agent: New flag "qual" for the trustlist.txt.

* agent/trustlist.c (struct trustitem_s): Add flag "qual". (read_one_trustfile): Rename arg "allow_include" to "systrust" and change callers. Parse new flag "qual". (istrusted_internal): Print all flags. * sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag. * sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified". * sm/certchain.c (do_validate_chain): Take care of the qualified flag.
2025-07-02 22:46:30 +02:00 · 2022-02-27 12:03:20 +01:00 · 2022-02-27 12:03:20 +01:00 · 7c8c606061
commit 7c8c606061
parent b901e63b4d
5 changed files with 33 additions and 18 deletions
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@ -888,6 +888,8 @@ istrusted_status_cb (void *opaque, const char *line)
        flags->relax = 1;
      else if (has_leading_keyword (line, "cm"))
        flags->chain_model = 1;
+      else if (has_leading_keyword (line, "qual"))
+        flags->qualified = 1;
    }
  return 0;
 }
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -1715,8 +1715,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
              else
                {
                  /* Need to consult the list of root certificates for
-                     qualified signatures. */
-                  err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
+                     qualified signatures.  But first we check the
+                     modern way by looking at the root ca flag.  */
+                  if (rootca_flags->qualified)
+                    err = 0;
+                  else
+                    err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
                  if (!err)
                    is_qualified = 1;
                  else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
@ -2113,7 +2117,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
   do_validate_chain.  This function is a wrapper to handle a root
   certificate with the chain_model flag set.  If RETFLAGS is not
   NULL, flags indicating now the verification was done are stored
-   there.  The only defined vits for RETFLAGS are
+   there.  The only defined bits for RETFLAGS are
   VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.

   If you are verifying a signature you should set CHECKTIME to the
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -268,6 +268,7 @@ struct rootca_flags_s
                            information.  */
  unsigned int relax:1;  /* Relax checking of root certificates.  */
  unsigned int chain_model:1; /* Root requires the use of the chain model.  */
+  unsigned int qualified:1;   /* Root CA used for qualfied signatures.   */
 };