authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-06-19 20:58:21 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-06-20 12:46:04 +0200
commit692ebe18468358edc503fcf856891649936d335a (patch)
tree85e37a34b8b854b9f198b927e9f7b60970cb9443
parent4a6d863c0b5f0f21d8e2e03abd7f5e5430f5e9c0 (diff)
downloadgnutls-692ebe18468358edc503fcf856891649936d335a.tar.gz
ocsptool: --load-chain will sort the input chain
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--src/certtool-common.c6
-rw-r--r--src/certtool-common.h1
-rw-r--r--src/ocsptool.c1
3 files changed, 7 insertions, 1 deletions
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 81d2189b4a..2453024567 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -395,6 +395,7 @@ gnutls_x509_crt_t *load_cert_list(int mand, size_t * crt_size,
gnutls_datum_t dat;
unsigned size;
unsigned int crt_max;
+ unsigned flags = 0;
*crt_size = 0;
if (info->verbose)
@@ -424,7 +425,10 @@ gnutls_x509_crt_t *load_cert_list(int mand, size_t * crt_size,
dat.data = (void *) lbuffer;
dat.size = size;
- ret = gnutls_x509_crt_list_import2(&crt, &crt_max, &dat, GNUTLS_X509_FMT_PEM, 0);
+ if (info->sort_chain)
+ flags |= GNUTLS_X509_CRT_LIST_SORT;
+
+ ret = gnutls_x509_crt_list_import2(&crt, &crt_max, &dat, GNUTLS_X509_FMT_PEM, flags);
if (ret < 0) {
fprintf(stderr, "Error loading certificates: %s\n", gnutls_strerror(ret));
app_exit(1);
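Review bot: Once `GNUTLS_X509_CRT_LIST_SORT` is OR-ed into `flags`, the array returned by `gnutls_x509_crt_list_import2()` need not match the order of the PEM input, and nothing at the call site records that. How the library treats certificates that do not fit a single chain (rejected or left out) is not visible in this hunk, so the count in `crt_max` should not be assumed to equal the number of PEM blocks in the file. I would add a comment above the new `if`, such as `/* sort_chain: import in subject-to-issuer order; order and count may differ from the input file */`. `load_cert_list` continues outside the hunk, so a later verbose message may already report the loaded count; if it does not, printing it under `info->verbose` would help someone auditing which certificates were actually used.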
diff --git a/src/certtool-common.h b/src/certtool-common.h
index 9c5fb977e1..16c3c53dfa 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -76,6 +76,7 @@ typedef struct common_info {
unsigned no_compat;
unsigned rsa_pss_sign;
+ unsigned sort_chain;
} common_info_st;
/* this must be provided by the app */
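Review bot: The new `sort_chain` member has no comment, and in this commit only `load_cert_list` reads it, so a caller of any other loader that takes a `common_info_st` could set it and get no sorting. A trailing comment on the field would document that, for example `unsigned sort_chain; /* load_cert_list() only: import with GNUTLS_X509_CRT_LIST_SORT */`. The struct definition starts outside the hunk.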
diff --git a/src/ocsptool.c b/src/ocsptool.c
index 480f9b0383..4f3176be70 100644
--- a/src/ocsptool.c
+++ b/src/ocsptool.c
@@ -404,6 +404,7 @@ unsigned load_chain(gnutls_x509_crt_t chain[MAX_CHAIN_SIZE])
info.verbose = verbose;
info.cert = OPT_ARG(LOAD_CHAIN);
+ info.sort_chain = 1;
list = load_cert_list(1, &list_size, &info);
if (list_size > MAX_CHAIN_SIZE) {
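Review bot: Setting `info.sort_chain = 1` changes what `--load-chain` does with its input, but the diffstat lists only three source files, so the option's help text and manual are presumably unchanged. Because the order of the loaded chain decides which certificate is treated as the end entity and which as its issuers, the documentation should say that the file order is no longer significant and that the chain is rearranged before use. A short comment at the assignment would also help, such as `/* accept chains in any order; sorted subject-to-issuer on import */`. The `list_size > MAX_CHAIN_SIZE` check that follows now sees the post-sort count. `load_chain` continues outside the hunk.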