From 6def4750bcd1f27fc49ec34b178a28ce1e0e57a7 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Mon, 19 Dec 2022 16:24:23 -0600
Subject: [PATCH] hx509: Add HX509_CERTS_STORE_NO_ROOTS flag

This will allow us to add a --no-roots option to hxtool copy-certificate which is convenient when copying certificate chains from stores that may include root CA certificates.
---
lib/hx509/hx509.h | 1 +
lib/hx509/ks_file.c | 8 ++++++++
lib/hx509/ks_p12.c | 8 ++++++++
3 files changed, 17 insertions(+)

diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h
index 75d64734b..6bd36e98b 100644
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -162,6 +162,7 @@ typedef enum {
 /* flags to hx509_certs_store */
 #define HX509_CERTS_STORE_NO_PRIVATE_KEYS 0x04
+#define HX509_CERTS_STORE_NO_ROOTS 0x08
 /* flags to hx509_set_error_string */
diff --git a/lib/hx509/ks_file.c b/lib/hx509/ks_file.c
index 880668b45..6d8c77bd2 100644
--- a/lib/hx509/ks_file.c
+++ b/lib/hx509/ks_file.c
@@ -550,6 +550,14 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
 heim_octet_string data;
 int ret = 0;
+ if ((sc->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+ int self_signed = 0;
+
+ ret = hx509_cert_is_self_signed(context, c, &self_signed);
+ if (ret || self_signed)
+ return ret;
+ }
+
 if (hx509_cert_have_private_key_only(c)) {
 data.length = 0;
 data.data = NULL;
diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c
index 953ce7880..1e9a92a4f 100644
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -525,6 +525,14 @@ store_func(hx509_context context, void *d, hx509_cert c)
 size_t size;
 int ret;
+ if ((ctx->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+ int is_root = 0;
+
+ ret = hx509_cert_is_root(context, c, &is_root);
+ if (ret || is_root)
+ return ret;
+ }
+
 memset(&os, 0, sizeof(os));
 memset(&cb, 0, sizeof(cb));
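Review bot: The new HX509_CERTS_STORE_NO_ROOTS define in hx509.h carries no comment saying which certificates a store skips when the flag is set, and the two backends in this same patch answer that question differently (ks_file.c consults hx509_cert_is_self_signed, ks_p12.c consults hx509_cert_is_root). Since the neighbouring HX509_CERTS_STORE_NO_PRIVATE_KEYS line is also undocumented, a one-line comment above the new define would fix the contract the backends must follow, e.g. `/* do not store root CA certificates (as judged by hx509_cert_is_root) */`, with the predicate named being whichever one the author intends. That comment then gives reviewers something to check each ks_*.c implementation against.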
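Review bot: The guard added to store_func in ks_file.c skips certificates that `hx509_cert_is_self_signed` reports as self-signed, while the parallel guard added to store_func in ks_p12.c skips those that `hx509_cert_is_root` reports as roots, so the same HX509_CERTS_STORE_NO_ROOTS flag filters a different set of certificates depending on the store type. A self-signed certificate is not necessarily a root CA (self-signed end-entity certificates exist), so a chain copied with --no-roots may lose or keep such a certificate purely by backend — what hx509_cert_is_root additionally requires is not visible in this patch, so the exact divergence is inferred. Both backends should use one predicate; if "root" is the intended meaning, the ks_file.c lines become `int is_root = 0;`, `ret = hx509_cert_is_root(context, c, &is_root);` and `if (ret || is_root)`. The body of store_func continues outside the hunk in both files.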