dirmngr: New option --ignore-crl-extensions.

* dirmngr/dirmngr.c (oIgnoreCRLExtension): New.
(opts): Add --ignore-crl-extension.
(parse_rereadable_options): Add to list/
* dirmngr/dirmngr.h (opt): Add ignored_crl_extensions.
* dirmngr/crlcache.c (crl_cache_insert): Implement option.
--

This option is is useful for debugging problems with new CRL
extensions.  It is similar to --ignore-cert-extension.

GnuPG-bug-id: 6545

NEWS

@@ -26,6 +26,8 @@ Noteworthy changes in version 2.2.42 (unreleased)
 
   * gpgsm: Also announce AES256-CBC in signatures.  [rGaa397fdcdb21]
 
+  * dirmngr: New option --ignore-crl-extensions.  [T6545]
+
   Release-info: https://dev.gnupg.org/T6307
 
 

dirmngr/crlcache.c

@@ -2356,10 +2356,19 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader)
   for (idx=0; !(err=ksba_crl_get_extension (crl, idx, &oid, &critical,
                                               NULL, NULL)); idx++)
     {
+      strlist_t sl;
+
       if (!critical
           || !strcmp (oid, oidstr_authorityKeyIdentifier)
           || !strcmp (oid, oidstr_crlNumber) )
         continue;
+
+      for (sl=opt.ignored_crl_extensions;
+           sl && strcmp (sl->d, oid); sl = sl->next)
+        ;
+      if (sl)
+        continue;  /* Is in ignored list.  */
+
       log_error (_("unknown critical CRL extension %s\n"), oid);
       log_info ("(CRL='%s')\n", url);
       if (!err2)

dirmngr/dirmngr.c

@@ -146,6 +146,7 @@ enum cmd_and_opt_values {
   oHTTPWrapperProgram,
   oIgnoreCert,
   oIgnoreCertExtension,
+  oIgnoreCRLExtension,
   oUseTor,
   oNoUseTor,
   oKeyServer,
@@ -222,6 +223,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"),
   ARGPARSE_s_s (oIgnoreCert,"ignore-cert", "@"),
   ARGPARSE_s_s (oIgnoreCertExtension,"ignore-cert-extension", "@"),
+  ARGPARSE_s_s (oIgnoreCRLExtension,"ignore-crl-extension", "@"),
 
 
   ARGPARSE_header ("Network", N_("Network related options")),
@@ -704,6 +706,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
           opt.ignored_certs = tmp;
         }
       FREE_STRLIST (opt.ignored_cert_extensions);
+      FREE_STRLIST (opt.ignored_crl_extensions);
       http_register_tls_ca (NULL);
       FREE_STRLIST (hkp_cacert_filenames);
       FREE_STRLIST (opt.keyserver);
@@ -815,6 +818,10 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
       add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str);
       break;
 
+    case oIgnoreCRLExtension:
+      add_to_strlist (&opt.ignored_crl_extensions, pargs->r.ret_str);
+      break;
+
     case oUseTor:
       tor_mode = TOR_MODE_FORCE;
       break;

dirmngr/dirmngr.h

@@ -131,6 +131,11 @@ struct
      OID per string.  */
   strlist_t ignored_cert_extensions;
 
+  /* A list of CRL extension OIDs which are ignored so that one can
+   * claim that a critical extension has been handled.  One OID per
+   * string.  */
+  strlist_t ignored_crl_extensions;
+
   /* Allow expired certificates in the cache.  */
   int debug_cache_expired_certs;
 

doc/dirmngr.texi

@@ -594,6 +594,15 @@ won't be rejected due to an unknown critical extension.  Use this
 option with care because extensions are usually flagged as critical
 for a reason.
 
+@item --ignore-crl-extension @var{oid}
+@opindex ignore-crl-extension
+Add @var{oid} to the list of ignored CRL extensions.  The @var{oid} is
+expected to be in dotted decimal form.  Critical flagged CRL
+extensions matching one of the OIDs in the list are treated as if they
+are actually handled and thus the certificate won't be rejected due to
+an unknown critical extension.  Use this option with care because
+extensions are usually flagged as critical for a reason.
+
 @item --ignore-cert @var{fpr}|@var{file}
 @opindex ignore-cert
 Entirely ignore certificates with the fingerprint @var{fpr}.  As an