agent: New flag "qual" for the trustlist.txt.

* agent/trustlist.c (struct trustitem_s): Add flag "qual".
(read_one_trustfile): Rename arg "allow_include" to "systrust" and
change callers.  Parse new flag "qual".
(istrusted_internal): Print all flags.
* sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag.
* sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified".
* sm/certchain.c (do_validate_chain): Take care of the qualified flag.
--

(cherry picked from commit 7c8c606061)
Werner Koch 2022-02-27 12:03:20 +01:00
parent 3d3b941ce9
commit 7e320a89c2
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
5 changed files with 26 additions and 10 deletions


@ -45,6 +45,7 @@ struct trustitem_s
int relax:1; /* Relax checking of root certificate
constraints. */
int cm:1; /* Use chain model for validation. */
int qual:1; /* Root CA for qualified signatures. */
} flags;
unsigned char fpr[20]; /* The binary fingerprint. */
};
@ -322,6 +323,8 @@ read_one_trustfile (const char *fname, int systrust,
ti->flags.relax = 1;
else if (n == 2 && !memcmp (p, "cm", 2))
ti->flags.cm = 1;
else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
ti->flags.qual = 1;
else
log_error ("flag '%.*s' in '%s', line %d ignored\n",
n, p, fname, lnr);
@ -474,17 +477,17 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
in a locked state. */
if (already_locked)
;
else if (ti->flags.relax)
else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
{
unlock_trusttable ();
locked = 0;
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);
}
else if (ti->flags.cm)
{
unlock_trusttable ();
locked = 0;
err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL);
err = 0;
if (ti->flags.relax)
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL);
if (!err && ti->flags.cm)
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
if (!err && ti->flags.qual)
err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
}
if (!err)
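Review bot: In the third hunk (istrusted_internal) the new code reads `ti->flags.relax`, `ti->flags.cm` and `ti->flags.qual` after `unlock_trusttable ()` and between up to three `agent_write_status` calls, whereas the old branches picked the flag while the table was still locked. If `ti` points into the table guarded by that lock and a reload can run while a status write blocks, those reads could see a freed or replaced entry, and the trust flags reported to the caller would come from stale memory. Taking a snapshot before unlocking avoids this: `const int f_relax = ti->flags.relax, f_cm = ti->flags.cm, f_qual = ti->flags.qual;`, with the three `if` tests then using the locals. The function starts and ends outside the hunk, so the lifetime of `ti` should be confirmed there.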


@ -823,6 +823,12 @@ CRL checking for the root certificate.
If validation of a certificate finally issued by a CA with this flag set
fails, try again using the chain validation model.
@item qual
The CA is allowed to issue certificates for qualified signatures.
This flag has an effect only if used in the global list. This is now
the preferred way to mark such CA; the old way of having a separate
file @file{qualified.txt} is still supported.
@end table


@ -872,6 +872,8 @@ istrusted_status_cb (void *opaque, const char *line)
flags->relax = 1;
else if (has_leading_keyword (line, "cm"))
flags->chain_model = 1;
else if (has_leading_keyword (line, "qual"))
flags->qualified = 1;
}
return 0;
}


@ -1727,8 +1727,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
else
{
/* Need to consult the list of root certificates for
qualified signatures. */
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
qualified signatures. But first we check the
modern way by looking at the root ca flag. */
if (rootca_flags->qualified)
err = 0;
else
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
if (!err)
is_qualified = 1;
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND )
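Review bot: The new `if (rootca_flags->qualified) err = 0;` shortcut makes a trust decision from the flag structure alone, and the hunk does not show that the structure was filled by a successful agent lookup for this `subject_cert`. If `struct rootca_flags_s` carries a validity bit (the comment fragment `information. */` in the sm/gpgsm.h hunk suggests one, presumably `valid`; to be confirmed), the test would be safer as `if (rootca_flags->valid && rootca_flags->qualified)`. A short comment on where the flag comes from would also help, e.g. `/* Set by the agent only for entries of the global trustlist. */`. do_validate_chain begins and ends outside the hunk.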


@ -261,6 +261,7 @@ struct rootca_flags_s
information. */
unsigned int relax:1; /* Relax checking of root certificates. */
unsigned int chain_model:1; /* Root requires the use of the chain model. */
unsigned int qualified:1; /* Root CA used for qualfied signatures. */
};
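Review bot: The comment on the new bit-field misspells the word: `/* Root CA used for qualfied signatures. */` should read `/* Root CA used for qualified signatures. */`. Since this bit changes how a signature is classified, the comment could also name its source, for example `/* Root CA used for qualified signatures; set from the agent's TRUSTLISTFLAG "qual" status. */`, which matches what the sm/call-agent.c section does. The struct definition starts outside the hunk.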