authorKarl Tarbe <karl.tarbe@cyber.ee>2017-05-04 16:46:14 +0300
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-05-16 16:42:51 +0200
commitbd4bf6fa0b20e3087ec17c9a1c1798edb67b8fa7 (patch)
treefad6286243e60af679b544de5c329cda7d37a719
parent6165d3fe70aff216e1ddac9cce62edbb2102f12e (diff)
downloadgnutls-bd4bf6fa0b20e3087ec17c9a1c1798edb67b8fa7.tar.gz
certtool: allow multiple certificates in --p7-sign
Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>
-rw-r--r--src/certtool-args.def4
-rw-r--r--src/certtool.c22
2 files changed, 20 insertions, 6 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 04967b94f2..912810cf1a 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -325,14 +325,14 @@ flag = {
flag = {
name = p7-sign;
descrip = "Signs using a PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+ doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
};
flag = {
name = p7-detached-sign;
descrip = "Signs using a detached PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+ doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
};
flag = {
diff --git a/src/certtool.c b/src/certtool.c
index 8f887eb510..e25b00ee48 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2962,7 +2962,9 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
size_t size;
gnutls_datum_t data;
unsigned flags = 0;
- gnutls_x509_crt_t signer;
+ gnutls_x509_crt_t *crts;
+ size_t crt_size;
+ size_t i;
if (ENABLED_OPT(P7_TIME))
flags |= GNUTLS_PKCS7_INCLUDE_TIME;
@@ -2984,18 +2986,27 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
exit(1);
}
- signer = load_cert(1, cinfo);
+ crts = load_cert_list(1, &crt_size, cinfo);
key = load_private_key(1, cinfo);
if (embed)
flags |= GNUTLS_PKCS7_EMBED_DATA;
- ret = gnutls_pkcs7_sign(pkcs7, signer, key, &data, NULL, NULL, get_dig(signer), flags);
+ ret = gnutls_pkcs7_sign(pkcs7, *crts, key, &data, NULL, NULL, get_dig(*crts), flags);
if (ret < 0) {
fprintf(stderr, "Error signing: %s\n", gnutls_strerror(ret));
exit(1);
}
+ for (i=1;i<crt_size;i++) {
+ ret = gnutls_pkcs7_set_crt(pkcs7, crts[i]);
+ if (ret < 0) {
+ fprintf(stderr, "Error adding cert: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
+
size = lbuffer_size;
ret =
gnutls_pkcs7_export(pkcs7, outcert_format, lbuffer, &size);
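Review bot: The new `gnutls_pkcs7_sign(pkcs7, *crts, ...)` call and the `get_dig(*crts)` argument dereference the array returned by `load_cert_list` without checking that `crt_size` is non-zero, so an empty certificate list would turn into a NULL or out-of-bounds read before any error is reported; the `1` passed as the first argument presumably makes `load_cert_list` fail on empty input, but that is not visible in this hunk, and an explicit guard such as `if (crts == NULL || crt_size == 0) { fprintf(stderr, "No signer certificate loaded\n"); exit(1); }` before the signing call makes the precondition local and obvious. The loop that follows embeds every remaining certificate exactly as supplied, with no check that they chain to the signer, which is a reasonable design for a signing tool but deserves a comment so nobody later mistakes it for validation: `/* Remaining certificates are embedded as given; nothing here verifies they form a chain to the signer. */`. The two consecutive blank lines after the loop should be collapsed to one to match the rest of the function. pkcs7_sign begins before and continues past this hunk.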
@@ -3007,7 +3018,10 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
fwrite(lbuffer, 1, size, outfile);
gnutls_privkey_deinit(key);
- gnutls_x509_crt_deinit(signer);
+ for (i=0;i<crt_size;i++) {
+ gnutls_x509_crt_deinit(crts[i]);
+ }
+ gnutls_free(crts);
gnutls_pkcs7_deinit(pkcs7);
exit(0);
}