opt_t opts[] = {
|
|||||||
ARGPARSE_s_s (oCompliance, "compliance", "@"),
|
ARGPARSE_s_s (oCompliance, "compliance", "@"),
|
||||||
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
|
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
|
||||||
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
|
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
|
||||||
|
ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"),
|
||||||
ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
|
ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
|
||||||
ARGPARSE_s_s (oAgentProgram, "agent-program", "@"),
|
ARGPARSE_s_s (oAgentProgram, "agent-program", "@"),
|
||||||
ARGPARSE_s_s (oKeyboxdProgram, "keyboxd-program", "@"),
|
ARGPARSE_s_s (oKeyboxdProgram, "keyboxd-program", "@"),
|
||||||
@ -1427,6 +1429,10 @@ main ( int argc, char **argv)
|
|||||||
add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
|
add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case oIgnoreCertWithOID:
|
||||||
|
add_to_strlist (&opt.ignore_cert_with_oid, pargs.r.ret_str);
|
||||||
|
break;
|
||||||
|
|
||||||
case oAuthenticode: opt.authenticode = 1; break;
|
case oAuthenticode: opt.authenticode = 1; break;
|
||||||
|
|
||||||
case oAttribute:
|
case oAttribute:
|
||||||
|
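Review bot: The value appended in `case oIgnoreCertWithOID:` via `add_to_strlist (&opt.ignore_cert_with_oid, pargs.r.ret_str);` is stored verbatim, although the option is documented as taking a dotted-decimal OID and learn_cb matches it with an exact strcmp, so a mistyped or padded value is accepted silently and simply never matches. A cheap syntax check before storing it, for example `if (!*pargs.r.ret_str || strspn (pargs.r.ret_str, "0123456789.") != strlen (pargs.r.ret_str)) log_error ("invalid OID '%s' for --ignore-cert-with-oid\n", pargs.r.ret_str);`, would turn that into a visible configuration error. main's option loop begins and ends outside this hunk.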
@ -151,6 +151,10 @@ struct
|
|||||||
OID per string. */
|
OID per string. */
|
||||||
strlist_t ignored_cert_extensions;
|
strlist_t ignored_cert_extensions;
|
||||||
|
|
||||||
|
/* A list of OIDs which will be used to ignore certificates with
|
||||||
|
* sunch an OID during --learn-card. */
|
||||||
|
strlist_t ignore_cert_with_oid;
|
||||||
|
|
||||||
enum gnupg_compliance_mode compliance;
|
enum gnupg_compliance_mode compliance;
|
||||||
|
|
||||||
/* Enable creation of authenticode signatures. */
|
/* Enable creation of authenticode signatures. */
|
||||||
|
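Review bot: The comment on the new field, `* sunch an OID during --learn-card. */`, has a typo ("sunch") and does not say which part of the certificate the OIDs are compared against, which learn_cb makes clear is the extended key usage. I would replace the two comment lines with `/* A list of OIDs; a certificate whose extended key usage contains one of them is ignored during --learn-card. */`. The enclosing struct begins outside this hunk.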