Diffstat (limited to 'sm')
-rw-r--r--sm/call-agent.c2
-rw-r--r--sm/certchain.c8
-rw-r--r--sm/gpgsm.h1
3 files changed, 9 insertions, 2 deletions
diff --git a/sm/call-agent.c b/sm/call-agent.c
index 5b1b0a9b0..5e56371fd 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -872,6 +872,8 @@ istrusted_status_cb (void *opaque, const char *line)
flags->relax = 1;
else if (has_leading_keyword (line, "cm"))
flags->chain_model = 1;
+ else if (has_leading_keyword (line, "qual"))
+ flags->qualified = 1;
}
return 0;
}
diff --git a/sm/certchain.c b/sm/certchain.c
index 720648e06..57de48301 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1727,8 +1727,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
else
{
/* Need to consult the list of root certificates for
- qualified signatures. */
- err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
+ qualified signatures. But first we check the
+ modern way by looking at the root ca flag. */
+ if (rootca_flags->qualified)
+ err = 0;
+ else
+ err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
if (!err)
is_qualified = 1;
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND )
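Review bot: The new `if (rootca_flags->qualified)` branch sets `err = 0` and skips `gpgsm_is_in_qualified_list` with no visible check that `rootca_flags` was filled by a successful trust lookup for this same `subject_cert`. Judging from the call-agent.c hunk, the bit is set only when the agent's status line carries a `qual` keyword, so it presumably stays 0 when that lookup fails, but that depends on the struct being cleared beforehand, which the hunk does not show. Because this branch decides whether a signature is reported as qualified, I would state the dependency in the comment, e.g. `/* ROOTCA_FLAGS holds the agent's trust list flags for SUBJECT_CERT; QUALIFIED is only set if that lookup returned a "qual" flag. */`, and confirm the flags are zeroed before each lookup. The body of do_validate_chain starts and ends outside the hunk.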
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 469bca33c..b826fa814 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -261,6 +261,7 @@ struct rootca_flags_s
information. */
unsigned int relax:1; /* Relax checking of root certificates. */
unsigned int chain_model:1; /* Root requires the use of the chain model. */
+ unsigned int qualified:1; /* Root CA used for qualfied signatures. */
};
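Review bot: The comment on the new `qualified` bit-field misspells "qualified" as "qualfied"; the line should read `unsigned int qualified:1; /* Root CA used for qualified signatures. */`. It would also help to say that the bit is set from the `qual` trust list flag, as the call-agent.c hunk does, since that is what distinguishes it from the lookup in the list of qualified root certificates. The struct definition starts outside the hunk.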