certtool: allow multiple certificates in --p7-sign

Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>

diff --git a/src/certtool-args.def b/src/certtool-args.def
index f43d328a357e762e984f8dfd23a2038ab7d1c14a..dd156b64d5256c0fcbc9bb67f0e6f4281b1545d6 100644 (file)
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -329,14 +329,14 @@ flag = {
 flag = {
     name      = p7-sign;
     descrip   = "Signs using a PKCS #7 structure";
-    doc       = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+    doc       = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
 };
 
 
 flag = {
     name      = p7-detached-sign;
     descrip   = "Signs using a detached PKCS #7 structure";
-    doc       = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey.";
+    doc       = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
 };
 
 flag = {

diff --git a/src/certtool.c b/src/certtool.c
index 72b77782074f43c8b2090b43a0ed1baccdf9f83b..1a8ccf8a0c5894675898c329e135191b147cdc43 100644 (file)
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2896,7 +2896,9 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
        size_t size;
        gnutls_datum_t data;
        unsigned flags = 0;
-       gnutls_x509_crt_t signer;
+       gnutls_x509_crt_t *crts;
+       size_t crt_size;
+       size_t i;
 
        if (ENABLED_OPT(P7_TIME))
                flags |= GNUTLS_PKCS7_INCLUDE_TIME;
@@ -2918,18 +2920,27 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
                app_exit(1);
        }
 
-       signer = load_cert(1, cinfo);
+       crts = load_cert_list(1, &crt_size, cinfo);
        key = load_private_key(1, cinfo);
 
        if (embed)
                flags |= GNUTLS_PKCS7_EMBED_DATA;
 
-       ret = gnutls_pkcs7_sign(pkcs7, signer, key, &data, NULL, NULL, get_dig(signer), flags);
+       ret = gnutls_pkcs7_sign(pkcs7, *crts, key, &data, NULL, NULL, get_dig(*crts), flags);
        if (ret < 0) {
                fprintf(stderr, "Error signing: %s\n", gnutls_strerror(ret));
                app_exit(1);
        }
 
+       for (i=1;i<crt_size;i++) {
+               ret = gnutls_pkcs7_set_crt(pkcs7, crts[i]);
+               if (ret < 0) {
+                       fprintf(stderr, "Error adding cert: %s\n", gnutls_strerror(ret));
+                       exit(1);
+               }
+       }
+
+
        size = lbuffer_size;
        ret =
            gnutls_pkcs7_export(pkcs7, outcert_format, lbuffer, &size);
@@ -2941,7 +2952,10 @@ void pkcs7_sign(common_info_st * cinfo, unsigned embed)
        fwrite(lbuffer, 1, size, outfile);
 
        gnutls_privkey_deinit(key);
-       gnutls_x509_crt_deinit(signer);
+       for (i=0;i<crt_size;i++) {
+               gnutls_x509_crt_deinit(crts[i]);
+       }
+       gnutls_free(crts);
        gnutls_pkcs7_deinit(pkcs7);
        app_exit(0);
 }