authorNikos Mavrogiannopoulos <nmav@gnutls.org>2013-03-07 23:04:33 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2013-03-07 23:04:33 +0100
commit3e4a7a0f800c5c218058e1ca19b97d765d03c004 (patch)
tree9ff2964f66216d03d5536d95378fb29e33b7734a
parentb2018a523505279ad822f3b09c3473b5459269ab (diff)
downloadgnutls-3e4a7a0f800c5c218058e1ca19b97d765d03c004.tar.gz
updates in danetool
-rw-r--r--doc/invoke-certtool.texi2
-rw-r--r--doc/invoke-danetool.texi41
-rw-r--r--src/danetool-args.c118
-rw-r--r--src/danetool-args.def26
-rw-r--r--src/danetool-args.h12
-rw-r--r--src/danetool.c8
6 files changed, 138 insertions, 69 deletions
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index c04c1d7f8e..ebdcdedcca 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -6,7 +6,7 @@
#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
#
-# It has been AutoGen-ed March 7, 2013 at 02:56:55 AM by AutoGen 5.16
+# It has been AutoGen-ed March 7, 2013 at 11:22:22 AM by AutoGen 5.16
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
index cb34077cd7..b063e56358 100644
--- a/doc/invoke-danetool.texi
+++ b/doc/invoke-danetool.texi
@@ -6,7 +6,7 @@
#
# DO NOT EDIT THIS FILE (invoke-danetool.texi)
#
-# It has been AutoGen-ed March 1, 2013 at 05:06:53 PM by AutoGen 5.16
+# It has been AutoGen-ed March 7, 2013 at 11:03:39 PM by AutoGen 5.16
# From the definitions ../src/danetool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -66,7 +66,11 @@ USAGE: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
--ca Whether the provided certificate or public key is a Certificate
Authority.
--x509 Use the hash of the X.509 certificate, rather than the public key.
- --local The provided certificate or public key is a local entity.
+ --local This is an alias for 'domain'
+ - enabled by default
+ --domain The provided certificate or public key is issued by the local domain.
+ - disabled as --no-domain
+ - enabled by default
-v, --version[=arg] Output version information and exit
-h, --help Display extended usage information and exit
-!, --more-help Extended usage information passed thru pager
@@ -191,8 +195,22 @@ This option forces the generated record to contain the hash of the full X.509 ce
@anchor{danetool local}
@subsubheading local option
-This is the ``the provided certificate or public key is a local entity.'' option.
-DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
+This is an alias for the domain option,
+@pxref{danetool domain, the domain option documentation}.
+
+@anchor{danetool domain}
+@subsubheading domain option
+
+This is the ``the provided certificate or public key is issued by the local domain.'' option.
+
+@noindent
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+is enabled by default.
+@end itemize
+
+DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.
@anchor{danetool exit status}
@subsubheading danetool exit status
@@ -211,26 +229,27 @@ The operation failed or the command syntax was not valid.
@subsubheading danetool Examples
@subsubheading DANE TLSA RR generation
-To create a DANE TLSA resource record for a CA signed certificate use the following commands.
-
+To create a DANE TLSA resource record for a certificate (or public key)
+that was issued localy and may or may not be signed by a CA use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
@end example
-For a self signed certificate use:
+To create a DANE TLSA resource record for a CA signed certificate, which will
+be marked as such use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --local
+ --no-domain
@end example
-The latter is useful to add in your DNS entry even if your certificate is signed
+The former is useful to add in your DNS entry even if your certificate is signed
by a CA. That way even users who do not trust your CA will be able to verify your
certificate using DANE.
-In order to create a record for the signer of your certificate use:
+In order to create a record for the CA signer of your certificate use the following.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --ca
+ --ca --no-domain
@end example
To read a server's DANE TLSA entry, use:
diff --git a/src/danetool-args.c b/src/danetool-args.c
index 2538974dbf..09825fadaa 100644
--- a/src/danetool-args.c
+++ b/src/danetool-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (danetool-args.c)
*
- * It has been AutoGen-ed March 1, 2013 at 05:01:34 PM by AutoGen 5.16
+ * It has been AutoGen-ed March 7, 2013 at 11:03:28 PM by AutoGen 5.16
* From the definitions danetool-args.def
* and the template file options
*
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
/*
* danetool option static const strings
*/
-static char const danetool_opt_strs[2467] =
+static char const danetool_opt_strs[2520] =
/* 0 */ "danetool @VERSION@\n"
"Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
@@ -148,24 +148,26 @@ static char const danetool_opt_strs[2467] =
/* 1886 */ "Use the hash of the X.509 certificate, rather than the public key.\0"
/* 1953 */ "X509\0"
/* 1958 */ "x509\0"
-/* 1963 */ "The provided certificate or public key is a local entity.\0"
-/* 2021 */ "LOCAL\0"
-/* 2027 */ "local\0"
-/* 2033 */ "Display extended usage information and exit\0"
-/* 2077 */ "help\0"
-/* 2082 */ "Extended usage information passed thru pager\0"
-/* 2127 */ "more-help\0"
-/* 2137 */ "Output version information and exit\0"
-/* 2173 */ "version\0"
-/* 2181 */ "DANETOOL\0"
-/* 2190 */ "danetool - GnuTLS DANE tool - Ver. @VERSION@\n"
+/* 1963 */ "This is an alias for 'domain'\0"
+/* 1993 */ "local\0"
+/* 1999 */ "The provided certificate or public key is issued by the local domain.\0"
+/* 2069 */ "DOMAIN\0"
+/* 2076 */ "no-domain\0"
+/* 2086 */ "Display extended usage information and exit\0"
+/* 2130 */ "help\0"
+/* 2135 */ "Extended usage information passed thru pager\0"
+/* 2180 */ "more-help\0"
+/* 2190 */ "Output version information and exit\0"
+/* 2226 */ "version\0"
+/* 2234 */ "DANETOOL\0"
+/* 2243 */ "danetool - GnuTLS DANE tool - Ver. @VERSION@\n"
"USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
-/* 2293 */ "bug-gnutls@gnu.org\0"
-/* 2312 */ "\n\n\0"
-/* 2315 */ "\n"
+/* 2346 */ "bug-gnutls@gnu.org\0"
+/* 2365 */ "\n\n\0"
+/* 2368 */ "\n"
"Tool to generate and check DNS resource records for the DANE protocol.\n\0"
-/* 2388 */ "danetool @VERSION@\0"
-/* 2407 */ "danetool [options]\n"
+/* 2441 */ "danetool @VERSION@\0"
+/* 2460 */ "danetool [options]\n"
"danetool --help for usage instructions.\n";
/*
@@ -357,19 +359,29 @@ static int const aTlsa_RrMustList[] = {
/*
* local option description:
*/
-#define LOCAL_DESC (danetool_opt_strs+1963)
-#define LOCAL_NAME (danetool_opt_strs+2021)
-#define LOCAL_name (danetool_opt_strs+2027)
-#define LOCAL_FLAGS (OPTST_DISABLED)
+#define LOCAL_DESC (danetool_opt_strs+1963)
+#define LOCAL_NAME NULL
+#define LOCAL_name (danetool_opt_strs+1993)
+#define LOCAL_FLAGS (DOMAIN_FLAGS | OPTST_ALIAS)
+
+/*
+ * domain option description:
+ */
+#define DOMAIN_DESC (danetool_opt_strs+1999)
+#define DOMAIN_NAME (danetool_opt_strs+2069)
+#define NOT_DOMAIN_name (danetool_opt_strs+2076)
+#define NOT_DOMAIN_PFX (danetool_opt_strs+1457)
+#define DOMAIN_name (NOT_DOMAIN_name + 3)
+#define DOMAIN_FLAGS (OPTST_INITENABLED)
/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (danetool_opt_strs+2033)
-#define HELP_name (danetool_opt_strs+2077)
+#define HELP_DESC (danetool_opt_strs+2086)
+#define HELP_name (danetool_opt_strs+2130)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (danetool_opt_strs+2082)
-#define MORE_HELP_name (danetool_opt_strs+2127)
+#define MORE_HELP_DESC (danetool_opt_strs+2135)
+#define MORE_HELP_name (danetool_opt_strs+2180)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC NULL
@@ -382,8 +394,8 @@ static int const aTlsa_RrMustList[] = {
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (danetool_opt_strs+2137)
-#define VER_name (danetool_opt_strs+2173)
+#define VER_DESC (danetool_opt_strs+2190)
+#define VER_name (danetool_opt_strs+2226)
/*
* Declare option callback procedures
*/
@@ -393,7 +405,7 @@ extern tOptProc
optionStackArg, optionTimeDate, optionTimeVal,
optionUnstackArg, optionVendorOption;
static tOptProc
- doOptDebug, doOptInfile, doOptInraw, doUsageOpt;
+ doOptDebug, doOptInfile, doOptInraw, doOptLocal, doUsageOpt;
#define VER_PROC optionPrintVersion
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
@@ -663,9 +675,21 @@ static tOptDesc optDesc[OPTION_CT] = {
/* last opt argumnt */ { NULL }, /* --local */
/* arg list/cookie */ NULL,
/* must/cannot opts */ NULL, NULL,
- /* option proc */ NULL,
+ /* option proc */ doOptLocal,
/* desc, NAME, name */ LOCAL_DESC, LOCAL_NAME, LOCAL_name,
- /* disablement strs */ NULL, NULL },
+ /* disablement strs */ 0, 0 },
+
+ { /* entry idx, value */ 22, VALUE_OPT_DOMAIN,
+ /* equiv idx, value */ 22, VALUE_OPT_DOMAIN,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DOMAIN_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --domain */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DOMAIN_DESC, DOMAIN_NAME, DOMAIN_name,
+ /* disablement strs */ NOT_DOMAIN_name, NOT_DOMAIN_PFX },
{ /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
/* equiv idx value */ NO_EQUIVALENT, VALUE_OPT_VERSION,
@@ -711,14 +735,14 @@ static tOptDesc optDesc[OPTION_CT] = {
*
* Define the danetool Option Environment
*/
-#define zPROGNAME (danetool_opt_strs+2181)
-#define zUsageTitle (danetool_opt_strs+2190)
+#define zPROGNAME (danetool_opt_strs+2234)
+#define zUsageTitle (danetool_opt_strs+2243)
#define zRcName NULL
#define apzHomeList NULL
-#define zBugsAddr (danetool_opt_strs+2293)
-#define zExplain (danetool_opt_strs+2312)
-#define zDetail (danetool_opt_strs+2315)
-#define zFullVersion (danetool_opt_strs+2388)
+#define zBugsAddr (danetool_opt_strs+2346)
+#define zExplain (danetool_opt_strs+2365)
+#define zDetail (danetool_opt_strs+2368)
+#define zFullVersion (danetool_opt_strs+2441)
/* extracted from optcode.tlib near line 350 */
#if defined(ENABLE_NLS)
@@ -732,7 +756,7 @@ static tOptDesc optDesc[OPTION_CT] = {
#define danetool_full_usage (NULL)
-#define danetool_short_usage (danetool_opt_strs+2407)
+#define danetool_short_usage (danetool_opt_strs+2460)
#endif /* not defined __doxygen__ */
@@ -827,6 +851,22 @@ doOptInraw(tOptions* pOptions, tOptDesc* pOptDesc)
USAGE(DANETOOL_EXIT_FAILURE);
}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/**
+ * Code to handle the local option.
+ *
+ * @param pOptions the danetool options data structure
+ * @param pOptDesc the option descriptor for this option.
+ */
+static void
+doOptLocal(tOptions* pOptions, tOptDesc* pOptDesc)
+{
+ int res = optionAlias(pOptions, pOptDesc, INDEX_OPT_DOMAIN);
+ if ((res != 0) && ((pOptions->fOptSet & OPTPROC_ERRSTOP) != 0))
+ USAGE(DANETOOL_EXIT_FAILURE);
+
+}
/* extracted from optmain.tlib near line 1113 */
/**
@@ -891,7 +931,7 @@ tOptions danetoolOptions = {
NO_EQUIVALENT, /* '-#' option index */
NO_EQUIVALENT /* index of default opt */
},
- 25 /* full option count */, 22 /* user option count */,
+ 26 /* full option count */, 23 /* user option count */,
danetool_full_usage, danetool_short_usage,
NULL, NULL,
PKGDATADIR, danetool_packager_info
diff --git a/src/danetool-args.def b/src/danetool-args.def
index 36ffd1e4bb..b22fd41feb 100644
--- a/src/danetool-args.def
+++ b/src/danetool-args.def
@@ -133,8 +133,15 @@ flag = {
flag = {
name = local;
- descrip = "The provided certificate or public key is a local entity.";
- doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.";
+ aliases = domain;
+};
+
+flag = {
+ name = domain;
+ descrip = "The provided certificate or public key is issued by the local domain.";
+ enabled;
+ disable = "no";
+ doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.";
};
doc-section = {
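Review bot: Turning `local` into an alias of `domain` while `domain` carries `enabled;` inverts the old default rather than merely renaming the switch: `--local` used to be opt-in (it was `OPTST_DISABLED` in the generated danetool-args.c) and is now a no-op, and a plain `danetool --tlsa-rr` with no `--no-domain` takes the domain-issued branch that the CA-issued branch used to be the default for (see the `if (domain==0)` hunk in danetool.c in this commit). Scripts that relied on the old default to obtain the CA-validated record types will silently emit a different usage field, so the `doc` string should say so explicitly, e.g. `doc = "... This flag is enabled by default; pass --no-domain for a certificate that must be validated through its CA. The --local flag is retained only as a compatibility alias.";`. The `ds-text` hunk below also misspells `localy` (and the generated invoke-danetool.texi inherits it).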
@@ -151,26 +158,27 @@ doc-section = {
ds-text = <<-_EOT_
@subheading DANE TLSA RR generation
-To create a DANE TLSA resource record for a CA signed certificate use the following commands.
-
+To create a DANE TLSA resource record for a certificate (or public key)
+that was issued localy and may or may not be signed by a CA use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
@end example
-For a self signed certificate use:
+To create a DANE TLSA resource record for a CA signed certificate, which will
+be marked as such use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --local
+ --no-domain
@end example
-The latter is useful to add in your DNS entry even if your certificate is signed
+The former is useful to add in your DNS entry even if your certificate is signed
by a CA. That way even users who do not trust your CA will be able to verify your
certificate using DANE.
-In order to create a record for the signer of your certificate use:
+In order to create a record for the CA signer of your certificate use the following.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --ca
+ --ca --no-domain
@end example
To read a server's DANE TLSA entry, use:
diff --git a/src/danetool-args.h b/src/danetool-args.h
index 1e37cbd966..467d418e5b 100644
--- a/src/danetool-args.h
+++ b/src/danetool-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (danetool-args.h)
*
- * It has been AutoGen-ed March 1, 2013 at 05:01:34 PM by AutoGen 5.16
+ * It has been AutoGen-ed March 7, 2013 at 11:03:28 PM by AutoGen 5.16
* From the definitions danetool-args.def
* and the template file options
*
@@ -89,12 +89,13 @@ typedef enum {
INDEX_OPT_CA = 19,
INDEX_OPT_X509 = 20,
INDEX_OPT_LOCAL = 21,
- INDEX_OPT_VERSION = 22,
- INDEX_OPT_HELP = 23,
- INDEX_OPT_MORE_HELP = 24
+ INDEX_OPT_DOMAIN = 22,
+ INDEX_OPT_VERSION = 23,
+ INDEX_OPT_HELP = 24,
+ INDEX_OPT_MORE_HELP = 25
} teOptIndex;
-#define OPTION_CT 25
+#define OPTION_CT 26
#define DANETOOL_VERSION "@VERSION@"
#define DANETOOL_FULL_VERSION "danetool @VERSION@"
@@ -158,6 +159,7 @@ typedef enum {
#define VALUE_OPT_CA 19
#define VALUE_OPT_X509 20
#define VALUE_OPT_LOCAL 21
+#define VALUE_OPT_DOMAIN 22
#define VALUE_OPT_HELP 'h'
#define VALUE_OPT_MORE_HELP '!'
#define VALUE_OPT_VERSION 'v'
diff --git a/src/danetool.c b/src/danetool.c
index 05e24e1c6f..01c9724cfe 100644
--- a/src/danetool.c
+++ b/src/danetool.c
@@ -55,7 +55,7 @@
static void cmd_parser (int argc, char **argv);
static void dane_info(const char* host, const char* proto, unsigned int port,
- unsigned int ca, unsigned int local, common_info_st * cinfo);
+ unsigned int ca, unsigned int domain, common_info_st * cinfo);
static void dane_check(const char* host, const char* proto, unsigned int port,
common_info_st * cinfo);
@@ -166,7 +166,7 @@ cmd_parser (int argc, char **argv)
if (HAVE_OPT(TLSA_RR))
dane_info (OPT_ARG(HOST), proto, port,
- HAVE_OPT(CA), HAVE_OPT(LOCAL), &cinfo);
+ HAVE_OPT(CA), ENABLED_OPT(DOMAIN), &cinfo);
else if (HAVE_OPT(CHECK))
dane_check (OPT_ARG(CHECK), proto, port,
&cinfo);
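Review bot: `ENABLED_OPT(DOMAIN)` is true unless the caller passes `--no-domain`, so this call now hands `dane_info` a non-zero `domain` by default, whereas the replaced `HAVE_OPT(LOCAL)` defaulted to 0; the classification branch in the last hunk (`if (domain==0)`) therefore picks the other pair of `usage` values for every invocation that does not opt out. Nothing at the call site records that the default flipped, and an operator reading this code will assume the record types are unchanged. A one-line comment would make it visible: `/* --domain is on by default; only --no-domain reaches the CA-validated (domain==0) classification */`. Since `--local` is now an alias that enables `domain` (presumably, from the `OPTST_ALIAS` flags in danetool-args.c), it can no longer select the domain==0 path at all, which is worth stating in the same comment. cmd_parser begins and ends outside this hunk.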
@@ -307,7 +307,7 @@ unsigned vflags = DANE_VFLAG_FAIL_IF_NOT_CHECKED;
}
static void dane_info(const char* host, const char* proto, unsigned int port,
- unsigned int ca, unsigned int local, common_info_st * cinfo)
+ unsigned int ca, unsigned int domain, common_info_st * cinfo)
{
gnutls_pubkey_t pubkey;
gnutls_x509_crt_t crt;
@@ -390,7 +390,7 @@ static void dane_info(const char* host, const char* proto, unsigned int port,
else type = 2;
/* DANE certificate classification crap */
- if (local==0)
+ if (domain==0)
{
if (ca) usage = 0;
else usage = 1;