From 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 6 Oct 2021 10:31:41 +0200
Subject: dirmngr: New option --ignore-cert

* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--
This option is useful as a workaround in case we ill run into other chain validation errors like what we fixed in
GnuPG-bug-id: 5639
---
 dirmngr/dirmngr.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 49 insertions(+), 4 deletions(-)

(limited to 'dirmngr/dirmngr.c')

diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 36ef873c2..51a586e20 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -143,6 +143,7 @@ enum cmd_and_opt_values {
   oSocketName,
   oLDAPWrapperProgram,
   oHTTPWrapperProgram,
+  oIgnoreCert,
   oIgnoreCertExtension,
   oUseTor,
   oNoUseTor,
@@ -216,6 +217,7 @@ static gpgrt_opt_t opts[] = {
         N_("|N|do not return more than N items in one query")),
   ARGPARSE_s_u (oFakedSystemTime, "faked-system-time", "@"), /*(epoch time)*/
   ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"),
+  ARGPARSE_s_s (oIgnoreCert,"ignore-cert", "@"),
   ARGPARSE_s_s (oIgnoreCertExtension,"ignore-cert-extension", "@"),
@@ -419,7 +421,9 @@ static void cleanup (void);
 #if USE_LDAP
 static ldap_server_t parse_ldapserver_file (const char* filename, int ienoent);
 #endif /*USE_LDAP*/
-static fingerprint_list_t parse_ocsp_signer (const char *string);
+static fingerprint_list_t parse_fingerprint_item (const char *string,
+                                                  const char *optionname,
+                                                  int want_binary);
 static void netactivity_action (void);
 static void handle_connections (assuan_fd_t listen_fd);
 static void gpgconf_versions (void);
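Review bot: The new `--ignore-cert` entry is registered with the `"@"` description which, like its neighbours, appears to keep it out of `--help`, yet it is a knob that changes which certificates take part in chain validation and so deserves user-facing documentation. Unless dirmngr.texi is updated in a sibling commit, I would document the option there, stating that it takes a 40-hex-digit SHA-1 fingerprint (or, judging by the file-reading path of the parser, a file of such fingerprints) and that the named certificates are, per the commit message, ignored by `put_cert` rather than merely distrusted. The option table starts and ends outside this hunk.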
@@ -667,6 +671,12 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
       xfree (opt.ocsp_signer);
       opt.ocsp_signer = tmp;
     }
+  while (opt.ignored_certs)
+    {
+      fingerprint_list_t tmp = opt.ignored_certs->next;
+      xfree (opt.ignored_certs);
+      opt.ignored_certs = tmp;
+    }
   FREE_STRLIST (opt.ignored_cert_extensions);
   http_register_tls_ca (NULL);
   FREE_STRLIST (hkp_cacert_filenames);
@@ -732,7 +742,8 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
     case oAllowVersionCheck: opt.allow_version_check = 1; break;
     case oOCSPResponder: opt.ocsp_responder = pargs->r.ret_str; break;
     case oOCSPSigner:
-      opt.ocsp_signer = parse_ocsp_signer (pargs->r.ret_str);
+      opt.ocsp_signer = parse_fingerprint_item (pargs->r.ret_str,
+                                                "--ocsp-signer", 0);
       break;
     case oOCSPMaxClockSkew: opt.ocsp_max_clock_skew = pargs->r.ret_int; break;
     case oOCSPMaxPeriod: opt.ocsp_max_period = pargs->r.ret_int; break;
@@ -754,6 +765,24 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
         }
       break;
 
+    case oIgnoreCert:
+      {
+        fingerprint_list_t item, r;
+        item = parse_fingerprint_item (pargs->r.ret_str, "--ignore-cert", 20);
+        if (item)
+          { /* Append */
+            if (!opt.ignored_certs)
+              opt.ignored_certs = item;
+            else
+              {
+                for (r = opt.ignored_certs; r->next; r = r->next)
+                  ;
+                r->next = item;
+              }
+          }
+      }
+      break;
+
     case oIgnoreCertExtension:
       add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str);
       break;
@@ -1709,8 +1738,13 @@ parse_ldapserver_file (const char* filename, int ignore_enoent)
 }
 #endif /*USE_LDAP*/
 
+
+/* Parse a fingerprint entry as used by --ocsc-signer.  OPTIONNAME as
+ * a description on the options used.  WANT_BINARY requests to store a
+ * binary fingerprint.  Returns NULL on error and logs that error. */
 static fingerprint_list_t
-parse_ocsp_signer (const char *string)
+parse_fingerprint_item (const char *string,
+                        const char *optionname, int want_binary)
 {
   gpg_error_t err;
   char *fname;
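Review bot: In the new `case oIgnoreCert:` the third argument `20` reads like a length, but `parse_fingerprint_item` only tests `want_binary` for truth and hard-codes `item->binlen = 20` itself, so caller and callee each own the same magic number. I would pass a plain flag, `item = parse_fingerprint_item (pargs->r.ret_str, "--ignore-cert", 1);`, and keep the length in one place in the callee. Note also that a NULL result (a malformed value, already logged by the callee) is silently dropped here, so the daemon carries on without that exclusion; that is defensible because the error is logged, but a comment such as `/* A bad entry has already been logged; the option is skipped.  */` would make the intent explicit. parse_rereadable_options begins and ends outside this hunk.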
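Review bot: The new header comment on parse_fingerprint_item misspells the option (`--ocsc-signer`) and does not say what WANT_BINARY does to the returned items, which matters because the later conversion reuses the `hexfpr` field in place. I would write it as: `/* Parse a fingerprint entry as used by --ocsp-signer.  OPTIONNAME names the option for error messages.  If WANT_BINARY is set, the 20-byte binary fingerprint is stored at the start of HEXFPR (which then no longer holds a hex string) and BINLEN is set to 20.  Returns NULL on error after logging it. */`. The function body continues past the end of this hunk.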
@@ -1735,10 +1769,15 @@ parse_ocsp_signer (const char *string)
       if (j != 40 || !(spacep (string+i) || !string[i]))
         {
           log_error (_("%s:%u: invalid fingerprint detected\n"),
-                     "--ocsp-signer", 0);
+                     optionname, 0);
           xfree (item);
           return NULL;
         }
+      if (want_binary)
+        {
+          item->binlen = 20;
+          hex2bin (item->hexfpr, item->hexfpr, 20);
+        }
       return item;
     }
 
@@ -1821,6 +1860,12 @@ parse_ocsp_signer (const char *string)
               log_error (_("%s:%u: invalid fingerprint detected\n"), fname, lnr);
               errflag = 1;
             }
+          else if (want_binary)
+            {
+              item->binlen = 20;
+              hex2bin (item->hexfpr, item->hexfpr, 20);
+            }
+
           i++;
           while (spacep (p+i))
             i++;
-- 
cgit
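Review bot: The new `hex2bin (item->hexfpr, item->hexfpr, 20)` call discards its return value, and because the conversion writes in place into `hexfpr`, a failed or partial conversion would leave `binlen = 20` asserting a valid binary fingerprint over a half-converted buffer. The preceding `j != 40` check (its counting loop is outside this hunk) only validates the number of hex digits, so I would not rely on it alone and would check the result, which as far as I recall is -1 on error: `if (hex2bin (item->hexfpr, item->hexfpr, 20) < 0) { xfree (item); return NULL; }` after logging the same invalid-fingerprint error. A one-line comment that the in-place conversion is safe because the binary form is shorter than the hex form would also help the next reader. parse_fingerprint_item continues outside this hunk.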
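Review bot: The `else if (want_binary)` block in the file-reading branch repeats the same three-line conversion that the single-fingerprint branch already has, and both ignore hex2bin's result; I would move the conversion into one static helper that also reports failure, and set `errflag` here when it fails, matching how the existing invalid-fingerprint case two lines above is handled. The helper would be placed before parse_fingerprint_item; the enclosing loop over the file's lines starts and ends outside this hunk, so only the changed branch is shown below.

```c
/* Replace the 40-character hex fingerprint in ITEM by its 20-byte
 * binary form and record the length in BINLEN.  The conversion is done
 * in place, which is safe because the binary form is shorter than the
 * hex form.  Returns 0 on success or -1 if HEX2BIN rejects the string. */
static int
fingerprint_to_binary (fingerprint_list_t item)
{
  if (hex2bin (item->hexfpr, item->hexfpr, 20) < 0)
    return -1;
  item->binlen = 20;
  return 0;
}

/* … unchanged: parse_fingerprint_item up to the per-line fingerprint check … */
          else if (want_binary && fingerprint_to_binary (item))
            {
              log_error (_("%s:%u: invalid fingerprint detected\n"), fname, lnr);
              errflag = 1;
            }
```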