authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-05 08:12:17 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-05 08:51:35 +0200
commit1031e8a1a789fb4865220fe4c5cb8e15a451eb3d (patch)
tree09060c25deb852a371606145f6d796374ce8b826
parent809631ddc7612d41d90e69967c644c1dcb1c9e3b (diff)
downloadgnutls-1031e8a1a789fb4865220fe4c5cb8e15a451eb3d.tar.gz
certtool: improved documentation
Incorporated comments made in Lenka Horakova's thesis study. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/certtool-args.def18
-rw-r--r--src/certtool-cfg.c52
-rw-r--r--src/certtool-common.c26
3 files changed, 66 insertions, 30 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index f832f0f9a9..8cf1ab7be9 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -6,8 +6,9 @@ detail = "Tool to parse and generate X.509 certificates, requests and private
It can be used interactively or non interactively by
specifying the template command line option.
-The tool accepts files or URLs supported by GnuTLS. In case PIN is required for the URL
-access you can provide it using the environment variables GNUTLS_PIN and GNUTLS_SO_PIN.
+The tool accepts files or supported URIs via the --infile option. In case PIN
+is required for URI access you can provide it using the environment variables GNUTLS_PIN
+and GNUTLS_SO_PIN.
";
short-usage = "certtool [options]\ncerttool --help for usage instructions.\n";
explain = "";
@@ -40,7 +41,7 @@ flag = {
flag = {
name = generate-crl;
descrip = "Generate a CRL";
- doc = "This option generates a CRL. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL).";
+ doc = "This option generates a Certificate Revocation List. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL).";
};
flag = {
@@ -88,21 +89,24 @@ flag = {
name = verify-chain;
value = e;
descrip = "Verify a PEM encoded certificate chain";
- doc = "The last certificate in the chain must be a self signed one. It can be combined with --verify-purpose or --verify-hostname.";
+ doc = "Verifies the validity of a certificate chain. That is, an ordered set of
+ certificates where each one is the issuer of the previous, and the first is
+ the end-certificate to be validated. In a proper chain the last certificate
+ is a self signed one. It can be combined with --verify-purpose or --verify-hostname.";
};
flag = {
name = verify;
- descrip = "Verify a PEM encoded certificate chain using a trusted list";
+ descrip = "Verify a PEM encoded certificate (chain) against a trusted set";
doc = "The trusted certificate list can be loaded with --load-ca-certificate. If no
-certificate list is provided, then the system's certificate list is used. Note that
+certificate list is provided, then the system's trusted certificate list is used. Note that
during verification multiple paths may be explored. On a successful verification
the successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname.";
};
flag = {
name = verify-crl;
- descrip = "Verify a CRL using a trusted list";
+ descrip = "Verify a Certificate Revocation List using a trusted list";
doc = "The trusted certificate list must be loaded with --load-ca-certificate.";
flags-must = load-ca-certificate;
};
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 6415ee8cf3..107703c047 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -813,15 +813,25 @@ void get_crl_dist_point_set(gnutls_x509_crt_t crt)
}
} else {
const char *p;
+ unsigned int counter = 0;
do {
- p = read_str
- ("Enter the URI of the CRL distribution point: ");
+ if (counter == 0) {
+ p = read_str
+ ("Enter the URI of the CRL distribution point: ");
+ } else {
+ p = read_str
+ ("Enter an additional URI of the CRL distribution point: ");
+ }
if (!p)
return;
ret = gnutls_x509_crt_set_crl_dist_points
(crt, GNUTLS_SAN_URI, p, 0);
+ if (ret < 0)
+ break;
+
+ counter++;
}
while (p);
}
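Review bot: With `if (!p) return;` guarding every iteration, the `while (p)` condition at the end of this hunk can never be false, so the interactive loop in get_crl_dist_point_set now terminates only through the added `if (ret < 0) break;` or that return; writing the condition as `while (1)` would state that intent, and the same applies to the get_dc_set and get_uri_set hunks that add the same break. The placement of `counter++` relative to the break also differs between this hunk (break first) and the get_dc_set/get_uri_set hunks (increment first); it makes no behavioral difference since counter is only read when choosing the prompt, but one order would be easier to scan. How ret is handled after the break lies outside the hunk.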
@@ -1879,10 +1889,16 @@ void get_dc_set(int type, void *crt)
}
} else {
const char *p;
+ unsigned int counter = 0;
do {
- p = read_str
- ("Enter the subject's domain component (DC): ");
+ if (counter == 0) {
+ p = read_str
+ ("Enter the subject's domain component (DC): ");
+ } else {
+ p = read_str
+ ("Enter an additional domain component (DC): ");
+ }
if (!p)
return;
@@ -1900,6 +1916,9 @@ void get_dc_set(int type, void *crt)
0, p,
strlen
(p));
+ counter++;
+ if (ret < 0)
+ break;
}
while (p != NULL);
}
@@ -1940,10 +1959,14 @@ void get_dns_name_set(int type, void *crt)
}
} else {
const char *p;
+ unsigned int counter = 0;
do {
- p = read_str
- ("Enter a dnsName of the subject of the certificate: ");
+ if (counter == 0) {
+ p = read_str("Enter a dnsName of the subject of the certificate: ");
+ } else {
+ p = read_str("Enter an additional dnsName of the subject of the certificate: ");
+ }
if (!p)
return;
@@ -1955,8 +1978,8 @@ void get_dns_name_set(int type, void *crt)
ret = gnutls_x509_crq_set_subject_alt_name
(crt, GNUTLS_SAN_DNSNAME, p, strlen(p),
GNUTLS_FSAN_APPEND);
- }
- while (p);
+ counter++;
+ } while (p);
}
if (ret < 0) {
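Review bot: Unlike the sibling loops this commit touches (get_crl_dist_point_set, get_dc_set, get_uri_set), the interactive loop in get_dns_name_set gets `counter++` but no `if (ret < 0) break;`, so a failure from gnutls_x509_crq_set_subject_alt_name is overwritten by the next iteration and the `if (ret < 0)` check visible after the loop is never reached from this branch, because the only other exit is the `if (!p) return;` inside the loop once the user enters an empty line. Adding `if (ret < 0) break;` next to `counter++` would route the error to that check like the other three functions. The crt-side call of this loop and the start of get_dns_name_set are outside the hunk, so the crt branch presumably needs the same treatment — confirm.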
@@ -2266,10 +2289,16 @@ void get_uri_set(int type, void *crt)
}
} else {
const char *p;
+ unsigned int counter = 0;
do {
- p = read_str
- ("Enter a URI of the subject of the certificate: ");
+ if (counter == 0) {
+ p = read_str
+ ("Enter a URI of the subject of the certificate: ");
+ } else {
+ p = read_str
+ ("Enter an additional URI of the subject of the certificate: ");
+ }
if (!p)
return;
@@ -2281,6 +2310,9 @@ void get_uri_set(int type, void *crt)
ret = gnutls_x509_crq_set_subject_alt_name
(crt, GNUTLS_SAN_URI, p, strlen(p),
GNUTLS_FSAN_APPEND);
+ counter++;
+ if (ret < 0)
+ break;
}
while (p);
}
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 0f47be53b0..4c5d40aa7b 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -195,7 +195,7 @@ static gnutls_privkey_t _load_privkey(gnutls_datum_t * dat,
}
if (ret < 0) {
- fprintf(stderr, "importing --load-privkey: %s: %s\n",
+ fprintf(stderr, "error loading file at --load-privkey: %s: %s\n",
info->privkey, gnutls_strerror(ret));
exit(1);
}
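Review bot: The new message `error loading file at --load-privkey` is printed on the ret < 0 path of _load_privkey, which per the hunk header takes an already-read `gnutls_datum_t *dat`, so what failed here is the import of the key material rather than loading a file; the file-read failures are reported separately as `error reading file at --load-privkey` in the load_private_key hunk. Using `"error importing private key: %s: %s\n"` here would match the wording this commit chooses for the same situation in load_x509_private_key and avoid pointing the user at the wrong step. The rest of _load_privkey lies outside the hunk.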
@@ -216,7 +216,7 @@ static gnutls_privkey_t _load_url_privkey(const char *url)
ret = gnutls_privkey_import_url(key, url, 0);
if (ret < 0) {
- fprintf(stderr, "importing key: %s: %s\n",
+ fprintf(stderr, "error importing key at %s: %s\n",
url, gnutls_strerror(ret));
exit(1);
}
@@ -271,7 +271,7 @@ gnutls_privkey_t load_private_key(int mand, common_info_st * info)
dat.size = size;
if (!dat.data) {
- fprintf(stderr, "error reading --load-privkey: %s\n",
+ fprintf(stderr, "error reading file at --load-privkey: %s\n",
info->privkey);
exit(1);
}
@@ -314,7 +314,7 @@ load_x509_private_key(int mand, common_info_st * info)
dat.size = size;
if (!dat.data) {
- fprintf(stderr, "error reading --load-privkey: %s\n",
+ fprintf(stderr, "error reading file at --load-privkey: %s\n",
info->privkey);
exit(1);
}
@@ -350,7 +350,7 @@ load_x509_private_key(int mand, common_info_st * info)
}
if (ret < 0) {
- fprintf(stderr, "importing --load-privkey: %s: %s\n",
+ fprintf(stderr, "error importing private key: %s: %s\n",
info->privkey, gnutls_strerror(ret));
exit(1);
}
@@ -516,7 +516,7 @@ gnutls_x509_crq_t load_request(common_info_st * info)
dat.size = size;
if (!dat.data) {
- fprintf(stderr, "error reading --load-request: %s\n",
+ fprintf(stderr, "error reading file at --load-request: %s\n",
info->request);
exit(1);
}
@@ -530,7 +530,7 @@ gnutls_x509_crq_t load_request(common_info_st * info)
free(dat.data);
if (ret < 0) {
- fprintf(stderr, "importing --load-request: %s: %s\n",
+ fprintf(stderr, "error importing certificate request: %s: %s\n",
info->request, gnutls_strerror(ret));
exit(1);
}
@@ -557,7 +557,7 @@ gnutls_privkey_t load_ca_private_key(common_info_st * info)
dat.size = size;
if (!dat.data) {
- fprintf(stderr, "error reading --load-ca-privkey: %s\n",
+ fprintf(stderr, "error reading file at --load-ca-privkey: %s\n",
info->ca_privkey);
exit(1);
}
@@ -596,7 +596,7 @@ gnutls_x509_crt_t load_ca_cert(unsigned mand, common_info_st * info)
if (gnutls_url_is_supported(info->ca) != 0) {
ret = gnutls_x509_crt_import_url(crt, info->ca, 0);
if (ret < 0) {
- fprintf(stderr, "error importing --load-ca-certificate: %s: %s\n",
+ fprintf(stderr, "error importing CA certificate: %s: %s\n",
info->ca, gnutls_strerror(ret));
exit(1);
}
@@ -607,7 +607,7 @@ gnutls_x509_crt_t load_ca_cert(unsigned mand, common_info_st * info)
dat.size = size;
if (!dat.data) {
- fprintf(stderr, "error reading --load-ca-certificate: %s\n",
+ fprintf(stderr, "error reading file at --load-ca-certificate: %s\n",
info->ca);
exit(1);
}
@@ -615,7 +615,7 @@ gnutls_x509_crt_t load_ca_cert(unsigned mand, common_info_st * info)
ret = gnutls_x509_crt_import(crt, &dat, info->incert_format);
free(dat.data);
if (ret < 0) {
- fprintf(stderr, "error importing --load-ca-certificate: %s: %s\n",
+ fprintf(stderr, "error importing CA certificate: %s: %s\n",
info->ca, gnutls_strerror(ret));
exit(1);
}
@@ -654,7 +654,7 @@ gnutls_pubkey_t load_pubkey(int mand, common_info_st * info)
dat.size = size;
if (!dat.data) {
- fprintf(stderr, "error reading --load-pubkey: %s\n", info->pubkey);
+ fprintf(stderr, "error reading file at --load-pubkey: %s\n", info->pubkey);
exit(1);
}
@@ -668,7 +668,7 @@ gnutls_pubkey_t load_pubkey(int mand, common_info_st * info)
exit(1);
}
} else if (ret < 0) {
- fprintf(stderr, "importing --load-pubkey: %s: %s\n",
+ fprintf(stderr, "importing public key: %s: %s\n",
info->pubkey, gnutls_strerror(ret));
exit(1);
}
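Review bot: The new message `importing public key: %s: %s` is the only one in this commit that lacks the `error` prefix; the parallel import-failure messages for the private key, request and CA certificate all read `error importing ...`. Changing the line to `fprintf(stderr, "error importing public key: %s: %s\n",` keeps certtool's stderr output consistent and grep-able by a common prefix for anyone scripting around it. load_pubkey's remaining body is outside the hunk.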