agent: New flag "qual" for the trustlist.txt.
* agent/trustlist.c (struct trustitem_s): Add flag "qual". (read_one_trustfile): Rename arg "allow_include" to "systrust" and change callers. Parse new flag "qual". (istrusted_internal): Print all flags. * sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag. * sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified". * sm/certchain.c (do_validate_chain): Take care of the qualified flag.
This commit is contained in:
parent
b901e63b4d
commit
7c8c606061
@ -44,6 +44,7 @@ struct trustitem_s
|
|||||||
int relax:1; /* Relax checking of root certificate
|
int relax:1; /* Relax checking of root certificate
|
||||||
constraints. */
|
constraints. */
|
||||||
int cm:1; /* Use chain model for validation. */
|
int cm:1; /* Use chain model for validation. */
|
||||||
|
int qual:1; /* Root CA for qualified signatures. */
|
||||||
} flags;
|
} flags;
|
||||||
unsigned char fpr[20]; /* The binary fingerprint. */
|
unsigned char fpr[20]; /* The binary fingerprint. */
|
||||||
};
|
};
|
||||||
@ -128,7 +129,7 @@ clear_trusttable (void)
|
|||||||
|
|
||||||
|
|
||||||
static gpg_error_t
|
static gpg_error_t
|
||||||
read_one_trustfile (const char *fname, int allow_include,
|
read_one_trustfile (const char *fname, int systrust,
|
||||||
trustitem_t **addr_of_table,
|
trustitem_t **addr_of_table,
|
||||||
size_t *addr_of_tablesize,
|
size_t *addr_of_tablesize,
|
||||||
int *addr_of_tableidx)
|
int *addr_of_tableidx)
|
||||||
@ -187,7 +188,7 @@ read_one_trustfile (const char *fname, int allow_include,
|
|||||||
gpg_error_t err2;
|
gpg_error_t err2;
|
||||||
gpg_err_code_t ec;
|
gpg_err_code_t ec;
|
||||||
|
|
||||||
if (!allow_include)
|
if (systrust)
|
||||||
{
|
{
|
||||||
log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
|
log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
|
||||||
"include-default", fname, lnr);
|
"include-default", fname, lnr);
|
||||||
@ -207,7 +208,7 @@ read_one_trustfile (const char *fname, int allow_include,
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
err2 = read_one_trustfile (etcname, 0,
|
err2 = read_one_trustfile (etcname, 1,
|
||||||
&table, &tablesize, &tableidx);
|
&table, &tablesize, &tableidx);
|
||||||
if (err2)
|
if (err2)
|
||||||
err = err2;
|
err = err2;
|
||||||
@ -303,6 +304,8 @@ read_one_trustfile (const char *fname, int allow_include,
|
|||||||
ti->flags.relax = 1;
|
ti->flags.relax = 1;
|
||||||
else if (n == 2 && !memcmp (p, "cm", 2))
|
else if (n == 2 && !memcmp (p, "cm", 2))
|
||||||
ti->flags.cm = 1;
|
ti->flags.cm = 1;
|
||||||
|
else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
|
||||||
|
ti->flags.qual = 1;
|
||||||
else
|
else
|
||||||
log_error ("flag '%.*s' in '%s', line %d ignored\n",
|
log_error ("flag '%.*s' in '%s', line %d ignored\n",
|
||||||
n, p, fname, lnr);
|
n, p, fname, lnr);
|
||||||
@ -336,7 +339,7 @@ read_trustfiles (void)
|
|||||||
int tableidx;
|
int tableidx;
|
||||||
size_t tablesize;
|
size_t tablesize;
|
||||||
char *fname;
|
char *fname;
|
||||||
int allow_include = 1;
|
int systrust = 0;
|
||||||
gpg_err_code_t ec;
|
gpg_err_code_t ec;
|
||||||
|
|
||||||
tablesize = 20;
|
tablesize = 20;
|
||||||
@ -364,10 +367,9 @@ read_trustfiles (void)
|
|||||||
}
|
}
|
||||||
xfree (fname);
|
xfree (fname);
|
||||||
fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
|
fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
|
||||||
allow_include = 0;
|
systrust = 1;
|
||||||
}
|
}
|
||||||
err = read_one_trustfile (fname, allow_include,
|
err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx);
|
||||||
&table, &tablesize, &tableidx);
|
|
||||||
xfree (fname);
|
xfree (fname);
|
||||||
|
|
||||||
if (err)
|
if (err)
|
||||||
@ -449,17 +451,17 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
|
|||||||
in a locked state. */
|
in a locked state. */
|
||||||
if (already_locked)
|
if (already_locked)
|
||||||
;
|
;
|
||||||
else if (ti->flags.relax)
|
else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
|
||||||
{
|
{
|
||||||
unlock_trusttable ();
|
unlock_trusttable ();
|
||||||
locked = 0;
|
locked = 0;
|
||||||
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);
|
err = 0;
|
||||||
}
|
if (ti->flags.relax)
|
||||||
else if (ti->flags.cm)
|
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL);
|
||||||
{
|
if (!err && ti->flags.cm)
|
||||||
unlock_trusttable ();
|
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
|
||||||
locked = 0;
|
if (!err && ti->flags.qual)
|
||||||
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL);
|
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!err)
|
if (!err)
|
||||||
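Review bot: In read_one_trustfile the new `qual` branch is gated on `systrust`, so a `qual` flag in a per-user trustlist.txt falls through to the generic `flag '%.*s' in '%s', line %d ignored` message, which reads like an unknown-flag error rather than the deliberate refusal to let a user file mark a root as qualified. The gate is the right call — only the system-wide list should be able to grant qualified status — but it deserves a comment and its own diagnostic, as below. Separately, the three new agent_write_status calls in istrusted_internal drop the spaces after commas (`ctrl,"TRUSTLISTFLAG", "relax",NULL`) unlike the surrounding code; `err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);` matches the file's style. Both read_one_trustfile and istrusted_internal begin and end outside the hunks shown.
```c
          else if (n == 4 && !memcmp (p, "qual", 4))
            {
              /* Only the system-wide trustlist may mark a root CA as
                 qualified; a per-user list must not be able to.  */
              if (systrust)
                ti->flags.qual = 1;
              else
                log_error ("flag 'qual' in '%s', line %d ignored:"
                           " only allowed in the system trustlist\n",
                           fname, lnr);
            }
          else
            /* … unchanged: generic unknown-flag message … */
```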
|
@ -792,6 +792,12 @@ CRL checking for the root certificate.
|
|||||||
If validation of a certificate finally issued by a CA with this flag set
|
If validation of a certificate finally issued by a CA with this flag set
|
||||||
fails, try again using the chain validation model.
|
fails, try again using the chain validation model.
|
||||||
|
|
||||||
|
@item qual
|
||||||
|
The CA is allowed to issue certificates for qualified signatures.
|
||||||
|
This flag has an effect only if used in the global list. This is now
|
||||||
|
the preferred way to mark such CA; the old way of having a separate
|
||||||
|
file @file{qualified.txt} is still supported.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
|
|
||||||
|
@ -888,6 +888,8 @@ istrusted_status_cb (void *opaque, const char *line)
|
|||||||
flags->relax = 1;
|
flags->relax = 1;
|
||||||
else if (has_leading_keyword (line, "cm"))
|
else if (has_leading_keyword (line, "cm"))
|
||||||
flags->chain_model = 1;
|
flags->chain_model = 1;
|
||||||
|
else if (has_leading_keyword (line, "qual"))
|
||||||
|
flags->qualified = 1;
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
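Review bot: The new `flags->qualified = 1;` branch in istrusted_status_cb carries no comment on where the flag originates, yet it later short-circuits the qualified.txt lookup in do_validate_chain, so a reader should know the agent emits `TRUSTLISTFLAG qual` only for entries of the system-wide trustlist (agent/trustlist.c accepts `qual` only when `systrust` is set). Suggest `/* Set only from the system trustlist; see agent/trustlist.c.  */` above the branch. istrusted_status_cb's opening is outside the hunk, so whether `flags` is zeroed before the status lines are parsed is not visible here.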
|
@ -1715,8 +1715,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* Need to consult the list of root certificates for
|
/* Need to consult the list of root certificates for
|
||||||
qualified signatures. */
|
qualified signatures. But first we check the
|
||||||
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
|
modern way by looking at the root ca flag. */
|
||||||
|
if (rootca_flags->qualified)
|
||||||
|
err = 0;
|
||||||
|
else
|
||||||
|
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
|
||||||
if (!err)
|
if (!err)
|
||||||
is_qualified = 1;
|
is_qualified = 1;
|
||||||
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
|
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
|
||||||
@ -2113,7 +2117,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
|
|||||||
do_validate_chain. This function is a wrapper to handle a root
|
do_validate_chain. This function is a wrapper to handle a root
|
||||||
certificate with the chain_model flag set. If RETFLAGS is not
|
certificate with the chain_model flag set. If RETFLAGS is not
|
||||||
NULL, flags indicating now the verification was done are stored
|
NULL, flags indicating now the verification was done are stored
|
||||||
there. The only defined vits for RETFLAGS are
|
there. The only defined bits for RETFLAGS are
|
||||||
VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.
|
VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.
|
||||||
|
|
||||||
If you are verifying a signature you should set CHECKTIME to the
|
If you are verifying a signature you should set CHECKTIME to the
|
||||||
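Review bot: The four-line if/else in do_validate_chain that only assigns `err` reads more clearly as a single statement, `err = rootca_flags->qualified ? 0 : gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);`, and the comment above it should state the precedence explicitly: the trustlist `qual` flag is sufficient on its own, and qualified.txt is consulted only when that flag is absent. `rootca_flags` is dereferenced unconditionally on this path; do_validate_chain begins and ends outside the hunk, so confirm it cannot be NULL by the time this branch is reached.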
|
@ -268,6 +268,7 @@ struct rootca_flags_s
|
|||||||
information. */
|
information. */
|
||||||
unsigned int relax:1; /* Relax checking of root certificates. */
|
unsigned int relax:1; /* Relax checking of root certificates. */
|
||||||
unsigned int chain_model:1; /* Root requires the use of the chain model. */
|
unsigned int chain_model:1; /* Root requires the use of the chain model. */
|
||||||
|
unsigned int qualified:1; /* Root CA used for qualfied signatures. */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
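Review bot: The comment on the added `qualified` bit-field has a typo, `qualfied`; `unsigned int qualified:1; /* Root CA used for qualified signatures. */`. The agent-side counterpart in agent/trustlist.c is declared `int qual:1`, so the two structs use different base types for the same flag — harmless while both are only ever tested for truth, but worth keeping in mind if either is ever compared to 1.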
|