author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-03-07 23:04:33 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-03-07 23:04:33 +0100 |
commit | 3e4a7a0f800c5c218058e1ca19b97d765d03c004 (patch) | |
tree | 9ff2964f66216d03d5536d95378fb29e33b7734a | |
parent | b2018a523505279ad822f3b09c3473b5459269ab (diff) | |
download | gnutls-3e4a7a0f800c5c218058e1ca19b97d765d03c004.tar.gz |
updates in danetool
-rw-r--r-- | doc/invoke-certtool.texi | 2 | ||||
-rw-r--r-- | doc/invoke-danetool.texi | 41 | ||||
-rw-r--r-- | src/danetool-args.c | 118 | ||||
-rw-r--r-- | src/danetool-args.def | 26 | ||||
-rw-r--r-- | src/danetool-args.h | 12 | ||||
-rw-r--r-- | src/danetool.c | 8 |
6 files changed, 138 insertions, 69 deletions
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi index c04c1d7f8e..ebdcdedcca 100644 --- a/doc/invoke-certtool.texi +++ b/doc/invoke-certtool.texi @@ -6,7 +6,7 @@ # # DO NOT EDIT THIS FILE (invoke-certtool.texi) # -# It has been AutoGen-ed March 7, 2013 at 02:56:55 AM by AutoGen 5.16 +# It has been AutoGen-ed March 7, 2013 at 11:22:22 AM by AutoGen 5.16 # From the definitions ../src/certtool-args.def # and the template file agtexi-cmd.tpl @end ignore diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi index cb34077cd7..b063e56358 100644 --- a/doc/invoke-danetool.texi +++ b/doc/invoke-danetool.texi @@ -6,7 +6,7 @@ # # DO NOT EDIT THIS FILE (invoke-danetool.texi) # -# It has been AutoGen-ed March 1, 2013 at 05:06:53 PM by AutoGen 5.16 +# It has been AutoGen-ed March 7, 2013 at 11:03:39 PM by AutoGen 5.16 # From the definitions ../src/danetool-args.def # and the template file agtexi-cmd.tpl @end ignore @@ -66,7 +66,11 @@ USAGE: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... --ca Whether the provided certificate or public key is a Certificate Authority. --x509 Use the hash of the X.509 certificate, rather than the public key. - --local The provided certificate or public key is a local entity. + --local This is an alias for 'domain' + - enabled by default + --domain The provided certificate or public key is issued by the local domain. + - disabled as --no-domain + - enabled by default -v, --version[=arg] Output version information and exit -h, --help Display extended usage information and exit -!, --more-help Extended usage information passed thru pager 
@@ -191,8 +195,22 @@ This option forces the generated record to contain the hash of the full X.509 ce @anchor{danetool local} @subsubheading local option -This is the ``the provided certificate or public key is a local entity.'' option. -DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity. +This is an alias for the domain option, +@pxref{danetool domain, the domain option documentation}. + +@anchor{danetool domain} +@subsubheading domain option + +This is the ``the provided certificate or public key is issued by the local domain.'' option. + +@noindent +This option has some usage constraints. It: +@itemize @bullet +@item +is enabled by default. +@end itemize + +DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved. @anchor{danetool exit status} @subsubheading danetool exit status 
@@ -211,26 +229,27 @@ The operation failed or the command syntax was not valid. @subsubheading danetool Examples @subsubheading DANE TLSA RR generation -To create a DANE TLSA resource record for a CA signed certificate use the following commands. - +To create a DANE TLSA resource record for a certificate (or public key) +that was issued localy and may or may not be signed by a CA use the following command. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem @end example -For a self signed certificate use: +To create a DANE TLSA resource record for a CA signed certificate, which will +be marked as such use the following command. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \ - --local + --no-domain @end example -The latter is useful to add in your DNS entry even if your certificate is signed +The former is useful to add in your DNS entry even if your certificate is signed by a CA. That way even users who do not trust your CA will be able to verify your certificate using DANE. -In order to create a record for the signer of your certificate use: +In order to create a record for the CA signer of your certificate use the following. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \ - --ca + --ca --no-domain @end example To read a server's DANE TLSA entry, use: diff --git a/src/danetool-args.c b/src/danetool-args.c index 2538974dbf..09825fadaa 100644 --- a/src/danetool-args.c +++ b/src/danetool-args.c @@ -2,7 +2,7 @@ * * DO NOT EDIT THIS FILE (danetool-args.c) * - * It has been AutoGen-ed March 1, 2013 at 05:01:34 PM by AutoGen 5.16 + * It has been AutoGen-ed March 7, 2013 at 11:03:28 PM by AutoGen 5.16 * From the definitions danetool-args.def * and the template file options * 
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
 /*
  * danetool option static const strings
  */
-static char const danetool_opt_strs[2467] =
+static char const danetool_opt_strs[2520] =
 /* 0 */ "danetool @VERSION@\n"
 "Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.\n"
 "This is free software. It is licensed for use, modification and\n"
@@ -148,24 +148,26 @@ static char const danetool_opt_strs[2467] =
 /* 1886 */ "Use the hash of the X.509 certificate, rather than the public key.\0"
 /* 1953 */ "X509\0"
 /* 1958 */ "x509\0"
-/* 1963 */ "The provided certificate or public key is a local entity.\0"
-/* 2021 */ "LOCAL\0"
-/* 2027 */ "local\0"
-/* 2033 */ "Display extended usage information and exit\0"
-/* 2077 */ "help\0"
-/* 2082 */ "Extended usage information passed thru pager\0"
-/* 2127 */ "more-help\0"
-/* 2137 */ "Output version information and exit\0"
-/* 2173 */ "version\0"
-/* 2181 */ "DANETOOL\0"
-/* 2190 */ "danetool - GnuTLS DANE tool - Ver. @VERSION@\n"
+/* 1963 */ "This is an alias for 'domain'\0"
+/* 1993 */ "local\0"
+/* 1999 */ "The provided certificate or public key is issued by the local domain.\0"
+/* 2069 */ "DOMAIN\0"
+/* 2076 */ "no-domain\0"
+/* 2086 */ "Display extended usage information and exit\0"
+/* 2130 */ "help\0"
+/* 2135 */ "Extended usage information passed thru pager\0"
+/* 2180 */ "more-help\0"
+/* 2190 */ "Output version information and exit\0"
+/* 2226 */ "version\0"
+/* 2234 */ "DANETOOL\0"
+/* 2243 */ "danetool - GnuTLS DANE tool - Ver. @VERSION@\n"
 "USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
-/* 2293 */ "bug-gnutls@gnu.org\0"
-/* 2312 */ "\n\n\0"
-/* 2315 */ "\n"
+/* 2346 */ "bug-gnutls@gnu.org\0"
+/* 2365 */ "\n\n\0"
+/* 2368 */ "\n"
 "Tool to generate and check DNS resource records for the DANE protocol.\n\0"
-/* 2388 */ "danetool @VERSION@\0"
-/* 2407 */ "danetool [options]\n"
+/* 2441 */ "danetool @VERSION@\0"
+/* 2460 */ "danetool [options]\n"
 "danetool --help for usage instructions.\n";
 
 /*
@@ -357,19 +359,29 @@ static int const aTlsa_RrMustList[] = {
 /*
  * local option description:
  */
-#define LOCAL_DESC (danetool_opt_strs+1963)
-#define LOCAL_NAME (danetool_opt_strs+2021)
-#define LOCAL_name (danetool_opt_strs+2027)
-#define LOCAL_FLAGS (OPTST_DISABLED)
+#define LOCAL_DESC (danetool_opt_strs+1963)
+#define LOCAL_NAME NULL
+#define LOCAL_name (danetool_opt_strs+1993)
+#define LOCAL_FLAGS (DOMAIN_FLAGS | OPTST_ALIAS)
+
+/*
+ * domain option description:
+ */
+#define DOMAIN_DESC (danetool_opt_strs+1999)
+#define DOMAIN_NAME (danetool_opt_strs+2069)
+#define NOT_DOMAIN_name (danetool_opt_strs+2076)
+#define NOT_DOMAIN_PFX (danetool_opt_strs+1457)
+#define DOMAIN_name (NOT_DOMAIN_name + 3)
+#define DOMAIN_FLAGS (OPTST_INITENABLED)
 
 /*
  * Help/More_Help/Version option descriptions:
  */
-#define HELP_DESC (danetool_opt_strs+2033)
-#define HELP_name (danetool_opt_strs+2077)
+#define HELP_DESC (danetool_opt_strs+2086)
+#define HELP_name (danetool_opt_strs+2130)
 #ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (danetool_opt_strs+2082)
-#define MORE_HELP_name (danetool_opt_strs+2127)
+#define MORE_HELP_DESC (danetool_opt_strs+2135)
+#define MORE_HELP_name (danetool_opt_strs+2180)
 #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
 #else
 #define MORE_HELP_DESC NULL
@@ -382,8 +394,8 @@ static int const aTlsa_RrMustList[] = {
 # define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
 OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
 #endif
-#define VER_DESC (danetool_opt_strs+2137)
-#define VER_name (danetool_opt_strs+2173)
+#define VER_DESC (danetool_opt_strs+2190)
+#define VER_name (danetool_opt_strs+2226)
 /*
  * Declare option callback procedures
  */
@@ -393,7 +405,7 @@ extern tOptProc
 optionStackArg, optionTimeDate, optionTimeVal,
 optionUnstackArg, optionVendorOption;
 static tOptProc
- doOptDebug, doOptInfile, doOptInraw, doUsageOpt;
+ doOptDebug, doOptInfile, doOptInraw, doOptLocal, doUsageOpt;
 #define VER_PROC optionPrintVersion
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
@@ -663,9 +675,21 @@ static tOptDesc optDesc[OPTION_CT] = {
 /* last opt argumnt */ { NULL }, /* --local */
 /* arg list/cookie */ NULL,
 /* must/cannot opts */ NULL, NULL,
- /* option proc */ NULL,
+ /* option proc */ doOptLocal,
 /* desc, NAME, name */ LOCAL_DESC, LOCAL_NAME, LOCAL_name,
- /* disablement strs */ NULL, NULL },
+ /* disablement strs */ 0, 0 },
+
+ { /* entry idx, value */ 22, VALUE_OPT_DOMAIN,
+ /* equiv idx, value */ 22, VALUE_OPT_DOMAIN,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DOMAIN_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --domain */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DOMAIN_DESC, DOMAIN_NAME, DOMAIN_name,
+ /* disablement strs */ NOT_DOMAIN_name, NOT_DOMAIN_PFX },
 
 { /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
 /* equiv idx value */ NO_EQUIVALENT, VALUE_OPT_VERSION,
@@ -711,14 +735,14 @@ static tOptDesc optDesc[OPTION_CT] = { * * Define the danetool Option Environment */ -#define zPROGNAME (danetool_opt_strs+2181) -#define zUsageTitle (danetool_opt_strs+2190) +#define zPROGNAME (danetool_opt_strs+2234) +#define zUsageTitle (danetool_opt_strs+2243) #define zRcName NULL #define apzHomeList NULL -#define zBugsAddr (danetool_opt_strs+2293) -#define zExplain (danetool_opt_strs+2312) -#define zDetail (danetool_opt_strs+2315) -#define zFullVersion (danetool_opt_strs+2388) +#define zBugsAddr (danetool_opt_strs+2346) +#define zExplain (danetool_opt_strs+2365) +#define zDetail (danetool_opt_strs+2368) +#define zFullVersion (danetool_opt_strs+2441) /* extracted from optcode.tlib near line 350 */ #if defined(ENABLE_NLS) @@ -732,7 +756,7 @@ static tOptDesc optDesc[OPTION_CT] = { #define danetool_full_usage (NULL) -#define danetool_short_usage (danetool_opt_strs+2407) +#define danetool_short_usage (danetool_opt_strs+2460) #endif /* not defined __doxygen__ */ @@ -827,6 +851,22 @@ doOptInraw(tOptions* pOptions, tOptDesc* pOptDesc) USAGE(DANETOOL_EXIT_FAILURE); } + +/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ +/** + * Code to handle the local option. + * + * @param pOptions the danetool options data structure + * @param pOptDesc the option descriptor for this option. + */ +static void +doOptLocal(tOptions* pOptions, tOptDesc* pOptDesc) +{ + int res = optionAlias(pOptions, pOptDesc, INDEX_OPT_DOMAIN); + if ((res != 0) && ((pOptions->fOptSet & OPTPROC_ERRSTOP) != 0)) + USAGE(DANETOOL_EXIT_FAILURE); + +} /* extracted from optmain.tlib near line 1113 */ /** @@ -891,7 +931,7 @@ tOptions danetoolOptions = { NO_EQUIVALENT, /* '-#' option index */ NO_EQUIVALENT /* index of default opt */ }, - 25 /* full option count */, 22 /* user option count */, + 26 /* full option count */, 23 /* user option count */, danetool_full_usage, danetool_short_usage, NULL, NULL, PKGDATADIR, danetool_packager_info 
diff --git a/src/danetool-args.def b/src/danetool-args.def index 36ffd1e4bb..b22fd41feb 100644 --- a/src/danetool-args.def +++ b/src/danetool-args.def @@ -133,8 +133,15 @@ flag = { flag = { name = local; - descrip = "The provided certificate or public key is a local entity."; - doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity."; + aliases = domain; +}; + +flag = { + name = domain; + descrip = "The provided certificate or public key is issued by the local domain."; + enabled; + disable = "no"; + doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved."; }; doc-section = { 
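Review bot: The `domain` flag is declared `enabled;` with `disable = "no";`, and `local` becomes a bare `aliases = domain;`, so passing `--local` now has no effect at all — it only re-selects the default — while the only flag that changes the generated record is the new `--no-domain`; neither the alias stub nor the `doc` string tells a user of the old `--local` that the default has been flipped under them. The `doc` text for `domain` should state this explicitly, e.g. append: `This is the default; pass --no-domain to generate a record for a certificate that verifiers are expected to validate through a CA.` The example text in the ds-text hunk below also misspells "localy" (should be "locally").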
@@ -151,26 +158,27 @@ doc-section = { ds-text = <<-_EOT_ @subheading DANE TLSA RR generation -To create a DANE TLSA resource record for a CA signed certificate use the following commands. - +To create a DANE TLSA resource record for a certificate (or public key) +that was issued localy and may or may not be signed by a CA use the following command. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem @end example -For a self signed certificate use: +To create a DANE TLSA resource record for a CA signed certificate, which will +be marked as such use the following command. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \ - --local + --no-domain @end example -The latter is useful to add in your DNS entry even if your certificate is signed +The former is useful to add in your DNS entry even if your certificate is signed by a CA. That way even users who do not trust your CA will be able to verify your certificate using DANE. -In order to create a record for the signer of your certificate use: +In order to create a record for the CA signer of your certificate use the following. @example $ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \ - --ca + --ca --no-domain @end example To read a server's DANE TLSA entry, use: diff --git a/src/danetool-args.h b/src/danetool-args.h index 1e37cbd966..467d418e5b 100644 --- a/src/danetool-args.h +++ b/src/danetool-args.h @@ -2,7 +2,7 @@ * * DO NOT EDIT THIS FILE (danetool-args.h) * - * It has been AutoGen-ed March 1, 2013 at 05:01:34 PM by AutoGen 5.16 + * It has been AutoGen-ed March 7, 2013 at 11:03:28 PM by AutoGen 5.16 * From the definitions danetool-args.def * and the template file options * 
@@ -89,12 +89,13 @@ typedef enum { INDEX_OPT_CA = 19, INDEX_OPT_X509 = 20, INDEX_OPT_LOCAL = 21, - INDEX_OPT_VERSION = 22, - INDEX_OPT_HELP = 23, - INDEX_OPT_MORE_HELP = 24 + INDEX_OPT_DOMAIN = 22, + INDEX_OPT_VERSION = 23, + INDEX_OPT_HELP = 24, + INDEX_OPT_MORE_HELP = 25 } teOptIndex; -#define OPTION_CT 25 +#define OPTION_CT 26 #define DANETOOL_VERSION "@VERSION@" #define DANETOOL_FULL_VERSION "danetool @VERSION@" @@ -158,6 +159,7 @@ typedef enum { #define VALUE_OPT_CA 19 #define VALUE_OPT_X509 20 #define VALUE_OPT_LOCAL 21 +#define VALUE_OPT_DOMAIN 22 #define VALUE_OPT_HELP 'h' #define VALUE_OPT_MORE_HELP '!' #define VALUE_OPT_VERSION 'v' diff --git a/src/danetool.c b/src/danetool.c index 05e24e1c6f..01c9724cfe 100644 --- a/src/danetool.c +++ b/src/danetool.c @@ -55,7 +55,7 @@ static void cmd_parser (int argc, char **argv); static void dane_info(const char* host, const char* proto, unsigned int port, - unsigned int ca, unsigned int local, common_info_st * cinfo); + unsigned int ca, unsigned int domain, common_info_st * cinfo); static void dane_check(const char* host, const char* proto, unsigned int port, common_info_st * cinfo); @@ -166,7 +166,7 @@ cmd_parser (int argc, char **argv) if (HAVE_OPT(TLSA_RR)) dane_info (OPT_ARG(HOST), proto, port, - HAVE_OPT(CA), HAVE_OPT(LOCAL), &cinfo); + HAVE_OPT(CA), ENABLED_OPT(DOMAIN), &cinfo); else if (HAVE_OPT(CHECK)) dane_check (OPT_ARG(CHECK), proto, port, &cinfo); @@ -307,7 +307,7 @@ unsigned vflags = DANE_VFLAG_FAIL_IF_NOT_CHECKED; } static void dane_info(const char* host, const char* proto, unsigned int port, - unsigned int ca, unsigned int local, common_info_st * cinfo) + unsigned int ca, unsigned int domain, common_info_st * cinfo) { gnutls_pubkey_t pubkey; gnutls_x509_crt_t crt; @@ -390,7 +390,7 @@ static void dane_info(const char* host, const char* proto, unsigned int port, else type = 2; /* DANE certificate classification crap */ - if (local==0) + if (domain==0) { if (ca) usage = 0; else usage = 1; |
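Review bot: In `cmd_parser`, `HAVE_OPT(LOCAL)` is replaced by `ENABLED_OPT(DOMAIN)`, which is true unless `--no-domain` is given, so the `if (domain==0)` branch in `dane_info` that assigns `usage = 0`/`usage = 1` is now taken only on explicit request and every invocation without flags takes the other branch (outside the hunk; presumably the non-PKIX DANE usages). The TLSA usage field decides whether a verifier must still perform CA validation, so an unannounced default flip changes what existing scripts publish in DNS without any change to their command lines. The `/* DANE certificate classification crap */` comment should be replaced by one that records the mapping and the default, e.g. `/* domain==0 (only with --no-domain): usage 0 when --ca, else 1, i.e. PKIX validation still required; otherwise the domain-issued usages, which is the default. */`, and the change deserves a NEWS entry. `dane_info`'s body continues outside the hunk.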