agent: New flag "qual" for the trustlist.txt.

* agent/trustlist.c (struct trustitem_s): Add flag "qual".
(read_one_trustfile): Rename arg "allow_include" to "systrust" and
change callers.  Parse new flag "qual".
(istrusted_internal): Print all flags.
* sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag.
* sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified".
* sm/certchain.c (do_validate_chain): Take care of the qualified flag.
Werner Koch 2022-02-27 12:03:20 +01:00
parent b901e63b4d
commit 7c8c606061
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
5 changed files with 33 additions and 18 deletions


@ -44,6 +44,7 @@ struct trustitem_s
int relax:1; /* Relax checking of root certificate
constraints. */
int cm:1; /* Use chain model for validation. */
int qual:1; /* Root CA for qualified signatures. */
} flags;
unsigned char fpr[20]; /* The binary fingerprint. */
};
@ -128,7 +129,7 @@ clear_trusttable (void)
static gpg_error_t
read_one_trustfile (const char *fname, int allow_include,
read_one_trustfile (const char *fname, int systrust,
trustitem_t **addr_of_table,
size_t *addr_of_tablesize,
int *addr_of_tableidx)
@ -187,7 +188,7 @@ read_one_trustfile (const char *fname, int allow_include,
gpg_error_t err2;
gpg_err_code_t ec;
if (!allow_include)
if (systrust)
{
log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
"include-default", fname, lnr);
@ -207,7 +208,7 @@ read_one_trustfile (const char *fname, int allow_include,
}
else
{
err2 = read_one_trustfile (etcname, 0,
err2 = read_one_trustfile (etcname, 1,
&table, &tablesize, &tableidx);
if (err2)
err = err2;
@ -303,6 +304,8 @@ read_one_trustfile (const char *fname, int allow_include,
ti->flags.relax = 1;
else if (n == 2 && !memcmp (p, "cm", 2))
ti->flags.cm = 1;
else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
ti->flags.qual = 1;
else
log_error ("flag '%.*s' in '%s', line %d ignored\n",
n, p, fname, lnr);
@ -336,7 +339,7 @@ read_trustfiles (void)
int tableidx;
size_t tablesize;
char *fname;
int allow_include = 1;
int systrust = 0;
gpg_err_code_t ec;
tablesize = 20;
@ -364,10 +367,9 @@ read_trustfiles (void)
}
xfree (fname);
fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
allow_include = 0;
systrust = 1;
}
err = read_one_trustfile (fname, allow_include,
&table, &tablesize, &tableidx);
err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx);
xfree (fname);
if (err)
@ -449,17 +451,17 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
in a locked state. */
if (already_locked)
;
else if (ti->flags.relax)
else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
{
unlock_trusttable ();
locked = 0;
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);
}
else if (ti->flags.cm)
{
unlock_trusttable ();
locked = 0;
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL);
err = 0;
if (ti->flags.relax)
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL);
if (!err && ti->flags.cm)
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
if (!err && ti->flags.qual)
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
}
if (!err)
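Review bot: The `systrust` gate on the new flag at `else if (n == 4 && !memcmp (p, "qual", 4) && systrust)` is the security-relevant part of this hunk, but nothing in the code says so: a `qual` in a user's own trustlist.txt falls through to the generic `flag '%.*s' in '%s', line %d ignored` message, and a later maintainer may "simplify" the condition away. I would put a comment above that branch, `/* "qual" is honoured only in the system-wide list: a user-writable trustlist.txt must not be able to mark a root CA as a qualified-signature root. */`, and give the user-list case its own log line stating that reason instead of the generic one. The header comment of `read_one_trustfile` (outside the hunk) should also describe the renamed `systrust` argument, including that it now both enables `qual` and disables `include-default` when reading the system file. `read_one_trustfile` and `istrusted_internal` both start and end outside their hunks.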


@ -792,6 +792,12 @@ CRL checking for the root certificate.
If validation of a certificate finally issued by a CA with this flag set
fails, try again using the chain validation model.
@item qual
The CA is allowed to issue certificates for qualified signatures.
This flag has an effect only if used in the global list. This is now
the preferred way to mark such CA; the old way of having a separate
file @file{qualified.txt} is still supported.
@end table


@ -888,6 +888,8 @@ istrusted_status_cb (void *opaque, const char *line)
flags->relax = 1;
else if (has_leading_keyword (line, "cm"))
flags->chain_model = 1;
else if (has_leading_keyword (line, "qual"))
flags->qualified = 1;
}
return 0;
}


@ -1715,8 +1715,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
else
{
/* Need to consult the list of root certificates for
qualified signatures. */
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
qualified signatures. But first we check the
modern way by looking at the root ca flag. */
if (rootca_flags->qualified)
err = 0;
else
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
if (!err)
is_qualified = 1;
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
@ -2113,7 +2117,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
do_validate_chain. This function is a wrapper to handle a root
certificate with the chain_model flag set. If RETFLAGS is not
NULL, flags indicating now the verification was done are stored
there. The only defined vits for RETFLAGS are
there. The only defined bits for RETFLAGS are
VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.
If you are verifying a signature you should set CHECKTIME to the
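Review bot: The new `if (rootca_flags->qualified) err = 0;` branch makes the agent's TRUSTLISTFLAG the authority for qualified signatures, and the comment `But first we check the modern way by looking at the root ca flag.` does not say why that is safe; the agent sets `qual` only for entries of the system-wide trustlist (the `systrust` check in agent/trustlist.c in this commit), which is what puts it on a par with the system-wide qualified.txt. I would replace the comment with `/* Prefer the "qual" trustlist flag: the agent sets it only for entries of the system-wide list, so it is as authoritative as qualified.txt, which remains the fallback. */`. If `rootca_flags` can be NULL on this path (its origin is not visible in the hunk), the dereference needs a guard. `do_validate_chain` starts and ends outside the hunk.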


@ -268,6 +268,7 @@ struct rootca_flags_s
information. */
unsigned int relax:1; /* Relax checking of root certificates. */
unsigned int chain_model:1; /* Root requires the use of the chain model. */
unsigned int qualified:1; /* Root CA used for qualfied signatures. */
};
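Review bot: The comment on the new bit-field has a typo, `qualfied`; the line should read `unsigned int qualified:1; /* Root CA used for qualified signatures. */`. It would also help readers to say where the bit comes from, since the struct is filled from the agent's TRUSTLISTFLAG status lines in `istrusted_status_cb` in this commit, e.g. `/* Root CA may be used for qualified signatures (agent "qual" flag). */`. The struct definition starts outside the hunk.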