agent: Add trustlist flag "de-vs".

* agent/trustlist.c (struct trustitem_s): Add field de_vs. (read_one_trustfile): Parse it. (istrusted_internal): Emit TRUSTLISTFLAG status line. * sm/gpgsm.h (struct rootca_flags_s): Add field de_vs. * sm/call-agent.c (istrusted_status_cb): Detect the flags. * sm/sign.c (write_detached_signature): Remove unused vars. -- Right now this flag has no effect; we first need to specify the exact behaviour. GnuPG-bug-id: 5079 (cherry picked from commit a5360ae4c7)
2023-04-03 14:06:36 +02:00 · 2023-04-03 14:06:36 +02:00 · 6d45fcdd3c
parent 7e320a89c2
commit 6d45fcdd3c
4 changed files with 15 additions and 1 deletions
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@ -46,6 +46,7 @@ struct trustitem_s
                             constraints. */
    int cm:1;             /* Use chain model for validation. */
    int qual:1;           /* Root CA for qualified signatures.  */
+    int de_vs:1;          /* Root CA for de-vs compliant PKI.    */
  } flags;
  unsigned char fpr[20];  /* The binary fingerprint. */
 };
@ -325,6 +326,8 @@ read_one_trustfile (const char *fname, int systrust,
            ti->flags.cm = 1;
          else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
            ti->flags.qual = 1;
+          else if (n == 4 && !memcmp (p, "de-vs", 4) && systrust)
+            ti->flags.de_vs = 1;
          else
            log_error ("flag '%.*s' in '%s', line %d ignored\n",
                       n, p, fname, lnr);
@ -477,7 +480,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
               in a locked state.  */
            if (already_locked)
              ;
-            else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
+            else if (ti->flags.relax || ti->flags.cm || ti->flags.qual
+                     || ti->flags.de_vs)
              {
                unlock_trusttable ();
                locked = 0;
@ -488,6 +492,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
                  err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
                if (!err && ti->flags.qual)
                  err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
+                if (!err && ti->flags.de_vs)
+                  err = agent_write_status (ctrl,"TRUSTLISTFLAG", "de-vs",NULL);
              }

            if (!err)
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@ -829,6 +829,11 @@ This flag has an effect only if used in the global list.  This is now
 the preferred way to mark such CA; the old way of having a separate
 file @file{qualified.txt} is still supported.

+@item de-vs
+The CA is part of an approved PKI for the German classification level
+VS-NfD.  It is only valid in the global trustlist.  As of now this is
+used only for documentation purpose.
+
@end table


--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@ -874,6 +874,8 @@ istrusted_status_cb (void *opaque, const char *line)
        flags->chain_model = 1;
      else if (has_leading_keyword (line, "qual"))
        flags->qualified = 1;
+      else if (has_leading_keyword (line, "de-vs"))
+        flags->de_vs = 1;
    }
  return 0;
 }
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -262,6 +262,7 @@ struct rootca_flags_s
  unsigned int relax:1;  /* Relax checking of root certificates.  */
  unsigned int chain_model:1; /* Root requires the use of the chain model.  */
  unsigned int qualified:1;   /* Root CA used for qualfied signatures.   */
+  unsigned int de_vs:1;       /* Root CA is de-vs compliant.             */
 };