From a5360ae4c7bfe6df6754409d5bd5c5a521ae5e6f Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 3 Apr 2023 14:06:36 +0200
Subject: [PATCH] agent: Add trustlist flag "de-vs".

* agent/trustlist.c (struct trustitem_s): Add field de_vs. (read_one_trustfile): Parse it. (istrusted_internal): Emit TRUSTLISTFLAG status line.
* sm/gpgsm.h (struct rootca_flags_s): Add field de_vs.
* sm/call-agent.c (istrusted_status_cb): Detect the flags.
* sm/sign.c (write_detached_signature): Remove unused vars.
--
Right now this flag has no effect; we first need to specify the exact behaviour.

GnuPG-bug-id: 5079
---
 agent/trustlist.c | 8 +++++++-
 doc/gpg-agent.texi | 5 +++++
 sm/call-agent.c | 2 ++
 sm/gpgsm.h | 1 +
 sm/sign.c | 6 ++++--
 5 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/agent/trustlist.c b/agent/trustlist.c
index 4d23eb1b0..330f233b8 100644
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@@ -45,6 +45,7 @@ struct trustitem_s
 constraints. */
 int cm:1; /* Use chain model for validation. */
 int qual:1; /* Root CA for qualified signatures. */
+ int de_vs:1; /* Root CA for de-vs compliant PKI. */
 } flags;
 unsigned char fpr[20]; /* The binary fingerprint. */
 };
@@ -324,6 +325,8 @@ read_one_trustfile (const char *fname, int systrust,
 ti->flags.cm = 1;
 else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
 ti->flags.qual = 1;
+ else if (n == 4 && !memcmp (p, "de-vs", 4) && systrust)
+ ti->flags.de_vs = 1;
 else
 log_error ("flag '%.*s' in '%s', line %d ignored\n",
 n, p, fname, lnr);
@@ -476,7 +479,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
 in a locked state. */
 if (already_locked)
 ;
- else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
+ else if (ti->flags.relax || ti->flags.cm || ti->flags.qual
+ || ti->flags.de_vs)
 {
 unlock_trusttable ();
 locked = 0;
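Review bot: `int de_vs:1;` follows the sibling fields `cm` and `qual`, but a plain `int` bit-field has implementation-defined signedness (C11 6.7.2p5), so on a compiler that treats it as signed the later assignment `ti->flags.de_vs = 1` stores -1; it still tests true, yet it differs from the `unsigned int de_vs:1` used for the same flag in sm/gpgsm.h in this same patch. If the bit-field group is revisited, `unsigned int` for all four members is the safer spelling. The rest of struct trustitem_s lies outside the hunk.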
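Review bot: The new branch in read_one_trustfile can never match the flag it is meant to parse: "de-vs" is five characters, but the condition requires `n == 4` and compares only four bytes, so a global trustlist line carrying `de-vs` falls through to the `log_error ("flag '%.*s' in '%s', line %d ignored\n", ...)` branch and `ti->flags.de_vs` is never set, while a bogus four-character token `de-v` would match. Change the line to `else if (n == 5 && !memcmp (p, "de-vs", 5) && systrust)`. Until that is fixed the `TRUSTLISTFLAG de-vs` status line added to istrusted_internal in the following hunk and the `flags->de_vs = 1` setter in sm/call-agent.c are unreachable through the trustlist, and the only visible symptom is the "ignored" message in the agent log. read_one_trustfile's body continues outside the hunk.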
@@ -487,6 +491,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
 err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
 if (!err && ti->flags.qual)
 err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
+ if (!err && ti->flags.de_vs)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "de-vs",NULL);
 }
 if (!err)
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 1a03de010..c8080c7c2 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -813,6 +813,11 @@ This flag has an effect only if used in the global list.
 This is now the preferred way to mark such CA; the old way of having a separate file @file{qualified.txt} is still supported.
+@item de-vs
+The CA is part of an approved PKI for the German classification level VS-NfD. It is only valid in the global trustlist. As of now this is used only for documentation purpose.
+
 @end table
diff --git a/sm/call-agent.c b/sm/call-agent.c
index 06319cf62..698039504 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -890,6 +890,8 @@ istrusted_status_cb (void *opaque, const char *line)
 flags->chain_model = 1;
 else if (has_leading_keyword (line, "qual"))
 flags->qualified = 1;
+ else if (has_leading_keyword (line, "de-vs"))
+ flags->de_vs = 1;
 }
 return 0;
 }
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 6149b8491..cef39ff2a 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -295,6 +295,7 @@ struct rootca_flags_s
 unsigned int relax:1; /* Relax checking of root certificates. */
 unsigned int chain_model:1; /* Root requires the use of the chain model. */
 unsigned int qualified:1; /* Root CA used for qualfied signatures. */
+ unsigned int de_vs:1; /* Root CA is de-vs compliant. */
 };
diff --git a/sm/sign.c b/sm/sign.c
index 64bbf8d56..b3b7e1883 100644
--- a/sm/sign.c
+++ b/sm/sign.c
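Review bot: The comment on the new rootca_flags_s member, `/* Root CA is de-vs compliant. */`, reads as if compliance were verified, while the commit message states the flag has no effect yet and the texi text says it is used only for documentation. Suggest `/* Root CA is flagged "de-vs" in the global trustlist (not yet acted upon). */` so a reader of the struct does not take the bit as an enforced property. The same wording issue applies to the `de_vs` comment added to struct trustitem_s in agent/trustlist.c.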
@@ -433,8 +433,8 @@ write_detached_signature (ctrl_t ctrl, const void *blob, size_t bloblen,
 estream_t out_fp)
 {
 gpg_error_t err;
- const unsigned char *p, *psave;
- size_t n, nsave, objlen, objlensave, hdrlen;
+ const unsigned char *p;
+ size_t n, objlen, hdrlen;
 int class, tag, cons, ndef;
 const unsigned char *p_ctoid, *p_version, *p_algoset, *p_dataoid;
 size_t n_ctoid, n_version, n_algoset, n_dataoid;
@@ -445,6 +445,8 @@ write_detached_signature (ctrl_t ctrl, const void *blob, size_t bloblen,
 unsigned char *finalder = NULL;
 size_t finalderlen;
+ (void)ctrl;
+
 p = blob;
 n = bloblen;
 if ((err=parse_ber_header (&p,&n,&class,&tag,&cons,&ndef,&objlen,&hdrlen)))