diff --git a/agent/trustlist.c b/agent/trustlist.c index a19af344a..d98da0c21 100644 --- a/agent/trustlist.c +++ b/agent/trustlist.c @@ -45,6 +45,7 @@ struct trustitem_s int relax:1; /* Relax checking of root certificate constraints. */ int cm:1; /* Use chain model for validation. */ + int qual:1; /* Root CA for qualified signatures. */ } flags; unsigned char fpr[20]; /* The binary fingerprint. */ }; @@ -322,6 +323,8 @@ read_one_trustfile (const char *fname, int systrust, ti->flags.relax = 1; else if (n == 2 && !memcmp (p, "cm", 2)) ti->flags.cm = 1; + else if (n == 4 && !memcmp (p, "qual", 4) && systrust) + ti->flags.qual = 1; else log_error ("flag '%.*s' in '%s', line %d ignored\n", n, p, fname, lnr); @@ -474,17 +477,17 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled, in a locked state. */ if (already_locked) ; - else if (ti->flags.relax) + else if (ti->flags.relax || ti->flags.cm || ti->flags.qual) { unlock_trusttable (); locked = 0; - err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL); - } - else if (ti->flags.cm) - { - unlock_trusttable (); - locked = 0; - err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL); + err = 0; + if (ti->flags.relax) + err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL); + if (!err && ti->flags.cm) + err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL); + if (!err && ti->flags.qual) + err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL); } if (!err) diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index a97529d54..05eb066a5 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -823,6 +823,12 @@ CRL checking for the root certificate. If validation of a certificate finally issued by a CA with this flag set fails, try again using the chain validation model. +@item qual +The CA is allowed to issue certificates for qualified signatures. +This flag has an effect only if used in the global list. This is now +the preferred way to mark such CA; the old way of having a separate +file @file{qualified.txt} is still supported. + @end table diff --git a/sm/call-agent.c b/sm/call-agent.c index 5b1b0a9b0..5e56371fd 100644 --- a/sm/call-agent.c +++ b/sm/call-agent.c @@ -872,6 +872,8 @@ istrusted_status_cb (void *opaque, const char *line) flags->relax = 1; else if (has_leading_keyword (line, "cm")) flags->chain_model = 1; + else if (has_leading_keyword (line, "qual")) + flags->qualified = 1; } return 0; } diff --git a/sm/certchain.c b/sm/certchain.c index 720648e06..57de48301 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -1727,8 +1727,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, else { /* Need to consult the list of root certificates for - qualified signatures. */ - err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL); + qualified signatures. But first we check the + modern way by looking at the root ca flag. */ + if (rootca_flags->qualified) + err = 0; + else + err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL); if (!err) is_qualified = 1; else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND ) diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 469bca33c..b826fa814 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -261,6 +261,7 @@ struct rootca_flags_s information. */ unsigned int relax:1; /* Relax checking of root certificates. */ unsigned int chain_model:1; /* Root requires the use of the chain model. */ + unsigned int qualified:1; /* Root CA used for qualfied signatures. */ };