agent: Add trustlist flag "de-vs".

* agent/trustlist.c (struct trustitem_s): Add field de_vs.
(read_one_trustfile): Parse it.
(istrusted_internal): Emit TRUSTLISTFLAG status line.
* sm/gpgsm.h (struct rootca_flags_s): Add field de_vs.
* sm/call-agent.c (istrusted_status_cb): Detect the flags.

* sm/sign.c (write_detached_signature): Remove unused vars.
--

Right now this flag has no effect; we first need to specify the exact
behaviour.

GnuPG-bug-id: 5079
(cherry picked from commit a5360ae4c7bfe6df6754409d5bd5c5a521ae5e6f)

agent/trustlist.c

@@ -46,6 +46,7 @@ struct trustitem_s
                              constraints. */
     int cm:1;             /* Use chain model for validation. */
     int qual:1;           /* Root CA for qualified signatures.  */
+    int de_vs:1;          /* Root CA for de-vs compliant PKI.    */
   } flags;
   unsigned char fpr[20];  /* The binary fingerprint. */
 };
@@ -325,6 +326,8 @@ read_one_trustfile (const char *fname, int systrust,
             ti->flags.cm = 1;
           else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
             ti->flags.qual = 1;
+          else if (n == 4 && !memcmp (p, "de-vs", 4) && systrust)
+            ti->flags.de_vs = 1;
           else
             log_error ("flag '%.*s' in '%s', line %d ignored\n",
                        n, p, fname, lnr);
@@ -477,7 +480,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
                in a locked state.  */
             if (already_locked)
               ;
-            else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
+            else if (ti->flags.relax || ti->flags.cm || ti->flags.qual
+                     || ti->flags.de_vs)
               {
                 unlock_trusttable ();
                 locked = 0;
@@ -488,6 +492,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
                   err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
                 if (!err && ti->flags.qual)
                   err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
+                if (!err && ti->flags.de_vs)
+                  err = agent_write_status (ctrl,"TRUSTLISTFLAG", "de-vs",NULL);
               }
 
             if (!err)

doc/gpg-agent.texi

@@ -829,6 +829,11 @@ This flag has an effect only if used in the global list.  This is now
 the preferred way to mark such CA; the old way of having a separate
 file @file{qualified.txt} is still supported.
 
+@item de-vs
+The CA is part of an approved PKI for the German classification level
+VS-NfD.  It is only valid in the global trustlist.  As of now this is
+used only for documentation purpose.
+
 @end table
 
 

sm/call-agent.c

@@ -874,6 +874,8 @@ istrusted_status_cb (void *opaque, const char *line)
         flags->chain_model = 1;
       else if (has_leading_keyword (line, "qual"))
         flags->qualified = 1;
+      else if (has_leading_keyword (line, "de-vs"))
+        flags->de_vs = 1;
     }
   return 0;
 }

sm/gpgsm.h

@@ -262,6 +262,7 @@ struct rootca_flags_s
   unsigned int relax:1;  /* Relax checking of root certificates.  */
   unsigned int chain_model:1; /* Root requires the use of the chain model.  */
   unsigned int qualified:1;   /* Root CA used for qualfied signatures.   */
+  unsigned int de_vs:1;       /* Root CA is de-vs compliant.             */
 };