From 69349561bf941cc67f1afcbbc115af8dbd624f94 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 18 May 2024 23:21:03 +0200
Subject: Merging upstream version 2.2.43.
Signed-off-by: Daniel Baumann
---
 agent/trustlist.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
(limited to 'agent/trustlist.c')
diff --git a/agent/trustlist.c b/agent/trustlist.c
index 086d8ae..5617370 100644
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@@ -45,6 +45,8 @@ struct trustitem_s
 int relax:1; /* Relax checking of root certificate constraints. */
 int cm:1; /* Use chain model for validation. */
+ int qual:1; /* Root CA for qualified signatures. */
+ int de_vs:1; /* Root CA for de-vs compliant PKI. */
 } flags;
 unsigned char fpr[20]; /* The binary fingerprint. */
 };
@@ -322,6 +324,10 @@ read_one_trustfile (const char *fname, int systrust,
 ti->flags.relax = 1;
 else if (n == 2 && !memcmp (p, "cm", 2))
 ti->flags.cm = 1;
+ else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
+ ti->flags.qual = 1;
+ else if (n == 4 && !memcmp (p, "de-vs", 4) && systrust)
+ ti->flags.de_vs = 1;
 else
 log_error ("flag '%.*s' in '%s', line %d ignored\n",
 n, p, fname, lnr);
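Review bot: The new de-vs branch in read_one_trustfile can never match: the token "de-vs" is five characters, so a flag line carrying it arrives with n == 5 and fails the `n == 4` test, while `memcmp (p, "de-vs", 4)` would only ever accept the four-character prefix "de-v"; a system trustlist entry marked de-vs therefore falls through to the "flag ... ignored" log_error and ti->flags.de_vs stays clear. The comparison should use the full length, `else if (n == 5 && !memcmp (p, "de-vs", 5) && systrust)`. The `&& systrust` gate on both new flags is the right call, since qual and de-vs assert properties only the system trustlist should be able to claim; a short comment on the qual line such as `/* Only the system trustlist may assert qualified or de-vs status.  */` would make that intent explicit for the next reader. read_one_trustfile starts and ends outside the hunk.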
@@ -474,17 +480,20 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
 in a locked state. */
 if (already_locked)
 ;
- else if (ti->flags.relax)
+ else if (ti->flags.relax || ti->flags.cm || ti->flags.qual
+ || ti->flags.de_vs)
 {
 unlock_trusttable ();
 locked = 0;
- err = agent_write_status (ctrl, "TRUSTLISTFLAG", "relax", NULL);
- }
- else if (ti->flags.cm)
- {
- unlock_trusttable ();
- locked = 0;
- err = agent_write_status (ctrl, "TRUSTLISTFLAG", "cm", NULL);
+ err = 0;
+ if (ti->flags.relax)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "relax",NULL);
+ if (!err && ti->flags.cm)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
+ if (!err && ti->flags.qual)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
+ if (!err && ti->flags.de_vs)
+ err = agent_write_status (ctrl,"TRUSTLISTFLAG", "de-vs",NULL);
 }
 if (!err)
@@ -646,7 +655,7 @@ agent_marktrusted (ctrl_t ctrl, const char *name, const char *fpr, int flag)
 if (!fname)
 return gpg_error_from_syserror ();
- if ((ec = access (fname, W_OK)) && ec != GPG_ERR_ENOENT)
+ if ((ec = gnupg_access (fname, W_OK)) && ec != GPG_ERR_ENOENT)
 {
 xfree (fname);
 return gpg_error (GPG_ERR_EPERM);
--
cgit v1.2.3
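Review bot: The four new agent_write_status calls in istrusted_internal drop the spaces after commas (`ctrl,"TRUSTLISTFLAG", "relax",NULL`), unlike the removed lines and the surrounding code, which write `ctrl, "TRUSTLISTFLAG", "relax", NULL`; please restore the usual spacing. Because a trust item may now carry several flags, each set flag is emitted as its own TRUSTLISTFLAG status line and the chain stops at the first write error, which differs from the previous either/or branches; a one-line comment above `err = 0;` stating that, e.g. `/* Report every set flag as its own status line; stop at the first write error.  */`, would spare readers from reconstructing it. Note that the trust table is already unlocked (`locked = 0`) before any of the status lines is written, as before, so an error here leaves the function in the unlocked state for the later `if (!err)` path. istrusted_internal starts and ends outside the hunk.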