gpgsm: New option --compatibility-flags.

* sm/gpgsm.c (oCompatibilityFlags): New option. (compatibility_flags): new. (main): Parse and print them in verbose mode. * sm/gpgsm.h (opt): Add field compat_glags.: (COMPAT_ALLOW_KA_TO_ENCR): New. * sm/keylist.c (print_capabilities): Take care of the new flag. * sm/certlist.c (cert_usage_p): Ditto.
2025-07-02 22:46:30 +02:00 · 2022-06-13 17:46:40 +02:00 · 2022-06-13 17:46:40 +02:00 · f0b373cec9
commit f0b373cec9
parent ce63eaa4f8
5 changed files with 76 additions and 9 deletions
--- a/sm/certlist.c
+++ b/sm/certlist.c
@ -51,9 +51,11 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent)
 {
  gpg_error_t err;
  unsigned int use;
+  unsigned int encr_bits, sign_bits;
  char *extkeyusages;
  int have_ocsp_signing = 0;

+
  err = ksba_cert_get_ext_key_usages (cert, &extkeyusages);
  if (gpg_err_code (err) == GPG_ERR_NO_DATA)
    err = 0; /* no policy given */
@ -157,10 +159,13 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent)
      return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
    }

-  if ((use & ((mode&1)?
-              (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT):
-              (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
-      )
+  encr_bits = (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT);
+  if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR))
+    encr_bits |= KSBA_KEYUSAGE_KEY_AGREEMENT;
+
+  sign_bits = (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION);
+
+  if ((use & ((mode&1)? encr_bits : sign_bits)))
    return 0;

  if (!silent)