[svn] GnuPG - r5223 - in branches/STABLE-BRANCH-2-0: . doc sm

svn author wk cvs at cvs.gnupg.org
Thu Dec 10 14:00:09 CET 2009


Author: wk
Date: 2009-12-10 14:00:09 +0100 (Thu, 10 Dec 2009)
New Revision: 5223

Modified:
   branches/STABLE-BRANCH-2-0/NEWS
   branches/STABLE-BRANCH-2-0/doc/gpgsm.texi
   branches/STABLE-BRANCH-2-0/sm/ChangeLog
   branches/STABLE-BRANCH-2-0/sm/certchain.c
   branches/STABLE-BRANCH-2-0/sm/gpgsm.c
   branches/STABLE-BRANCH-2-0/sm/gpgsm.h
Log:
Add option --ignore-cert-extension


Modified: branches/STABLE-BRANCH-2-0/sm/ChangeLog
===================================================================
--- branches/STABLE-BRANCH-2-0/sm/ChangeLog	2009-12-09 15:56:45 UTC (rev 5222)
+++ branches/STABLE-BRANCH-2-0/sm/ChangeLog	2009-12-10 13:00:09 UTC (rev 5223)
@@ -1,3 +1,9 @@
+2009-12-10  Werner Koch  <wk at g10code.com>
+
+	* gpgsm.c: Add option --ignore-cert-extension.
+	* gpgsm.h (opt): Add field IGNORED_CERT_EXTENSIONS.
+	* certchain.c (unknown_criticals): Handle ignored extensions,
+
 2009-12-03  Werner Koch  <wk at g10code.com>
 
 	From trunk:

Modified: branches/STABLE-BRANCH-2-0/NEWS
===================================================================
--- branches/STABLE-BRANCH-2-0/NEWS	2009-12-09 15:56:45 UTC (rev 5222)
+++ branches/STABLE-BRANCH-2-0/NEWS	2009-12-10 13:00:09 UTC (rev 5223)
@@ -9,9 +9,11 @@
 
  * The GPGSM --audit-log feature is now more complete.
 
- * Support DNS lookups for SRV, PKA and CERT on W32.
+ * GPG now supports DNS lookups for SRV, PKA and CERT on W32.
 
+ * New GPGSM option --ignore-cert-extension.
 
+
 Noteworthy changes in version 2.0.13 (2009-09-04)
 -------------------------------------------------
 

Modified: branches/STABLE-BRANCH-2-0/doc/gpgsm.texi
===================================================================
--- branches/STABLE-BRANCH-2-0/doc/gpgsm.texi	2009-12-09 15:56:45 UTC (rev 5222)
+++ branches/STABLE-BRANCH-2-0/doc/gpgsm.texi	2009-12-10 13:00:09 UTC (rev 5223)
@@ -446,8 +446,17 @@
 the @file{trustlist.txt} or an attribute of the certificate requests it.
 However the standard model (shell) is in that case always tried first.
 
+ at item --ignore-cert-extension @var{oid}
+ at opindex ignore-cert-extension
+Add @var{oid} to the list of ignored certificate extensions.  The
+ at var{oid} is expected to be in dotted decimal form, like
+ at code{2.5.29.3}.  This option may used more than once.  Critical
+flagged certificate extensions matching one of the OIDs in the list
+are treated as if they are actually handled and thus the certificate
+won't be rejected due to an unknown critical extension.  Use this
+option with care because extensions are usually flagged as critical
+for a reason.
 
-
 @end table
 
 @c *******************************************

Modified: branches/STABLE-BRANCH-2-0/sm/certchain.c
===================================================================
--- branches/STABLE-BRANCH-2-0/sm/certchain.c	2009-12-09 15:56:45 UTC (rev 5222)
+++ branches/STABLE-BRANCH-2-0/sm/certchain.c	2009-12-10 13:00:09 UTC (rev 5223)
@@ -229,6 +229,8 @@
   int rc = 0, i, idx, crit;
   const char *oid;
   gpg_error_t err;
+  int unsupported;
+  strlist_t sl;
 
   for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
                                              &oid, &crit, NULL, NULL));idx++)
@@ -237,8 +239,21 @@
         continue;
       for (i=0; known[i] && strcmp (known[i],oid); i++)
         ;
-      if (!known[i])
+      unsupported = !known[i];
+
+      /* If this critical extension is not supoported, check the list
+         of to be ignored extensions to se whether we claim that it is
+         supported.  */
+      if (unsupported && opt.ignored_cert_extensions)
         {
+          for (sl=opt.ignored_cert_extensions;
+               sl && strcmp (sl->d, oid); sl = sl->next)
+            ;
+          if (sl)
+            unsupported = 0;
+        }
+      if (unsupported)
+        {
           do_list (1, listmode, fp,
                    _("critical certificate extension %s is not supported"),
                    oid);
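Review bot: When a critical extension is found in opt.ignored_cert_extensions the `if (sl)` branch just clears `unsupported` and emits nothing, so a chain that validates only because of this bypass looks identical in the listing and audit output to one whose extensions were genuinely understood; a notice in that branch, e.g. `do_list (0, listmode, fp, _("critical certificate extension %s is ignored"), oid);` (assuming do_list's first argument distinguishes error from informational output, as the `1` on the existing call suggests), would make the bypass visible to whoever reviews the verification result. The matching is an exact strcmp between `sl->d` and the OID string from ksba, which is fine for dotted-decimal input but means any stray whitespace in the configured value silently never matches. The new comment also has two typos: "supoported" should read "supported" and "to se" should read "to see". unknown_criticals begins before this hunk and its body continues after it.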

Modified: branches/STABLE-BRANCH-2-0/sm/gpgsm.c
===================================================================
--- branches/STABLE-BRANCH-2-0/sm/gpgsm.c	2009-12-09 15:56:45 UTC (rev 5222)
+++ branches/STABLE-BRANCH-2-0/sm/gpgsm.c	2009-12-10 13:00:09 UTC (rev 5223)
@@ -176,7 +176,8 @@
   oDisablePubkeyAlgo,
   oIgnoreTimeConflict,
   oNoRandomSeedFile,
-  oNoCommonCertsImport
+  oNoCommonCertsImport,
+  oIgnoreCertExtension
  };
 
 
@@ -376,6 +377,7 @@
   ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
   ARGPARSE_s_n (oNoRandomSeedFile,  "no-random-seed-file", "@"),
   ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
+  ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
 
   /* Command aliases.  */
   ARGPARSE_c (aListKeys, "list-key", "@"),  
@@ -1381,6 +1383,10 @@
 	  }
 	  break;
 
+        case oIgnoreCertExtension:
+          add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
+          break;
+
         default: 
           pargs.err = configfp? ARGPARSE_PRINT_WARNING:ARGPARSE_PRINT_ERROR; 
           break;
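Review bot: The value of --ignore-cert-extension is stored verbatim by `add_to_strlist` with no check that it is a dotted-decimal OID as gpgsm.texi documents, so a mistyped entry in the config file is accepted silently and simply never matches in certchain.c, leaving the user believing the extension is being ignored when it is not. A minimal sanity check before the call, `if (strspn (pargs.r.ret_str, "0123456789.") != strlen (pargs.r.ret_str)) log_error (_("invalid OID '%s' for --ignore-cert-extension\n"), pargs.r.ret_str);`, would surface such mistakes early; whether the option parser strips surrounding whitespace from ret_str is not visible here. The enclosing option-parsing switch starts and ends outside this hunk.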

Modified: branches/STABLE-BRANCH-2-0/sm/gpgsm.h
===================================================================
--- branches/STABLE-BRANCH-2-0/sm/gpgsm.h	2009-12-09 15:56:45 UTC (rev 5222)
+++ branches/STABLE-BRANCH-2-0/sm/gpgsm.h	2009-12-10 13:00:09 UTC (rev 5223)
@@ -134,9 +134,14 @@
                                runtime. */
 
   struct keyserver_spec *keyserver;
+
+  /* A list of certificate extension OIDs which are ignored so that
+     one can claim that a critical extension has been handled.  One
+     OID per string.  */
+  strlist_t ignored_cert_extensions;
+
 } opt;
 
-
 /* Debug values and macros.  */
 #define DBG_X509_VALUE    1	/* debug x.509 data reading/writing */
 #define DBG_MPI_VALUE	  2	/* debug mpi details */



