From bd4bf6fa0b20e3087ec17c9a1c1798edb67b8fa7 Mon Sep 17 00:00:00 2001
From: Karl Tarbe
Date: Thu, 4 May 2017 16:46:14 +0300
Subject: certtool: allow multiple certificates in --p7-sign
Signed-off-by: Karl Tarbe
---
 src/certtool-args.def | 4 ++--
 src/certtool.c | 22 ++++++++++++++++++----
 2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 04967b94f2..912810cf1a 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -325,14 +325,14 @@ flag = {
 flag = {
 name = p7-sign;
 descrip = "Signs using a PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+ doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
 };
 flag = {
 name = p7-detached-sign;
 descrip = "Signs using a detached PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+ doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
 };
 flag = {
diff --git a/src/certtool.c b/src/certtool.c
index 8f887eb510..e25b00ee48 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2962,7 +2962,9 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
 size_t size;
 gnutls_datum_t data;
 unsigned flags = 0;
- gnutls_x509_crt_t signer;
+ gnutls_x509_crt_t *crts;
+ size_t crt_size;
+ size_t i;
 if (ENABLED_OPT(P7_TIME))
 flags |= GNUTLS_PKCS7_INCLUDE_TIME;
@@ -2984,18 +2986,27 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
 exit(1);
 }
- signer = load_cert(1, cinfo);
+ crts = load_cert_list(1, &crt_size, cinfo);
 key = load_private_key(1, cinfo);
 if (embed)
 flags |= GNUTLS_PKCS7_EMBED_DATA;
- ret = gnutls_pkcs7_sign(pkcs7, signer, key, &data, NULL, NULL, get_dig(signer), flags);
+ ret = gnutls_pkcs7_sign(pkcs7, *crts, key, &data, NULL, NULL, get_dig(*crts), flags);
 if (ret < 0) {
 fprintf(stderr, "Error signing: %s\n", gnutls_strerror(ret));
 exit(1);
 }
+ for (i=1;i
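Review bot: The declarations added here replace the single `signer` with a `crts` array and a `crt_size` count, but nothing in the visible code consults the count before `*crts` is dereferenced as the signer further down in pkcs7_sign; unless `load_cert_list` with its first argument set to 1 is guaranteed to exit on an empty result, a guard such as `if (crt_size == 0) { fprintf(stderr, "No certificate loaded\n"); exit(1); }` placed right after the load would make that dereference safe. The visible lines also do not show the array or the certificates beyond the first being released; if the tail of the function still deinits only one certificate, the remaining ones and the array itself are leaked. If the file already declares variables at first use, `i` could be declared in the `for` header instead of at function scope. pkcs7_sign begins before this hunk and its body continues past the end of the visible text.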