[svn] dirmngr - r334 - in trunk: . doc src
svn author wk
cvs at cvs.gnupg.org
Tue Dec 15 19:08:39 CET 2009
Author: wk
Date: 2009-12-15 19:08:39 +0100 (Tue, 15 Dec 2009)
New Revision: 334
Modified:
trunk/ChangeLog
trunk/NEWS
trunk/configure.ac
trunk/doc/dirmngr.texi
trunk/src/ChangeLog
trunk/src/dirmngr.c
trunk/src/dirmngr.h
trunk/src/validate.c
Log:
Add option --ignore-cert-extension.
Set dirmngr version to 1.1.0.
Modified: trunk/ChangeLog
===================================================================
--- trunk/ChangeLog 2009-12-08 04:22:38 UTC (rev 333)
+++ trunk/ChangeLog 2009-12-15 18:08:39 UTC (rev 334)
@@ -1,3 +1,10 @@
+2009-12-15 Werner Koch <wk at g10code.com>
+
+ * configure.ac: Set version number to 1.1 due to the switch to
+ the new libassuan API.
+ (NEED_LIBASSUAN_VERSION): Set to 2.0 because 1.1.0 will not be
+ released.
+
2009-11-05 Marcus Brinkmann <marcus at g10code.de>
* tests/test-dirmngr.c (start_dirmngr): Update use
Modified: trunk/src/ChangeLog
===================================================================
--- trunk/src/ChangeLog 2009-12-08 04:22:38 UTC (rev 333)
+++ trunk/src/ChangeLog 2009-12-15 18:08:39 UTC (rev 334)
@@ -1,3 +1,10 @@
+2009-12-15 Werner Koch <wk at g10code.com>
+
+ * dirmngr.c: Add option --ignore-cert-extension.
+ (parse_rereadable_options): Implement.
+ * dirmngr.h (opt): Add IGNORED_CERT_EXTENSIONS.
+ * validate.c (unknown_criticals): Handle ignored extensions.
+
2009-12-08 Marcus Brinkmann <marcus at g10code.de>
* dirmngr-client.c (start_dirmngr): Convert posix FDs to assuan fds.
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2009-12-08 04:22:38 UTC (rev 333)
+++ trunk/NEWS 2009-12-15 18:08:39 UTC (rev 334)
@@ -1,4 +1,4 @@
-Noteworthy changes in version 1.0.4
+Noteworthy changes in version 1.1.0
------------------------------------------------
* Fixed a resource problem with LDAP CRLs.
@@ -7,7 +7,9 @@
* Made "dirmngr-client --url --load-crl URL" work.
+ * New option --ignore-cert-extension.
+
Noteworthy changes in version 1.0.3 (2009-06-17)
------------------------------------------------
Modified: trunk/configure.ac
===================================================================
--- trunk/configure.ac 2009-12-08 04:22:38 UTC (rev 333)
+++ trunk/configure.ac 2009-12-15 18:08:39 UTC (rev 334)
@@ -27,7 +27,7 @@
# Remember to change the version number immediately *after* a release.
# Set my_issvn to "yes" for non-released code. Remember to run an
# "svn up" and "autogen.sh" right before creating a distribution.
-m4_define([my_version], [1.0.4])
+m4_define([my_version], [1.1.0])
m4_define([my_issvn], [yes])
m4_define([svn_revision], m4_esyscmd([echo -n $( (svn info 2>/dev/null \
@@ -42,7 +42,7 @@
NEED_LIBGCRYPT_VERSION=1.4.0
NEED_LIBASSUAN_API=2
-NEED_LIBASSUAN_VERSION=1.1.0
+NEED_LIBASSUAN_VERSION=2.0.0
NEED_KSBA_API=1
NEED_KSBA_VERSION=1.0.2
Modified: trunk/doc/dirmngr.texi
===================================================================
--- trunk/doc/dirmngr.texi 2009-12-08 04:22:38 UTC (rev 333)
+++ trunk/doc/dirmngr.texi 2009-12-15 18:08:39 UTC (rev 334)
@@ -557,6 +557,17 @@
Do not return more that @var{n} items in one query. The default is
10.
+ at item --ignore-cert-extension @var{oid}
+ at opindex ignore-cert-extension
+Add @var{oid} to the list of ignored certificate extensions. The
+ at var{oid} is expected to be in dotted decimal form, like
+ at code{2.5.29.3}. This option may be used more than once. Critical
+flagged certificate extensions matching one of the OIDs in the list
+are treated as if they are actually handled and thus the certificate
+won't be rejected due to an unknown critical extension. Use this
+option with care because extensions are usually flagged as critical
+for a reason.
+
@end table
Modified: trunk/src/dirmngr.c
===================================================================
--- trunk/src/dirmngr.c 2009-12-08 04:22:38 UTC (rev 333)
+++ trunk/src/dirmngr.c 2009-12-15 18:08:39 UTC (rev 334)
@@ -114,6 +114,7 @@
oSocketName,
oLDAPWrapperProgram,
oHTTPWrapperProgram,
+ oIgnoreCertExtension,
aTest };
@@ -195,10 +196,10 @@
{ oLDAPWrapperProgram, "ldap-wrapper-program", 2, "@"},
{ oHTTPWrapperProgram, "http-wrapper-program", 2, "@"},
{ oHonorHTTPProxy, "honor-http-proxy", 0, "@" },
+ { oIgnoreCertExtension,"ignore-cert-extension", 2, "@"},
- { 302, NULL, 0, N_(
- "@\n(See the \"info\" manual for a complete listing of all commands and options)\n"
- )},
+ { 302, NULL, 0, N_("@\n(See the \"info\" manual for a complete listing "
+ "of all commands and options)\n")},
{ 0, NULL, 0, NULL }
};
@@ -464,6 +465,7 @@
xfree (opt.ocsp_signer);
opt.ocsp_signer = tmp;
}
+ FREE_STRLIST (opt.ignored_cert_extensions);
return 1;
}
@@ -515,6 +517,10 @@
case oMaxReplies: opt.max_replies = pargs->r.ret_int; break;
+ case oIgnoreCertExtension:
+ add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str);
+ break;
+
default:
return 0; /* Not handled. */
}
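Review bot: The string handed to add_to_strlist in the new oIgnoreCertExtension case is stored verbatim, while the manual text in this commit requires a dotted-decimal OID and validate.c compares list entries with a plain strcmp, so an empty value or one carrying stray whitespace is accepted here and then never matches — the operator gets no hint that the intended exception is mis-configured. A syntax check at the point the option is read would make that visible: `const char *s = pargs->r.ret_str; if (!*s || strspn (s, "0123456789.") != strlen (s)) log_error ("invalid OID for --ignore-cert-extension: '%s'\n", s); else add_to_strlist (&opt.ignored_cert_extensions, s);` (whether an invalid value should also make the option call fail follows the function's existing convention, which is outside this hunk). The enclosing switch and the function it belongs to — parse_rereadable_options per the src/ChangeLog entry — start and end outside the hunk.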
Modified: trunk/src/dirmngr.h
===================================================================
--- trunk/src/dirmngr.h 2009-12-08 04:22:38 UTC (rev 333)
+++ trunk/src/dirmngr.h 2009-12-15 18:08:39 UTC (rev 334)
@@ -98,6 +98,11 @@
int ignore_ocsp_service_url; /* Ignore OCSP service URLs as given in
the certificate. */
+ /* A list of certificate extension OIDs which are ignored so that
+ one can claim that a critical extension has been handled. One
+ OID per string. */
+ strlist_t ignored_cert_extensions;
+
int allow_ocsp; /* Allow using OCSP. */
int max_replies;
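Review bot: The comment on the new ignored_cert_extensions field leaves out the one fact a maintainer editing it needs: entries are matched byte-for-byte against the extension OID (validate.c walks the list with strcmp), so anything other than the canonical dotted-decimal string, without whitespace, is silently ineffective. Suggest extending the comment to `/* A list of certificate extension OIDs which are ignored so that one can claim that a critical extension has been handled. One OID per string, in dotted decimal form; matching is an exact string compare. */`. The struct this field lives in begins before the hunk.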
Modified: trunk/src/validate.c
===================================================================
--- trunk/src/validate.c 2009-12-08 04:22:38 UTC (rev 333)
+++ trunk/src/validate.c 2009-12-15 18:08:39 UTC (rev 334)
@@ -78,6 +78,8 @@
};
int i, idx, crit;
const char *oid;
+ int unsupported;
+ strlist_t sl;
gpg_error_t err, rc;
rc = 0;
@@ -88,8 +90,22 @@
continue;
for (i=0; known[i] && strcmp (known[i],oid); i++)
;
- if (!known[i])
+ unsupported = !known[i];
+
+ /* If this critical extension is not supported, check the list
+ of to be ignored extensions to see whether we claim that it
+ is supported. */
+ if (unsupported && opt.ignored_cert_extensions)
{
+ for (sl=opt.ignored_cert_extensions;
+ sl && strcmp (sl->d, oid); sl = sl->next)
+ ;
+ if (sl)
+ unsupported = 0;
+ }
+
+ if (unsupported)
+ {
log_error (_("critical certificate extension %s is not supported"),
oid);
rc = gpg_error (GPG_ERR_UNSUPPORTED_CERT);
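Review bot: When an unsupported critical extension is accepted only because it is listed in opt.ignored_cert_extensions, the new block clears `unsupported` and continues without any log line, so a certificate that passes solely because of this override is indistinguishable in the log from one whose extensions are all handled. Since the override disables a check the issuer deliberately marked critical, the decision should be recorded; change `if (sl) unsupported = 0;` to `if (sl) { log_info (_("critical certificate extension %s ignored as configured\n"), oid); unsupported = 0; }` so an audit of the log shows which certificates relied on the exception. The comparison uses the `oid` string as produced earlier in the function, presumably already in dotted-decimal form from the ksba accessor — worth confirming, since a differently formatted OID would never match a configured entry. The enclosing function (unknown_criticals per the src/ChangeLog entry) starts before this hunk and continues after it.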