fix p7b multi certs

Signed-off-by: Li Chaoran <[email protected]>
pkking · Nov 13, 2023 · 56747c5 · 56747c5
1 parent d1835ef
commit 56747c5
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 11 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "efi_signer"
-version = "0.2.6"
+version = "0.2.7"
 edition = "2021"
 authors = ["Li Chaoran <[email protected]>"]
 description = "A crates for signing and parsing EFI image"

diff --git a/examples/main.rs b/examples/main.rs
@@ -48,8 +48,9 @@ enum Commands {
 
 #[derive(Args)]
 struct P7b {
-    #[arg(help = "PEM cert to convert")]
-    path: String,
+    #[arg(short, long, action(clap::ArgAction::Append))]
+    #[arg(help = "PEM certs to convert")]
+    cert: Option<Vec<String>>,
     #[arg(help = "PKCS7 output file path")]
     output: String,
 }
@@ -80,14 +81,15 @@ struct Sign {
     output: String,
 }
 
-fn p7b(path: &str, output: &str) {
-    let pem_file_content = read(path).unwrap();
-    let pem_str = str::from_utf8(&pem_file_content).unwrap();
-    debug!("read cert: {}", pem_str);
+fn p7b(paths: Vec<String>, output: &str) {
+    let mut bufs: Vec<Vec<u8>> = vec![];
+    for path in paths.iter() {
+        let pem_file_content = read(path).unwrap();
 
-    let p7 = efi_signer::EfiImage::pem_to_p7(&pem_file_content).unwrap();
-    //debug!("pkcs7 info: {:?}", p7_pem);
-    //debug!("openssl p7topem {:?}", p7.to_pem().unwrap());
+        debug!("read cert: {}", path);
+        bufs.push(pem_file_content);
+    }
+    let p7 = efi_signer::EfiImage::pems_to_p7(bufs).unwrap();
 
     let mut file = std::fs::File::create(output).unwrap();
     file.write_all(&p7).unwrap();
@@ -163,6 +165,6 @@ fn main() {
     match app.command {
         Commands::Parse(p) => parse(&p.path, p.certs),
         Commands::Sign(s) => sign(&s.path, &s.output, &s.key, &s.cert, s.detach),
-        Commands::P7b(p) => p7b(&p.path, &p.output),
+        Commands::P7b(p) => p7b(p.cert.unwrap(), &p.output),
     }
 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -256,6 +256,28 @@ impl<'a> EfiImage<'a> {
             .to_vec())
     }
 
+    pub fn pems_to_p7(bufs: Vec<Vec<u8>>) -> Result<Vec<u8>> {
+        let mut certs: Vec<x509_cert::certificate::CertificateInner> = vec![];
+        for buf in bufs.iter() {
+            certs.push(x509_cert::Certificate::from_pem(buf).context(ConvertPEM2PKCS7Snafu {})?);
+        }
+
+        // this method will result a slight difference p7b cert compared using openssl
+        // see: https://github.com/RustCrypto/formats/issues/1030
+        let p7b_der = ContentInfo::try_from(certs)
+            .context(ConvertPEM2PKCS7Snafu {})?
+            .to_der()
+            .context(ConvertPEM2PKCS7Snafu {})?;
+        let p7 = Pkcs7::from_der(&p7b_der).context(ParseCertificateSnafu {})?;
+        debug!("p7b info: {:#?}", p7);
+        Ok(p7
+            .to_pem()
+            .context(ParseCertificateSnafu {})?
+            .to_string()
+            .as_bytes()
+            .to_vec())
+    }
+
     fn check_sum(mut checksum: u32, data: &[u8], mut steps: usize) -> Result<u32> {
         if steps > 0 {
             let mut rdr = Cursor::new(data);