From 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 6 Oct 2021 10:31:41 +0200 Subject: dirmngr: New option --ignore-cert * dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen. (opt): Add field ignored_certs. * dirmngr/dirmngr.c: Add option --ignore-cert (parse_rereadable_options): Handle that option. (parse_ocsp_signer): Rename to ... (parse_fingerprint_item): this and add two args. * dirmngr/certcache.c (put_cert): Ignore all to be igored certs. Change callers to handle the new error return. -- This option is useful as a workaround in case we ill run into other chain validation errors like what we fixed in GnuPG-bug-id: 5639
---
 dirmngr/certcache.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) (limited to 'dirmngr/certcache.c')
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index a52801b38..7f29ec859 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -262,13 +262,14 @@ clean_cache_slot (cert_item_t ci)
 * fingerprint of the certificate will be stored there. FPR_BUFFER
 * needs to point to a buffer of at least 20 bytes. The fingerprint
 * will be stored on success or when the function returns
- * GPG_ERR_DUP_VALUE. */
+ * GPG_ERR_DUP_VALUE or GPG_ERR_NOT_ENABLED. */
 static gpg_error_t
 put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
 void *fpr_buffer)
 {
 unsigned char help_fpr_buffer[20], *fpr;
 cert_item_t ci;
+ fingerprint_list_t ignored;
 
 fpr = fpr_buffer? fpr_buffer : &help_fpr_buffer;
 
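Review bot: The updated contract comment on put_cert mentions GPG_ERR_NOT_ENABLED only in the sentence about where the fingerprint is stored; it should also say what that code means, because callers now have to tell it apart from a real failure. Suggest adding after that sentence: ` * GPG_ERR_NOT_ENABLED is returned, and the certificate is not cached, when its fingerprint matches an --ignore-cert entry.` The body of put_cert continues past the end of this hunk.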
@@ -317,6 +318,14 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
 }
 cert_compute_fpr (cert, fpr);
 
+ /* Compare against the list of to be ignored certificates. */
+ for (ignored = opt.ignored_certs; ignored; ignored = ignored->next)
+ if (ignored->binlen == 20 && !memcmp (fpr, ignored->hexfpr, 20))
+ {
+ /* We are configured not to use this certificate. */
+ return gpg_error (GPG_ERR_NOT_ENABLED);
+ }
+
 for (ci=cert_cache[*fpr]; ci; ci = ci->next)
 if (ci->cert && !memcmp (ci->fpr, fpr, 20))
 return gpg_error (GPG_ERR_DUP_VALUE);
@@ -440,6 +449,8 @@ load_certs_from_dir (const char *dirname, unsigned int trustclass)
 cert_log_subject (_(" subject ="), cert);
 }
 }
+ else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate '%s' skipped due to configuration\n", fname);
 else
 log_error (_("error loading certificate '%s': %s\n"),
 fname, gpg_strerror (err));
@@ -510,6 +521,8 @@ load_certs_from_file (const char *fname, unsigned int trustclasses,
 err = put_cert (cert, 1, trustclasses, NULL);
 if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
 log_info (_("certificate '%s' already cached\n"), fname);
+ else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate '%s' skipped due to configuration\n", fname);
 else if (err)
 log_error (_("error loading certificate '%s': %s\n"),
 fname, gpg_strerror (err));
@@ -625,6 +638,9 @@ load_certs_from_w32_store (const char *storename)
 if (DBG_X509)
 log_debug (_("certificate '%s' already cached\n"), storename);
 }
+ else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate '%s' skipped due to configuration\n",
+ storename);
 else if (err)
 log_error (_("error loading certificate '%s': %s\n"),
 storename, gpg_strerror (err));
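Review bot: The new loop in put_cert only matches entries with `binlen == 20`, so an --ignore-cert entry given in any other form (for instance a 32-byte SHA-256 fingerprint) silently never matches here; unless parse_fingerprint_item in dirmngr.c, which is not in this file, rejects other lengths, the operator gets a quiet no-op rather than an error. The comparison also reads raw bytes out of a field called `hexfpr`, which deserves a note such as `/* For --ignore-cert entries HEXFPR presumably holds the raw 20 byte fingerprint once BINLEN is set; confirm against parse_fingerprint_item. */`. Because the check runs only on insertion, a certificate that was already cached before the option was added on a config reread stays in the cache and remains usable; a one-line comment stating that, or an eviction on reread, would make the limitation explicit. put_cert starts and ends outside this hunk.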
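Review bot: The added message in load_certs_from_dir is not wrapped in `_()` while the neighbouring "already cached" and "error loading certificate" strings are, so it will not be translated; `log_info (_("certificate '%s' skipped due to configuration\n"), fname);` keeps the file consistent, and the same applies to the messages added in the following hunks. If leaving it untranslated is deliberate, a short comment saying so would stop the next person from "fixing" it. The enclosing function starts and ends outside this hunk.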
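Review bot: In load_certs_from_w32_store the skip message prints `storename`, which is the function's store-name parameter, not anything that identifies the certificate, so the operator learns that something in that store was ignored but not which entry matched. put_cert now writes the fingerprint into its fpr_buffer argument on GPG_ERR_NOT_ENABLED (per the updated comment in the first hunk), so the call above this hunk could pass a 20-byte buffer and the message could print its hex form next to the store name. The put_cert call and the start of the function are outside the hunk.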
@@ -852,6 +868,8 @@ cache_cert (ksba_cert_t cert)
 log_info (_("certificate already cached\n"));
 else if (!err)
 log_info (_("certificate cached\n"));
+ else if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate skipped due to configuration\n");
 else
 log_error (_("error caching certificate: %s\n"), gpg_strerror (err));
 return err;
@@ -872,7 +890,10 @@ cache_cert_silent (ksba_cert_t cert, void *fpr_buffer)
 release_cache_lock ();
 if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
 err = 0;
- if (err)
+
+ if (gpg_err_code (err) == GPG_ERR_NOT_ENABLED)
+ log_info ("certificate skipped due to configuration\n");
+ else if (err)
 log_error (_("error caching certificate: %s\n"), gpg_strerror (err));
 return err;
 }
-- cgit v1.2.3
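Review bot: The new message in cache_cert carries no identifier at all, unlike the file-loading paths which at least print a file name, so for a certificate that arrived over the network there is no trace of what was dropped. Since put_cert now stores the fingerprint in fpr_buffer on GPG_ERR_NOT_ENABLED, cache_cert could pass a 20-byte buffer to the put_cert call above this hunk and print it in hex, which is what someone debugging a chain problem will need. The put_cert call is outside the hunk.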
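Review bot: In cache_cert_silent GPG_ERR_DUP_VALUE is mapped to success but GPG_ERR_NOT_ENABLED is logged and then returned unchanged, so every caller of the "silent" variant now gets a failure for an ignored certificate; if that is the intent (the certificate must not be used for chain building) a comment should say so, e.g. `/* An ignored certificate is reported as an error so that the caller does not use it. */`, otherwise it should be mapped to 0 like the duplicate case. The function is also no longer silent for this case: it emits a log_info on every attempt, which on a path fed certificates from the network can repeat for each response that carries the ignored certificate.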