authorWerner Koch <wk@gnupg.org>2022-02-03 14:14:14 +0100
committerWerner Koch <wk@gnupg.org>2022-02-03 14:17:10 +0100
commite23dc755fa725877ce96eb5a6a6f5788457267f4 (patch)
treed0c1a1c26a0e2424fe91f4266b4216eb8a2dd7f2
parentgpg: Fix for -Wformat when using uint64_t. (diff)
sm: New option --ignore-cert-with-oid.
* sm/gpgsm.c (oIgnoreCertWithOID): New. (opts): Add option. (main): Store its value. * sm/call-agent.c (learn_cb): Test against that list.
-rw-r--r--doc/gpgsm.texi10
-rw-r--r--sm/call-agent.c34
-rw-r--r--sm/gpgsm.c6
-rw-r--r--sm/gpgsm.h4
4 files changed, 54 insertions, 0 deletions
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index ee5a63861..8c139c7d4 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -699,6 +699,16 @@ This option adjusts the compliance mode "de-vs" for stricter key size
requirements. For example, a value of 3000 turns rsa2048 and dsa2048
keys into non-VS-NfD compliant keys.
+@item --ignore-cert-with-oid @var{oid}
+@opindex ignore-cert-with-oid
+Add @var{oid} to the list of OIDs to be checked while reading
+certificates from smartcards. The @var{oid} is expected to be in
+dotted decimal form, like @code{2.5.29.3}. This option may be used
+more than once. As of now certificates with an extended key usage
+matching one of those OIDs are ignored during a @option{--learn-card}
+operation and not imported. This option can help to keep the local
+key database clear of unneeded certificates stored on smartcards.
+
@item --faked-system-time @var{epoch}
@opindex faked-system-time
This option is only useful for testing; it sets the system time back or
diff --git a/sm/call-agent.c b/sm/call-agent.c
index 868497e0d..6373829e8 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -1032,6 +1032,8 @@ learn_cb (void *opaque, const void *buffer, size_t length)
char *buf;
ksba_cert_t cert;
int rc;
+ char *string, *p, *pend;
+ strlist_t sl;
if (parm->error)
return 0;
@@ -1068,6 +1070,35 @@ learn_cb (void *opaque, const void *buffer, size_t length)
return 0;
}
+ /* Ignore certificates matching certain extended usage flags. */
+ rc = ksba_cert_get_ext_key_usages (cert, &string);
+ if (!rc)
+ {
+ p = string;
+ while (p && (pend=strchr (p, ':')))
+ {
+ *pend++ = 0;
+ for (sl=opt.ignore_cert_with_oid;
+ sl && strcmp (sl->d, p); sl = sl->next)
+ ;
+ if (sl)
+ {
+ if (opt.verbose)
+ log_info ("certificate ignored due to OID %s\n", sl->d);
+ goto leave;
+ }
+ p = pend;
+ if ((p = strchr (p, '\n')))
+ p++;
+ }
+ }
+ else if (gpg_err_code (rc) != GPG_ERR_NO_DATA)
+ log_error (_("error getting key usage information: %s\n"),
+ gpg_strerror (rc));
+ xfree (string);
+ string = NULL;
+
+
/* We do not store a certifciate with missing issuers as ephemeral
because we can assume that the --learn-card command has been used
on purpose. */
@@ -1088,6 +1119,9 @@ learn_cb (void *opaque, const void *buffer, size_t length)
}
}
+ leave:
+ xfree (string);
+ string = NULL;
ksba_cert_release (cert);
init_membuf (parm->data, 4096);
return 0;
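Review bot: `string` is declared without an initializer in the first hunk, yet both `xfree (string)` after the `else if` branch and the one under the new `leave:` label run whenever `ksba_cert_get_ext_key_usages` fails for a reason other than GPG_ERR_NO_DATA; this is only safe if the callee is guaranteed to null its out-parameter on every error path, which I believe libksba does but the code should not depend on. Initializing at the declaration, `char *string = NULL, *p, *pend;`, makes both frees unconditionally valid and also protects any future early `goto leave` placed before the call. The comment above the loop would help a reader more if it stated the contract, e.g. `/* Reject the certificate if any extended-key-usage OID (exact dotted-decimal string match) is on opt.ignore_cert_with_oid; a missing EKU extension (GPG_ERR_NO_DATA) is not a rejection. */`. learn_cb begins and ends outside these hunks.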
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index b95edf83b..61dd86aab 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -203,6 +203,7 @@ enum cmd_and_opt_values {
oNoRandomSeedFile,
oNoCommonCertsImport,
oIgnoreCertExtension,
+ oIgnoreCertWithOID,
oAuthenticode,
oAttribute,
oChUid,
@@ -302,6 +303,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oCompliance, "compliance", "@"),
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
+ ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"),
ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
ARGPARSE_s_s (oAgentProgram, "agent-program", "@"),
ARGPARSE_s_s (oKeyboxdProgram, "keyboxd-program", "@"),
@@ -1427,6 +1429,10 @@ main ( int argc, char **argv)
add_to_strlist (&opt.ignored_cert_extensions, pargs.r.ret_str);
break;
+ case oIgnoreCertWithOID:
+ add_to_strlist (&opt.ignore_cert_with_oid, pargs.r.ret_str);
+ break;
+
case oAuthenticode: opt.authenticode = 1; break;
case oAttribute:
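Review bot: `case oIgnoreCertWithOID:` stores the option value verbatim, but learn_cb compares it byte-for-byte against the dotted-decimal OID strings returned by libksba, so a value with stray whitespace, a trailing newline, or a symbolic name never matches and the option silently has no effect. A syntax check at parse time (libksba's `ksba_oid_from_str`, if it is reachable from here) with a `log_error` on a malformed value would surface the mistake to the user instead of leaving the certificate filter inert. This mirrors the existing `oIgnoreCertExtension` handling, so if that one is also unchecked the same note applies to both.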
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 0dfd56daf..6dc5927b7 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -151,6 +151,10 @@ struct
OID per string. */
strlist_t ignored_cert_extensions;
+ /* A list of OIDs which will be used to ignore certificates with
+ * sunch an OID during --learn-card. */
+ strlist_t ignore_cert_with_oid;
+
enum gnupg_compliance_mode compliance;
/* Enable creation of authenticode signatures. */