From 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 6 Oct 2021 10:31:41 +0200
Subject: dirmngr: New option --ignore-cert

* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--
This option is useful as a workaround in case we ill run into other chain validation errors like what we fixed in
GnuPG-bug-id: 5639
---
 dirmngr/dirmngr.h | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'dirmngr/dirmngr.h')

diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 498a3d7b1..464aeb76e 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -74,6 +74,7 @@ typedef struct fingerprint_list_s *fingerprint_list_t;
 struct fingerprint_list_s
 {
   fingerprint_list_t next;
+  char binlen;  /* If this is not 0 hexfpr actually carries a binary fpr. */
   char hexfpr[20+20+1];
 };
 
@@ -119,6 +120,10 @@ struct
   int ignore_ocsp_service_url; /* Ignore OCSP service URLs as given in
                                   the certificate.  */
 
+  /* A list of fingerprints of certififcates we should completely
+   * ignore.  These are all stored in binary format.  */
+  fingerprint_list_t ignored_certs;
+
   /* A list of certificate extension OIDs which are ignored so that
      one can claim that a critical extension has been handled.  One
      OID per string.  */
-- 
cgit v1.2.3
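Review bot: The new `binlen` field makes `hexfpr` a dual-purpose buffer, but its comment does not say that a non-zero value is the byte count and that the buffer is then raw bytes rather than a NUL-terminated hex string, so any existing reader that still applies `strlen`/`strcmp` or `%s` to `hexfpr` on an entry from the new binary list would misbehave; those readers are outside this header, so I cannot confirm whether they check `binlen` first. I would also make the length unsigned, since a plain `char` may be signed and a later comparison against a `size_t` would promote a negative value: `unsigned char binlen; /* 0: hexfpr is a NUL-terminated hex string; otherwise the number of raw fingerprint bytes held in hexfpr, which is then not NUL-terminated. */`. The 41-byte `hexfpr` happens to fit a 32-byte binary fingerprint, but that bound is only implicit; a one-line comment on `hexfpr` (or a `_Static_assert` relating the two) would make the invariant visible to whoever fills the list.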
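Review bot: The comment added above `ignored_certs` in the second hunk misspells "certificates" (`certififcates`), and it says the entries are binary without naming where the bytes live, which matters because the list type's only data field is called `hexfpr`; presumably each entry has `binlen` set and the raw fingerprint in `hexfpr`, per the first hunk. A reworded comment would be `/* A list of fingerprints of certificates we should completely ignore. Each entry holds the raw fingerprint bytes in hexfpr with binlen set to their length. */`. The `struct` this field belongs to starts before the hunk, so the enclosing definition is not fully visible here.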