Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: 3aeb934865
Branches Tags
openssl
/
apps
/
CA.com

CA.com 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221 
  1. $! CA - wrapper around ca to make it easier to use ... basically ca requires
    2. 

  2. $!      some setup stuff to be done before you can use it and this makes
    3. 

  3. $!      things easier between now and when Eric is convinced to fix it :-)
    4. 

  4. $!
    5. 

  5. $! CA -newca ... will setup the right stuff
    6. 

  6. $! CA -newreq ... will generate a certificate request 
    7. 

  7. $! CA -sign ... will sign the generated request and output 
    8. 

  8. $!
    9. 

  9. $! At the end of that grab newreq.pem and newcert.pem (one has the key 
    10. 

  10. $! and the other the certificate) and cat them together and that is what
    11. 

  11. $! you want/need ... I'll make even this a little cleaner later.
    12. 

  12. $!
    13. 

  13. $! default openssl.cnf file has setup as per the following
    14. 

  14. $! demoCA ... where everything is stored
    15. 

  15. $
    16. 

  16. $ IF F$TYPE(OPENSSL_CONFIG) .EQS. "" THEN OPENSSL_CONFIG := SSLLIB:OPENSSL.CNF
    17. 

  17. $
    18. 

  18. $ DAYS   = "-days 365"
    19. 

  19. $ REQ    = openssl + " req " + OPENSSL_CONFIG
    20. 

  20. $ CA     = openssl + " ca " + OPENSSL_CONFIG
    21. 

  21. $ VERIFY = openssl + " verify"
    22. 

  22. $ X509   = openssl + " x509"
    23. 

  23. $ PKCS12 = openssl + " pkcs12"
    24. 

  24. $ echo   = "write sys$Output"
    25. 

  25. $ RET = 1
    26. 

  26. $!
    27. 

  27. $! 2010-12-20 SMS.
    28. 

  28. $! Use a concealed logical name to reduce command line lengths, to
    29. 

  29. $! avoid DCL errors on VAX:
    30. 

  30. $!     %DCL-W-TKNOVF, command element is too long - shorten
    31. 

  31. $! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
    32. 

  32. $! quickly.)
    33. 

  33. $!
    34. 

  34. $ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
    35. 

  35. $ define /translation_attributes = concealed CATOP 'CATOP'
    36. 

  36. $!
    37. 

  37. $ on error then goto clean_up
    38. 

  38. $ on control_y then goto clean_up
    39. 

  39. $!
    40. 

  40. $ CAKEY  = "CATOP:[private]cakey.pem"
    41. 

  41. $ CACERT = "CATOP:[000000]cacert.pem"
    42. 

  42. $
    43. 

  43. $ __INPUT := SYS$COMMAND
    44. 

  44. $!
    45. 

  45. $ i = 1
    46. 

  46. $opt_loop:
    47. 

  47. $ if i .gt. 8 then goto opt_loop_end
    48. 

  48. $
    49. 

  49. $ prog_opt = F$EDIT(P'i',"lowercase")
    50. 

  50. $
    51. 

  51. $ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
    52. 

  52. $ THEN
    53. 

  53. $   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
    54. 

  54. $   goto clean_up
    55. 

  55. $ ENDIF
    56. 

  56. $!
    57. 

  57. $ IF (prog_opt .EQS. "-input")
    58. 

  58. $ THEN
    59. 

  59. $   ! Get input from somewhere other than SYS$COMMAND
    60. 

  60. $   i = i + 1
    61. 

  61. $   __INPUT = P'i'
    62. 

  62. $   GOTO opt_loop_continue
    63. 

  63. $ ENDIF
    64. 

  64. $!
    65. 

  65. $ IF (prog_opt .EQS. "-newcert")
    66. 

  66. $ THEN
    67. 

  67. $   ! Create a certificate.
    68. 

  68. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    69. 

  69. $   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
    70. 

  70. $   RET=$STATUS
    71. 

  71. $   echo "Certificate (and private key) is in newreq.pem"
    72. 

  72. $   GOTO opt_loop_continue
    73. 

  73. $ ENDIF
    74. 

  74. $!
    75. 

  75. $ IF (prog_opt .EQS. "-newreq")
    76. 

  76. $ THEN
    77. 

  77. $   ! Create a certificate request
    78. 

  78. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    79. 

  79. $   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
    80. 

  80. $   RET=$STATUS
    81. 

  81. $   echo "Request (and private key) is in newreq.pem"
    82. 

  82. $   GOTO opt_loop_continue
    83. 

  83. $ ENDIF
    84. 

  84. $!
    85. 

  85. $ IF (prog_opt .EQS. "-newca")
    86. 

  86. $ THEN
    87. 

  87. $   ! If explicitly asked for or it doesn't exist then setup the directory
    88. 

  88. $   ! structure that Eric likes to manage things.
    89. 

  89. $   IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
    90. 

  90. $   THEN
    91. 

  91. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
    92. 

  92. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
    93. 

  93. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
    94. 

  94. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
    95. 

  95. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
    96. 

  96. $
    97. 

  97. $     OPEN /WRITE ser_file CATOP:[000000]serial. 
    98. 

  98. $     WRITE ser_file "01"
    99. 

  99. $     CLOSE ser_file
    100. 

  100. $     APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
    101. 

  101. $
    102. 

  102. $     ! The following is to make sure access() doesn't get confused.  It
    103. 

  103. $     ! really needs one file in the directory to give correct answers...
    104. 

  104. $     COPY NLA0: CATOP:[certs].;
    105. 

  105. $     COPY NLA0: CATOP:[crl].;
    106. 

  106. $     COPY NLA0: CATOP:[newcerts].;
    107. 

  107. $     COPY NLA0: CATOP:[private].;
    108. 

  108. $   ENDIF
    109. 

  109. $!
    110. 

  110. $   IF F$SEARCH( CAKEY) .EQS. ""
    111. 

  111. $   THEN
    112. 

  112. $     READ '__INPUT' FILE -
    113. 

  113.        /PROMPT="CA certificate filename (or enter to create): "
    114. 

  114. $     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
    115. 

  115. $     THEN
    116. 

  116. $       COPY 'FILE' 'CAKEY'
    117. 

  117. $       RET=$STATUS
    118. 

  118. $     ELSE
    119. 

  119. $       echo "Making CA certificate ..."
    120. 

  120. $       DEFINE /USER_MODE SYS$INPUT '__INPUT'
    121. 

  121. $       REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
    122. 

  122. $       RET=$STATUS
    123. 

  123. $     ENDIF
    124. 

  124. $   ENDIF
    125. 

  125. $   GOTO opt_loop_continue
    126. 

  126. $ ENDIF
    127. 

  127. $!
    128. 

  128. $ IF (prog_opt .EQS. "-pkcs12")
    129. 

  129. $ THEN
    130. 

  130. $   i = i + 1
    131. 

  131. $   cname = P'i'
    132. 

  132. $   IF cname .EQS. "" THEN cname = "My certificate"
    133. 

  133. $   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
    134. 

  134.      -out newcert.p12 -export -name "''cname'"
    135. 

  135. $   RET=$STATUS
    136. 

  136. $   goto clean_up
    137. 

  137. $ ENDIF
    138. 

  138. $!
    139. 

  139. $ IF (prog_opt .EQS. "-xsign")
    140. 

  140. $ THEN
    141. 

  141. $!
    142. 

  142. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    143. 

  143. $   CA -policy policy_anything -infiles newreq.pem
    144. 

  144. $   RET=$STATUS
    145. 

  145. $   GOTO opt_loop_continue
    146. 

  146. $ ENDIF
    147. 

  147. $!
    148. 

  148. $ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
    149. 

  149. $ THEN
    150. 

  150. $!   
    151. 

  151. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    152. 

  152. $   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    153. 

  153. $   RET=$STATUS
    154. 

  154. $   type newcert.pem
    155. 

  155. $   echo "Signed certificate is in newcert.pem"
    156. 

  156. $   GOTO opt_loop_continue
    157. 

  157. $ ENDIF
    158. 

  158. $!
    159. 

  159. $ IF (prog_opt .EQS. "-signcert")
    160. 

  160. $  THEN
    161. 

  161. $!   
    162. 

  162. $   echo "Cert passphrase will be requested twice - bug?"
    163. 

  163. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    164. 

  164. $   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    165. 

  165. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    166. 

  166. $   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    167. 

  167. y
    168. 

  168. y
    169. 

  169. $   type newcert.pem
    170. 

  170. $   echo "Signed certificate is in newcert.pem"
    171. 

  171. $   GOTO opt_loop_continue
    172. 

  172. $ ENDIF
    173. 

  173. $!
    174. 

  174. $ IF (prog_opt .EQS. "-verify")
    175. 

  175. $ THEN
    176. 

  176. $!   
    177. 

  177. $   i = i + 1
    178. 

  178. $   IF (p'i' .EQS. "")
    179. 

  179. $   THEN
    180. 

  180. $     DEFINE /USER_MODE SYS$INPUT '__INPUT'
    181. 

  181. $     VERIFY "-CAfile" 'CACERT' newcert.pem
    182. 

  182. $   ELSE
    183. 

  183. $     j = i
    184. 

  184. $    verify_opt_loop:
    185. 

  185. $     IF j .GT. 8 THEN GOTO verify_opt_loop_end
    186. 

  186. $     IF p'j' .NES. ""
    187. 

  187. $     THEN 
    188. 

  188. $       DEFINE /USER_MODE SYS$INPUT '__INPUT'
    189. 

  189. $       __tmp = p'j'
    190. 

  190. $       VERIFY "-CAfile" 'CACERT' '__tmp'
    191. 

  191. $       tmp=$STATUS
    192. 

  192. $       IF tmp .NE. 0 THEN RET=tmp
    193. 

  193. $     ENDIF
    194. 

  194. $     j = j + 1
    195. 

  195. $     GOTO verify_opt_loop
    196. 

  196. $    verify_opt_loop_end:
    197. 

  197. $   ENDIF
    198. 

  198. $   
    199. 

  199. $   GOTO opt_loop_end
    200. 

  200. $ ENDIF
    201. 

  201. $!
    202. 

  202. $ IF (prog_opt .NES. "")
    203. 

  203. $ THEN
    204. 

  204. $!   
    205. 

  205. $   echo "Unknown argument ''prog_opt'"
    206. 

  206. $   RET = 3
    207. 

  207. $   goto clean_up
    208. 

  208. $ ENDIF
    209. 

  209. $
    210. 

  210. $opt_loop_continue:
    211. 

  211. $ i = i + 1
    212. 

  212. $ GOTO opt_loop
    213. 

  213. $
    214. 

  214. $opt_loop_end:
    215. 

  215. $!
    216. 

  216. $clean_up:
    217. 

  217. $!
    218. 

  218. $ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
    219. 

  219.    deassign /process CATOP
    220. 

  220. $!
    221. 

  221. $ EXIT 'RET'
    222.