1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

agent: New flag "qual" for the trustlist.txt.

* agent/trustlist.c (struct trustitem_s): Add flag "qual".
(read_one_trustfile): Rename arg "allow_include" to "systrust" and
change callers.  Parse new flag "qual".
(istrusted_internal): Print all flags.
* sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag.
* sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified".
* sm/certchain.c (do_validate_chain): Take care of the qualified flag.
This commit is contained in:
Werner Koch 2022-02-27 12:03:20 +01:00
parent b901e63b4d
commit 7c8c606061
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
5 changed files with 33 additions and 18 deletions

View File

@ -44,6 +44,7 @@ struct trustitem_s
int relax:1; /* Relax checking of root certificate int relax:1; /* Relax checking of root certificate
constraints. */ constraints. */
int cm:1; /* Use chain model for validation. */ int cm:1; /* Use chain model for validation. */
int qual:1; /* Root CA for qualified signatures. */
} flags; } flags;
unsigned char fpr[20]; /* The binary fingerprint. */ unsigned char fpr[20]; /* The binary fingerprint. */
}; };
@ -128,7 +129,7 @@ clear_trusttable (void)
static gpg_error_t static gpg_error_t
read_one_trustfile (const char *fname, int allow_include, read_one_trustfile (const char *fname, int systrust,
trustitem_t **addr_of_table, trustitem_t **addr_of_table,
size_t *addr_of_tablesize, size_t *addr_of_tablesize,
int *addr_of_tableidx) int *addr_of_tableidx)
@ -187,7 +188,7 @@ read_one_trustfile (const char *fname, int allow_include,
gpg_error_t err2; gpg_error_t err2;
gpg_err_code_t ec; gpg_err_code_t ec;
if (!allow_include) if (systrust)
{ {
log_error (_("statement \"%s\" ignored in '%s', line %d\n"), log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
"include-default", fname, lnr); "include-default", fname, lnr);
@ -207,7 +208,7 @@ read_one_trustfile (const char *fname, int allow_include,
} }
else else
{ {
err2 = read_one_trustfile (etcname, 0, err2 = read_one_trustfile (etcname, 1,
&table, &tablesize, &tableidx); &table, &tablesize, &tableidx);
if (err2) if (err2)
err = err2; err = err2;
@ -303,6 +304,8 @@ read_one_trustfile (const char *fname, int allow_include,
ti->flags.relax = 1; ti->flags.relax = 1;
else if (n == 2 && !memcmp (p, "cm", 2)) else if (n == 2 && !memcmp (p, "cm", 2))
ti->flags.cm = 1; ti->flags.cm = 1;
else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
ti->flags.qual = 1;
else else
log_error ("flag '%.*s' in '%s', line %d ignored\n", log_error ("flag '%.*s' in '%s', line %d ignored\n",
n, p, fname, lnr); n, p, fname, lnr);
@ -336,7 +339,7 @@ read_trustfiles (void)
int tableidx; int tableidx;
size_t tablesize; size_t tablesize;
char *fname; char *fname;
int allow_include = 1; int systrust = 0;
gpg_err_code_t ec; gpg_err_code_t ec;
tablesize = 20; tablesize = 20;
@ -364,10 +367,9 @@ read_trustfiles (void)
} }
xfree (fname); xfree (fname);
fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL); fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
allow_include = 0; systrust = 1;
} }
err = read_one_trustfile (fname, allow_include, err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx);
&table, &tablesize, &tableidx);
xfree (fname); xfree (fname);
if (err) if (err)
@ -449,17 +451,17 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
in a locked state. */ in a locked state. */
if (already_locked) if (already_locked)
; ;
else if (ti->flags.relax) else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
{ {
unlock_trusttable (); unlock_trusttable ();
locked = 0; locked = 0;
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL); err = 0;
} if (ti->flags.relax)
else if (ti->flags.cm) err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL);
{ if (!err && ti->flags.cm)
unlock_trusttable (); err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
locked = 0; if (!err && ti->flags.qual)
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL); err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
} }
if (!err) if (!err)

View File

@ -792,6 +792,12 @@ CRL checking for the root certificate.
If validation of a certificate finally issued by a CA with this flag set If validation of a certificate finally issued by a CA with this flag set
fails, try again using the chain validation model. fails, try again using the chain validation model.
@item qual
The CA is allowed to issue certificates for qualified signatures.
This flag has an effect only if used in the global list. This is now
the preferred way to mark such CA; the old way of having a separate
file @file{qualified.txt} is still supported.
@end table @end table

View File

@ -888,6 +888,8 @@ istrusted_status_cb (void *opaque, const char *line)
flags->relax = 1; flags->relax = 1;
else if (has_leading_keyword (line, "cm")) else if (has_leading_keyword (line, "cm"))
flags->chain_model = 1; flags->chain_model = 1;
else if (has_leading_keyword (line, "qual"))
flags->qualified = 1;
} }
return 0; return 0;
} }

View File

@ -1715,8 +1715,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
else else
{ {
/* Need to consult the list of root certificates for /* Need to consult the list of root certificates for
qualified signatures. */ qualified signatures. But first we check the
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL); modern way by looking at the root ca flag. */
if (rootca_flags->qualified)
err = 0;
else
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
if (!err) if (!err)
is_qualified = 1; is_qualified = 1;
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND) else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
@ -2113,7 +2117,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
do_validate_chain. This function is a wrapper to handle a root do_validate_chain. This function is a wrapper to handle a root
certificate with the chain_model flag set. If RETFLAGS is not certificate with the chain_model flag set. If RETFLAGS is not
NULL, flags indicating now the verification was done are stored NULL, flags indicating now the verification was done are stored
there. The only defined vits for RETFLAGS are there. The only defined bits for RETFLAGS are
VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED. VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.
If you are verifying a signature you should set CHECKTIME to the If you are verifying a signature you should set CHECKTIME to the

View File

@ -268,6 +268,7 @@ struct rootca_flags_s
information. */ information. */
unsigned int relax:1; /* Relax checking of root certificates. */ unsigned int relax:1; /* Relax checking of root certificates. */
unsigned int chain_model:1; /* Root requires the use of the chain model. */ unsigned int chain_model:1; /* Root requires the use of the chain model. */
unsigned int qualified:1; /* Root CA used for qualfied signatures. */
}; };