hx509: Show query expression parse errors

lib/hx509/cert.c

@@ -2979,12 +2979,21 @@ hx509_query_match_expr(hx509_context context, hx509_query *q, const char *expr)
 
     if (expr == NULL) {
 	q->match &= ~HX509_QUERY_MATCH_EXPR;
-    } else {
-	q->expr = _hx509_expr_parse(expr);
-	if (q->expr)
-	    q->match |= HX509_QUERY_MATCH_EXPR;
+        return 0;
     }
 
+    q->expr = _hx509_expr_parse(expr);
+    if (q->expr == NULL) {
+        const char *reason = _hx509_expr_parse_error();
+
+        hx509_set_error_string(context, 0, EINVAL,
+                               "Invalid certificate query match expression: "
+                               "%s (%s)", expr,
+                               reason ? reason : "syntax error");
+        return EINVAL;
+    }
+
+    q->match |= HX509_QUERY_MATCH_EXPR;
     return 0;
 }
 

lib/hx509/hxtool.c

@@ -2873,9 +2873,9 @@ acert(struct acert_options *opt, int argc, char **argv)
 
     hx509_query *q = NULL;
     if (opt->expr_string) {
-        if ((ret = hx509_query_alloc(context, &q)))
+        if ((ret = hx509_query_alloc(context, &q)) ||
+	    (ret = hx509_query_match_expr(context, q, opt->expr_string)))
             hx509_err(context, 1, ret, "Could not initialize query");
-	hx509_query_match_expr(context, q, opt->expr_string);
         if ((ret = hx509_certs_find(context, certs, q, &cert)) || !cert)
             hx509_err(context, 1, ret, "No matching certificate");
         ret = acert1(opt, -1, cert, &matched);

lib/hx509/sel.c

@@ -204,6 +204,7 @@ _hx509_expr_free(struct hx_expr *expr)
     free(expr);
 }
 
+/* XXX Horrible, no good cause not thread-safe */
 HX509_LIB_FUNCTION struct hx_expr * HX509_LIB_CALL
 _hx509_expr_parse(const char *buf)
 {
@@ -222,6 +223,12 @@ _hx509_expr_parse(const char *buf)
     return _hx509_expr_input.expr;
 }
 
+const char *
+_hx509_expr_parse_error(void)
+{
+    return _hx509_expr_input.error;
+}
+
 void
 _hx509_sel_yyerror (const char *s)
 {