scepclient: Also number CA certificates in case there is more than one.

Also, only number them if there are multiple certificates.

src/scepclient/scepclient.8

@@ -62,7 +62,9 @@ Do not write log output to stderr.
 .SS Options for CA Certificate Acquisition
 .B \-o, \-\-out cacert[=\fIfilename\fP]
 .RS 4
-Output file of acquired CA certificate. If more then one CA certificate is available, \fIfilename\fP is used as prefix for the resulting files.
+Output file of acquired CA certificate. If more then one CA certificate is
+available, \fIfilename\fP is used as prefix for the resulting files (refer to
+EXAMPLES below for details).
 .br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 .RE
@@ -230,9 +232,11 @@ Changes the log level (-1..4, default: 1)
 .B  ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f
 .RS 4
 Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der.
-If more then one CA certificate is returned, store them in files named caCert.der\-1', caCert.der\-2', etc.
-.br
-Existing files are overwritten.
+If more then one CA certificate is returned, store them in files named
+\'caCert\-1.der\', \'caCert\-2.der\', etc.
+If an RA certificate is returned, store it in a file named \'caCert\-ra.der\'.
+If more than one RA certificate is returned, store them in files named
+\'caCert\-ra\-1.der\', \'caCert\-ra\-2.der\', etc.
 .RE
 .PP
 .B  ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024

src/scepclient/scepclient.c

@@ -222,9 +222,14 @@ static void join_paths(char *target, size_t target_size, char *parent,
  * add a suffix to a given filename, properly handling extensions like '.der'
  */
 static void add_path_suffix(char *target, size_t target_size, char *filename,
-							char *suffix)
+							char *suffix_fmt, ...)
 {
-	char *start, *dot;
+	char suffix[PATH_MAX], *start, *dot;
+	va_list args;
+
+	va_start(args, suffix_fmt);
+	vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
+	va_end(args);
 
 	start = strrchr(filename, '/');
 	start = start ?: filename;
@@ -862,22 +867,50 @@ int main(int argc, char **argv)
 		{
 			enumerator_t *enumerator;
 			certificate_t *cert;
-			int i = 1;
+			int ra_certs = 0, ca_certs = 0;
+			int ra_index = 1, ca_index = 1;
+
+			enumerator = pkcs7->create_certificate_enumerator(pkcs7);
+			while (enumerator->enumerate(enumerator, &cert))
+			{
+				x509_t *x509 = (x509_t*)cert;
+				if (x509->get_flags(x509) & X509_CA)
+				{
+					ca_certs++;
+				}
+				else
+				{
+					ra_certs++;
+				}
+			}
+			enumerator->destroy(enumerator);
 
 			enumerator = pkcs7->create_certificate_enumerator(pkcs7);
 			while (enumerator->enumerate(enumerator, &cert))
 			{
 				x509_t *x509 = (x509_t*)cert;
 				bool ca_cert = x509->get_flags(x509) & X509_CA;
-				char *path = ca_path;
+				char cert_path[PATH_MAX], *path = ca_path;
 
-				if (!ca_cert)
+				if (ca_cert && ca_certs > 1)
+				{
+					add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+									"-%.1d", ca_index++);
+					path = cert_path;
+				}
+				else if (!ca_cert)
 				{	/* use CA name as base for RA certs */
-					char suffix[6], ra_path[PATH_MAX];
-
-					snprintf(suffix, sizeof(suffix), "-ra%0.2d", i++);
-					add_path_suffix(ra_path, sizeof(ra_path), ca_path, suffix);
-					path = ra_path;
+					if (ra_certs > 1)
+					{
+						add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+										"-ra-%.1d", ra_index++);
+					}
+					else
+					{
+						add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+										"-ra");
+					}
+					path = cert_path;
 				}
 
 				if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||