
[PATCH scute] Add option to return leaf certificate only.
* src/options.h (_scute_opt_t): Add no_chain.
* src/readconf.c (_scute_read_conf): Set no_chain.
* src/agent.c (scute_gpgsm_get_cert): Ask for chain of certificates
depending on no_chain value.
--

Scute's default behaviour of returning the full certificate chain
when it obtains the certificate from GpgSM may cause various issues
in client applications, some of which seemingly expect only a single
certificate. Thus we make that behaviour configurable.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
---
doc/scute.texi | 5 +++++
src/gpgsm.c | 3 +--
src/options.h | 1 +
src/readconf.c | 5 ++++-
4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/doc/scute.texi b/doc/scute.texi
index 29be08c..742b858 100644
--- a/doc/scute.texi
+++ b/doc/scute.texi
@@ -214,6 +214,11 @@ This is a hack to ignore a request to use native threads instead of
user provided callbacks. Should only be used with caution if there is
no easy way to fix the caller or until we have fixed Scute.

+@item no-chain
+@opindex no-chain
+By default, when Scute is asked for a certificate, it returns the
+requested certificate along with the chain of signing certificates.
+This option makes Scute return only the leaf certificate.

@end table

diff --git a/src/gpgsm.c b/src/gpgsm.c
index 53bbef8..ef180ca 100644
--- a/src/gpgsm.c
+++ b/src/gpgsm.c
@@ -118,7 +118,7 @@ scute_gpgsm_get_cert (key_info_t kinfo, cert_get_cb_t cert_get_cb, void *hook)
search.found = false;
search.cert_get_cb = cert_get_cb;
search.hook = hook;
- search.with_chain = false;
+ search.with_chain = !_scute_opt.no_chain;
search.kinfo = kinfo;

DEBUG (DBG_INFO, "scute_gpgsm_get_cert: keyref='%s'", kinfo->keyref);
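Review bot: The new assignment at the top of scute_gpgsm_get_cert also governs the lookup that runs before the gpgsm fallback, which previously always used `search.with_chain = false`; with the option unset, that earlier lookup will now request the chain as well, which goes beyond making the existing default configurable. If that is not intended, keep `search.with_chain = false;` here and instead replace the fallback line dropped in the second hunk with `search.with_chain = !_scute_opt.no_chain;`. The code between the two hunks is not visible, so whether the earlier path honours with_chain is inferred; the function starts before this hunk and continues past the second one. The changelog entry attributes this change to src/agent.c, whereas the hunk is in src/gpgsm.c.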
@@ -136,7 +136,6 @@ scute_gpgsm_get_cert (key_info_t kinfo, cert_get_cb_t cert_get_cb, void *hook)
}

DEBUG (DBG_INFO, "scute_gpgsm_get_cert: falling back to gpgsm");
- search.with_chain = true;
err = scute_gpgsm_search_certs (KEYLIST_BY_GRIP, kinfo->grip,
search_cb, &search);
return err;
diff --git a/src/options.h b/src/options.h
index d545da9..787af5e 100644
--- a/src/options.h
+++ b/src/options.h
@@ -26,6 +26,7 @@ typedef struct {
char *user;
int debug_flags;
int assume_single_threaded;
+ int no_chain;
} _scute_opt_t;

extern _scute_opt_t _scute_opt;
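Review bot: The new `no_chain` field is added without any comment saying what a non-zero value means, so a reader of options.h has to find the texinfo entry to learn it; a short trailing comment would do: `int no_chain;  /* If set, return only the leaf certificate, not its signing chain.  */`. The enclosing typedef starts before this hunk.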
diff --git a/src/readconf.c b/src/readconf.c
index 94f967c..80a92a5 100644
--- a/src/readconf.c
+++ b/src/readconf.c
@@ -53,13 +53,15 @@ my_strusage (int level)
void
_scute_read_conf (void)
{
- enum { oNull = 500, oUser, oDebug, oLogfile, oAssumeSingleThreaded };
+ enum { oNull = 500, oUser, oDebug, oLogfile, oAssumeSingleThreaded,
+ oNoChain };
gpgrt_opt_t opts[] =
{
ARGPARSE_s_s(oUser, "user", NULL ),
ARGPARSE_s_s(oDebug, "debug", NULL),
ARGPARSE_s_s(oLogfile, "log-file", NULL),
ARGPARSE_s_n(oAssumeSingleThreaded, "assume-single-threaded", NULL),
+ ARGPARSE_s_n(oNoChain, "no-chain", NULL),
ARGPARSE_end()
};
int dummy_argc = 0;
@@ -82,6 +84,7 @@ _scute_read_conf (void)
case oAssumeSingleThreaded:
_scute_opt.assume_single_threaded = 1;
break;
+ case oNoChain: _scute_opt.no_chain = 1; break;
case ARGPARSE_CONFFILE: break;
default : pargs.err = ARGPARSE_PRINT_WARNING; break;
}
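Review bot: The added `case oNoChain:` packs the assignment and `break` onto a single line, while the neighbouring `oAssumeSingleThreaded` case spreads the same three statements over three lines; for consistency write it as `case oNoChain:` / `_scute_opt.no_chain = 1;` / `break;`. The enclosing switch and _scute_read_conf continue outside this hunk.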
--
2.35.3

