From: Nikos Mavrogiannopoulos Date: Mon, 1 Jun 2015 19:37:44 +0000 (+0200) Subject: certtool: improved PKCS #7 verification output X-Git-Tag: gnutls_3_4_2~55 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aeb2a2f0510c81efadcedff83769c6af4f46a21c;p=thirdparty%2Fgnutls.git certtool: improved PKCS #7 verification output
---
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 4b196529cd..6bf86ea7f2 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -289,7 +289,7 @@ flag = {
 flag = {
 name = p7-verify;
 descrip = "Verify the provided PKCS #7 structure";
- doc = "This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with --load-ca-certificate. no certificate list is provided, then the system's certificate list is used.";
+ doc = "This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with --load-ca-certificate. no certificate list is provided, then the system's certificate list is used. A key purpose can be enforced with the --verify-purpose option.";
 };
diff --git a/src/certtool.c b/src/certtool.c
index 48ca6e65ca..07873555be 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2717,7 +2717,7 @@ void verify_crl(common_info_st * cinfo)
 fprintf(outfile, "\n");
 }
-static void print_dn(const gnutls_datum_t *raw)
+static void print_dn(const char *prefix, const gnutls_datum_t *raw)
 {
 gnutls_x509_dn_t dn = NULL;
 gnutls_datum_t str = {NULL, 0};
@@ -2735,7 +2735,7 @@ static void print_dn(const gnutls_datum_t *raw)
 if (ret < 0) goto cleanup;
- fprintf(stderr, "DN: %s\n", str.data);
+ fprintf(stderr, "%s: %s\n", prefix, str.data);
 cleanup: gnutls_x509_dn_deinit(dn);
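Review bot: The early exit `if (ret < 0) goto cleanup;` kept as context in the second print_dn hunk drops the caller's labelled line from the output without any message, so a signer whose issuer DN cannot be decoded is listed with an algorithm and a status but no identity. Since the label is now passed in, the failure path could print it as well, for example `fprintf(stderr, "%s: (cannot be decoded: %s)\n", prefix, gnutls_strerror(ret));` before the jump, assuming ret holds a GnuTLS error code at that point. The start of print_dn's body lies outside both hunks, so any earlier error exits probably need the same treatment. A short comment above the function, `/* Prints "<prefix>: <DN>" to stderr; prints nothing if the DN cannot be parsed. */`, would also document the new parameter.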
@@ -2792,17 +2792,17 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose)
 if (ret < 0) break;
- print_dn(&info.issuer_dn);
- fprintf(stderr, "Algorithm: %s\n\n", gnutls_sign_get_name(info.algo));
+ print_dn("\tSigner's issuer DN", &info.issuer_dn);
+ fprintf(stderr, "\tSignature Algorithm: %s\n", gnutls_sign_get_name(info.algo));
 gnutls_pkcs7_signature_info_deinit(&info);
 ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, NULL, 0);
 if (ret < 0) {
- fprintf(stderr, "Signature verification failed: %s\n", gnutls_strerror(ret));
+ fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
 ecode = 1;
 } else {
- fprintf(stderr, "Signature was verified\n");
+ fprintf(stderr, "\tSignature status: ok\n");
 ecode = 0;
 }
 }
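Review bot: `ecode = 0;` in the success branch runs once per signature, so a signer that verifies clears the `ecode = 1` recorded for an earlier signer that failed. If ecode ends up as the process exit status (the loop header and the exit are outside this hunk), a structure with mixed results is reported as success to any script that checks only the exit code. The per-signer status lines added here make the disagreement visible on stderr but do not change the result. Drop the reset so the branch reads `} else { fprintf(stderr, "\tSignature status: ok\n"); }`, and give ecode its starting value once before the loop so that a failure is sticky.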