From 7c8c6060616ab91f5490e91a0fb9efc9aee9f58e Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Sun, 27 Feb 2022 12:03:20 +0100 Subject: [PATCH] agent: New flag "qual" for the trustlist.txt. * agent/trustlist.c (struct trustitem_s): Add flag "qual". (read_one_trustfile): Rename arg "allow_include" to "systrust" and change callers. Parse new flag "qual". (istrusted_internal): Print all flags. * sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag. * sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified". * sm/certchain.c (do_validate_chain): Take care of the qualified flag. --- agent/trustlist.c | 32 +++++++++++++++++--------------- doc/gpg-agent.texi | 6 ++++++ sm/call-agent.c | 2 ++ sm/certchain.c | 10 +++++++--- sm/gpgsm.h | 1 + 5 files changed, 33 insertions(+), 18 deletions(-) diff --git a/agent/trustlist.c b/agent/trustlist.c index 087afbd51..53d759fcd 100644 --- a/agent/trustlist.c +++ b/agent/trustlist.c @@ -44,6 +44,7 @@ struct trustitem_s int relax:1; /* Relax checking of root certificate constraints. */ int cm:1; /* Use chain model for validation. */ + int qual:1; /* Root CA for qualified signatures. */ } flags; unsigned char fpr[20]; /* The binary fingerprint. */ }; @@ -128,7 +129,7 @@ clear_trusttable (void) static gpg_error_t -read_one_trustfile (const char *fname, int allow_include, +read_one_trustfile (const char *fname, int systrust, trustitem_t **addr_of_table, size_t *addr_of_tablesize, int *addr_of_tableidx) @@ -187,7 +188,7 @@ read_one_trustfile (const char *fname, int allow_include, gpg_error_t err2; gpg_err_code_t ec; - if (!allow_include) + if (systrust) { log_error (_("statement \"%s\" ignored in '%s', line %d\n"), "include-default", fname, lnr); @@ -207,7 +208,7 @@ read_one_trustfile (const char *fname, int allow_include, } else { - err2 = read_one_trustfile (etcname, 0, + err2 = read_one_trustfile (etcname, 1, &table, &tablesize, &tableidx); if (err2) err = err2; @@ -303,6 +304,8 @@ read_one_trustfile (const char *fname, int allow_include, ti->flags.relax = 1; else if (n == 2 && !memcmp (p, "cm", 2)) ti->flags.cm = 1; + else if (n == 4 && !memcmp (p, "qual", 4) && systrust) + ti->flags.qual = 1; else log_error ("flag '%.*s' in '%s', line %d ignored\n", n, p, fname, lnr); @@ -336,7 +339,7 @@ read_trustfiles (void) int tableidx; size_t tablesize; char *fname; - int allow_include = 1; + int systrust = 0; gpg_err_code_t ec; tablesize = 20; @@ -364,10 +367,9 @@ read_trustfiles (void) } xfree (fname); fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL); - allow_include = 0; + systrust = 1; } - err = read_one_trustfile (fname, allow_include, - &table, &tablesize, &tableidx); + err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx); xfree (fname); if (err) @@ -449,17 +451,17 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled, in a locked state. */ if (already_locked) ; - else if (ti->flags.relax) + else if (ti->flags.relax || ti->flags.cm || ti->flags.qual) { unlock_trusttable (); locked = 0; - err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL); - } - else if (ti->flags.cm) - { - unlock_trusttable (); - locked = 0; - err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL); + err = 0; + if (ti->flags.relax) + err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL); + if (!err && ti->flags.cm) + err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL); + if (!err && ti->flags.qual) + err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL); } if (!err) diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 6c2330dc6..6a3f0bf19 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -792,6 +792,12 @@ CRL checking for the root certificate. If validation of a certificate finally issued by a CA with this flag set fails, try again using the chain validation model. +@item qual +The CA is allowed to issue certificates for qualified signatures. +This flag has an effect only if used in the global list. This is now +the preferred way to mark such CA; the old way of having a separate +file @file{qualified.txt} is still supported. + @end table diff --git a/sm/call-agent.c b/sm/call-agent.c index 6373829e8..06319cf62 100644 --- a/sm/call-agent.c +++ b/sm/call-agent.c @@ -888,6 +888,8 @@ istrusted_status_cb (void *opaque, const char *line) flags->relax = 1; else if (has_leading_keyword (line, "cm")) flags->chain_model = 1; + else if (has_leading_keyword (line, "qual")) + flags->qualified = 1; } return 0; } diff --git a/sm/certchain.c b/sm/certchain.c index ee17599d1..4050680e8 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -1715,8 +1715,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, else { /* Need to consult the list of root certificates for - qualified signatures. */ - err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL); + qualified signatures. But first we check the + modern way by looking at the root ca flag. */ + if (rootca_flags->qualified) + err = 0; + else + err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL); if (!err) is_qualified = 1; else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND) @@ -2113,7 +2117,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, do_validate_chain. This function is a wrapper to handle a root certificate with the chain_model flag set. If RETFLAGS is not NULL, flags indicating now the verification was done are stored - there. The only defined vits for RETFLAGS are + there. The only defined bits for RETFLAGS are VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED. If you are verifying a signature you should set CHECKTIME to the diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 6dc5927b7..acb9332ba 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -268,6 +268,7 @@ struct rootca_flags_s information. */ unsigned int relax:1; /* Relax checking of root certificates. */ unsigned int chain_model:1; /* Root requires the use of the chain model. */ + unsigned int qualified:1; /* Root CA used for qualfied signatures. */ };