Etusivu Tutki Apua
Kirjaudu sisään
OWEALs
/
openssl
peilaus alkaen git://git.openssl.org/openssl.git
2
0
Fork 0
Tiedostot Ongelmat 1 Wiki
Haara: OpenSSL-fips-2_0-stable
Haarat Tagit
openssl
/
apps
/
CA.com

CA.com 6.6 KB
Pysyvä linkki Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236 
  1. $! CA - wrapper around ca to make it easier to use ... basically ca requires
    2. 

  2. $!      some setup stuff to be done before you can use it and this makes
    3. 

  3. $!      things easier between now and when Eric is convinced to fix it :-)
    4. 

  4. $!
    5. 

  5. $! CA -newca ... will setup the right stuff
    6. 

  6. $! CA -newreq ... will generate a certificate request 
    7. 

  7. $! CA -sign ... will sign the generated request and output 
    8. 

  8. $!
    9. 

  9. $! At the end of that grab newreq.pem and newcert.pem (one has the key 
    10. 

  10. $! and the other the certificate) and cat them together and that is what
    11. 

  11. $! you want/need ... I'll make even this a little cleaner later.
    12. 

  12. $!
    13. 

  13. $!
    14. 

  14. $! 12-Jan-96 tjh    Added more things ... including CA -signcert which
    15. 

  15. $!                  converts a certificate to a request and then signs it.
    16. 

  16. $! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
    17. 

  17. $!                 environment variable so this can be driven from
    18. 

  18. $!                 a script.
    19. 

  19. $! 25-Jul-96 eay    Cleaned up filenames some more.
    20. 

  20. $! 11-Jun-96 eay    Fixed a few filename missmatches.
    21. 

  21. $! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
    22. 

  22. $! 18-Apr-96 tjh    Original hacking
    23. 

  23. $!
    24. 

  24. $! Tim Hudson
    25. 

  25. $! tjh@cryptsoft.com
    26. 

  26. $!
    27. 

  27. $!
    28. 

  28. $! default ssleay.cnf file has setup as per the following
    29. 

  29. $! demoCA ... where everything is stored
    30. 

  30. $
    31. 

  31. $ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
    32. 

  32. $
    33. 

  33. $ DAYS   = "-days 365"
    34. 

  34. $ REQ    = openssl + " req " + SSLEAY_CONFIG
    35. 

  35. $ CA     = openssl + " ca " + SSLEAY_CONFIG
    36. 

  36. $ VERIFY = openssl + " verify"
    37. 

  37. $ X509   = openssl + " x509"
    38. 

  38. $ PKCS12 = openssl + " pkcs12"
    39. 

  39. $ echo   = "write sys$Output"
    40. 

  40. $ RET = 1
    41. 

  41. $!
    42. 

  42. $! 2010-12-20 SMS.
    43. 

  43. $! Use a concealed logical name to reduce command line lengths, to
    44. 

  44. $! avoid DCL errors on VAX:
    45. 

  45. $!     %DCL-W-TKNOVF, command element is too long - shorten
    46. 

  46. $! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
    47. 

  47. $! quickly.)
    48. 

  48. $!
    49. 

  49. $ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
    50. 

  50. $ define /translation_attributes = concealed CATOP 'CATOP'
    51. 

  51. $!
    52. 

  52. $ on error then goto clean_up
    53. 

  53. $ on control_y then goto clean_up
    54. 

  54. $!
    55. 

  55. $ CAKEY  = "CATOP:[private]cakey.pem"
    56. 

  56. $ CACERT = "CATOP:[000000]cacert.pem"
    57. 

  57. $
    58. 

  58. $ __INPUT := SYS$COMMAND
    59. 

  59. $!
    60. 

  60. $ i = 1
    61. 

  61. $opt_loop:
    62. 

  62. $ if i .gt. 8 then goto opt_loop_end
    63. 

  63. $
    64. 

  64. $ prog_opt = F$EDIT(P'i',"lowercase")
    65. 

  65. $
    66. 

  66. $ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
    67. 

  67. $ THEN
    68. 

  68. $   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
    69. 

  69. $   goto clean_up
    70. 

  70. $ ENDIF
    71. 

  71. $!
    72. 

  72. $ IF (prog_opt .EQS. "-input")
    73. 

  73. $ THEN
    74. 

  74. $   ! Get input from somewhere other than SYS$COMMAND
    75. 

  75. $   i = i + 1
    76. 

  76. $   __INPUT = P'i'
    77. 

  77. $   GOTO opt_loop_continue
    78. 

  78. $ ENDIF
    79. 

  79. $!
    80. 

  80. $ IF (prog_opt .EQS. "-newcert")
    81. 

  81. $ THEN
    82. 

  82. $   ! Create a certificate.
    83. 

  83. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    84. 

  84. $   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
    85. 

  85. $   RET=$STATUS
    86. 

  86. $   echo "Certificate (and private key) is in newreq.pem"
    87. 

  87. $   GOTO opt_loop_continue
    88. 

  88. $ ENDIF
    89. 

  89. $!
    90. 

  90. $ IF (prog_opt .EQS. "-newreq")
    91. 

  91. $ THEN
    92. 

  92. $   ! Create a certificate request
    93. 

  93. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    94. 

  94. $   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
    95. 

  95. $   RET=$STATUS
    96. 

  96. $   echo "Request (and private key) is in newreq.pem"
    97. 

  97. $   GOTO opt_loop_continue
    98. 

  98. $ ENDIF
    99. 

  99. $!
    100. 

  100. $ IF (prog_opt .EQS. "-newca")
    101. 

  101. $ THEN
    102. 

  102. $   ! If explicitly asked for or it doesn't exist then setup the directory
    103. 

  103. $   ! structure that Eric likes to manage things.
    104. 

  104. $   IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
    105. 

  105. $   THEN
    106. 

  106. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
    107. 

  107. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
    108. 

  108. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
    109. 

  109. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
    110. 

  110. $     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
    111. 

  111. $
    112. 

  112. $     OPEN /WRITE ser_file CATOP:[000000]serial. 
    113. 

  113. $     WRITE ser_file "01"
    114. 

  114. $     CLOSE ser_file
    115. 

  115. $     APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
    116. 

  116. $
    117. 

  117. $     ! The following is to make sure access() doesn't get confused.  It
    118. 

  118. $     ! really needs one file in the directory to give correct answers...
    119. 

  119. $     COPY NLA0: CATOP:[certs].;
    120. 

  120. $     COPY NLA0: CATOP:[crl].;
    121. 

  121. $     COPY NLA0: CATOP:[newcerts].;
    122. 

  122. $     COPY NLA0: CATOP:[private].;
    123. 

  123. $   ENDIF
    124. 

  124. $!
    125. 

  125. $   IF F$SEARCH( CAKEY) .EQS. ""
    126. 

  126. $   THEN
    127. 

  127. $     READ '__INPUT' FILE -
    128. 

  128.        /PROMPT="CA certificate filename (or enter to create): "
    129. 

  129. $     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
    130. 

  130. $     THEN
    131. 

  131. $       COPY 'FILE' 'CAKEY'
    132. 

  132. $       RET=$STATUS
    133. 

  133. $     ELSE
    134. 

  134. $       echo "Making CA certificate ..."
    135. 

  135. $       DEFINE /USER_MODE SYS$INPUT '__INPUT'
    136. 

  136. $       REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
    137. 

  137. $       RET=$STATUS
    138. 

  138. $     ENDIF
    139. 

  139. $   ENDIF
    140. 

  140. $   GOTO opt_loop_continue
    141. 

  141. $ ENDIF
    142. 

  142. $!
    143. 

  143. $ IF (prog_opt .EQS. "-pkcs12")
    144. 

  144. $ THEN
    145. 

  145. $   i = i + 1
    146. 

  146. $   cname = P'i'
    147. 

  147. $   IF cname .EQS. "" THEN cname = "My certificate"
    148. 

  148. $   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
    149. 

  149.      -out newcert.p12 -export -name "''cname'"
    150. 

  150. $   RET=$STATUS
    151. 

  151. $   goto clean_up
    152. 

  152. $ ENDIF
    153. 

  153. $!
    154. 

  154. $ IF (prog_opt .EQS. "-xsign")
    155. 

  155. $ THEN
    156. 

  156. $!
    157. 

  157. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    158. 

  158. $   CA -policy policy_anything -infiles newreq.pem
    159. 

  159. $   RET=$STATUS
    160. 

  160. $   GOTO opt_loop_continue
    161. 

  161. $ ENDIF
    162. 

  162. $!
    163. 

  163. $ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
    164. 

  164. $ THEN
    165. 

  165. $!   
    166. 

  166. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    167. 

  167. $   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    168. 

  168. $   RET=$STATUS
    169. 

  169. $   type newcert.pem
    170. 

  170. $   echo "Signed certificate is in newcert.pem"
    171. 

  171. $   GOTO opt_loop_continue
    172. 

  172. $ ENDIF
    173. 

  173. $!
    174. 

  174. $ IF (prog_opt .EQS. "-signcert")
    175. 

  175. $  THEN
    176. 

  176. $!   
    177. 

  177. $   echo "Cert passphrase will be requested twice - bug?"
    178. 

  178. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    179. 

  179. $   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    180. 

  180. $   DEFINE /USER_MODE SYS$INPUT '__INPUT'
    181. 

  181. $   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    182. 

  182. y
    183. 

  183. y
    184. 

  184. $   type newcert.pem
    185. 

  185. $   echo "Signed certificate is in newcert.pem"
    186. 

  186. $   GOTO opt_loop_continue
    187. 

  187. $ ENDIF
    188. 

  188. $!
    189. 

  189. $ IF (prog_opt .EQS. "-verify")
    190. 

  190. $ THEN
    191. 

  191. $!   
    192. 

  192. $   i = i + 1
    193. 

  193. $   IF (p'i' .EQS. "")
    194. 

  194. $   THEN
    195. 

  195. $     DEFINE /USER_MODE SYS$INPUT '__INPUT'
    196. 

  196. $     VERIFY "-CAfile" 'CACERT' newcert.pem
    197. 

  197. $   ELSE
    198. 

  198. $     j = i
    199. 

  199. $    verify_opt_loop:
    200. 

  200. $     IF j .GT. 8 THEN GOTO verify_opt_loop_end
    201. 

  201. $     IF p'j' .NES. ""
    202. 

  202. $     THEN 
    203. 

  203. $       DEFINE /USER_MODE SYS$INPUT '__INPUT'
    204. 

  204. $       __tmp = p'j'
    205. 

  205. $       VERIFY "-CAfile" 'CACERT' '__tmp'
    206. 

  206. $       tmp=$STATUS
    207. 

  207. $       IF tmp .NE. 0 THEN RET=tmp
    208. 

  208. $     ENDIF
    209. 

  209. $     j = j + 1
    210. 

  210. $     GOTO verify_opt_loop
    211. 

  211. $    verify_opt_loop_end:
    212. 

  212. $   ENDIF
    213. 

  213. $   
    214. 

  214. $   GOTO opt_loop_end
    215. 

  215. $ ENDIF
    216. 

  216. $!
    217. 

  217. $ IF (prog_opt .NES. "")
    218. 

  218. $ THEN
    219. 

  219. $!   
    220. 

  220. $   echo "Unknown argument ''prog_opt'"
    221. 

  221. $   RET = 3
    222. 

  222. $   goto clean_up
    223. 

  223. $ ENDIF
    224. 

  224. $
    225. 

  225. $opt_loop_continue:
    226. 

  226. $ i = i + 1
    227. 

  227. $ GOTO opt_loop
    228. 

  228. $
    229. 

  229. $opt_loop_end:
    230. 

  230. $!
    231. 

  231. $clean_up:
    232. 

  232. $!
    233. 

  233. $ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
    234. 

  234.    deassign /process CATOP
    235. 

  235. $!
    236. 

  236. $ EXIT 'RET'
    237.