Make PKCS7_NOCERTS match documentation.

As documented PKCS7_NOCERTS should only exclude the signer's certificate
and not any supplied in the "certs" parameter. This makes it possible to
exclude the signer's certificate but include other certificates. Applications
that don't want to include other certificates should set "certs" to NULL
anyway.
(cherry picked from commit 5c6f808b66f1a2e0fb2a508b24b845a88803fe3a)
This commit is contained in:
Dr. Stephen Henson 2014-06-02 13:40:00 +01:00
parent db305124f3
commit 812b7246d4

View file

@ -89,13 +89,10 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
goto err;
}
if(!(flags & PKCS7_NOCERTS))
for(i = 0; i < sk_X509_num(certs); i++)
{
for(i = 0; i < sk_X509_num(certs); i++)
{
if (!PKCS7_add_certificate(p7, sk_X509_value(certs, i)))
goto err;
}
if (!PKCS7_add_certificate(p7, sk_X509_value(certs, i)))
goto err;
}
if(flags & PKCS7_DETACHED)