Diffstat (limited to 'sm')
-rw-r--r--sm/call-agent.c2
-rw-r--r--sm/certchain.c10
-rw-r--r--sm/gpgsm.h1
3 files changed, 10 insertions, 3 deletions
diff --git a/sm/call-agent.c b/sm/call-agent.c
index 6373829e8..06319cf62 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -888,6 +888,8 @@ istrusted_status_cb (void *opaque, const char *line)
flags->relax = 1;
else if (has_leading_keyword (line, "cm"))
flags->chain_model = 1;
+ else if (has_leading_keyword (line, "qual"))
+ flags->qualified = 1;
}
return 0;
}
diff --git a/sm/certchain.c b/sm/certchain.c
index ee17599d1..4050680e8 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1715,8 +1715,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
else
{
/* Need to consult the list of root certificates for
- qualified signatures. */
- err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
+ qualified signatures. But first we check the
+ modern way by looking at the root ca flag. */
+ if (rootca_flags->qualified)
+ err = 0;
+ else
+ err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
if (!err)
is_qualified = 1;
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
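Review bot: The new `if (rootca_flags->qualified) err = 0;` branch marks the chain as qualified without consulting the qualified list, so it is only sound if `rootca_flags` was filled by a successful agent trust query for this same `subject_cert` before control reaches this point. That code is outside the hunk, so please confirm the bit cannot be stale, uninitialized, or left over from a failed or skipped lookup. The comment would also be more useful if it named the source of the flag, for example `/* Set by istrusted_status_cb from the agent's "qual" keyword. */`. do_validate_chain starts and ends outside the hunk.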
@@ -2113,7 +2117,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
do_validate_chain. This function is a wrapper to handle a root
certificate with the chain_model flag set. If RETFLAGS is not
NULL, flags indicating now the verification was done are stored
- there. The only defined vits for RETFLAGS are
+ there. The only defined bits for RETFLAGS are
VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.
If you are verifying a signature you should set CHECKTIME to the
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 6dc5927b7..acb9332ba 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -268,6 +268,7 @@ struct rootca_flags_s
information. */
unsigned int relax:1; /* Relax checking of root certificates. */
unsigned int chain_model:1; /* Root requires the use of the chain model. */
+ unsigned int qualified:1; /* Root CA used for qualfied signatures. */
};
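Review bot: The comment on the new bit-field misspells "qualified" as `qualfied`; it should read `/* Root CA used for qualified signatures. */`. Because the sm/certchain.c hunk uses this bit to skip the qualified-list lookup, the comment should also record that it is set from the `qual` keyword parsed in istrusted_status_cb. That way a reader of the header can see that the value is trust-relevant input from the agent. struct rootca_flags_s starts outside the hunk.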