author | Werner Koch <[email protected]> | 2025-08-27 10:03:41 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2025-08-27 10:04:25 +0000 |
commit | 7b133027ae86a4cd68bc15b02d568f5951942218 (patch) | |
tree | 32adbeb1af9c3e0686a198078712eed38c5aa4d1 | |
parent | gpgsm: Add option --no-qes-note and trustlist flag "noconsent". (diff) | |
agent: Enable "relax" in the trustlist by default and add "norelax"
* agent/trustlist.c (read_one_trustfile): Enabled the relax flag by
default. Add new keyword "norelax".
--
In any real world settings the "relax" flag is always set. Thus it is
better to make it the default and provide a way to disable it. In
fact, it is questionable whether this flag make sense at all. It is
some kind of legacy thing.
-rw-r--r-- | agent/trustlist.c | 8 | ||||
-rw-r--r-- | doc/gpg-agent.texi | 5 |
2 files changed, 9 insertions, 4 deletions
diff --git a/agent/trustlist.c b/agent/trustlist.c
index 144e641ce..8581cda15 100644
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@@ -42,7 +42,7 @@ struct trustitem_s
 unsigned int for_pgp:1; /* Set by '*' or 'P' as first flag. */
 unsigned int for_smime:1; /* Set by '*' or 'S' as first flag. */
 unsigned int relax:1; /* Relax checking of root certificate
- constraints. */
+ constraints. Be default enabled. */
 unsigned int cm:1; /* Use chain model for validation. */
 unsigned int qual:1; /* Root CA for qualified signatures. */
 unsigned int de_vs:1; /* Root CA for de-vs compliant PKI. */
@@ -257,6 +257,7 @@ read_one_trustfile (const char *fname, int systrust,
 ti = table + tableidx;
 memset (&ti->flags, 0, sizeof ti->flags);
+ ti->flags.relax = 1; /* Legacy flag; use "norelax" to trun it off. */
 if (*p == '!')
 {
 ti->flags.disabled = 1;
@@ -322,6 +323,8 @@ read_one_trustfile (const char *fname, int systrust,
 }
 else if (n == 5 && !memcmp (p, "relax", 5))
 ti->flags.relax = 1;
+ else if (n == 7 && !memcmp (p, "norelax", 7))
+ ti->flags.relax = 0;
 else if (n == 2 && !memcmp (p, "cm", 2))
 ti->flags.cm = 1;
 else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
@@ -875,8 +878,7 @@ agent_marktrusted (ctrl_t ctrl, const char *name, const char *fpr, int flag)
 }
 else
 es_fputs (nameformatted, fp);
- es_fprintf (fp, "\n%s%s %c%s\n", yes_i_trust?"":"!", fprformatted, flag,
- flag == 'S'? " relax":"");
+ es_fprintf (fp, "\n%s%s %c\n", yes_i_trust?"":"!", fprformatted, flag);
 if (es_ferror (fp))
 err = gpg_error_from_syserror ();
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 92fac27a7..96242048c 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
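Review bot: The new `ti->flags.relax = 1;` after the memset in read_one_trustfile changes the meaning of every existing trustlist line that names no flag: after an upgrade those roots are accepted without basicConstraints and without a root CRL check, which is what doc/gpg-agent.texi says "relax" does. The inline comment should state that effect rather than only call the flag legacy, and it has a typo ("trun"); I would write `/* On by default: accepts roots without basicConstraints and skips the root CRL check; "norelax" restores both checks. */`. The struct comment in the first hunk has a matching typo, "Be default" for "By default". The function starts and ends outside the hunk, and `systrust` is visible only in its signature, so whether the system trustlist is meant to get the same default cannot be confirmed from here.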
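Review bot: A line that carries both `relax` and `norelax` is accepted silently by the new branch, and if the flags are parsed left to right (the loop is outside the hunk) the later keyword wins. Since the two keywords now decide whether basicConstraints and the root CRL are checked, a comment above the pair should make the precedence explicit, e.g. `/* "relax" is now the default and kept for old files; the last of relax/norelax on a line wins. */`. How an unrecognised keyword is handled is also outside the hunk; that matters for an older agent that reads a file containing `norelax`.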
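Review bot: agent_marktrusted now writes `S` entries without ` relax`, so the file it produces no longer records that the root checks are relaxed, and an agent built before this commit that reads the same trustlist.txt would apply the strict checks to those entries. That fails closed, but it makes validation of one and the same line depend on the agent version, which is worth stating in a comment at the call, e.g. `/* No "relax" is written: read_one_trustfile enables it by default. */`. The function body starts and ends outside the hunk.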
@@ -844,11 +844,14 @@ caller: @table @code @item relax +@itemx norelax @cindex relax +@cindex norelax Relax checking of some root certificate requirements. As of now this flag allows the use of root certificates with a missing basicConstraints attribute (despite that it is a MUST for CA certificates) and disables -CRL checking for the root certificate. +CRL checking for the root certificate. This is by default enabled. +Use "norelax" to disable it. @item cm If validation of a certificate finally issued by a CA with this flag set |