author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-04-05 08:12:17 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-04-05 08:51:35 +0200 |
commit | 1031e8a1a789fb4865220fe4c5cb8e15a451eb3d (patch) | |
tree | 09060c25deb852a371606145f6d796374ce8b826 | |
parent | 809631ddc7612d41d90e69967c644c1dcb1c9e3b (diff) | |
download | gnutls-1031e8a1a789fb4865220fe4c5cb8e15a451eb3d.tar.gz |
certtool: improved documentation
Incorporated comments made in Lenka Horakova's thesis study.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | src/certtool-args.def | 18 | ||||
-rw-r--r-- | src/certtool-cfg.c | 52 | ||||
-rw-r--r-- | src/certtool-common.c | 26 |
3 files changed, 66 insertions, 30 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def index f832f0f9a9..8cf1ab7be9 100644 --- a/src/certtool-args.def +++ b/src/certtool-args.def @@ -6,8 +6,9 @@ detail = "Tool to parse and generate X.509 certificates, requests and private It can be used interactively or non interactively by specifying the template command line option. -The tool accepts files or URLs supported by GnuTLS. In case PIN is required for the URL -access you can provide it using the environment variables GNUTLS_PIN and GNUTLS_SO_PIN. +The tool accepts files or supported URIs via the --infile option. In case PIN +is required for URI access you can provide it using the environment variables GNUTLS_PIN +and GNUTLS_SO_PIN. "; short-usage = "certtool [options]\ncerttool --help for usage instructions.\n"; explain = ""; @@ -40,7 +41,7 @@ flag = { flag = { name = generate-crl; descrip = "Generate a CRL"; - doc = "This option generates a CRL. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL)."; + doc = "This option generates a Certificate Revocation List. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL)."; }; flag = { 
@@ -88,21 +89,24 @@ flag = { name = verify-chain; value = e; descrip = "Verify a PEM encoded certificate chain"; - doc = "The last certificate in the chain must be a self signed one. It can be combined with --verify-purpose or --verify-hostname."; + doc = "Verifies the validity of a certificate chain. That is, an ordered set of + certificates where each one is the issuer of the previous, and the first is + the end-certificate to be validated. In a proper chain the last certificate + is a self signed one. It can be combined with --verify-purpose or --verify-hostname."; }; flag = { name = verify; - descrip = "Verify a PEM encoded certificate chain using a trusted list"; + descrip = "Verify a PEM encoded certificate (chain) against a trusted set"; doc = "The trusted certificate list can be loaded with --load-ca-certificate. If no -certificate list is provided, then the system's certificate list is used. Note that +certificate list is provided, then the system's trusted certificate list is used. Note that during verification multiple paths may be explored. On a successful verification the successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname."; }; flag = { name = verify-crl; - descrip = "Verify a CRL using a trusted list"; + descrip = "Verify a Certificate Revocation List using a trusted list"; doc = "The trusted certificate list must be loaded with --load-ca-certificate."; flags-must = load-ca-certificate; }; diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c index 6415ee8cf3..107703c047 100644 --- a/src/certtool-cfg.c +++ b/src/certtool-cfg.c 
@@ -813,15 +813,25 @@ void get_crl_dist_point_set(gnutls_x509_crt_t crt) } } else { const char *p; + unsigned int counter = 0; do { - p = read_str - ("Enter the URI of the CRL distribution point: "); + if (counter == 0) { + p = read_str + ("Enter the URI of the CRL distribution point: "); + } else { + p = read_str + ("Enter an additional URI of the CRL distribution point: "); + } if (!p) return; ret = gnutls_x509_crt_set_crl_dist_points (crt, GNUTLS_SAN_URI, p, 0); + if (ret < 0) + break; + + counter++; } while (p); } @@ -1879,10 +1889,16 @@ void get_dc_set(int type, void *crt) } } else { const char *p; + unsigned int counter = 0; do { - p = read_str - ("Enter the subject's domain component (DC): "); + if (counter == 0) { + p = read_str + ("Enter the subject's domain component (DC): "); + } else { + p = read_str + ("Enter an additional domain component (DC): "); + } if (!p) return; @@ -1900,6 +1916,9 @@ void get_dc_set(int type, void *crt) 0, p, strlen (p)); + counter++; + if (ret < 0) + break; } while (p != NULL); } @@ -1940,10 +1959,14 @@ void get_dns_name_set(int type, void *crt) } } else { const char *p; + unsigned int counter = 0; do { - p = read_str - ("Enter a dnsName of the subject of the certificate: "); + if (counter == 0) { + p = read_str("Enter a dnsName of the subject of the certificate: "); + } else { + p = read_str("Enter an additional dnsName of the subject of the certificate: "); + } if (!p) return; @@ -1955,8 +1978,8 @@ void get_dns_name_set(int type, void *crt) ret = gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME, p, strlen(p), GNUTLS_FSAN_APPEND); - } - while (p); + counter++; + } while (p); } if (ret < 0) { 
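Review bot: get_dns_name_set does not receive the `if (ret < 0) break;` that this commit adds to the prompt loops of get_crl_dist_point_set (@@ -813), get_dc_set (@@ -1900) and get_uri_set (@@ -2281); its loop at @@ -1955 only gains `counter++;` before `} while (p);`. Since the body returns as soon as read_str yields NULL, `while (p)` never ends the loop on its own, so the `if (ret < 0) {` that follows the loop is reachable only through a break, and without one a failed gnutls_x509_crq_set_subject_alt_name is simply overwritten by the next iteration's `ret`; adding `if (ret < 0) break;` beside `counter++;` would close that gap and keep the four loops alike. On style, `counter` is only ever tested against zero, so a flag named `first` would state its purpose, and get_crl_dist_point_set breaks before incrementing while get_dc_set and get_uri_set increment before breaking, harmless but worth aligning. Each enclosing function starts before its hunk, so the parts of these loops above the shown lines are not visible here.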
@@ -2266,10 +2289,16 @@ void get_uri_set(int type, void *crt) } } else { const char *p; + unsigned int counter = 0; do { - p = read_str - ("Enter a URI of the subject of the certificate: "); + if (counter == 0) { + p = read_str + ("Enter a URI of the subject of the certificate: "); + } else { + p = read_str + ("Enter an additional URI of the subject of the certificate: "); + } if (!p) return; @@ -2281,6 +2310,9 @@ void get_uri_set(int type, void *crt) ret = gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_URI, p, strlen(p), GNUTLS_FSAN_APPEND); + counter++; + if (ret < 0) + break; } while (p); } diff --git a/src/certtool-common.c b/src/certtool-common.c index 0f47be53b0..4c5d40aa7b 100644 --- a/src/certtool-common.c +++ b/src/certtool-common.c @@ -195,7 +195,7 @@ static gnutls_privkey_t _load_privkey(gnutls_datum_t * dat, } if (ret < 0) { - fprintf(stderr, "importing --load-privkey: %s: %s\n", + fprintf(stderr, "error loading file at --load-privkey: %s: %s\n", info->privkey, gnutls_strerror(ret)); exit(1); } @@ -216,7 +216,7 @@ static gnutls_privkey_t _load_url_privkey(const char *url) ret = gnutls_privkey_import_url(key, url, 0); if (ret < 0) { - fprintf(stderr, "importing key: %s: %s\n", + fprintf(stderr, "error importing key at %s: %s\n", url, gnutls_strerror(ret)); exit(1); } @@ -271,7 +271,7 @@ gnutls_privkey_t load_private_key(int mand, common_info_st * info) dat.size = size; if (!dat.data) { - fprintf(stderr, "error reading --load-privkey: %s\n", + fprintf(stderr, "error reading file at --load-privkey: %s\n", info->privkey); exit(1); } @@ -314,7 +314,7 @@ load_x509_private_key(int mand, common_info_st * info) dat.size = size; if (!dat.data) { - fprintf(stderr, "error reading --load-privkey: %s\n", + fprintf(stderr, "error reading file at --load-privkey: %s\n", info->privkey); exit(1); } 
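Review bot: The new message at @@ -195 in _load_privkey, `"error loading file at --load-privkey: %s: %s\n"`, is printed under an `if (ret < 0)` check that, given the function receives an already-read `gnutls_datum_t`, appears to follow an import rather than a file read, while the commit reserves "error reading file at" for the `!dat.data` branches (@@ -271, @@ -314). The sibling check at @@ -350 in load_x509_private_key is reworded to `"error importing private key: %s: %s\n"`; using the same wording here would tell the user which stage actually failed. _load_privkey's body begins before the hunk, so where `ret` comes from is inferred from the signature rather than shown.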
@@ -350,7 +350,7 @@ load_x509_private_key(int mand, common_info_st * info) } if (ret < 0) { - fprintf(stderr, "importing --load-privkey: %s: %s\n", + fprintf(stderr, "error importing private key: %s: %s\n", info->privkey, gnutls_strerror(ret)); exit(1); } @@ -516,7 +516,7 @@ gnutls_x509_crq_t load_request(common_info_st * info) dat.size = size; if (!dat.data) { - fprintf(stderr, "error reading --load-request: %s\n", + fprintf(stderr, "error reading file at --load-request: %s\n", info->request); exit(1); } @@ -530,7 +530,7 @@ gnutls_x509_crq_t load_request(common_info_st * info) free(dat.data); if (ret < 0) { - fprintf(stderr, "importing --load-request: %s: %s\n", + fprintf(stderr, "error importing certificate request: %s: %s\n", info->request, gnutls_strerror(ret)); exit(1); } @@ -557,7 +557,7 @@ gnutls_privkey_t load_ca_private_key(common_info_st * info) dat.size = size; if (!dat.data) { - fprintf(stderr, "error reading --load-ca-privkey: %s\n", + fprintf(stderr, "error reading file at --load-ca-privkey: %s\n", info->ca_privkey); exit(1); } @@ -596,7 +596,7 @@ gnutls_x509_crt_t load_ca_cert(unsigned mand, common_info_st * info) if (gnutls_url_is_supported(info->ca) != 0) { ret = gnutls_x509_crt_import_url(crt, info->ca, 0); if (ret < 0) { - fprintf(stderr, "error importing --load-ca-certificate: %s: %s\n", + fprintf(stderr, "error importing CA certificate: %s: %s\n", info->ca, gnutls_strerror(ret)); exit(1); } @@ -607,7 +607,7 @@ gnutls_x509_crt_t load_ca_cert(unsigned mand, common_info_st * info) dat.size = size; if (!dat.data) { - fprintf(stderr, "error reading --load-ca-certificate: %s\n", + fprintf(stderr, "error reading file at --load-ca-certificate: %s\n", info->ca); exit(1); } 
@@ -615,7 +615,7 @@ gnutls_x509_crt_t load_ca_cert(unsigned mand, common_info_st * info) ret = gnutls_x509_crt_import(crt, &dat, info->incert_format); free(dat.data); if (ret < 0) { - fprintf(stderr, "error importing --load-ca-certificate: %s: %s\n", + fprintf(stderr, "error importing CA certificate: %s: %s\n", info->ca, gnutls_strerror(ret)); exit(1); } @@ -654,7 +654,7 @@ gnutls_pubkey_t load_pubkey(int mand, common_info_st * info) dat.size = size; if (!dat.data) { - fprintf(stderr, "error reading --load-pubkey: %s\n", info->pubkey); + fprintf(stderr, "error reading file at --load-pubkey: %s\n", info->pubkey); exit(1); } @@ -668,7 +668,7 @@ gnutls_pubkey_t load_pubkey(int mand, common_info_st * info) exit(1); } } else if (ret < 0) { - fprintf(stderr, "importing --load-pubkey: %s: %s\n", + fprintf(stderr, "importing public key: %s: %s\n", info->pubkey, gnutls_strerror(ret)); exit(1); } |
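Review bot: The rewritten message at @@ -668 in load_pubkey, `"importing public key: %s: %s\n"`, is the only import failure in this commit left without the `error ` prefix the others now carry (`error importing private key`, `error importing certificate request`, `error importing CA certificate`). `"error importing public key: %s: %s\n"` would keep the stderr output uniform, which matters for scripts that match on certtool's diagnostics. load_pubkey's body continues outside the hunk.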