1 files changed, 857 insertions, 0 deletions

diff --git a/src/certtool-options.c b/src/certtool-options.c
new file mode 100644
index 0000000..0c97da3
--- /dev/null
+++ b/src/certtool-options.c
@@ -0,0 +1,857 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "certtool-options.h"
+#include <errno.h>
+#include <error.h>
+#include <getopt.h>
+#include <limits.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#ifndef _WIN32
+#include <unistd.h>
+#endif /* !_WIN32 */
+#include <limits.h>
+
+struct certtool_options certtool_options;
+
+static long
+parse_number (const char *arg)
+{
+  char *endptr = NULL;
+  errno = 0;
+  long result;
+
+  if (strncmp (arg, "0x", 2) == 0)
+    result = strtol (arg + 2, &endptr, 16);
+  else if (strncmp (arg, "0", 1) == 0
+           && strspn (arg, "012345678") == strlen (optarg))
+    result = strtol (arg + 1, &endptr, 8);
+  else
+    result = strtol (arg, &endptr, 10);
+
+  if (errno != 0 || (endptr && *endptr != '\0'))
+    error (EXIT_FAILURE, errno, "'%s' is not a recognizable number.",
+           arg);
+
+  return result;
+}
+
+/* Long options.  */
+static const struct option long_options[] =
+{
+  { "debug", required_argument, 0, 'd' },
+  { "verbose", no_argument, 0, 'V' },
+  { "infile", required_argument, 0, CHAR_MAX + 1 },
+  { "outfile", required_argument, 0, CHAR_MAX + 2 },
+  { "certificate-info", no_argument, 0, 'i' },
+  { "pubkey-info", no_argument, 0, CHAR_MAX + 3 },
+  { "generate-self-signed", no_argument, 0, 's' },
+  { "generate-certificate", no_argument, 0, 'c' },
+  { "generate-proxy", no_argument, 0, CHAR_MAX + 4 },
+  { "update-certificate", no_argument, 0, 'u' },
+  { "fingerprint", no_argument, 0, CHAR_MAX + 5 },
+  { "key-id", no_argument, 0, CHAR_MAX + 6 },
+  { "certificate-pubkey", no_argument, 0, CHAR_MAX + 7 },
+  { "v1", no_argument, 0, CHAR_MAX + 8 },
+  { "sign-params", required_argument, 0, CHAR_MAX + 9 },
+  { "crq-info", no_argument, 0, CHAR_MAX + 10 },
+  { "generate-request", no_argument, 0, 'q' },
+  { "no-crq-extensions", no_argument, 0, CHAR_MAX + 11 },
+  { "p12-info", no_argument, 0, CHAR_MAX + 12 },
+  { "p12-name", required_argument, 0, CHAR_MAX + 13 },
+  { "to-p12", no_argument, 0, CHAR_MAX + 14 },
+  { "key-info", no_argument, 0, 'k' },
+  { "p8-info", no_argument, 0, CHAR_MAX + 15 },
+  { "to-rsa", no_argument, 0, CHAR_MAX + 16 },
+  { "generate-privkey", no_argument, 0, 'p' },
+  { "key-type", required_argument, 0, CHAR_MAX + 17 },
+  { "bits", required_argument, 0, CHAR_MAX + 18 },
+  { "curve", required_argument, 0, CHAR_MAX + 19 },
+  { "sec-param", required_argument, 0, CHAR_MAX + 20 },
+  { "to-p8", no_argument, 0, CHAR_MAX + 21 },
+  { "pkcs8", no_argument, 0, '8' },
+  { "provable", no_argument, 0, CHAR_MAX + 22 },
+  { "verify-provable-privkey", no_argument, 0, CHAR_MAX + 23 },
+  { "seed", required_argument, 0, CHAR_MAX + 24 },
+  { "crl-info", no_argument, 0, 'l' },
+  { "generate-crl", no_argument, 0, CHAR_MAX + 25 },
+  { "verify-crl", no_argument, 0, CHAR_MAX + 26 },
+  { "verify-chain", no_argument, 0, 'e' },
+  { "verify", no_argument, 0, CHAR_MAX + 27 },
+  { "verify-hostname", required_argument, 0, CHAR_MAX + 28 },
+  { "verify-email", required_argument, 0, CHAR_MAX + 29 },
+  { "verify-purpose", required_argument, 0, CHAR_MAX + 30 },
+  { "verify-allow-broken", no_argument, 0, CHAR_MAX + 31 },
+  { "verify-profile", required_argument, 0, CHAR_MAX + 32 },
+  { "p7-generate", no_argument, 0, CHAR_MAX + 33 },
+  { "p7-sign", no_argument, 0, CHAR_MAX + 34 },
+  { "p7-detached-sign", no_argument, 0, CHAR_MAX + 35 },
+  { "p7-include-cert", no_argument, 0, CHAR_MAX + 36 },
+  { "no-p7-include-cert", no_argument, 0, CHAR_MAX + 37 },
+  { "p7-time", no_argument, 0, CHAR_MAX + 38 },
+  { "no-p7-time", no_argument, 0, CHAR_MAX + 39 },
+  { "p7-show-data", no_argument, 0, CHAR_MAX + 40 },
+  { "no-p7-show-data", no_argument, 0, CHAR_MAX + 41 },
+  { "p7-info", no_argument, 0, CHAR_MAX + 42 },
+  { "p7-verify", no_argument, 0, CHAR_MAX + 43 },
+  { "smime-to-p7", no_argument, 0, CHAR_MAX + 44 },
+  { "generate-dh-params", no_argument, 0, CHAR_MAX + 45 },
+  { "get-dh-params", no_argument, 0, CHAR_MAX + 46 },
+  { "dh-info", no_argument, 0, CHAR_MAX + 47 },
+  { "load-privkey", required_argument, 0, CHAR_MAX + 48 },
+  { "load-pubkey", required_argument, 0, CHAR_MAX + 49 },
+  { "load-request", required_argument, 0, CHAR_MAX + 50 },
+  { "load-certificate", required_argument, 0, CHAR_MAX + 51 },
+  { "load-ca-privkey", required_argument, 0, CHAR_MAX + 52 },
+  { "load-ca-certificate", required_argument, 0, CHAR_MAX + 53 },
+  { "load-crl", required_argument, 0, CHAR_MAX + 54 },
+  { "load-data", required_argument, 0, CHAR_MAX + 55 },
+  { "password", required_argument, 0, CHAR_MAX + 56 },
+  { "null-password", no_argument, 0, CHAR_MAX + 57 },
+  { "empty-password", no_argument, 0, CHAR_MAX + 58 },
+  { "hex-numbers", no_argument, 0, CHAR_MAX + 59 },
+  { "cprint", no_argument, 0, CHAR_MAX + 60 },
+  { "rsa", no_argument, 0, CHAR_MAX + 61 },
+  { "dsa", no_argument, 0, CHAR_MAX + 62 },
+  { "ecc", no_argument, 0, CHAR_MAX + 63 },
+  { "ecdsa", no_argument, 0, CHAR_MAX + 64 },
+  { "hash", required_argument, 0, CHAR_MAX + 65 },
+  { "salt-size", required_argument, 0, CHAR_MAX + 66 },
+  { "inder", no_argument, 0, CHAR_MAX + 67 },
+  { "inraw", no_argument, 0, CHAR_MAX + 69 },
+  { "no-inder", no_argument, 0, CHAR_MAX + 68 },
+  { "outder", no_argument, 0, CHAR_MAX + 70 },
+  { "outraw", no_argument, 0, CHAR_MAX + 72 },
+  { "no-outder", no_argument, 0, CHAR_MAX + 71 },
+  { "disable-quick-random", no_argument, 0, CHAR_MAX + 73 },
+  { "template", required_argument, 0, CHAR_MAX + 74 },
+  { "stdout-info", no_argument, 0, CHAR_MAX + 75 },
+  { "ask-pass", no_argument, 0, CHAR_MAX + 76 },
+  { "pkcs-cipher", required_argument, 0, CHAR_MAX + 77 },
+  { "provider", required_argument, 0, CHAR_MAX + 78 },
+  { "text", no_argument, 0, CHAR_MAX + 79 },
+  { "no-text", no_argument, 0, CHAR_MAX + 80 },
+  { "version", optional_argument, 0, 'v' },
+  { "help", no_argument, 0, 'h' },
+  { "more-help", no_argument, 0, '!' },
+  { 0, 0, 0, 0 }
+
+};
+
+int
+process_options (int argc, char **argv)
+{
+  struct certtool_options *opts = &certtool_options;
+  int opt;
+
+  opts->enabled.p7_include_cert = true;
+  opts->enabled.text = true;
+  while ((opt = getopt_long (argc, argv, "!8Vcd:ehiklpqsuv:",
+                             long_options, NULL)) != EOF)
+    switch (opt)
+      {
+      case '\0': /* Long option.  */
+        break;
+      case 'd':
+        opts->present.debug = true;
+        opts->arg.debug = optarg;
+        opts->value.debug = parse_number(optarg);
+        opts->enabled.debug = true;
+        break;
+      case 'V':
+        opts->present.verbose = true;
+        opts->enabled.verbose = true;
+        break;
+      case CHAR_MAX + 1: /* --infile */
+        opts->present.infile = true;
+        opts->arg.infile = optarg;
+        opts->enabled.infile = true;
+        break;
+      case CHAR_MAX + 2: /* --outfile */
+        opts->present.outfile = true;
+        opts->arg.outfile = optarg;
+        opts->enabled.outfile = true;
+        break;
+      case 'i':
+        opts->present.certificate_info = true;
+        opts->enabled.certificate_info = true;
+        break;
+      case CHAR_MAX + 3: /* --pubkey-info */
+        opts->present.pubkey_info = true;
+        opts->enabled.pubkey_info = true;
+        break;
+      case 's':
+        opts->present.generate_self_signed = true;
+        opts->enabled.generate_self_signed = true;
+        break;
+      case 'c':
+        opts->present.generate_certificate = true;
+        opts->enabled.generate_certificate = true;
+        break;
+      case CHAR_MAX + 4: /* --generate-proxy */
+        opts->present.generate_proxy = true;
+        opts->enabled.generate_proxy = true;
+        break;
+      case 'u':
+        opts->present.update_certificate = true;
+        opts->enabled.update_certificate = true;
+        break;
+      case CHAR_MAX + 5: /* --fingerprint */
+        opts->present.fingerprint = true;
+        opts->enabled.fingerprint = true;
+        break;
+      case CHAR_MAX + 6: /* --key-id */
+        opts->present.key_id = true;
+        opts->enabled.key_id = true;
+        break;
+      case CHAR_MAX + 7: /* --certificate-pubkey */
+        opts->present.certificate_pubkey = true;
+        opts->enabled.certificate_pubkey = true;
+        break;
+      case CHAR_MAX + 8: /* --v1 */
+        opts->present.v1 = true;
+        opts->enabled.v1 = true;
+        break;
+      case CHAR_MAX + 9: /* --sign-params */
+        opts->present.sign_params = true;
+        opts->arg.sign_params = optarg;
+        opts->enabled.sign_params = true;
+        break;
+      case CHAR_MAX + 10: /* --crq-info */
+        opts->present.crq_info = true;
+        opts->enabled.crq_info = true;
+        break;
+      case 'q':
+        opts->present.generate_request = true;
+        opts->enabled.generate_request = true;
+        break;
+      case CHAR_MAX + 11: /* --no-crq-extensions */
+        opts->present.no_crq_extensions = true;
+        opts->enabled.no_crq_extensions = true;
+        break;
+      case CHAR_MAX + 12: /* --p12-info */
+        opts->present.p12_info = true;
+        opts->enabled.p12_info = true;
+        break;
+      case CHAR_MAX + 13: /* --p12-name */
+        opts->present.p12_name = true;
+        opts->arg.p12_name = optarg;
+        opts->enabled.p12_name = true;
+        break;
+      case CHAR_MAX + 14: /* --to-p12 */
+        opts->present.to_p12 = true;
+        opts->enabled.to_p12 = true;
+        break;
+      case 'k':
+        opts->present.key_info = true;
+        opts->enabled.key_info = true;
+        break;
+      case CHAR_MAX + 15: /* --p8-info */
+        opts->present.p8_info = true;
+        opts->enabled.p8_info = true;
+        break;
+      case CHAR_MAX + 16: /* --to-rsa */
+        opts->present.to_rsa = true;
+        opts->enabled.to_rsa = true;
+        break;
+      case 'p':
+        opts->present.generate_privkey = true;
+        opts->enabled.generate_privkey = true;
+        break;
+      case CHAR_MAX + 17: /* --key-type */
+        opts->present.key_type = true;
+        opts->arg.key_type = optarg;
+        opts->enabled.key_type = true;
+        break;
+      case CHAR_MAX + 18: /* --bits */
+        opts->present.bits = true;
+        opts->arg.bits = optarg;
+        opts->value.bits = parse_number(optarg);
+        opts->enabled.bits = true;
+        break;
+      case CHAR_MAX + 19: /* --curve */
+        opts->present.curve = true;
+        opts->arg.curve = optarg;
+        opts->enabled.curve = true;
+        break;
+      case CHAR_MAX + 20: /* --sec-param */
+        opts->present.sec_param = true;
+        opts->arg.sec_param = optarg;
+        opts->enabled.sec_param = true;
+        break;
+      case CHAR_MAX + 21: /* --to-p8 */
+        opts->present.to_p8 = true;
+        opts->enabled.to_p8 = true;
+        break;
+      case '8':
+        opts->present.pkcs8 = true;
+        opts->enabled.pkcs8 = true;
+        break;
+      case CHAR_MAX + 22: /* --provable */
+        opts->present.provable = true;
+        opts->enabled.provable = true;
+        break;
+      case CHAR_MAX + 23: /* --verify-provable-privkey */
+        opts->present.verify_provable_privkey = true;
+        opts->enabled.verify_provable_privkey = true;
+        break;
+      case CHAR_MAX + 24: /* --seed */
+        opts->present.seed = true;
+        opts->arg.seed = optarg;
+        opts->enabled.seed = true;
+        break;
+      case 'l':
+        opts->present.crl_info = true;
+        opts->enabled.crl_info = true;
+        break;
+      case CHAR_MAX + 25: /* --generate-crl */
+        opts->present.generate_crl = true;
+        opts->enabled.generate_crl = true;
+        break;
+      case CHAR_MAX + 26: /* --verify-crl */
+        opts->present.verify_crl = true;
+        opts->enabled.verify_crl = true;
+        break;
+      case 'e':
+        opts->present.verify_chain = true;
+        opts->enabled.verify_chain = true;
+        break;
+      case CHAR_MAX + 27: /* --verify */
+        opts->present.verify = true;
+        opts->enabled.verify = true;
+        break;
+      case CHAR_MAX + 28: /* --verify-hostname */
+        opts->present.verify_hostname = true;
+        opts->arg.verify_hostname = optarg;
+        opts->enabled.verify_hostname = true;
+        break;
+      case CHAR_MAX + 29: /* --verify-email */
+        opts->present.verify_email = true;
+        opts->arg.verify_email = optarg;
+        opts->enabled.verify_email = true;
+        break;
+      case CHAR_MAX + 30: /* --verify-purpose */
+        opts->present.verify_purpose = true;
+        opts->arg.verify_purpose = optarg;
+        opts->enabled.verify_purpose = true;
+        break;
+      case CHAR_MAX + 31: /* --verify-allow-broken */
+        opts->present.verify_allow_broken = true;
+        opts->enabled.verify_allow_broken = true;
+        break;
+      case CHAR_MAX + 32: /* --verify-profile */
+        opts->present.verify_profile = true;
+        opts->arg.verify_profile = optarg;
+        opts->enabled.verify_profile = true;
+        break;
+      case CHAR_MAX + 33: /* --p7-generate */
+        opts->present.p7_generate = true;
+        opts->enabled.p7_generate = true;
+        break;
+      case CHAR_MAX + 34: /* --p7-sign */
+        opts->present.p7_sign = true;
+        opts->enabled.p7_sign = true;
+        break;
+      case CHAR_MAX + 35: /* --p7-detached-sign */
+        opts->present.p7_detached_sign = true;
+        opts->enabled.p7_detached_sign = true;
+        break;
+      case CHAR_MAX + 36: /* --p7-include-cert */
+        opts->present.p7_include_cert = true;
+        opts->enabled.p7_include_cert = true;
+        break;
+      case CHAR_MAX + 37: /* --no-p7-include-cert */
+        opts->present.p7_include_cert = true;
+        opts->enabled.p7_include_cert = false;
+        break;
+      case CHAR_MAX + 38: /* --p7-time */
+        opts->present.p7_time = true;
+        opts->enabled.p7_time = true;
+        break;
+      case CHAR_MAX + 39: /* --no-p7-time */
+        opts->present.p7_time = true;
+        opts->enabled.p7_time = false;
+        break;
+      case CHAR_MAX + 40: /* --p7-show-data */
+        opts->present.p7_show_data = true;
+        opts->enabled.p7_show_data = true;
+        break;
+      case CHAR_MAX + 41: /* --no-p7-show-data */
+        opts->present.p7_show_data = true;
+        opts->enabled.p7_show_data = false;
+        break;
+      case CHAR_MAX + 42: /* --p7-info */
+        opts->present.p7_info = true;
+        opts->enabled.p7_info = true;
+        break;
+      case CHAR_MAX + 43: /* --p7-verify */
+        opts->present.p7_verify = true;
+        opts->enabled.p7_verify = true;
+        break;
+      case CHAR_MAX + 44: /* --smime-to-p7 */
+        opts->present.smime_to_p7 = true;
+        opts->enabled.smime_to_p7 = true;
+        break;
+      case CHAR_MAX + 45: /* --generate-dh-params */
+        opts->present.generate_dh_params = true;
+        opts->enabled.generate_dh_params = true;
+        break;
+      case CHAR_MAX + 46: /* --get-dh-params */
+        opts->present.get_dh_params = true;
+        opts->enabled.get_dh_params = true;
+        break;
+      case CHAR_MAX + 47: /* --dh-info */
+        opts->present.dh_info = true;
+        opts->enabled.dh_info = true;
+        break;
+      case CHAR_MAX + 48: /* --load-privkey */
+        opts->present.load_privkey = true;
+        opts->arg.load_privkey = optarg;
+        opts->enabled.load_privkey = true;
+        break;
+      case CHAR_MAX + 49: /* --load-pubkey */
+        opts->present.load_pubkey = true;
+        opts->arg.load_pubkey = optarg;
+        opts->enabled.load_pubkey = true;
+        break;
+      case CHAR_MAX + 50: /* --load-request */
+        opts->present.load_request = true;
+        opts->arg.load_request = optarg;
+        opts->enabled.load_request = true;
+        break;
+      case CHAR_MAX + 51: /* --load-certificate */
+        opts->present.load_certificate = true;
+        opts->arg.load_certificate = optarg;
+        opts->enabled.load_certificate = true;
+        break;
+      case CHAR_MAX + 52: /* --load-ca-privkey */
+        opts->present.load_ca_privkey = true;
+        opts->arg.load_ca_privkey = optarg;
+        opts->enabled.load_ca_privkey = true;
+        break;
+      case CHAR_MAX + 53: /* --load-ca-certificate */
+        opts->present.load_ca_certificate = true;
+        opts->arg.load_ca_certificate = optarg;
+        opts->enabled.load_ca_certificate = true;
+        break;
+      case CHAR_MAX + 54: /* --load-crl */
+        opts->present.load_crl = true;
+        opts->arg.load_crl = optarg;
+        opts->enabled.load_crl = true;
+        break;
+      case CHAR_MAX + 55: /* --load-data */
+        opts->present.load_data = true;
+        opts->arg.load_data = optarg;
+        opts->enabled.load_data = true;
+        break;
+      case CHAR_MAX + 56: /* --password */
+        opts->present.password = true;
+        opts->arg.password = optarg;
+        opts->enabled.password = true;
+        break;
+      case CHAR_MAX + 57: /* --null-password */
+        opts->present.null_password = true;
+        opts->enabled.null_password = true;
+        break;
+      case CHAR_MAX + 58: /* --empty-password */
+        opts->present.empty_password = true;
+        opts->enabled.empty_password = true;
+        break;
+      case CHAR_MAX + 59: /* --hex-numbers */
+        opts->present.hex_numbers = true;
+        opts->enabled.hex_numbers = true;
+        break;
+      case CHAR_MAX + 60: /* --cprint */
+        opts->present.cprint = true;
+        opts->enabled.cprint = true;
+        break;
+      case CHAR_MAX + 61: /* --rsa */
+        opts->present.rsa = true;
+        opts->enabled.rsa = true;
+        break;
+      case CHAR_MAX + 62: /* --dsa */
+        opts->present.dsa = true;
+        opts->enabled.dsa = true;
+        break;
+      case CHAR_MAX + 63: /* --ecc */
+      case CHAR_MAX + 64: /* --ecdsa */
+        opts->present.ecc = true;
+        opts->enabled.ecc = true;
+        break;
+      case CHAR_MAX + 65: /* --hash */
+        opts->present.hash = true;
+        opts->arg.hash = optarg;
+        opts->enabled.hash = true;
+        break;
+      case CHAR_MAX + 66: /* --salt-size */
+        opts->present.salt_size = true;
+        opts->arg.salt_size = optarg;
+        opts->value.salt_size = parse_number(optarg);
+        opts->enabled.salt_size = true;
+        break;
+      case CHAR_MAX + 67: /* --inder */
+      case CHAR_MAX + 69: /* --inraw */
+        opts->present.inder = true;
+        opts->enabled.inder = true;
+        break;
+      case CHAR_MAX + 68: /* --no-inder */
+        opts->present.inder = true;
+        opts->enabled.inder = false;
+        break;
+      case CHAR_MAX + 70: /* --outder */
+      case CHAR_MAX + 72: /* --outraw */
+        opts->present.outder = true;
+        opts->enabled.outder = true;
+        break;
+      case CHAR_MAX + 71: /* --no-outder */
+        opts->present.outder = true;
+        opts->enabled.outder = false;
+        break;
+      case CHAR_MAX + 73: /* --disable-quick-random */
+        opts->present.disable_quick_random = true;
+        opts->enabled.disable_quick_random = true;
+        break;
+      case CHAR_MAX + 74: /* --template */
+        opts->present.template = true;
+        opts->arg.template = optarg;
+        opts->enabled.template = true;
+        break;
+      case CHAR_MAX + 75: /* --stdout-info */
+        opts->present.stdout_info = true;
+        opts->enabled.stdout_info = true;
+        break;
+      case CHAR_MAX + 76: /* --ask-pass */
+        opts->present.ask_pass = true;
+        opts->enabled.ask_pass = true;
+        break;
+      case CHAR_MAX + 77: /* --pkcs-cipher */
+        opts->present.pkcs_cipher = true;
+        opts->arg.pkcs_cipher = optarg;
+        opts->enabled.pkcs_cipher = true;
+        break;
+      case CHAR_MAX + 78: /* --provider */
+        opts->present.provider = true;
+        opts->arg.provider = optarg;
+        opts->enabled.provider = true;
+        break;
+      case CHAR_MAX + 79: /* --text */
+        opts->present.text = true;
+        opts->enabled.text = true;
+        break;
+      case CHAR_MAX + 80: /* --no-text */
+        opts->present.text = true;
+        opts->enabled.text = false;
+        break;
+      case 'v':
+        opts->present.version = true;
+        opts->arg.version = optarg;
+        opts->enabled.version = true;
+        break;
+      case 'h':
+        opts->present.help = true;
+        opts->enabled.help = true;
+        break;
+      case '!':
+        opts->present.more_help = true;
+        opts->enabled.more_help = true;
+        break;
+      default:
+        usage (stderr, EXIT_FAILURE);
+        break;
+      }
+
+  if (HAVE_OPT(DEBUG) && OPT_VALUE_DEBUG < 0)
+    {
+      error (EXIT_FAILURE, 0, "%s option value %d is out of range.",
+             "debug", opts->value.debug);
+    }
+  if (HAVE_OPT(DEBUG) && OPT_VALUE_DEBUG > 9999)
+    {
+      error (EXIT_FAILURE, 0, "%s option value %d is out of range",
+             "debug", opts->value.debug);
+    }
+  if (HAVE_OPT(GENERATE_REQUEST) && HAVE_OPT(INFILE))
+    {
+      error (EXIT_FAILURE, 0, "the '%s' and '%s' options conflict",
+             "generate-request", "infile");
+    }
+  if (HAVE_OPT(VERIFY_CRL) && !HAVE_OPT(LOAD_CA_CERTIFICATE))
+    {
+      error (EXIT_FAILURE, 0, "%s option requires the %s options",
+             "verify-crl", "load_ca_certificate");
+    }
+  if (HAVE_OPT(VERIFY_EMAIL) && HAVE_OPT(VERIFY_HOSTNAME))
+    {
+      error (EXIT_FAILURE, 0, "the '%s' and '%s' options conflict",
+             "verify-email", "verify_hostname");
+    }
+  if (optind < argc)
+    {
+      error (EXIT_FAILURE, 0, "Command line arguments are not allowed.");
+    }
+
+
+  if (HAVE_OPT(HELP))
+    {
+      USAGE(0);
+    }
+
+  if (HAVE_OPT(MORE_HELP))
+#ifdef _WIN32
+    {
+      USAGE(0);
+    }
+#else /* _WIN32 */
+    {
+      pid_t pid;
+      int pfds[2];
+
+      if (pipe (pfds) < 0)
+        error (EXIT_FAILURE, errno, "pipe");
+
+      pid = fork ();
+      if (pid < 0)
+        error (EXIT_FAILURE, errno, "fork");
+
+      if (pid == 0)
+        {
+          close (pfds[0]);
+          dup2 (pfds[1], STDOUT_FILENO);
+          close (pfds[1]);
+
+          usage (stdout, 0);
+        }
+      else
+        {
+          const char *args[2];
+          const char *envvar;
+
+          close (pfds[1]);
+          dup2 (pfds[0], STDIN_FILENO);
+          close (pfds[0]);
+
+          envvar = secure_getenv ("PAGER");
+          if (!envvar || *envvar == '\0')
+            args[0] = "more";
+          else
+            args[0] = envvar;
+
+          args[1] = NULL;
+
+          execvp (args[0], (char * const *)args);
+
+          exit (EXIT_FAILURE);
+        }
+    }
+#endif /* !_WIN32 */
+
+  if (HAVE_OPT(VERSION))
+    {
+      if (!OPT_ARG_VERSION || !strcmp (OPT_ARG_VERSION, "c"))
+        {
+          const char str[] =
+            "certtool 3.7.9\n"
+            "Copyright (C) 2000-2021 Free Software Foundation, and others\n"
+            "This is free software. It is licensed for use, modification and\n"
+            "redistribution under the terms of the GNU General Public License,\n"
+            "version 3 or later <http://gnu.org/licenses/gpl.html>\n"
+            "\n"
+            "Please send bug reports to:  <bugs@gnutls.org>            \n";
+          fprintf (stdout, "%s", str);
+          exit(0);
+        }
+      else if (!strcmp (OPT_ARG_VERSION, "v"))
+        {
+          const char str[] =
+            "certtool 3.7.9\n";
+          fprintf (stdout, "%s", str);
+          exit(0);
+        }
+      else if (!strcmp (OPT_ARG_VERSION, "n"))
+        {
+          const char str[] =
+            "certtool 3.7.9\n"
+            "Copyright (C) 2000-2021 Free Software Foundation, and others\n"
+            "This is free software. It is licensed for use, modification and\n"
+            "redistribution under the terms of the GNU General Public License,\n"
+            "version 3 or later <http://gnu.org/licenses/gpl.html>\n"
+            "\n"
+            "gnutls is free software: you can redistribute it and/or\n"
+            "modify it under the terms of the GNU General Public License\n"
+            "as published by the Free Software Foundation,\n"
+            "either version 3 of the License, or (at your option) any later version.\n"
+            "\n"
+            "gnutls is distributed in the hope that it will be useful,\n"
+            "but WITHOUT ANY WARRANTY; without even the implied warranty\n"
+            "of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n"
+            "See the GNU General Public License for more details.\n"
+            "\n"
+            "You should have received a copy of the GNU General Public License\n"
+            "along with this program.  If not, see <http://www.gnu.org/licenses/>.\n"
+            "\n"
+            "Please send bug reports to:  <bugs@gnutls.org>            \n";
+          fprintf (stdout, "%s", str);
+          exit(0);
+        }
+      else
+        {
+          error (EXIT_FAILURE, 0,
+                 "version option argument 'a' invalid.  Use:\n"
+                 "	'v' - version only\n"
+                 "	'c' - version and copyright\n"
+                 "	'n' - version and full copyright notice");
+        }
+    }
+
+  return optind;
+}
+
+void
+usage (FILE *out, int status)
+{
+  const char str[] =
+    "certtool - GnuTLS certificate tool\n"
+    "Usage:  certtool [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \n"
+    "\n"
+    "None:\n"
+    "\n"
+    "   -d, --debug=num            Enable debugging\n"
+    "				- it must be in the range:\n"
+    "				  0 to 9999\n"
+    "   -V, --verbose              More verbose output\n"
+    "       --infile=file          Input file\n"
+    "				- file must pre-exist\n"
+    "       --outfile=str          Output file\n"
+    "\n"
+    "Certificate related options:\n"
+    "\n"
+    "   -i, --certificate-info     Print information on the given certificate\n"
+    "       --pubkey-info          Print information on a public key\n"
+    "   -s, --generate-self-signed Generate a self-signed certificate\n"
+    "   -c, --generate-certificate Generate a signed certificate\n"
+    "       --generate-proxy       Generates a proxy certificate\n"
+    "   -u, --update-certificate   Update a signed certificate\n"
+    "       --fingerprint          Print the fingerprint of the given certificate\n"
+    "       --key-id               Print the key ID of the given certificate\n"
+    "       --v1                   Generate an X.509 version 1 certificate (with no extensions)\n"
+    "       --sign-params=str      Sign a certificate with a specific signature algorithm\n"
+    "\n"
+    "Certificate request related options:\n"
+    "\n"
+    "       --crq-info             Print information on the given certificate request\n"
+    "   -q, --generate-request     Generate a PKCS #10 certificate request\n"
+    "				- prohibits the option 'infile'\n"
+    "       --no-crq-extensions    Do not use extensions in certificate requests\n"
+    "\n"
+    "PKCS#12 file related options:\n"
+    "\n"
+    "       --p12-info             Print information on a PKCS #12 structure\n"
+    "       --p12-name=str         The PKCS #12 friendly name to use\n"
+    "       --to-p12               Generate a PKCS #12 structure\n"
+    "\n"
+    "Private key related options:\n"
+    "\n"
+    "   -k, --key-info             Print information on a private key\n"
+    "       --p8-info              Print information on a PKCS #8 structure\n"
+    "       --to-rsa               Convert an RSA-PSS key to raw RSA format\n"
+    "   -p, --generate-privkey     Generate a private key\n"
+    "       --key-type=str         Specify the key type to use on key generation\n"
+    "       --bits=num             Specify the number of bits for key generation\n"
+    "       --curve=str            Specify the curve used for EC key generation\n"
+    "       --sec-param=str        Specify the security level [low, legacy, medium, high, ultra]\n"
+    "       --to-p8                Convert a given key to a PKCS #8 structure\n"
+    "   -8, --pkcs8                Use PKCS #8 format for private keys\n"
+    "       --provable             Generate a private key or parameters from a seed using a provable method\n"
+    "       --verify-provable-privkey  Verify a private key generated from a seed using a provable method\n"
+    "       --seed=str             When generating a private key use the given hex-encoded seed\n"
+    "\n"
+    "CRL related options:\n"
+    "\n"
+    "   -l, --crl-info             Print information on the given CRL structure\n"
+    "       --generate-crl         Generate a CRL\n"
+    "       --verify-crl           Verify a Certificate Revocation List using a trusted list\n"
+    "				- requires the option 'load-ca-certificate'\n"
+    "\n"
+    "Certificate verification related options:\n"
+    "\n"
+    "   -e, --verify-chain         Verify a PEM encoded certificate chain\n"
+    "       --verify               Verify a PEM encoded certificate (chain) against a trusted set\n"
+    "       --verify-hostname=str  Specify a hostname to be used for certificate chain verification\n"
+    "       --verify-email=str     Specify a email to be used for certificate chain verification\n"
+    "				- prohibits the option 'verify-hostname'\n"
+    "       --verify-purpose=str   Specify a purpose OID to be used for certificate chain verification\n"
+    "       --verify-allow-broken  Allow broken algorithms, such as MD5 for verification\n"
+    "       --verify-profile=str   Specify a security level profile to be used for verification\n"
+    "\n"
+    "PKCS#7 structure options:\n"
+    "\n"
+    "       --p7-generate          Generate a PKCS #7 structure\n"
+    "       --p7-sign              Signs using a PKCS #7 structure\n"
+    "       --p7-detached-sign     Signs using a detached PKCS #7 structure\n"
+    "       --p7-include-cert      The signer's certificate will be included in the cert list\n"
+    "				- enabled by default\n"
+    "				- disabled as '--no-p7-include-cert'\n"
+    "       --p7-time              Will include a timestamp in the PKCS #7 structure\n"
+    "       --p7-show-data         Will show the embedded data in the PKCS #7 structure\n"
+    "       --p7-info              Print information on a PKCS #7 structure\n"
+    "       --p7-verify            Verify the provided PKCS #7 structure\n"
+    "       --smime-to-p7          Convert S/MIME to PKCS #7 structure\n"
+    "\n"
+    "Other options:\n"
+    "\n"
+    "       --get-dh-params        List the included PKCS #3 encoded Diffie-Hellman parameters\n"
+    "       --dh-info              Print information PKCS #3 encoded Diffie-Hellman parameters\n"
+    "       --load-privkey=str     Loads a private key file\n"
+    "       --load-pubkey=str      Loads a public key file\n"
+    "       --load-request=str     Loads a certificate request file\n"
+    "       --load-certificate=str Loads a certificate file\n"
+    "       --load-ca-privkey=str  Loads the certificate authority's private key file\n"
+    "       --load-ca-certificate=str Loads the certificate authority's certificate file\n"
+    "       --load-crl=str         Loads the provided CRL\n"
+    "       --load-data=str        Loads auxiliary data\n"
+    "       --password=str         Password to use\n"
+    "       --null-password        Enforce a NULL password\n"
+    "       --empty-password       Enforce an empty password\n"
+    "       --hex-numbers          Print big number in an easier format to parse\n"
+    "       --cprint               In certain operations it prints the information in C-friendly format\n"
+    "       --hash=str             Hash algorithm to use for signing\n"
+    "       --salt-size=num        Specify the RSA-PSS key default salt size\n"
+    "       --inder                Use DER format for input certificates, private keys, and DH parameters \n"
+    "       --inraw                an alias for the 'inder' option\n"
+    "       --outder               Use DER format for output certificates, private keys, and DH parameters\n"
+    "       --outraw               an alias for the 'outder' option\n"
+    "       --template=str         Template file to use for non-interactive operation\n"
+    "       --stdout-info          Print information to stdout instead of stderr\n"
+    "       --ask-pass             Enable interaction for entering password when in batch mode\n"
+    "       --pkcs-cipher=str      Cipher to use for PKCS #8 and #12 operations\n"
+    "       --provider=str         Specify the PKCS #11 provider library\n"
+    "       --text                 Output textual information before PEM-encoded certificates, private keys, etc\n"
+    "				- enabled by default\n"
+    "				- disabled as '--no-text'\n"
+    "\n"
+    "Version, usage and configuration options:\n"
+    "\n"
+    "   -v, --version[=arg]        output version information and exit\n"
+    "   -h, --help                 display extended usage information and exit\n"
+    "   -!, --more-help            extended usage information passed thru pager\n"
+    "\n"
+    "Options are specified by doubled hyphens and their name or by a single\n"
+    "hyphen and the flag character.\n"
+    "\n"
+    "Tool to parse and generate X.509 certificates, requests and private keys.\n"
+    "It can be used interactively or non interactively by\n"
+    "specifying the template command line option.\n"
+    "\n"
+    "The tool accepts files or supported URIs via the --infile option. In case PIN\n"
+    "is required for URI access you can provide it using the environment variables GNUTLS_PIN \n"
+    "and GNUTLS_SO_PIN.\n"
+    "\n"
+    "\n"
+    "Please send bug reports to:  <bugs@gnutls.org>\n"
+    "\n";
+  fprintf (out, "%s", str);
+  exit (status);
+}