[svn] GnuPG - r5224 - in trunk: . doc sm
svn author wk
cvs at cvs.gnupg.org
Thu Dec 10 14:00:30 CET 2009
Author: wk
Date: 2009-12-10 14:00:30 +0100 (Thu, 10 Dec 2009)
New Revision: 5224
Modified:
trunk/NEWS
trunk/doc/gpgsm.texi
trunk/sm/ChangeLog
trunk/sm/certchain.c
trunk/sm/gpgsm.c
trunk/sm/gpgsm.h
Log:
Add option --cert-extension.
Modified: trunk/sm/ChangeLog
===================================================================
--- trunk/sm/ChangeLog 2009-12-10 13:00:09 UTC (rev 5223)
+++ trunk/sm/ChangeLog 2009-12-10 13:00:30 UTC (rev 5224)
@@ -1,3 +1,9 @@
+2009-12-10 Werner Koch <wk at g10code.com>
+
+ * gpgsm.c: Add option --ignore-cert-extension.
+ * gpgsm.h (opt): Add field IGNORED_CERT_EXTENSIONS.
+ * certchain.c (unknown_criticals): Handle ignored extensions,
+
2009-12-08 Werner Koch <wk at g10code.com>
* keydb.c (keydb_search_kid): Fix code even that it is not used.
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2009-12-10 13:00:09 UTC (rev 5223)
+++ trunk/NEWS 2009-12-10 13:00:30 UTC (rev 5224)
@@ -16,7 +16,9 @@
* Support DNS lookups for SRV, PKA and CERT on W32.
+ * New GPGSM option --ignore-cert-extension.
+
Noteworthy changes in version 2.0.13 (2009-09-04)
-------------------------------------------------
Modified: trunk/doc/gpgsm.texi
===================================================================
--- trunk/doc/gpgsm.texi 2009-12-10 13:00:09 UTC (rev 5223)
+++ trunk/doc/gpgsm.texi 2009-12-10 13:00:30 UTC (rev 5224)
@@ -446,8 +446,17 @@
the @file{trustlist.txt} or an attribute of the certificate requests it.
However the standard model (shell) is in that case always tried first.
+ at item --ignore-cert-extension @var{oid}
+ at opindex ignore-cert-extension
+Add @var{oid} to the list of ignored certificate extensions. The
+ at var{oid} is expected to be in dotted decimal form, like
+ at code{2.5.29.3}. This option may used more than once. Critical
+flagged certificate extensions matching one of the OIDs in the list
+are treated as if they are actually handled and thus the certificate
+won't be rejected due to an unknown critical extension. Use this
+option with care because extensions are usually flagged as critical
+for a reason.
-
@end table
@c *******************************************
Modified: trunk/sm/certchain.c
===================================================================
--- trunk/sm/certchain.c 2009-12-10 13:00:09 UTC (rev 5223)
+++ trunk/sm/certchain.c 2009-12-10 13:00:30 UTC (rev 5224)
@@ -229,6 +229,8 @@
int rc = 0, i, idx, crit;
const char *oid;
gpg_error_t err;
+ int unsupported;
+ strlist_t sl;
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
&oid, &crit, NULL, NULL));idx++)
@@ -237,8 +239,21 @@
continue;
for (i=0; known[i] && strcmp (known[i],oid); i++)
;
- if (!known[i])
+ unsupported = !known[i];
+
+ /* If this critical extension is not supoported, check the list
+ of to be ignored extensions to se whether we claim that it is
+ supported. */
+ if (unsupported && opt.ignored_cert_extensions)
{
+ for (sl=opt.ignored_cert_extensions;
+ sl && strcmp (sl->d, oid); sl = sl->next)
+ ;
+ if (sl)
+ unsupported = 0;
+ }
+ if (unsupported)
+ {
do_list (1, listmode, fp,
_("critical certificate extension %s is not supported"),
oid);
Modified: trunk/sm/gpgsm.c
===================================================================
--- trunk/sm/gpgsm.c 2009-12-10 13:00:09 UTC (rev 5223)
+++ trunk/sm/gpgsm.c 2009-12-10 13:00:30 UTC (rev 5224)
@@ -176,7 +176,8 @@
oDisablePubkeyAlgo,
oIgnoreTimeConflict,
oNoRandomSeedFile,
- oNoCommonCertsImport
+ oNoCommonCertsImport,
+ oIgnoreCertExtension
};
@@ -376,6 +377,7 @@
ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
ARGPARSE_s_n (oNoRandomSeedFile, "no-random-seed-file", "@"),
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
+ ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
/* Command aliases. */
ARGPARSE_c (aListKeys, "list-key", "@"),
@@ -1391,6 +1393,10 @@
}
break;
+ case oIgnoreCertExtension:
+ add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
+ break;
+
default:
pargs.err = configfp? ARGPARSE_PRINT_WARNING:ARGPARSE_PRINT_ERROR;
break;
Modified: trunk/sm/gpgsm.h
===================================================================
--- trunk/sm/gpgsm.h 2009-12-10 13:00:09 UTC (rev 5223)
+++ trunk/sm/gpgsm.h 2009-12-10 13:00:30 UTC (rev 5224)
@@ -134,9 +134,14 @@
runtime. */
struct keyserver_spec *keyserver;
+
+ /* A list of certificate extension OIDs which are ignored so that
+ one can claim that a critical extension has been handled. One
+ OID per string. */
+ strlist_t ignored_cert_extensions;
+
} opt;
-
/* Debug values and macros. */
#define DBG_X509_VALUE 1 /* debug x.509 data reading/writing */
#define DBG_MPI_VALUE 2 /* debug mpi details */
More information about the Gnupg-commits
mailing list