hx509: Add HX509_CERTS_STORE_NO_ROOTS flag

This will allow us to add a --no-roots option to hxtool copy-certificate which is convenient when copying certificate chains from stores that may include root CA certificates.
2022-12-19 16:24:23 -06:00
parent 49c00512a7
commit 6def4750bc
3 changed files with 17 additions and 0 deletions
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -162,6 +162,7 @@ typedef enum {

 /* flags to hx509_certs_store */
 #define HX509_CERTS_STORE_NO_PRIVATE_KEYS		0x04
+#define HX509_CERTS_STORE_NO_ROOTS			0x08


 /* flags to hx509_set_error_string */
--- a/lib/hx509/ks_file.c
+++ b/lib/hx509/ks_file.c
@@ -550,6 +550,14 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
    heim_octet_string data;
    int ret = 0;

+    if ((sc->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+        int self_signed = 0;
+
+        ret = hx509_cert_is_self_signed(context, c, &self_signed);
+        if (ret || self_signed)
+            return ret;
+    }
+
    if (hx509_cert_have_private_key_only(c)) {
        data.length = 0;
        data.data = NULL;
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -525,6 +525,14 @@ store_func(hx509_context context, void *d, hx509_cert c)
    size_t size;
    int ret;

+    if ((ctx->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+        int is_root = 0;
+
+        ret = hx509_cert_is_root(context, c, &is_root);
+        if (ret || is_root)
+            return ret;
+    }
+
    memset(&os, 0, sizeof(os));
    memset(&cb, 0, sizeof(cb));