From 8a12a2000d82acfa881e8c18d028290100bf5e43 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 7 Dec 2011 16:15:15 +0100 Subject: gpgsm: Add new validation model "steed". * sm/gpgsm.h (VALIDATE_FLAG_STEED): New. * sm/gpgsm.c (gpgsm_parse_validation_model): Add model "steed". * sm/server.c (option_handler): Allow validation model "steed". * sm/certlist.c (gpgsm_cert_has_well_known_private_key): New. * sm/certchain.c (do_validate_chain): Handle the well-known-private-key attribute. Support the "steed" model. (gpgsm_validate_chain): Ditto. * sm/verify.c (gpgsm_verify): Return "steed" in the trust status line. * sm/keylist.c (list_cert_colon): Print the new 'w' flag. -- This is the first part of changes to implement the STEED proposal as described at http://g10code.com/steed.html . The idea for X.509 is not to use plain self-signed certificates but certificates signed by a dummy CA (i.e. one for which the private key is known). Having a single CA as an indication for the use of STEED might help other X.509 implementations to implement STEED. --- sm/gpgsm.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'sm/gpgsm.h') diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 31cd95150..6c68af746 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -195,7 +195,9 @@ struct server_control_s certificates up the chain (0 = none, 1 = only signer) */ int use_ocsp; /* Set to true if OCSP should be used. */ - int validation_model; /* Set to 1 for the chain model. */ + int validation_model; /* 0 := standard model (shell), + 1 := chain model, + 2 := STEED model. */ }; @@ -307,7 +309,7 @@ int gpgsm_create_cms_signature (ctrl_t ctrl, /* Flags used with gpgsm_validate_chain. */ #define VALIDATE_FLAG_NO_DIRMNGR 1 #define VALIDATE_FLAG_CHAIN_MODEL 2 - +#define VALIDATE_FLAG_STEED 4 int gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next); 
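Review bot: The new comment on `validation_model` in `struct server_control_s` documents the models as bare numbers (0, 1, 2), and these do not line up with the `VALIDATE_FLAG_*` bits defined further down in this header. Model 2 is STEED, while the flag with value 2 is `VALIDATE_FLAG_CHAIN_MODEL` and STEED is flag 4. Code that maps the model onto flags (the commit message names do_validate_chain and gpgsm_validate_chain, which are not shown here) could pass one numbering for the other and validate under a different trust model than the one configured. Named constants would make the distinction visible at each comparison, for example `enum { VALIDATION_MODEL_SHELL = 0, VALIDATION_MODEL_CHAIN = 1, VALIDATION_MODEL_STEED = 2 };` (the names are only a suggestion). The struct definition starts before this hunk.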
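Review bot: `VALIDATE_FLAG_STEED` is added without a comment, although it changes what a successful validation means. According to the commit message, STEED certificates are signed by a dummy CA whose private key is known, so a chain accepted under this flag gives no third-party identity assurance. The header is where callers of gpgsm_validate_chain look up the flags, so I would add `/* STEED model: the issuing CA's private key is well known; a valid result is not equivalent to regular PKI trust. */` above the define. The wording should be adjusted to what do_validate_chain actually enforces, which this view does not show.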
@@ -326,6 +328,7 @@ int gpgsm_cert_use_verify_p (ksba_cert_t cert); int gpgsm_cert_use_decrypt_p (ksba_cert_t cert); int gpgsm_cert_use_cert_p (ksba_cert_t cert); int gpgsm_cert_use_ocsp_p (ksba_cert_t cert); +int gpgsm_cert_has_well_known_private_key (ksba_cert_t cert); int gpgsm_certs_identical_p (ksba_cert_t cert_a, ksba_cert_t cert_b); int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert, certlist_t *listaddr, int is_encrypt_to); -- cgit v1.2.3
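Review bot: The new prototype `gpgsm_cert_has_well_known_private_key` gives no hint of its return convention, and it sits directly after the `gpgsm_cert_use_*_p` declarations, which also return a plain `int`. Callers deciding whether a certificate falls under the dummy-CA case depend on the polarity of that result, so a misreading would misclassify certificates whose private key is public. A one-line comment above the declaration would settle it, e.g. `/* Return true if CERT is marked as having a well-known private key, else 0. */`, provided that matches the implementation in sm/certlist.c, which is not part of this view.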