agent: Add trustlist flag "de-vs".

* agent/trustlist.c (struct trustitem_s): Add field de_vs.
(read_one_trustfile): Parse it.
(istrusted_internal): Emit TRUSTLISTFLAG status line.
* sm/gpgsm.h (struct rootca_flags_s): Add field de_vs.
* sm/call-agent.c (istrusted_status_cb): Detect the flags.

* sm/sign.c (write_detached_signature): Remove unused vars.
--

Right now this flag has no effect; we first need to specify the exact
behaviour.

GnuPG-bug-id: 5079

5 files changed, 19 insertions, 3 deletions

diff --git a/agent/trustlist.c b/agent/trustlist.c
index 4d23eb1b0..330f233b8 100644
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@@ -45,6 +45,7 @@ struct trustitem_s
                              constraints. */
     int cm:1;             /* Use chain model for validation. */
     int qual:1;           /* Root CA for qualified signatures.  */
+    int de_vs:1;          /* Root CA for de-vs compliant PKI.    */
   } flags;
   unsigned char fpr[20];  /* The binary fingerprint. */
 };
@@ -324,6 +325,8 @@ read_one_trustfile (const char *fname, int systrust,
             ti->flags.cm = 1;
           else if (n == 4 && !memcmp (p, "qual", 4) && systrust)
             ti->flags.qual = 1;
+          else if (n == 4 && !memcmp (p, "de-vs", 4) && systrust)
+            ti->flags.de_vs = 1;
           else
             log_error ("flag '%.*s' in '%s', line %d ignored\n",
                        n, p, fname, lnr);
@@ -476,7 +479,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
                in a locked state.  */
             if (already_locked)
               ;
-            else if (ti->flags.relax || ti->flags.cm || ti->flags.qual)
+            else if (ti->flags.relax || ti->flags.cm || ti->flags.qual
+                     || ti->flags.de_vs)
               {
                 unlock_trusttable ();
                 locked = 0;
@@ -487,6 +491,8 @@ istrusted_internal (ctrl_t ctrl, const char *fpr, int *r_disabled,
                   err = agent_write_status (ctrl,"TRUSTLISTFLAG", "cm", NULL);
                 if (!err && ti->flags.qual)
                   err = agent_write_status (ctrl,"TRUSTLISTFLAG", "qual",NULL);
+                if (!err && ti->flags.de_vs)
+                  err = agent_write_status (ctrl,"TRUSTLISTFLAG", "de-vs",NULL);
               }
 
             if (!err)
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 1a03de010..c8080c7c2 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -813,6 +813,11 @@ This flag has an effect only if used in the global list.  This is now
 the preferred way to mark such CA; the old way of having a separate
 file @file{qualified.txt} is still supported.
 
+@item de-vs
+The CA is part of an approved PKI for the German classification level
+VS-NfD.  It is only valid in the global trustlist.  As of now this is
+used only for documentation purpose.
+
 @end table
 
 
diff --git a/sm/call-agent.c b/sm/call-agent.c
index 06319cf62..698039504 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -890,6 +890,8 @@ istrusted_status_cb (void *opaque, const char *line)
         flags->chain_model = 1;
       else if (has_leading_keyword (line, "qual"))
         flags->qualified = 1;
+      else if (has_leading_keyword (line, "de-vs"))
+        flags->de_vs = 1;
     }
   return 0;
 }
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 6149b8491..cef39ff2a 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -295,6 +295,7 @@ struct rootca_flags_s
   unsigned int relax:1;  /* Relax checking of root certificates.  */
   unsigned int chain_model:1; /* Root requires the use of the chain model.  */
   unsigned int qualified:1;   /* Root CA used for qualfied signatures.   */
+  unsigned int de_vs:1;       /* Root CA is de-vs compliant.             */
 };
 
 
diff --git a/sm/sign.c b/sm/sign.c
index 64bbf8d56..b3b7e1883 100644
--- a/sm/sign.c
+++ b/sm/sign.c
@@ -433,8 +433,8 @@ write_detached_signature (ctrl_t ctrl, const void *blob, size_t bloblen,
                           estream_t out_fp)
 {
   gpg_error_t err;
-  const unsigned char *p, *psave;
-  size_t n, nsave, objlen, objlensave, hdrlen;
+  const unsigned char *p;
+  size_t n, objlen, hdrlen;
   int class, tag, cons, ndef;
   const unsigned char *p_ctoid, *p_version, *p_algoset, *p_dataoid;
   size_t               n_ctoid,  n_version,  n_algoset,  n_dataoid;
@@ -445,6 +445,8 @@ write_detached_signature (ctrl_t ctrl, const void *blob, size_t bloblen,
   unsigned char *finalder = NULL;
   size_t finalderlen;
 
+  (void)ctrl;
+
   p = blob;
   n = bloblen;
   if ((err=parse_ber_header (&p,&n,&class,&tag,&cons,&ndef,&objlen,&hdrlen)))