mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
agent: New flag "qual" for the trustlist.txt.
* agent/trustlist.c (struct trustitem_s): Add flag "qual". (read_one_trustfile): Rename arg "allow_include" to "systrust" and change callers. Parse new flag "qual". (istrusted_internal): Print all flags. * sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag. * sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified". * sm/certchain.c (do_validate_chain): Take care of the qualified flag.
This commit is contained in:
parent
b901e63b4d
commit
7c8c606061
@ -44,6 +44,7 @@ struct trustitem_s
|
||||
int relax:1; /* Relax checking of root certificate
|
||||
constraints. */
|
||||
int cm:1; /* Use chain model for validation. */
|
||||
int qual:1; /* Root CA for qualified signatures. */
|
||||
} flags;
|
||||
unsigned char fpr[20]; /* The binary fingerprint. */
|
||||
};
|
||||
@ -128,7 +129,7 @@ clear_trusttable (void)
|
||||
|
||||
|
||||
static gpg_error_t
|
||||
read_one_trustfile (const char *fname, int allow_include,
|
||||
read_one_trustfile (const char *fname, int systrust,
|
||||
trustitem_t **addr_of_table,
|
||||
size_t *addr_of_tablesize,
|
||||
int *addr_of_tableidx)
|
||||
@ -187,7 +188,7 @@ read_one_trustfile (const char *fname, int allow_include,
|
||||
gpg_error_t err2;
|
||||
gpg_err_code_t ec;
|
||||
|
||||
if (!allow_include)
|
||||
if (systrust)
|
||||
{
|
||||
log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
|
||||
"include-default", fname, lnr);
|
||||
@ -207,7 +208,7 @@ read_one_trustfile (const char *fname, int allow_include,
|
||||
}
|
||||
else
|
||||
{
|
||||
err2 = read_one_trustfile (etcname, 0,
|
||||
err2 = read_one_trustfile (etcname, 1,
|
||||
&table, &tablesize, &tableidx);
|
||||
if (err2)
|
||||
err = err2;
|
||||
@ -303,6 +304,8 @@ read_one_trustfile (const char *fname, int allow_include,
|
||||
ti->flags.relax = 1;
|
||||
else if (n == 2 && !memcmp (p, "cm", 2))
|
||||
ti->flags.cm = 1;
|
||||
else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
|
||||
ti->flags.qual = 1;
|
||||
else
|
||||
log_error ("flag '%.*s' in '%s', line %d ignored\n",
|
||||
n, p, fname, lnr);
|
||||
@ -336,7 +339,7 @@ read_trustfiles (void)
|
||||
int tableidx;
|
||||
size_t tablesize;
|
||||
char *fname;
|
||||
int allow_include = 1;
|
||||
int systrust = 0;
|
||||
gpg_err_code_t ec;
|
||||
|
||||
tablesize = 20;
|
||||
@ -364,10 +367,9 @@ read_trustfiles (void)
|
||||
}
|
||||
xfree (fname);
|
||||
fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
|
||||
allow_include = 0;
|
||||
systrust = 1;
|
||||
}
|
||||
err = read_one_trustfile (fname, allow_include,
|
||||
&table, &tablesize, &tableidx);
|
||||
err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx);
|
||||
xfree (fname);
|
||||
|
||||
if (err)
|
||||
@ -449,17 +451,17 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
|
||||
in a locked state. */
|
||||
if (already_locked)
|
||||
;
|
||||
else if (ti->flags.relax)
|
||||
else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
|
||||
{
|
||||
unlock_trusttable ();
|
||||
locked = 0;
|
||||
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);
|
||||
}
|
||||
else if (ti->flags.cm)
|
||||
{
|
||||
unlock_trusttable ();
|
||||
locked = 0;
|
||||
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL);
|
||||
err = 0;
|
||||
if (ti->flags.relax)
|
||||
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL);
|
||||
if (!err && ti->flags.cm)
|
||||
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
|
||||
if (!err && ti->flags.qual)
|
||||
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
|
||||
}
|
||||
|
||||
if (!err)
|
||||
|
@ -792,6 +792,12 @@ CRL checking for the root certificate.
|
||||
If validation of a certificate finally issued by a CA with this flag set
|
||||
fails, try again using the chain validation model.
|
||||
|
||||
@item qual
|
||||
The CA is allowed to issue certificates for qualified signatures.
|
||||
This flag has an effect only if used in the global list. This is now
|
||||
the preferred way to mark such CA; the old way of having a separate
|
||||
file @file{qualified.txt} is still supported.
|
||||
|
||||
@end table
|
||||
|
||||
|
||||
|
@ -888,6 +888,8 @@ istrusted_status_cb (void *opaque, const char *line)
|
||||
flags->relax = 1;
|
||||
else if (has_leading_keyword (line, "cm"))
|
||||
flags->chain_model = 1;
|
||||
else if (has_leading_keyword (line, "qual"))
|
||||
flags->qualified = 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -1715,7 +1715,11 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
|
||||
else
|
||||
{
|
||||
/* Need to consult the list of root certificates for
|
||||
qualified signatures. */
|
||||
qualified signatures. But first we check the
|
||||
modern way by looking at the root ca flag. */
|
||||
if (rootca_flags->qualified)
|
||||
err = 0;
|
||||
else
|
||||
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
|
||||
if (!err)
|
||||
is_qualified = 1;
|
||||
@ -2113,7 +2117,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
|
||||
do_validate_chain. This function is a wrapper to handle a root
|
||||
certificate with the chain_model flag set. If RETFLAGS is not
|
||||
NULL, flags indicating now the verification was done are stored
|
||||
there. The only defined vits for RETFLAGS are
|
||||
there. The only defined bits for RETFLAGS are
|
||||
VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.
|
||||
|
||||
If you are verifying a signature you should set CHECKTIME to the
|
||||
|
@ -268,6 +268,7 @@ struct rootca_flags_s
|
||||
information. */
|
||||
unsigned int relax:1; /* Relax checking of root certificates. */
|
||||
unsigned int chain_model:1; /* Root requires the use of the chain model. */
|
||||
unsigned int qualified:1; /* Root CA used for qualfied signatures. */
|
||||
};
|
||||
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user