author | Werner Koch <[email protected]> | 2021-10-06 08:31:41 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2021-10-06 08:35:51 +0000 |
commit | 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d (patch) | |
tree | 7f9240291d53a3b9155394fcb5d6cc5eca14ecc5 /dirmngr/certcache.c | |
parent | dirmngr: Fix Let's Encrypt certificate chain validation. (diff) | |
dirmngr: New option --ignore-cert
* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be ignored certs.
Change callers to handle the new error return.
--
This option is useful as a workaround in case we will run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
Diffstat (limited to 'dirmngr/certcache.c')
-rw-r--r-- | dirmngr/certcache.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index a52801b38..7f29ec859 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -262,13 +262,14 @@ clean_cache_slot (cert_item_t ci)
 * fingerprint of the certificate will be stored there. FPR_BUFFER
 * needs to point to a buffer of at least 20 bytes. The fingerprint
 * will be stored on success or when the function returns
- * GPG_ERR_DUP_VALUE. */
+ * GPG_ERR_DUP_VALUE or GPG_ERR_NOT_ENABLED. */
 static gpg_error_t
 put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
 void *fpr_buffer)
 {
 unsigned char help_fpr_buffer[20], *fpr;
 cert_item_t ci;
+ fingerprint_list_t ignored;
 
 fpr = fpr_buffer? fpr_buffer : &help_fpr_buffer;
@@ -317,6 +318,14 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
 }
 cert_compute_fpr (cert, fpr);
 
+ /* Compare against the list of to be ignored certificates. */
+ for (ignored = opt.ignored_certs; ignored; ignored = ignored->next)
+ if (ignored->binlen == 20 && !memcmp (fpr, ignored->hexfpr, 20))
+ {
+ /* We are configured not to use this certificate. */
+ return gpg_error (GPG_ERR_NOT_ENABLED);
+ }
+
 for (ci=cert_cache[*fpr]; ci; ci = ci->next)
 if (ci->cert && !memcmp (ci->fpr, fpr, 20))
 return gpg_error (GPG_ERR_DUP_VALUE);
@@ -440,6 +449,8 @@ load_certs_from_dir (const char *dirname, unsigned int trustclass)
 cert_log_subject (_(" subject ="), cert);
 }
 }
+ else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate '%s' skipped due to configuration\n", fname);
 else
 log_error (_("error loading certificate '%s': %s\n"),
 fname, gpg_strerror (err));
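Review bot: The match `if (ignored->binlen == 20 && !memcmp (fpr, ignored->hexfpr, 20))` in put_cert silently skips every list entry whose binlen is not 20, so an --ignore-cert value that parses to another length (a SHA-256 fingerprint, for instance, if parse_fingerprint_item accepts one) is taken at configuration time and then never matches anything; the parser, which is outside this file, should reject or warn about lengths other than 20, or this loop should log once for such entries. The comparison also reads raw digest bytes out of a member named `hexfpr`, which is only right if the new binlen field means that member now carries binary data — a comment on the struct in dirmngr.h such as `/* When BINLEN is non-zero, hexfpr holds BINLEN raw digest bytes.  */` would make that explicit (the header is not visible here). The check runs before the duplicate lookup, so a certificate that entered the cache before the option was set or re-read stays usable until the cache is cleared; the option's documentation should state that a restart or cache reset is needed for already-loaded certificates, unless a reread already flushes the cache. put_cert starts in the previous hunk and continues past this one.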
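Review bot: The new `log_info ("certificate '%s' skipped due to configuration\n", fname);` in load_certs_from_dir is the only user-facing message in this branch chain not wrapped in `_()`, unlike the neighbouring `_("error loading certificate '%s': %s\n")`; the same applies to the equivalent lines added in load_certs_from_file, load_certs_from_w32_store, cache_cert and cache_cert_silent. If leaving it unmarked is deliberate, a short comment would keep it from being "fixed" later; otherwise write `log_info (_("certificate '%s' skipped due to configuration\n"), fname);`. load_certs_from_dir starts and ends outside the hunk.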
@@ -510,6 +521,8 @@ load_certs_from_file (const char *fname, unsigned int trustclasses,
 err = put_cert (cert, 1, trustclasses, NULL);
 if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
 log_info (_("certificate '%s' already cached\n"), fname);
+ else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate '%s' skipped due to configuration\n", fname);
 else if (err)
 log_error (_("error loading certificate '%s': %s\n"),
 fname, gpg_strerror (err));
@@ -625,6 +638,9 @@ load_certs_from_w32_store (const char *storename)
 if (DBG_X509)
 log_debug (_("certificate '%s' already cached\n"), storename);
 }
+ else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate '%s' skipped due to configuration\n",
+ storename);
 else if (err)
 log_error (_("error loading certificate '%s': %s\n"),
 storename, gpg_strerror (err));
@@ -852,6 +868,8 @@ cache_cert (ksba_cert_t cert)
 log_info (_("certificate already cached\n"));
 else if (!err)
 log_info (_("certificate cached\n"));
+ else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate skipped due to configuration\n");
 else
 log_error (_("error caching certificate: %s\n"), gpg_strerror (err));
 return err;
@@ -872,7 +890,10 @@ cache_cert_silent (ksba_cert_t cert, void *fpr_buffer)
 release_cache_lock ();
 if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
 err = 0;
- if (err)
+
+ if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate skipped due to configuration\n");
+ else if (err)
 log_error (_("error caching certificate: %s\n"), gpg_strerror (err));
 return err;
 }
|
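Review bot: In cache_cert and cache_cert_silent the GPG_ERR_NOT_ENABLED case is logged at info level but still returned in `err`, whereas GPG_ERR_DUP_VALUE is mapped to success just above in cache_cert_silent (`if (gpg_err_code (err) == GPG_ERR_DUP_VALUE) err = 0;`); a caller that treats any non-zero return as a failure will therefore see an administratively ignored certificate as an error rather than as one deliberately left out of the cache. If that is the intent (the caller must not continue with a certificate the operator excluded), the comment above each function, outside this hunk, should say so, e.g. `/* Returns GPG_ERR_NOT_ENABLED if CERT is listed via --ignore-cert; it is not cached and must not be used.  */`; if callers are expected to carry on without it, map it to 0 the way the duplicate case is. Both functions start outside the hunk.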