gpgsm: New option --compatibility-flags.

* sm/gpgsm.c (oCompatibilityFlags): New option. (compatibility_flags): new. (main): Parse and print them in verbose mode. * sm/gpgsm.h (opt): Add field compat_glags.: (COMPAT_ALLOW_KA_TO_ENCR): New. * sm/keylist.c (print_capabilities): Take care of the new flag. * sm/certlist.c (cert_usage_p): Ditto.
2024-12-22 10:19:57 +01:00 · 2022-06-13 17:46:40 +02:00 · 2022-06-13 17:46:40 +02:00 · f0b373cec9
commit f0b373cec9
parent ce63eaa4f8
5 changed files with 76 additions and 9 deletions
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@ -733,6 +733,14 @@ Include ephemeral flagged keys in the output of key listings.  Note
 that they are included anyway if the key specification for a listing
 is given as fingerprint or keygrip.
@item --compatibility-flags @var{flags}
@opindex compatibility-flags
 Set compatibility flags to work around problems due to non-compliant
 certificates or data.  The @var{flags} are given as a comma separated
 list of flag names and are OR-ed together.  The special flag "none"
 clears the list and allows to start over with an empty list.  To get a
 list of available flags the sole word "help" can be used.
@item --debug-level @var{level}
@opindex debug-level
 Select the debug level for investigating problems. @var{level} may be
--- a/sm/certlist.c
+++ b/sm/certlist.c
@ -51,9 +51,11 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent)
 {
  gpg_error_t err;
  unsigned int use;
  unsigned int encr_bits, sign_bits;
  char *extkeyusages;
  int have_ocsp_signing = 0;
  err = ksba_cert_get_ext_key_usages (cert, &extkeyusages);
  if (gpg_err_code (err) == GPG_ERR_NO_DATA)
    err = 0; /* no policy given */
@ -157,10 +159,13 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent)
      return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
    }
-  if ((use & ((mode&1)?
+  encr_bits = (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT);
-              (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT):
+  if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR))
-              (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
+    encr_bits |= KSBA_KEYUSAGE_KEY_AGREEMENT;
-      )
+
  sign_bits = (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION);
  if ((use & ((mode&1)? encr_bits : sign_bits)))
    return 0;
  if (!silent)
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@ -210,6 +210,7 @@ enum cmd_and_opt_values {
  oUseKeyboxd,
  oKeyboxdProgram,
  oRequireCompliance,
  oCompatibilityFlags,
  oNoAutostart
 };
@ -442,6 +443,7 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_s (oLCmessages, "lc-messages", "@"),
  ARGPARSE_s_s (oXauthority, "xauthority", "@"),
  ARGPARSE_s_s (oChUid, "chuid", "@"),
  ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"),
  ARGPARSE_header (NULL, ""),  /* Stop the header group.  */
@ -479,6 +481,14 @@ static struct debug_flags_s debug_flags [] =
  };
 /* The list of compatibility flags.  */
 static struct compatibility_flags_s compatibility_flags [] =
  {
    { COMPAT_ALLOW_KA_TO_ENCR, "allow-ka-to-encr" },
    { 0, NULL }
  };
 /* Global variable to keep an error count. */
 int gpgsm_errors_seen = 0;
@ -1271,6 +1281,15 @@ main ( int argc, char **argv)
        case oDebugIgnoreExpiration: opt.ignore_expiration = 1; break;
        case oDebugForceECDHSHA1KDF: opt.force_ecdh_sha1kdf = 1; break;
        case oCompatibilityFlags:
          if (parse_compatibility_flags (pargs.r.ret_str, &opt.compat_flags,
                                         compatibility_flags))
            {
              pargs.r_opt = ARGPARSE_INVALID_ARG;
              pargs.err = ARGPARSE_PRINT_ERROR;
            }
          break;
        case oStatusFD:
            ctrl.status_fd = translate_sys2libc_fd_int (pargs.r.ret_int, 1);
            break;
@ -1584,6 +1603,8 @@ main ( int argc, char **argv)
  gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
  set_debug ();
  if (opt.verbose) /* Print the compatibility flags.  */
    parse_compatibility_flags (NULL, &opt.compat_flags, compatibility_flags);
  gnupg_set_compliance_extra_info (opt.min_rsa_length);
  /* Although we always use gpgsm_exit, we better install a regular
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -176,6 +176,9 @@ struct
   * HEX_OR_FILENAME.  The actual value needs to be encoded as a SET OF
   * attribute values.  */
  strlist_t attributes;
  /* Compatibility flags (COMPAT_FLAG_xxxx).  */
  unsigned int compat_flags;
 } opt;
 /* Debug values and macros.  */
@ -199,6 +202,18 @@ struct
 #define DBG_CLOCK   (opt.debug & DBG_CLOCK_VALUE)
 #define DBG_LOOKUP  (opt.debug & DBG_LOOKUP_VALUE)
 /* Compatibility flags */
 /* Telesec RSA cards produced for NRW in 2022 came with only the
 * keyAgreement bit set.  This flag allows there use for encryption
 * anyway.  Example cert:
 *    Issuer: /CN=DOI CA 10a/OU=DOI/O=PKI-1-Verwaltung/C=DE
 * key usage: digitalSignature nonRepudiation keyAgreement
 *  policies: 1.3.6.1.4.1.7924.1.1:N:
 */
 #define COMPAT_ALLOW_KA_TO_ENCR   1
 /* Forward declaration for an object defined in server.c */
 struct server_local_s;
--- a/sm/keylist.c
+++ b/sm/keylist.c
@ -304,9 +304,11 @@ print_capabilities (ksba_cert_t cert, estream_t fp)
 {
  gpg_error_t err;
  unsigned int use;
  unsigned int is_encr, is_sign, is_cert;
  size_t buflen;
  char buffer[1];
  err = ksba_cert_get_user_data (cert, "is_qualified",
                                 &buffer, sizeof (buffer), &buflen);
  if (!err && buflen)
@ -338,17 +340,33 @@ print_capabilities (ksba_cert_t cert, estream_t fp)
      return;
    }
  is_encr = is_sign = is_cert = 0;
  if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
    is_encr = 1;
  if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
    is_sign = 1;
  if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
    is_cert = 1;
  /* We need to returned the faked key usage to frontends so that they
   * can select the right key.  Note that we don't do this for the
   * human readable keyUsage.  */
  if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR)
      && (use & KSBA_KEYUSAGE_KEY_AGREEMENT))
    is_encr = 1;
  if (is_encr)
    es_putc ('e', fp);
-  if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
+  if (is_sign)
    es_putc ('s', fp);
-  if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
+  if (is_cert)
    es_putc ('c', fp);
-  if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
+  if (is_encr)
    es_putc ('E', fp);
-  if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
+  if (is_sign)
    es_putc ('S', fp);
-  if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
+  if (is_cert)
    es_putc ('C', fp);
 }