  1. $! CA - wrapper around ca to make it easier to use ... basically ca requires
  2. $! some setup stuff to be done before you can use it and this makes
  3. $! things easier between now and when Eric is convinced to fix it :-)
  4. $!
  5. $! CA -newca ... will setup the right stuff
  6. $! CA -newreq ... will generate a certificate request
  7. $! CA -sign ... will sign the generated request and output
  8. $!
  9. $! At the end of that grab newreq.pem and newcert.pem (one has the key
  10. $! and the other the certificate) and cat them together and that is what
  11. $! you want/need ... I'll make even this a little cleaner later.
  12. $!
  13. $!
  14. $! 12-Jan-96 tjh Added more things ... including CA -signcert which
  15. $! converts a certificate to a request and then signs it.
  16. $! 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
  17. $! environment variable so this can be driven from
  18. $! a script.
  19. $! 25-Jul-96 eay Cleaned up filenames some more.
  20. $! 11-Jun-96 eay Fixed a few filename missmatches.
  21. $! 03-May-96 eay Modified to use 'openssl cmd' instead of 'cmd'.
  22. $! 18-Apr-96 tjh Original hacking
  23. $!
  24. $! Tim Hudson
  25. $! tjh@cryptsoft.com
  26. $!
  27. $!
  28. $! default ssleay.cnf file has setup as per the following
  29. $! demoCA ... where everything is stored
  30. $
  31. $ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
  32. $
  33. $ DAYS = "-days 365"
  34. $ REQ = openssl + " req " + SSLEAY_CONFIG
  35. $ CA = openssl + " ca " + SSLEAY_CONFIG
  36. $ VERIFY = openssl + " verify"
  37. $ X509 = openssl + " x509"
  38. $ PKCS12 = openssl + " pkcs12"
  39. $ echo = "write sys$Output"
  40. $!
  41. $ s = F$PARSE(F$ENVIRONMENT("DEFAULT"),"[]") - "].;"
  42. $ CATOP := 's'.demoCA
  43. $ CAKEY := ]cakey.pem
  44. $ CACERT := ]cacert.pem
  45. $
  46. $ __INPUT := SYS$COMMAND
  47. $ RET = 1
  48. $!
  49. $ i = 1
  50. $opt_loop:
  51. $ if i .gt. 8 then goto opt_loop_end
  52. $
  53. $ prog_opt = F$EDIT(P'i',"lowercase")
  54. $
  55. $ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help")
  56. $ THEN
  57. $ echo "usage: CA -newcert|-newreq|-newca|-sign|-verify"
  58. $ exit
  59. $ ENDIF
  60. $!
  61. $ IF (prog_opt .EQS. "-input")
  62. $ THEN
  63. $ ! Get input from somewhere other than SYS$COMMAND
  64. $ i = i + 1
  65. $ __INPUT = P'i'
  66. $ GOTO opt_loop_continue
  67. $ ENDIF
  68. $!
  69. $ IF (prog_opt .EQS. "-newcert")
  70. $ THEN
  71. $ ! Create a certificate.
  72. $ DEFINE/USER SYS$INPUT '__INPUT'
  73. $ REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
  74. $ RET=$STATUS
  75. $ echo "Certificate (and private key) is in newreq.pem"
  76. $ GOTO opt_loop_continue
  77. $ ENDIF
  78. $!
  79. $ IF (prog_opt .EQS. "-newreq")
  80. $ THEN
  81. $ ! Create a certificate request
  82. $ DEFINE/USER SYS$INPUT '__INPUT'
  83. $ REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
  84. $ RET=$STATUS
  85. $ echo "Request (and private key) is in newreq.pem"
  86. $ GOTO opt_loop_continue
  87. $ ENDIF
  88. $!
  89. $ IF (prog_opt .EQS. "-newca")
  90. $ THEN
  91. $ ! If explicitly asked for or it doesn't exist then setup the directory
  92. $ ! structure that Eric likes to manage things.
  93. $ IF F$SEARCH(CATOP+"]serial.") .EQS. ""
  94. $ THEN
  95. $ CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP']
  96. $ CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.certs]
  97. $ CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.crl]
  98. $ CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.newcerts]
  99. $ CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.private]
  100. $
  101. $ OPEN /WRITE ser_file 'CATOP']serial.
  102. $ WRITE ser_file "01"
  103. $ CLOSE ser_file
  104. $ APPEND/NEW NL: 'CATOP']index.txt
  105. $
  106. $ ! The following is to make sure access() doesn't get confused. It
  107. $ ! really needs one file in the directory to give correct answers...
  108. $ COPY NLA0: 'CATOP'.certs].;
  109. $ COPY NLA0: 'CATOP'.crl].;
  110. $ COPY NLA0: 'CATOP'.newcerts].;
  111. $ COPY NLA0: 'CATOP'.private].;
  112. $ ENDIF
  113. $!
  114. $ IF F$SEARCH(CATOP+".private"+CAKEY) .EQS. ""
  115. $ THEN
  116. $ READ '__INPUT' FILE -
  117. /PROMT="CA certificate filename (or enter to create)"
  118. $ IF F$SEARCH(FILE) .NES. ""
  119. $ THEN
  120. $ COPY 'FILE' 'CATOP'.private'CAKEY'
  121. $ RET=$STATUS
  122. $ ELSE
  123. $ echo "Making CA certificate ..."
  124. $ DEFINE/USER SYS$INPUT '__INPUT'
  125. $ REQ -new -x509 -keyout 'CATOP'.private'CAKEY' -
  126. -out 'CATOP''CACERT' 'DAYS'
  127. $ RET=$STATUS
  128. $ ENDIF
  129. $ ENDIF
  130. $ GOTO opt_loop_continue
  131. $ ENDIF
  132. $!
  133. $ IF (prog_opt .EQS. "-pkcs12")
  134. $ THEN
  135. $ i = i + 1
  136. $ cname = P'i'
  137. $ IF cname .EQS. "" THEN cname = "My certificate"
  138. $ PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CATOP''CACERT -
  139. -out newcert.p12 -export -name "''cname'"
  140. $ RET=$STATUS
  141. $ exit RET
  142. $ ENDIF
  143. $!
  144. $ IF (prog_opt .EQS. "-xsign")
  145. $ THEN
  146. $!
  147. $ DEFINE/USER SYS$INPUT '__INPUT'
  148. $ CA -policy policy_anything -infiles newreq.pem
  149. $ RET=$STATUS
  150. $ GOTO opt_loop_continue
  151. $ ENDIF
  152. $!
  153. $ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
  154. $ THEN
  155. $!
  156. $ DEFINE/USER SYS$INPUT '__INPUT'
  157. $ CA -policy policy_anything -out newcert.pem -infiles newreq.pem
  158. $ RET=$STATUS
  159. $ type newcert.pem
  160. $ echo "Signed certificate is in newcert.pem"
  161. $ GOTO opt_loop_continue
  162. $ ENDIF
  163. $!
  164. $ IF (prog_opt .EQS. "-signcert")
  165. $ THEN
  166. $!
  167. $ echo "Cert passphrase will be requested twice - bug?"
  168. $ DEFINE/USER SYS$INPUT '__INPUT'
  169. $ X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
  170. $ DEFINE/USER SYS$INPUT '__INPUT'
  171. $ CA -policy policy_anything -out newcert.pem -infiles tmp.pem
  172. y
  173. y
  174. $ type newcert.pem
  175. $ echo "Signed certificate is in newcert.pem"
  176. $ GOTO opt_loop_continue
  177. $ ENDIF
  178. $!
  179. $ IF (prog_opt .EQS. "-verify")
  180. $ THEN
  181. $!
  182. $ i = i + 1
  183. $ IF (p'i' .EQS. "")
  184. $ THEN
  185. $ DEFINE/USER SYS$INPUT '__INPUT'
  186. $ VERIFY "-CAfile" 'CATOP''CACERT' newcert.pem
  187. $ ELSE
  188. $ j = i
  189. $ verify_opt_loop:
  190. $ IF j .GT. 8 THEN GOTO verify_opt_loop_end
  191. $ IF p'j' .NES. ""
  192. $ THEN
  193. $ DEFINE/USER SYS$INPUT '__INPUT'
  194. $ __tmp = p'j'
  195. $ VERIFY "-CAfile" 'CATOP''CACERT' '__tmp'
  196. $ tmp=$STATUS
  197. $ IF tmp .NE. 0 THEN RET=tmp
  198. $ ENDIF
  199. $ j = j + 1
  200. $ GOTO verify_opt_loop
  201. $ verify_opt_loop_end:
  202. $ ENDIF
  203. $
  204. $ GOTO opt_loop_end
  205. $ ENDIF
  206. $!
  207. $ IF (prog_opt .NES. "")
  208. $ THEN
  209. $!
  210. $ echo "Unknown argument ''prog_opt'"
  211. $
  212. $ EXIT 3
  213. $ ENDIF
  214. $
  215. $opt_loop_continue:
  216. $ i = i + 1
  217. $ GOTO opt_loop
  218. $
  219. $opt_loop_end:
  220. $ EXIT 'RET'