Diffstat (limited to 'sm/certchain.c')
-rw-r--r--sm/certchain.c63
1 files changed, 61 insertions, 2 deletions
diff --git a/sm/certchain.c b/sm/certchain.c
index 334af8d2d..69a68b40f 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1572,6 +1572,9 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
int is_qualified = -1; /* Indicates whether the certificate stems
from a qualified root certificate.
-1 = unknown, 0 = no, 1 = yes. */
+ int is_de_vs = -1; /* Indicates whether the certificate stems
+ from a de_vs compliant root certificate.
+ -1 = unknown, 0 = no, 1 = yes. */
chain_item_t chain = NULL; /* A list of all certificates in the chain. */
@@ -1743,8 +1746,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
/* Set the flag for qualified signatures. This flag is
- deduced from a list of root certificates allowed for
- qualified signatures. */
+ * deduced from a list of root certificates allowed for
+ * qualified signatures or flags from the trustlist.txt. */
if (is_qualified == -1 && !(flags & VALIDATE_FLAG_STEED))
{
gpg_error_t err;
@@ -1790,6 +1793,40 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
}
}
+ /* Set a flag for de_vs compliant certificates. This flag
+ * is deduced from trustlist.txt flags de_vs. */
+ if (is_de_vs == -1 && !(flags & VALIDATE_FLAG_STEED))
+ {
+ gpg_error_t err;
+ size_t buflen;
+ char buf[1];
+
+ if (!ksba_cert_get_user_data (cert, "is_de_vs",
+ &buf, sizeof (buf),
+ &buflen) && buflen)
+ {
+ /* We already checked this for this certificate,
+ * thus we simply take it from the user data. */
+ is_de_vs = !!*buf;
+ }
+ else
+ {
+ /* We check by looking at the root ca flag. */
+ is_de_vs = !!rootca_flags->de_vs;
+ if (is_de_vs != -1 )
+ {
+ /* Cache the result but don't care too much
+ * about an error. */
+ buf[0] = !!is_de_vs;
+ err = ksba_cert_set_user_data (subject_cert,
+ "is_de_vs", buf, 1);
+ if (err)
+ log_error ("set_user_data(is_de_vs) failed: %s\n",
+ gpg_strerror (err));
+ }
+ }
+ }
+
/* Act on the check for a trusted root certificates. */
rc = istrusted_rc;
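Review bot: The guard `if (is_de_vs != -1 )` in the else branch is always true, because `!!rootca_flags->de_vs` can only yield 0 or 1, so the "unknown" state never survives this block and the result is always cached on `subject_cert`. The block also runs before `rc = istrusted_rc` is acted on, and this hunk does not show whether `rootca_flags` is populated when the trust lookup failed; it is worth confirming that an untrusted or unlisted root can never leave a 1 here, since the cached value is reused on later validations. I would drop the dead guard and, if it holds, state the invariant in a comment such as `/* rootca_flags is cleared unless the root is listed in trustlist.txt, so de_vs defaults to 0. */`. do_validate_chain starts and ends outside the hunk.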
@@ -2177,6 +2214,28 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
}
}
+ /* The same as above for the de-vs flag. */
+ if (is_de_vs != -1 && !(flags & VALIDATE_FLAG_STEED))
+ {
+ gpg_error_t err;
+ chain_item_t ci;
+ char buf[1];
+
+ buf[0] = !!is_de_vs;
+
+ for (ci = chain; ci; ci = ci->next)
+ {
+ err = ksba_cert_set_user_data (ci->cert, "is_de_vs", buf, 1);
+ if (err)
+ {
+ log_error ("set_user_data(is_der_vs) failed: %s\n",
+ gpg_strerror (err));
+ if (!rc)
+ rc = err;
+ }
+ }
+ }
+
/* If auditing has been enabled, record what is in the chain. */
if (ctrl->audit)
{
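Review bot: The log message in the loop names the wrong key: `set_user_data(is_der_vs)` should read `set_user_data(is_de_vs)`, matching the user-data key and the message in the earlier de_vs block, otherwise a search of the logs for the key misses this failure. The loop also turns a failed cache write into a validation error through `if (!rc) rc = err;`, while the earlier block logs the same error and carries on. If failing the chain here is intended, a short comment such as `/* A chain we cannot mark is treated as invalid. */` would make that clear. The body of do_validate_chain continues outside the hunk.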