author | Werner Koch <[email protected]> | 2022-02-27 11:03:20 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2023-09-07 15:12:33 +0000 |
commit | 7e320a89c2019201594b04bb62843732f2c5f0c5 (patch) | |
tree | 78548569dda3c7191c7f78f0dc2e77b438870897 | |
parent | gpgsm: Create binary detached sigs with definite form length octets. (diff) | |
agent: New flag "qual" for the trustlist.txt.
* agent/trustlist.c (struct trustitem_s): Add flag "qual".
(read_one_trustfile): Rename arg "allow_include" to "systrust" and
change callers. Parse new flag "qual".
(istrusted_internal): Print all flags.
* sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag.
* sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified".
* sm/certchain.c (do_validate_chain): Take care of the qualified flag.
--
(cherry picked from commit 7c8c6060616ab91f5490e91a0fb9efc9aee9f58e)
-rw-r--r-- | agent/trustlist.c | 19 | ||||
-rw-r--r-- | doc/gpg-agent.texi | 6 | ||||
-rw-r--r-- | sm/call-agent.c | 2 | ||||
-rw-r--r-- | sm/certchain.c | 8 | ||||
-rw-r--r-- | sm/gpgsm.h | 1 |
5 files changed, 26 insertions, 10 deletions
diff --git a/agent/trustlist.c b/agent/trustlist.c
index a19af344a..d98da0c21 100644
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@@ -45,6 +45,7 @@ struct trustitem_s
 int relax:1; /* Relax checking of root certificate constraints. */
 int cm:1; /* Use chain model for validation. */
+ int qual:1; /* Root CA for qualified signatures. */
 } flags;
 unsigned char fpr[20]; /* The binary fingerprint. */
 };
@@ -322,6 +323,8 @@ read_one_trustfile (const char *fname, int systrust,
 ti->flags.relax = 1;
 else if (n == 2 && !memcmp (p, "cm", 2))
 ti->flags.cm = 1;
+ else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
+ ti->flags.qual = 1;
 else
 log_error ("flag '%.*s' in '%s', line %d ignored\n", n, p, fname, lnr);
@@ -474,17 +477,17 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
 in a locked state. */
 if (already_locked)
 ;
- else if (ti->flags.relax)
+ else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
 {
 unlock_trusttable ();
 locked = 0;
- err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);
- }
- else if (ti->flags.cm)
- {
- unlock_trusttable ();
- locked = 0;
- err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL);
+ err = 0;
+ if (ti->flags.relax)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL);
+ if (!err && ti->flags.cm)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
+ if (!err && ti->flags.qual)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
 }
 if (!err)
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index a97529d54..05eb066a5 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
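Review bot: In the read_one_trustfile hunk, a `qual` flag that appears in a list read with `systrust` unset drops into the generic `log_error` branch, so it is reported with the same "flag ... ignored" wording as a misspelled flag, and the code gives no reason for the `&& systrust` condition. That condition looks like the only thing stopping a non-system trustlist from marking a root as qualified (the texinfo hunk in this commit says the flag works only in the global list), so it deserves a comment such as `/* "qual" is honored only in the system-wide trustlist. */` directly above the new `else if`. A separate message for the rejected case would also make the log easier to act on. The function body starts and ends outside the hunk.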
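Review bot: In the istrusted_internal hunk, `ti->flags.relax`, `ti->flags.cm` and `ti->flags.qual` are now read after `unlock_trusttable ()`, and the latter two after a call to `agent_write_status`; the old code tested each flag only in the `else if` condition, presumably while the lock was still held. Whether the table that `ti` points into can be replaced while the lock is released is not visible here, but if it can, the flags reported to the caller could come from a stale or freed entry. Copying the three flags into locals at the top of the block, before the unlock, removes the question. The enclosing function starts and ends outside the hunk.

```c
else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
  {
    /* Snapshot the flags before the table lock is released.  */
    int f_relax = !!ti->flags.relax;
    int f_cm    = !!ti->flags.cm;
    int f_qual  = !!ti->flags.qual;

    unlock_trusttable ();
    locked = 0;
    err = 0;
    if (f_relax)
      err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);
    if (!err && f_cm)
      err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL);
    if (!err && f_qual)
      err = agent_write_status (ctrl, "TRUSTLISTFLAG", "qual", NULL);
  }
```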
@@ -823,6 +823,12 @@ CRL checking for the root certificate. If validation of a certificate finally issued by a CA with this flag set fails, try again using the chain validation model.
+@item qual
+The CA is allowed to issue certificates for qualified signatures.
+This flag has an effect only if used in the global list. This is now
+the preferred way to mark such CA; the old way of having a separate
+file @file{qualified.txt} is still supported.
+
 @end table
diff --git a/sm/call-agent.c b/sm/call-agent.c
index 5b1b0a9b0..5e56371fd 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -872,6 +872,8 @@ istrusted_status_cb (void *opaque, const char *line)
 flags->relax = 1;
 else if (has_leading_keyword (line, "cm"))
 flags->chain_model = 1;
+ else if (has_leading_keyword (line, "qual"))
+ flags->qualified = 1;
 }
 return 0;
 }
diff --git a/sm/certchain.c b/sm/certchain.c
index 720648e06..57de48301 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1727,8 +1727,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
 else
 {
 /* Need to consult the list of root certificates for
- qualified signatures. */
- err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
+ qualified signatures. But first we check the
+ modern way by looking at the root ca flag. */
+ if (rootca_flags->qualified)
+ err = 0;
+ else
+ err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
 if (!err)
 is_qualified = 1;
 else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND )
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 469bca33c..b826fa814 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -261,6 +261,7 @@ struct rootca_flags_s
 information. */
 unsigned int relax:1; /* Relax checking of root certificates. */
 unsigned int chain_model:1; /* Root requires the use of the chain model. */
+ unsigned int qualified:1; /* Root CA used for qualfied signatures. */
 }; |
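Review bot: The new shortcut in do_validate_chain sets `err = 0` from `rootca_flags->qualified` alone, and nothing in the hunk shows that `rootca_flags` was filled in for this root certificate before the branch is reached. If the structure can be left over from an earlier lookup, or left unset when the agent query failed, a root would be treated as qualified without consulting either list. Assuming the structure's validity bit is what marks the remaining fields as usable (the comment tail in the sm/gpgsm.h hunk suggests so), testing it as well is cheap: `if (rootca_flags->valid && rootca_flags->qualified)`. The function body continues outside the hunk.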
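Review bot: The comment on the new bit-field in sm/gpgsm.h misspells "qualified": `/* Root CA used for qualfied signatures. */` should read `/* Root CA used for qualified signatures. */`. The struct definition starts outside the hunk.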