oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hx509: Add HX509_CERTS_STORE_NO_ROOTS flag

Browse Source 
This will allow us to add a --no-roots option to

    hxtool copy-certificate

which is convenient when copying certificate chains from stores that may
include root CA certificates.
This commit is contained in:
Nicolas Williams
2022-12-19 16:24:23 -06:00
parent 49c00512a7
commit 6def4750bc
3 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/hx509/hx509.h
View File

@@ -162,6 +162,7 @@ typedef enum {
/* flags to hx509_certs_store */ /* flags to hx509_certs_store */
#define HX509_CERTS_STORE_NO_PRIVATE_KEYS 0x04 #define HX509_CERTS_STORE_NO_PRIVATE_KEYS 0x04
#define HX509_CERTS_STORE_NO_ROOTS 0x08
/* flags to hx509_set_error_string */ /* flags to hx509_set_error_string */

8
lib/hx509/ks_file.c
View File

@@ -550,6 +550,14 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
heim_octet_string data; heim_octet_string data;
int ret = 0; int ret = 0;
if ((sc->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
int self_signed = 0;
ret = hx509_cert_is_self_signed(context, c, &self_signed);
if (ret || self_signed)
return ret;
}
if (hx509_cert_have_private_key_only(c)) { if (hx509_cert_have_private_key_only(c)) {
data.length = 0; data.length = 0;
data.data = NULL; data.data = NULL;

8
lib/hx509/ks_p12.c
View File

@@ -525,6 +525,14 @@ store_func(hx509_context context, void *d, hx509_cert c)
size_t size; size_t size;
int ret; int ret;
if ((ctx->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
int is_root = 0;
ret = hx509_cert_is_root(context, c, &is_root);
if (ret || is_root)
return ret;
}
memset(&os, 0, sizeof(os)); memset(&os, 0, sizeof(os));
memset(&cb, 0, sizeof(cb)); memset(&cb, 0, sizeof(cb));