authorKarl Tarbe <karl.tarbe@cyber.ee>2017-05-04 16:46:14 +0300
committerKarl Tarbe <karl.tarbe@cyber.ee>2017-05-14 15:59:35 +0300
commit3fb751fe5711f710e993051992c4eadff53f471d (patch)
tree06618cc102d53a31200763986d8159aa9cd6490b
parent42a73d82dbe700e08e7930799e54244ab9f6789c (diff)
downloadgnutls-3fb751fe5711f710e993051992c4eadff53f471d.tar.gz
certtool: allow multiple certificates in --p7-sign
Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>
-rw-r--r--src/certtool-args.def4
-rw-r--r--src/certtool.c22
2 files changed, 20 insertions, 6 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index f43d328a35..dd156b64d5 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -329,14 +329,14 @@ flag = {
flag = {
name = p7-sign;
descrip = "Signs using a PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+ doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
};
flag = {
name = p7-detached-sign;
descrip = "Signs using a detached PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+ doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
};
flag = {
diff --git a/src/certtool.c b/src/certtool.c
index 72b7778207..1a8ccf8a0c 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2896,7 +2896,9 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
size_t size;
gnutls_datum_t data;
unsigned flags = 0;
- gnutls_x509_crt_t signer;
+ gnutls_x509_crt_t *crts;
+ size_t crt_size;
+ size_t i;
if (ENABLED_OPT(P7_TIME))
flags |= GNUTLS_PKCS7_INCLUDE_TIME;
@@ -2918,18 +2920,27 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
app_exit(1);
}
- signer = load_cert(1, cinfo);
+ crts = load_cert_list(1, &crt_size, cinfo);
key = load_private_key(1, cinfo);
if (embed)
flags |= GNUTLS_PKCS7_EMBED_DATA;
- ret = gnutls_pkcs7_sign(pkcs7, signer, key, &data, NULL, NULL, get_dig(signer), flags);
+ ret = gnutls_pkcs7_sign(pkcs7, *crts, key, &data, NULL, NULL, get_dig(*crts), flags);
if (ret < 0) {
fprintf(stderr, "Error signing: %s\n", gnutls_strerror(ret));
app_exit(1);
}
+ for (i=1;i<crt_size;i++) {
+ ret = gnutls_pkcs7_set_crt(pkcs7, crts[i]);
+ if (ret < 0) {
+ fprintf(stderr, "Error adding cert: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
+
size = lbuffer_size;
ret =
gnutls_pkcs7_export(pkcs7, outcert_format, lbuffer, &size);
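Review bot: The error path inside the new `gnutls_pkcs7_set_crt` loop calls plain `exit(1)`, while every other failure in this hunk (the `app_exit(1)` after "Error signing", and the one at the top of the hunk) goes through `app_exit`; the line should be `app_exit(1);` so that whatever teardown `app_exit` performs is not skipped on this one path. Separately, `*crts` is dereferenced for the signing call and `get_dig(*crts)` without any check that `crt_size` is at least 1; if `load_cert_list` can return with an empty list rather than exiting on failure (not visible here), this is a NULL dereference, so a guard such as `if (crt_size == 0) { fprintf(stderr, "No certificate loaded\n"); app_exit(1); }` before the sign call would be safer. The two added empty lines after the loop's closing brace are also surplus. pkcs7_sign's body begins before and continues after this hunk.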
@@ -2941,7 +2952,10 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
fwrite(lbuffer, 1, size, outfile);
gnutls_privkey_deinit(key);
- gnutls_x509_crt_deinit(signer);
+ for (i=0;i<crt_size;i++) {
+ gnutls_x509_crt_deinit(crts[i]);
+ }
+ gnutls_free(crts);
gnutls_pkcs7_deinit(pkcs7);
app_exit(0);
}