[PATCH scute] Add option to return leaf certificate only.

Damien Goutte-Gattat dgouttegattat at incenp.org
Fri Sep 16 04:05:52 CEST 2022


* src/options.h (_scute_opt_t): Add no_chain.
* src/readconf.c (_scute_read_conf): Set no_chain.
* src/gpgsm.c (scute_gpgsm_get_cert): Ask for the chain of certificates
depending on the no_chain value.
--

The default behaviour of Scute of returning the full certificate
chain, when it obtains the certificate from GpgSM, may cause various
issues in client applications, some of which seemingly only expect a
single certificate. Thus we make that behaviour configurable.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
---
 doc/scute.texi | 5 +++++
 src/gpgsm.c    | 3 +--
 src/options.h  | 1 +
 src/readconf.c | 5 ++++-
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/doc/scute.texi b/doc/scute.texi
index 29be08c..742b858 100644
--- a/doc/scute.texi
+++ b/doc/scute.texi
@@ -214,6 +214,11 @@ This is a hack to ignore a request to use native threads instead of
 user provided callbacks.  Should only be used with caution if there is
 no easy way to fix the caller or until we have fixed Scute.
 
+ at item no-chain
+ at opindex no-chain
+By default, when Scute is asked for a certificate, it returns the
+requested certificate along with the chain of signing certificates.
+This option makes Scute return only the leaf certificate.
 
 @end table
 
diff --git a/src/gpgsm.c b/src/gpgsm.c
index 53bbef8..ef180ca 100644
--- a/src/gpgsm.c
+++ b/src/gpgsm.c
@@ -118,7 +118,7 @@ scute_gpgsm_get_cert (key_info_t kinfo, cert_get_cb_t cert_get_cb, void *hook)
   search.found = false;
   search.cert_get_cb = cert_get_cb;
   search.hook = hook;
-  search.with_chain = false;
+  search.with_chain = !_scute_opt.no_chain;
   search.kinfo = kinfo;
 
   DEBUG (DBG_INFO, "scute_gpgsm_get_cert: keyref='%s'", kinfo->keyref);
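Review bot: The new initialisation `search.with_chain = !_scute_opt.no_chain;` also flips the default for the first lookup, which previously ran with `with_chain = false` and only the gpgsm fallback (next hunk, where `search.with_chain = true;` is removed) asked for the chain. The commit message describes the chain as something returned "when it obtains the certificate from GpgSM", so unless search_cb ignores with_chain on the first path, the default behaviour of that path now changes from leaf-only to full chain for every installation that has not set no-chain. If the intent is only to make the gpgsm behaviour configurable, keep `search.with_chain = false;` here and set `search.with_chain = !_scute_opt.no_chain;` at the fallback site instead; if the broader change is intended, it should be stated in the commit message and in the texinfo entry. The body of scute_gpgsm_get_cert continues outside this hunk.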
@@ -136,7 +136,6 @@ scute_gpgsm_get_cert (key_info_t kinfo, cert_get_cb_t cert_get_cb, void *hook)
     }
 
   DEBUG (DBG_INFO, "scute_gpgsm_get_cert: falling back to gpgsm");
-  search.with_chain = true;
   err = scute_gpgsm_search_certs (KEYLIST_BY_GRIP, kinfo->grip,
                                   search_cb, &search);
   return err;
diff --git a/src/options.h b/src/options.h
index d545da9..787af5e 100644
--- a/src/options.h
+++ b/src/options.h
@@ -26,6 +26,7 @@ typedef struct {
   char *user;
   int debug_flags;
   int assume_single_threaded;
+  int no_chain;
 } _scute_opt_t;
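Review bot: The new field has no comment saying what a non-zero value means, and the option semantics (which lookup paths honour it) are only in the texinfo file. A short trailing comment keeps the struct self-describing: `int no_chain;   /* Non-zero: return only the leaf certificate, never its chain.  */`. The enclosing typedef starts outside this hunk.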
 
 extern _scute_opt_t _scute_opt;
diff --git a/src/readconf.c b/src/readconf.c
index 94f967c..80a92a5 100644
--- a/src/readconf.c
+++ b/src/readconf.c
@@ -53,13 +53,15 @@ my_strusage (int level)
 void
 _scute_read_conf (void)
 {
-  enum { oNull = 500, oUser, oDebug, oLogfile, oAssumeSingleThreaded };
+  enum { oNull = 500, oUser, oDebug, oLogfile, oAssumeSingleThreaded,
+         oNoChain };
   gpgrt_opt_t opts[] =
     {
      ARGPARSE_s_s(oUser, "user", NULL ),
      ARGPARSE_s_s(oDebug, "debug", NULL),
      ARGPARSE_s_s(oLogfile, "log-file", NULL),
      ARGPARSE_s_n(oAssumeSingleThreaded, "assume-single-threaded", NULL),
+     ARGPARSE_s_n(oNoChain, "no-chain", NULL),
      ARGPARSE_end()
     };
   int dummy_argc = 0;
@@ -82,6 +84,7 @@ _scute_read_conf (void)
         case oAssumeSingleThreaded:
           _scute_opt.assume_single_threaded = 1;
           break;
+        case oNoChain: _scute_opt.no_chain = 1; break;
         case ARGPARSE_CONFFILE: break;
         default : pargs.err = ARGPARSE_PRINT_WARNING; break;
 	}
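Review bot: The added `case oNoChain: _scute_opt.no_chain = 1; break;` is collapsed onto one line while the neighbouring `case oAssumeSingleThreaded:` spreads the same pattern over three lines; mixing the two forms in one switch makes the table harder to scan and to extend. Write it like its sibling: `case oNoChain:` / `  _scute_opt.no_chain = 1;` / `  break;`. The enclosing switch and _scute_read_conf start outside this hunk.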
-- 
2.35.3



