agent: New flag "qual" for the trustlist.txt.

* agent/trustlist.c (struct trustitem_s): Add flag "qual".
(read_one_trustfile): Rename arg "allow_include" to "systrust" and
change callers.  Parse new flag "qual".
(istrusted_internal): Print all flags.
* sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag.
* sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified".
* sm/certchain.c (do_validate_chain): Take care of the qualified flag.
--

(cherry picked from commit 7c8c606061)

sm/call-agent.c

@@ -872,6 +872,8 @@ istrusted_status_cb (void *opaque, const char *line)
         flags->relax = 1;
       else if (has_leading_keyword (line, "cm"))
         flags->chain_model = 1;
+      else if (has_leading_keyword (line, "qual"))
+        flags->qualified = 1;
     }
   return 0;
 }

sm/certchain.c

@@ -1727,8 +1727,12 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
               else
                 {
                   /* Need to consult the list of root certificates for
-                     qualified signatures. */
-                  err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
+                     qualified signatures.  But first we check the
+                     modern way by looking at the root ca flag.  */
+                  if (rootca_flags->qualified)
+                    err = 0;
+                  else
+                    err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
                   if (!err)
                     is_qualified = 1;
                   else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND )

sm/gpgsm.h

@@ -261,6 +261,7 @@ struct rootca_flags_s
                             information.  */
   unsigned int relax:1;  /* Relax checking of root certificates.  */
   unsigned int chain_model:1; /* Root requires the use of the chain model.  */
+  unsigned int qualified:1;   /* Root CA used for qualfied signatures.   */
 };