authorWerner Koch <[email protected]>2025-08-27 09:26:37 +0000
committerWerner Koch <[email protected]>2025-08-27 09:41:38 +0000
commit6a05d7f0e87fea373f42317c15df9e1ab59dea3e (patch)
treecf84b7251dc439530be1d6cfef44945af2346d40
parentgpgsm: Change the debug flags used with --debug-level basic to expert. (diff)
downloadgnupg-6a05d7f0e87fea373f42317c15df9e1ab59dea3e.tar.gz
gnupg-6a05d7f0e87fea373f42317c15df9e1ab59dea3e.zip
gpgsm: Add option --no-qes-note and trustlist flag "noconsent".
* agent/trustlist.c (struct trustitem_s): Add flag "noconsent". (read_one_trustfile): Set flag. (istrusted_internal): Emit flag value. * sm/call-agent.c (istrusted_status_cb): Parse flag. * sm/certchain.c (do_validate_chain): Handle flag by using a different true value for an existing variable. * sm/sign.c (gpgsm_sign): Consult the new flag. * sm/gpgsm.c (enum cmd_and_opt_values): Add oNoQESNote. (opts): Add option --no-qes-note. * sm/gpgsm.h (opt): Add field no_qes_note. (struct rootca_flags_s): Add flag noconsent. * sm/sign.c (gpgsm_sign): Take care of the noconsent flag. * sm/qualified.c (gpgsm_qualified_consent): Take care of no_qes_note. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 7713
-rw-r--r--agent/trustlist.c9
-rw-r--r--doc/gpg-agent.texi3
-rw-r--r--doc/gpgsm.texi12
-rw-r--r--sm/call-agent.c2
-rw-r--r--sm/certchain.c20
-rw-r--r--sm/gpgsm.c7
-rw-r--r--sm/gpgsm.h4
-rw-r--r--sm/qualified.c2
-rw-r--r--sm/sign.c7
-rw-r--r--sm/verify.c2
10 files changed, 54 insertions, 14 deletions
diff --git a/agent/trustlist.c b/agent/trustlist.c
index 9831d04ef..144e641ce 100644
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@@ -46,6 +46,7 @@ struct trustitem_s
unsigned int cm:1; /* Use chain model for validation. */
unsigned int qual:1; /* Root CA for qualified signatures. */
unsigned int de_vs:1; /* Root CA for de-vs compliant PKI. */
+ unsigned int noconsent:1; /* Do not require a conset for "qual". */
} flags;
unsigned char fpr[20]; /* The binary fingerprint. */
};
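Review bot: The comment on the new `noconsent` bit-field has a typo ("conset"), and the matching comment in sm/gpgsm.h (struct rootca_flags_s) is missing a word. Suggested wording: `/* Do not require consent for "qual". */` here and `/* Consent is not required for "qualified". */` in gpgsm.h. struct trustitem_s starts outside this hunk.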
@@ -325,6 +326,8 @@ read_one_trustfile (const char *fname, int systrust,
ti->flags.cm = 1;
else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
ti->flags.qual = 1;
+ else if (n == 9 && !memcmp (p, "noconsent", 9) && systrust)
+ ti->flags.noconsent = 1;
else if (n == 5 && !memcmp (p, "de-vs", 5) && systrust)
ti->flags.de_vs = 1;
else
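Review bot: Nothing at the new `noconsent` branch says why it is tied to `systrust`, although that guard decides which trustlist may switch off the consent prompt for qualified signatures. A short comment such as `/* Honoured only in the system trustlist, like "qual". */` would keep a later refactoring from dropping the condition. The flag is also accepted without `qual` on the same line; as far as the sm/certchain.c hunk shows, it only takes effect when both are set, so a lone `noconsent` appears to be silently inert and may deserve a warning at parse time. read_one_trustfile's body starts and ends outside this hunk.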
@@ -485,7 +488,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int listmode, int *r_disabled,
if (already_locked)
;
else if (listmode || ti->flags.relax || ti->flags.cm
- || ti->flags.qual || ti->flags.de_vs)
+ || ti->flags.qual || ti->flags.de_vs
+ || ti->flags.noconsent)
{
unlock_trusttable ();
locked = 0;
@@ -502,6 +506,9 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int listmode, int *r_disabled,
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
if (!err && ti->flags.qual)
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
+ if (!err && ti->flags.noconsent)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "noconsent",
+ NULL);
if (!err && ti->flags.de_vs)
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "de-vs",NULL);
}
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 14bb0632d..92fac27a7 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -860,6 +860,9 @@ This flag has an effect only if used in the global list. This is now
the preferred way to mark such CA; the old way of having a separate
file @file{qualified.txt} is still supported.
+@item noconsent
+Do not require consent from a user to create a qualified signature.
+
@item de-vs
The CA is part of an approved PKI for the German classification level
VS-NfD. It is only valid in the global trustlist. As of now this is
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 7dab314be..8ea9b91db 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -910,6 +910,12 @@ operation requested by a web browser.
@opindex no-common-certs-import
Suppress the import of common certificates on keybox creation.
+
+@item --no-qes-note
+@opindex no-qes-note
+Do not print notices that ``this software is not officially approved
+to create or verify QES signatures''.
+
@end table
All the long options may also be given in the configuration file after
@@ -979,9 +985,9 @@ like this:
This is the legacy method to mark root certificates as usable for
qualified certificates. Qualified certificates are capable of
creating legally binding signatures in the same way as handwritten
-signatures. The modern method to mark such root certificates is to
-use the "qual" flag in the system trustlist.txt; see the gpg-agent man
-page for details.
+signatures (QES). The modern method to mark such root certificates is
+to use the "qual" flag in the system trustlist.txt; see the gpg-agent
+man page for details.
Comments int his file start with a hash mark and empty lines are
ignored. Lines do have a length limit but this is not a serious
diff --git a/sm/call-agent.c b/sm/call-agent.c
index c2875626b..16fb10901 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -970,6 +970,8 @@ istrusted_status_cb (void *opaque, const char *line)
parm->flags.chain_model = 1;
else if (has_leading_keyword (line, "qual"))
parm->flags.qualified = 1;
+ else if (has_leading_keyword (line, "noconsent"))
+ parm->flags.noconsent = 1;
else if (has_leading_keyword (line, "de-vs"))
parm->flags.de_vs = 1;
diff --git a/sm/certchain.c b/sm/certchain.c
index e5272b983..a285ce32c 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1630,7 +1630,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
int any_no_policy_match = 0;
int is_qualified = -1; /* Indicates whether the certificate stems
from a qualified root certificate.
- -1 = unknown, 0 = no, 1 = yes. */
+ -1 = unknown, 0 = no, 1 = yes, 2 = yes,noconsent */
chain_item_t chain = NULL; /* A list of all certificates in the chain. */
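Review bot: The new state of `is_qualified` is encoded as a bare `2`, and that literal recurs in three further hunks of do_validate_chain and in gpgsm_sign (sm/sign.c), where it decides whether the consent prompt is skipped. Named constants shared through gpgsm.h, for example `enum { QUALIFIED_NO = 0, QUALIFIED_YES = 1, QUALIFIED_YES_NOCONSENT = 2 };` (names are only a suggestion), would make every place that relies on the value easy to find and audit. The conversion `if (is_qualified == 2) buf[0] = 2; else buf[0] = !!is_qualified;` is also written out twice in later hunks and could become one small static helper. The declaration sits inside do_validate_chain, whose body extends beyond this hunk.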
@@ -1816,7 +1816,10 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
{
/* We already checked this for this certificate,
thus we simply take it from the user data. */
- is_qualified = !!*buf;
+ if (*buf == 2)
+ is_qualified = 2;
+ else
+ is_qualified = !!*buf;
}
else
{
@@ -1828,7 +1831,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
else
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
if (!err)
- is_qualified = 1;
+ is_qualified = (rootca_flags->qualified
+ && rootca_flags->noconsent)? 2 : 1;
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
is_qualified = 0;
else
@@ -1839,7 +1843,10 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
{
/* Cache the result but don't care too much
about an error. */
- buf[0] = !!is_qualified;
+ if (is_qualified == 2)
+ buf[0] = 2;
+ else
+ buf[0] = !!is_qualified;
err = ksba_cert_set_user_data (subject_cert,
"is_qualified", buf, 1);
if (err)
@@ -2222,7 +2229,10 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
chain_item_t ci;
char buf[1];
- buf[0] = !!is_qualified;
+ if (is_qualified == 2)
+ buf[0] = 2;
+ else
+ buf[0] = !!is_qualified;
for (ci = chain; ci; ci = ci->next)
{
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 319002b07..57148d03e 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -220,6 +220,7 @@ enum cmd_and_opt_values {
oAlwaysTrust,
oNoAutostart,
oAssertSigner,
+ oNoQESNote,
oNoop
};
@@ -324,7 +325,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oKeyboxdProgram, "keyboxd-program", "@"),
ARGPARSE_s_s (oDirmngrProgram, "dirmngr-program", "@"),
ARGPARSE_s_s (oProtectToolProgram, "protect-tool-program", "@"),
-
+ ARGPARSE_s_n (oNoQESNote, "no-qes-note", "@"),
ARGPARSE_header ("Input", N_("Options controlling the input")),
@@ -1540,6 +1541,8 @@ main ( int argc, char **argv)
add_to_strlist (&opt.assert_signer_list, pargs.r.ret_str);
break;
+ case oNoQESNote: opt.no_qes_note = 1; break;
+
case oNoop: break;
default:
@@ -1640,7 +1643,7 @@ main ( int argc, char **argv)
assuan_control (ASSUAN_CONTROL_REINIT_SYSCALL_CLAMP, NULL);
-/* if (opt.qualsig_approval && !opt.quiet) */
+/* if (opt.qualsig_approval && !opt.quiet && !opt.no_qes_note) */
/* log_info (_("This software has officially been approved to " */
/* "create and verify\n" */
/* "qualified signatures according to German law.\n")); */
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index d23223ea9..cc049d05b 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -141,6 +141,9 @@ struct
runtime option in case we want to check
the integrity of the software at
runtime. */
+ int no_qes_note; /* Do not print a note that the software
+ * has not been approved for creating or
+ * verifying qualified signatures. */
unsigned int min_rsa_length; /* Used for compliance checks. */
@@ -341,6 +344,7 @@ struct rootca_flags_s
unsigned int relax:1; /* Relax checking of root certificates. */
unsigned int chain_model:1; /* Root requires the use of the chain model. */
unsigned int qualified:1; /* Root CA used for qualified signatures. */
+ unsigned int noconsent:1; /* Consent is not required "qualified". */
unsigned int de_vs:1; /* Root CA is de-vs compliant. */
};
diff --git a/sm/qualified.c b/sm/qualified.c
index 4d8dfccab..b35f4458b 100644
--- a/sm/qualified.c
+++ b/sm/qualified.c
@@ -209,7 +209,7 @@ gpgsm_qualified_consent (ctrl_t ctrl, ksba_cert_t cert)
"equated to a handwritten signature.\n\n%s%s"
"Are you really sure that you want to do this?"),
subject? subject:"?",
- opt.qualsig_approval?
+ (opt.qualsig_approval || opt.no_qes_note)?
"":
_("Note, that this software is not officially approved "
"to create or verify such signatures.\n"),
diff --git a/sm/sign.c b/sm/sign.c
index ec0172b4b..8de79222a 100644
--- a/sm/sign.c
+++ b/sm/sign.c
@@ -891,7 +891,12 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
goto leave;
}
if (*buffer)
- err = gpgsm_qualified_consent (ctrl, cl->cert);
+ {
+ if (*buffer == 2)
+ err = 0; /* No consent required. */
+ else
+ err = gpgsm_qualified_consent (ctrl, cl->cert);
+ }
else
err = gpgsm_not_qualified_warning (ctrl, cl->cert);
if (err)
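Review bot: The `*buffer == 2` branch skips gpgsm_qualified_consent without writing anything to the log, so afterwards there is no record of whether a qualified signature was made with or without a prompt. A log line in that branch would give operators that record, for example `log_info (_("consent prompt skipped due to trustlist flag \"noconsent\"\n"));` (wording is a suggestion). Any other non-zero cached value still reaches the prompt, which is the safe default and worth stating in the comment. gpgsm_sign's body continues outside this hunk.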
diff --git a/sm/verify.c b/sm/verify.c
index 3c22ee0cc..2aaab30cd 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -703,7 +703,7 @@ gpgsm_verify (ctrl_t ctrl, estream_t in_fp, estream_t data_fp,
if (*qualbuffer)
{
log_info (_("This is a qualified signature\n"));
- if (!opt.qualsig_approval)
+ if (!opt.qualsig_approval && !opt.no_qes_note)
log_info
(_("Note, that this software is not officially approved "
"to create or verify such signatures.\n"));