Diffusion GnuPG 56a1e5f3dda3

gpgsm: Add a certificate chain check for de-vs compliance

Description

gpgsm: Add a certificate chain check for de-vs compliance

* sm/certchain.c (do_validate_chain): Fix typo
* sm/decrypt.c (gpgsm_decrypt): Check the certificate chain for de-vs
compliance
* sm/verify.c (gpgsm_verify): Check the certificate chain for de-vs
compliance
* sm/certchain.c (do_validate_chain): Set the is_de_vs user data and
flag.
* sm/keylist.c (cert_has_de_vs_flag): New.
(print_compliance_flags): Print compliance string only if the flag
is set.

The gpgsm status for CO_DE_VS compliance should only be set if the
certificate chain is also checked and compliant (besides the pk algo,
the message digest and cipher which were already checked before).

Cherry-picked-from: fa1ac5c23d167dde6899536d6d80d9391737d21e (2.2)

Some extra changes had to be picked from
See-commit: 14383ff052ff5013ba40b6d53b91a1525b5ae2d8 (2.2)
which was not yet ported to master. This is in particular setting the
is_de_vs user data for the cert in certchain.c and printing the
compliance flag only if it is compliant in keylist.c. Thus in de-vs
compliance mode we now look at the de-vs flag from the trustlist.txt
and print a certificate as VS-NfD compliant only if this flag is set.
Obviously this now requires that --with-validation has been used. The
advantage of this behaviour (as already available in 2.2) is that also
non-compliant certificates can be entered into the trustlist.txt and
such certs can be used with the usual warning that the cert is not
VS-NfD compliant.

Details

Provenance
pl13 authored on Thu, Apr 2, 10:45 AM
werner committed on Tue, Apr 7, 3:16 PM
Parents
rG047d699aa40c: gpgsm: Allow cipher mode as part of the algo for --cipher-algo.
Tasks
T7593: Check the trustlist de-vs flag in the per key compliance check