authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-08 14:40:15 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-08 14:43:38 +0100
commit3bc609cda52fdb7ccdb22f564b824b6073e7446c (patch)
treed8ccdc4274cacb272d69756e537d0826f2887fb0
parentb095508def0b718137561a7d4743489a2a5193ca (diff)
downloadgnutls-3bc609cda52fdb7ccdb22f564b824b6073e7446c.tar.gz
certtool: enhance to allow writing CRLs in PKCS#12 files
In addition, fall back to DER when --load-crl fails to import a PEM-encoded CRL due to PEM issues.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/certtool-common.c3
-rw-r--r--src/certtool.c42
2 files changed, 43 insertions, 2 deletions
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 85196629bf..0f47be53b0 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -477,6 +477,9 @@ gnutls_x509_crl_t *load_crl_list(int mand, size_t * crl_size,
dat.size = size;
ret = gnutls_x509_crl_list_import2(&crl, &crl_max, &dat, GNUTLS_X509_FMT_PEM, 0);
+ if (ret == GNUTLS_E_BASE64_DECODING_ERROR) {
+ ret = gnutls_x509_crl_list_import2(&crl, &crl_max, &dat, GNUTLS_X509_FMT_DER, 0);
+ }
if (ret < 0) {
fprintf(stderr, "Error loading CRLs: %s\n", gnutls_strerror(ret));
exit(1);
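Review bot: When the DER retry on the added lines fails as well, `ret` carries the DER error into the existing `fprintf` below, so a PEM file with a corrupted base64 body is now reported as a DER/ASN.1 failure instead of a base64 one. Telling the user that both encodings were attempted costs one extra statement inside the new block, after the second import: `if (ret < 0) fprintf(stderr, "Input is not PEM; DER import also failed\n");`. The retry is keyed solely on GNUTLS_E_BASE64_DECODING_ERROR, which presumably is what the PEM importer returns when no PEM header is found; a comment such as `/* no PEM header or bad base64: retry as raw DER */` would record that dependency for the next reader. load_crl_list begins and ends outside the hunk.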
diff --git a/src/certtool.c b/src/certtool.c
index e3b850165d..8a99dc7fce 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -3007,6 +3007,7 @@ void generate_pkcs8(common_info_st * cinfo)
void generate_pkcs12(common_info_st * cinfo)
{
gnutls_pkcs12_t pkcs12;
+ gnutls_x509_crl_t *crls;
gnutls_x509_crt_t *crts, ca_crt;
gnutls_x509_privkey_t *keys;
int result;
@@ -3020,6 +3021,7 @@ void generate_pkcs12(common_info_st * cinfo)
int indx;
size_t ncrts;
size_t nkeys;
+ size_t ncrls;
fprintf(stderr, "Generating a PKCS #12 structure...\n");
@@ -3027,8 +3029,10 @@ void generate_pkcs12(common_info_st * cinfo)
crts = load_cert_list(0, &ncrts, cinfo);
ca_crt = load_ca_cert(0, cinfo);
- if (keys == NULL && crts == NULL && ca_crt == NULL) {
- fprintf(stderr, "You must specify one of\n\t--load-privkey\n\t--load-certificate\n\t--load-ca-certificate\n");
+ crls = load_crl_list(0, &ncrls, cinfo);
+
+ if (keys == NULL && crts == NULL && ca_crt == NULL && crls == NULL) {
+ fprintf(stderr, "You must specify one of\n\t--load-privkey\n\t--load-certificate\n\t--load-ca-certificate\n\t--load-crl\n");
exit(1);
}
@@ -3114,6 +3118,40 @@ void generate_pkcs12(common_info_st * cinfo)
gnutls_pkcs12_bag_deinit(bag);
}
+ /* add any CRLs */
+ for (i = 0; i < ncrls; i++) {
+ gnutls_pkcs12_bag_t bag;
+
+ result = gnutls_pkcs12_bag_init(&bag);
+ if (result < 0) {
+ fprintf(stderr, "bag_init: %s\n",
+ gnutls_strerror(result));
+ exit(1);
+ }
+
+ result = gnutls_pkcs12_bag_set_crl(bag, crls[i]);
+ if (result < 0) {
+ fprintf(stderr, "set_crl[%d]: %s\n", i,
+ gnutls_strerror(result));
+ exit(1);
+ }
+
+ result = gnutls_pkcs12_bag_encrypt(bag, pass, flags);
+ if (result < 0) {
+ fprintf(stderr, "bag_encrypt: %s\n",
+ gnutls_strerror(result));
+ exit(1);
+ }
+
+ result = gnutls_pkcs12_set_bag(pkcs12, bag);
+ if (result < 0) {
+ fprintf(stderr, "set_bag: %s\n",
+ gnutls_strerror(result));
+ exit(1);
+ }
+ gnutls_pkcs12_bag_deinit(bag);
+ }
+
/* Add the ca cert, if any */
if (ca_crt) {
gnutls_pkcs12_bag_t bag;
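Review bot: The new loop's bound `ncrls` is only ever written through the `crls = load_crl_list(0, &ncrls, cinfo);` call added in the earlier hunk, and the `size_t ncrls;` declaration added before it has no initializer; unless that helper stores to *crl_size on the path where --load-crl is absent and it returns NULL, the loop iterates over an indeterminate count with `crls == NULL`. Writing `size_t ncrls = 0;` at the declaration makes the loop safe without relying on the helper's contract. Stylistically this block is the fourth copy of the bag_init / set_* / bag_encrypt / set_bag / bag_deinit sequence in this function, and a `static` helper for at least the encrypt/set_bag/deinit tail would stop the four paths from drifting apart. The loop index `i` and the end of generate_pkcs12 are outside the hunk; if the array returned by load_cert_list is released there, the one from load_crl_list needs the same treatment.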