From 6d45fcdd3c3e8d039b05f7276e7619c19fc957d1 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 3 Apr 2023 14:06:36 +0200 Subject: [PATCH] agent: Add trustlist flag "de-vs". * agent/trustlist.c (struct trustitem_s): Add field de_vs. (read_one_trustfile): Parse it. (istrusted_internal): Emit TRUSTLISTFLAG status line. * sm/gpgsm.h (struct rootca_flags_s): Add field de_vs. * sm/call-agent.c (istrusted_status_cb): Detect the flags. * sm/sign.c (write_detached_signature): Remove unused vars. -- Right now this flag has no effect; we first need to specify the exact behaviour. GnuPG-bug-id: 5079 (cherry picked from commit a5360ae4c7bfe6df6754409d5bd5c5a521ae5e6f) --- agent/trustlist.c | 8 +++++++- doc/gpg-agent.texi | 5 +++++ sm/call-agent.c | 2 ++ sm/gpgsm.h | 1 + 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/agent/trustlist.c b/agent/trustlist.c index d98da0c21..5617370a8 100644 --- a/agent/trustlist.c +++ b/agent/trustlist.c @@ -46,6 +46,7 @@ struct trustitem_s constraints. */ int cm:1; /* Use chain model for validation. */ int qual:1; /* Root CA for qualified signatures. */ + int de_vs:1; /* Root CA for de-vs compliant PKI. */ } flags; unsigned char fpr[20]; /* The binary fingerprint. */ }; @@ -325,6 +326,8 @@ read_one_trustfile (const char *fname, int systrust, ti->flags.cm = 1; else if (n == 4 && !memcmp (p, "qual", 4) && systrust) ti->flags.qual = 1; + else if (n == 4 && !memcmp (p, "de-vs", 4) && systrust) + ti->flags.de_vs = 1; else log_error ("flag '%.*s' in '%s', line %d ignored\n", n, p, fname, lnr); @@ -477,7 +480,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled, in a locked state. */ if (already_locked) ; - else if (ti->flags.relax || ti->flags.cm || ti->flags.qual) + else if (ti->flags.relax || ti->flags.cm || ti->flags.qual + || ti->flags.de_vs) { unlock_trusttable (); locked = 0; @@ -488,6 +492,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled, err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL); if (!err && ti->flags.qual) err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL); + if (!err && ti->flags.de_vs) + err = agent_write_status (ctrl,"TRUSTLISTFLAG", "de-vs",NULL); } if (!err) diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 05eb066a5..463b6a6b5 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -829,6 +829,11 @@ This flag has an effect only if used in the global list. This is now the preferred way to mark such CA; the old way of having a separate file @file{qualified.txt} is still supported. +@item de-vs +The CA is part of an approved PKI for the German classification level +VS-NfD. It is only valid in the global trustlist. As of now this is +used only for documentation purpose. + @end table diff --git a/sm/call-agent.c b/sm/call-agent.c index 5e56371fd..5cbaf33b0 100644 --- a/sm/call-agent.c +++ b/sm/call-agent.c @@ -874,6 +874,8 @@ istrusted_status_cb (void *opaque, const char *line) flags->chain_model = 1; else if (has_leading_keyword (line, "qual")) flags->qualified = 1; + else if (has_leading_keyword (line, "de-vs")) + flags->de_vs = 1; } return 0; } diff --git a/sm/gpgsm.h b/sm/gpgsm.h index b826fa814..7038e0ea8 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -262,6 +262,7 @@ struct rootca_flags_s unsigned int relax:1; /* Relax checking of root certificates. */ unsigned int chain_model:1; /* Root requires the use of the chain model. */ unsigned int qualified:1; /* Root CA used for qualfied signatures. */ + unsigned int de_vs:1; /* Root CA is de-vs compliant. */ };