-rw-r--r--src/certtool-args.def4
-rw-r--r--src/certtool.c22
2 files changed, 20 insertions, 6 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index f43d328a35..dd156b64d5 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -329,14 +329,14 @@ flag = {
flag = {
name = p7-sign;
descrip = "Signs using a PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+ doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
};
flag = {
name = p7-detached-sign;
descrip = "Signs using a detached PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+ doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
};
flag = {
diff --git a/src/certtool.c b/src/certtool.c
index 72b7778207..1a8ccf8a0c 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2896,7 +2896,9 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
size_t size;
gnutls_datum_t data;
unsigned flags = 0;
- gnutls_x509_crt_t signer;
+ gnutls_x509_crt_t *crts;
+ size_t crt_size;
+ size_t i;
if (ENABLED_OPT(P7_TIME))
flags |= GNUTLS_PKCS7_INCLUDE_TIME;
@@ -2918,18 +2920,27 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
app_exit(1);
}
- signer = load_cert(1, cinfo);
+ crts = load_cert_list(1, &crt_size, cinfo);
key = load_private_key(1, cinfo);
if (embed)
flags |= GNUTLS_PKCS7_EMBED_DATA;
- ret = gnutls_pkcs7_sign(pkcs7, signer, key, &data, NULL, NULL, get_dig(signer), flags);
+ ret = gnutls_pkcs7_sign(pkcs7, *crts, key, &data, NULL, NULL, get_dig(*crts), flags);
if (ret < 0) {
fprintf(stderr, "Error signing: %s\n", gnutls_strerror(ret));
app_exit(1);
}
+ for (i=1;i<crt_size;i++) {
+ ret = gnutls_pkcs7_set_crt(pkcs7, crts[i]);
+ if (ret < 0) {
+ fprintf(stderr, "Error adding cert: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
+
size = lbuffer_size;
ret =
gnutls_pkcs7_export(pkcs7, outcert_format, lbuffer, &size);
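Review bot: The failure branch of the new certificate loop terminates with `exit(1)` while every other failure in pkcs7_sign, including the `Error signing` branch directly above it, goes through `app_exit(1)`; the line should read `app_exit(1);` so the function's exit handling stays uniform. The sign call dereferences `*crts` unconditionally, so the change relies on load_cert_list(1, ...) never returning an empty list for a mandatory certificate; that guarantee is not visible in this hunk and is worth confirming, since an empty list would make the dereference read out of bounds. The two consecutive blank lines left after the loop can be collapsed to one. pkcs7_sign begins before this hunk and continues past it.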
@@ -2941,7 +2952,10 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
fwrite(lbuffer, 1, size, outfile);
gnutls_privkey_deinit(key);
- gnutls_x509_crt_deinit(signer);
+ for (i=0;i<crt_size;i++) {
+ gnutls_x509_crt_deinit(crts[i]);
+ }
+ gnutls_free(crts);
gnutls_pkcs7_deinit(pkcs7);
app_exit(0);
}