diff --git a/NEWS b/NEWS index 30e333b6d..9facb4448 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,8 @@ Noteworthy changes in version 2.2.42 (unreleased) * gpgsm: Also announce AES256-CBC in signatures. [rGaa397fdcdb21] + * dirmngr: New option --ignore-crl-extensions. [T6545] + Release-info: https://dev.gnupg.org/T6307 diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c index 354f9b693..05c506650 100644 --- a/dirmngr/crlcache.c +++ b/dirmngr/crlcache.c @@ -2356,10 +2356,19 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader) for (idx=0; !(err=ksba_crl_get_extension (crl, idx, &oid, &critical, NULL, NULL)); idx++) { + strlist_t sl; + if (!critical || !strcmp (oid, oidstr_authorityKeyIdentifier) || !strcmp (oid, oidstr_crlNumber) ) continue; + + for (sl=opt.ignored_crl_extensions; + sl && strcmp (sl->d, oid); sl = sl->next) + ; + if (sl) + continue; /* Is in ignored list. */ + log_error (_("unknown critical CRL extension %s\n"), oid); log_info ("(CRL='%s')\n", url); if (!err2) diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index a94257e5c..21b32c71a 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -146,6 +146,7 @@ enum cmd_and_opt_values { oHTTPWrapperProgram, oIgnoreCert, oIgnoreCertExtension, + oIgnoreCRLExtension, oUseTor, oNoUseTor, oKeyServer, @@ -222,6 +223,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"), ARGPARSE_s_s (oIgnoreCert,"ignore-cert", "@"), ARGPARSE_s_s (oIgnoreCertExtension,"ignore-cert-extension", "@"), + ARGPARSE_s_s (oIgnoreCRLExtension,"ignore-crl-extension", "@"), ARGPARSE_header ("Network", N_("Network related options")), @@ -704,6 +706,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) opt.ignored_certs = tmp; } FREE_STRLIST (opt.ignored_cert_extensions); + FREE_STRLIST (opt.ignored_crl_extensions); http_register_tls_ca (NULL); FREE_STRLIST (hkp_cacert_filenames); FREE_STRLIST (opt.keyserver); @@ -815,6 +818,10 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str); break; + case oIgnoreCRLExtension: + add_to_strlist (&opt.ignored_crl_extensions, pargs->r.ret_str); + break; + case oUseTor: tor_mode = TOR_MODE_FORCE; break; diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h index dd9f605da..a6cddf807 100644 --- a/dirmngr/dirmngr.h +++ b/dirmngr/dirmngr.h @@ -131,6 +131,11 @@ struct OID per string. */ strlist_t ignored_cert_extensions; + /* A list of CRL extension OIDs which are ignored so that one can + * claim that a critical extension has been handled. One OID per + * string. */ + strlist_t ignored_crl_extensions; + /* Allow expired certificates in the cache. */ int debug_cache_expired_certs; diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index f9da5f090..7ff296ded 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi @@ -594,6 +594,15 @@ won't be rejected due to an unknown critical extension. Use this option with care because extensions are usually flagged as critical for a reason. +@item --ignore-crl-extension @var{oid} +@opindex ignore-crl-extension +Add @var{oid} to the list of ignored CRL extensions. The @var{oid} is +expected to be in dotted decimal form. Critical flagged CRL +extensions matching one of the OIDs in the list are treated as if they +are actually handled and thus the certificate won't be rejected due to +an unknown critical extension. Use this option with care because +extensions are usually flagged as critical for a reason. + @item --ignore-cert @var{fpr}|@var{file} @opindex ignore-cert Entirely ignore certificates with the fingerprint @var{fpr}. As an