From 1f6fba7c52a8c9bc93eed44a8018c7d22614e8a7 Mon Sep 17 00:00:00 2001
From: David Shaw <dshaw@jabberwocky.com>
Date: Wed, 5 Apr 2006 14:25:40 +0000
Subject: [PATCH] * make-dns-cert.c: Some changes from Peter Palfrader to send
 errors to stderr and allow spaces in a fingerprint.  Also warn when a key is
 over 16k (as that is the default max-cert-size) and fail when a key is over
 64k as that is the DNS limit in many places.

---
 tools/ChangeLog       |  8 ++++++
 tools/make-dns-cert.c | 65 ++++++++++++++++++++++++++++++-------------
 2 files changed, 53 insertions(+), 20 deletions(-)

diff --git a/tools/ChangeLog b/tools/ChangeLog
index 090f2ec27..af68f3a0c 100644
--- a/tools/ChangeLog
+++ b/tools/ChangeLog
@@ -1,3 +1,11 @@
+2006-04-05  David Shaw  <dshaw@jabberwocky.com>
+
+	* make-dns-cert.c: Some changes from Peter Palfrader to send
+	errors to stderr and allow spaces in a fingerprint.  Also warn
+	when a key is over 16k (as that is the default max-cert-size) and
+	fail when a key is over 64k as that is the DNS limit in many
+	places.
+
 2006-04-04  David Shaw  <dshaw@jabberwocky.com>
 
 	* make-dns-cert.c: New program to generate properly formatted CERT
diff --git a/tools/make-dns-cert.c b/tools/make-dns-cert.c
index 6cf92645d..4d63f2b4f 100644
--- a/tools/make-dns-cert.c
+++ b/tools/make-dns-cert.c
@@ -44,23 +44,28 @@ cert_key(const char *name,const char *keyfile)
   fd=open(keyfile,O_RDONLY);
   if(fd==-1)
     {
-      printf("Cannot open key file %s: %s\n",keyfile,strerror(errno));
+      fprintf(stderr,"Cannot open key file %s: %s\n",keyfile,strerror(errno));
       return 1;
     }
 
   err=fstat(fd,&statbuf);
   if(err==-1)
     {
-      printf("Unable to stat key file %s: %s\n",keyfile,strerror(errno));
+      fprintf(stderr,"Unable to stat key file %s: %s\n",
+	      keyfile,strerror(errno));
       goto fail;
     }
 
-  if(statbuf.st_size>32768)
+  if(statbuf.st_size>65536)
     {
-      printf("Key %s too large for CERT encoding\n",keyfile);
+      fprintf(stderr,"Key %s too large for CERT encoding\n",keyfile);
       goto fail;
     }
 
+  if(statbuf.st_size>16384)
+    fprintf(stderr,"Warning: key file %s is larger than the default"
+	    " GnuPG max-cert-size\n",keyfile);
+
   printf("%s\tTYPE37\t\\# %u 0003 0000 00 ",
 	 name,(unsigned int)statbuf.st_size+5);
 
@@ -72,7 +77,8 @@ cert_key(const char *name,const char *keyfile)
       err=read(fd,buffer,1024);
       if(err==-1)
 	{
-	  printf("Unable to read key file %s: %s\n",keyfile,strerror(errno));
+	  fprintf(stderr,"Unable to read key file %s: %s\n",
+		  keyfile,strerror(errno));
 	  goto fail;
 	}
 
@@ -97,10 +103,28 @@ url_key(const char *name,const char *fpr,const char *url)
 
   if(fpr)
     {
-      fprlen=strlen(fpr);
+      const char *tmp = fpr;
+      while (*tmp)
+	{
+	  if ((*tmp >= 'A' && *tmp <= 'F') ||
+	      (*tmp >= 'a' && *tmp <= 'f') ||
+	      (*tmp >= '0' && *tmp <= '9'))
+	    {
+	      fprlen++;
+	    }
+	  else if (*tmp != ' ' && *tmp != '\t')
+	    {
+	      fprintf(stderr,"Fingerprint must consist of only hex digits"
+		      " and whitespace\n");
+	      return 1;
+	    }
+
+	  tmp++;
+	}
+
       if(fprlen%2)
 	{
-	  printf("Fingerprint must be an even number of characters\n");
+	  fprintf(stderr,"Fingerprint must be an even number of characters\n");
 	  return 1;
 	}
 
@@ -113,7 +137,8 @@ url_key(const char *name,const char *fpr,const char *url)
 
   if(!fpr && !url)
     {
-      printf("Cannot generate a CERT without either a fingerprint or URL\n");
+      fprintf(stderr,
+	      "Cannot generate a CERT without either a fingerprint or URL\n");
       return 1;
     }
 
@@ -136,13 +161,13 @@ url_key(const char *name,const char *fpr,const char *url)
 }
 
 static void
-usage(void)
+usage(FILE *stream)
 {
-  printf("make-dns-cert\n");
-  printf("\t-f\tfingerprint\n");
-  printf("\t-u\tURL\n");
-  printf("\t-k\tkey file\n");
-  printf("\t-n\tDNS name\n");
+  fprintf(stream,"make-dns-cert\n");
+  fprintf(stream,"\t-f\tfingerprint\n");
+  fprintf(stream,"\t-u\tURL\n");
+  fprintf(stream,"\t-k\tkey file\n");
+  fprintf(stream,"\t-n\tDNS name\n");
 }
 
 int
@@ -153,7 +178,7 @@ main(int argc,char *argv[])
 
   if(argc==1)
     {
-      usage();
+      usage(stderr);
       return 0;
     }
   else if(argc>1 && strcmp(argv[1],"--version")==0)
@@ -163,7 +188,7 @@ main(int argc,char *argv[])
     }
   else if(argc>1 && strcmp(argv[1],"--help")==0)
     {
-      usage();
+      usage(stdout);
       return 0;
     }
 
@@ -172,7 +197,7 @@ main(int argc,char *argv[])
       {
       default:
       case 'h':
-	usage();
+	usage(stdout);
 	exit(0);
 
       case 'f':
@@ -194,14 +219,14 @@ main(int argc,char *argv[])
 
   if(!name)
     {
-      printf("No name provided\n");
+      fprintf(stderr,"No name provided\n");
       return 1;
     }
 
   if(keyfile && (fpr || url))
     {
-      printf("Cannot generate a CERT record with both a keyfile and"
-	     " a fingerprint or URL\n");
+      fprintf(stderr,"Cannot generate a CERT record with both a keyfile and"
+	      " a fingerprint or URL\n");
       return 1;
     }