123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236 |
- $! CA - wrapper around ca to make it easier to use ... basically ca requires
- $! some setup stuff to be done before you can use it and this makes
- $! things easier between now and when Eric is convinced to fix it :-)
- $!
- $! CA -newca ... will setup the right stuff
- $! CA -newreq ... will generate a certificate request
- $! CA -sign ... will sign the generated request and output
- $!
- $! At the end of that grab newreq.pem and newcert.pem (one has the key
- $! and the other the certificate) and cat them together and that is what
- $! you want/need ... I'll make even this a little cleaner later.
- $!
- $!
- $! 12-Jan-96 tjh Added more things ... including CA -signcert which
- $! converts a certificate to a request and then signs it.
- $! 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
- $! environment variable so this can be driven from
- $! a script.
- $! 25-Jul-96 eay Cleaned up filenames some more.
- $! 11-Jun-96 eay Fixed a few filename missmatches.
- $! 03-May-96 eay Modified to use 'openssl cmd' instead of 'cmd'.
- $! 18-Apr-96 tjh Original hacking
- $!
- $! Tim Hudson
- $! tjh@cryptsoft.com
- $!
- $!
- $! default ssleay.cnf file has setup as per the following
- $! demoCA ... where everything is stored
- $
- $ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
- $
- $ DAYS = "-days 365"
- $ REQ = openssl + " req " + SSLEAY_CONFIG
- $ CA = openssl + " ca " + SSLEAY_CONFIG
- $ VERIFY = openssl + " verify"
- $ X509 = openssl + " x509"
- $ PKCS12 = openssl + " pkcs12"
- $ echo = "write sys$Output"
- $ RET = 1
- $!
- $! 2010-12-20 SMS.
- $! Use a concealed logical name to reduce command line lengths, to
- $! avoid DCL errors on VAX:
- $! %DCL-W-TKNOVF, command element is too long - shorten
- $! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
- $! quickly.)
- $!
- $ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
- $ define /translation_attributes = concealed CATOP 'CATOP'
- $!
- $ on error then goto clean_up
- $ on control_y then goto clean_up
- $!
- $ CAKEY = "CATOP:[private]cakey.pem"
- $ CACERT = "CATOP:[000000]cacert.pem"
- $
- $ __INPUT := SYS$COMMAND
- $!
- $ i = 1
- $opt_loop:
- $ if i .gt. 8 then goto opt_loop_end
- $
- $ prog_opt = F$EDIT(P'i',"lowercase")
- $
- $ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help")
- $ THEN
- $ echo "usage: CA -newcert|-newreq|-newca|-sign|-verify"
- $ goto clean_up
- $ ENDIF
- $!
- $ IF (prog_opt .EQS. "-input")
- $ THEN
- $ ! Get input from somewhere other than SYS$COMMAND
- $ i = i + 1
- $ __INPUT = P'i'
- $ GOTO opt_loop_continue
- $ ENDIF
- $!
- $ IF (prog_opt .EQS. "-newcert")
- $ THEN
- $ ! Create a certificate.
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
- $ RET=$STATUS
- $ echo "Certificate (and private key) is in newreq.pem"
- $ GOTO opt_loop_continue
- $ ENDIF
- $!
- $ IF (prog_opt .EQS. "-newreq")
- $ THEN
- $ ! Create a certificate request
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
- $ RET=$STATUS
- $ echo "Request (and private key) is in newreq.pem"
- $ GOTO opt_loop_continue
- $ ENDIF
- $!
- $ IF (prog_opt .EQS. "-newca")
- $ THEN
- $ ! If explicitly asked for or it doesn't exist then setup the directory
- $ ! structure that Eric likes to manage things.
- $ IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
- $ THEN
- $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
- $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
- $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
- $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
- $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
- $
- $ OPEN /WRITE ser_file CATOP:[000000]serial.
- $ WRITE ser_file "01"
- $ CLOSE ser_file
- $ APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
- $
- $ ! The following is to make sure access() doesn't get confused. It
- $ ! really needs one file in the directory to give correct answers...
- $ COPY NLA0: CATOP:[certs].;
- $ COPY NLA0: CATOP:[crl].;
- $ COPY NLA0: CATOP:[newcerts].;
- $ COPY NLA0: CATOP:[private].;
- $ ENDIF
- $!
- $ IF F$SEARCH( CAKEY) .EQS. ""
- $ THEN
- $ READ '__INPUT' FILE -
- /PROMPT="CA certificate filename (or enter to create): "
- $ IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
- $ THEN
- $ COPY 'FILE' 'CAKEY'
- $ RET=$STATUS
- $ ELSE
- $ echo "Making CA certificate ..."
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
- $ RET=$STATUS
- $ ENDIF
- $ ENDIF
- $ GOTO opt_loop_continue
- $ ENDIF
- $!
- $ IF (prog_opt .EQS. "-pkcs12")
- $ THEN
- $ i = i + 1
- $ cname = P'i'
- $ IF cname .EQS. "" THEN cname = "My certificate"
- $ PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
- -out newcert.p12 -export -name "''cname'"
- $ RET=$STATUS
- $ goto clean_up
- $ ENDIF
- $!
- $ IF (prog_opt .EQS. "-xsign")
- $ THEN
- $!
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ CA -policy policy_anything -infiles newreq.pem
- $ RET=$STATUS
- $ GOTO opt_loop_continue
- $ ENDIF
- $!
- $ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
- $ THEN
- $!
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ CA -policy policy_anything -out newcert.pem -infiles newreq.pem
- $ RET=$STATUS
- $ type newcert.pem
- $ echo "Signed certificate is in newcert.pem"
- $ GOTO opt_loop_continue
- $ ENDIF
- $!
- $ IF (prog_opt .EQS. "-signcert")
- $ THEN
- $!
- $ echo "Cert passphrase will be requested twice - bug?"
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ CA -policy policy_anything -out newcert.pem -infiles tmp.pem
- y
- y
- $ type newcert.pem
- $ echo "Signed certificate is in newcert.pem"
- $ GOTO opt_loop_continue
- $ ENDIF
- $!
- $ IF (prog_opt .EQS. "-verify")
- $ THEN
- $!
- $ i = i + 1
- $ IF (p'i' .EQS. "")
- $ THEN
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ VERIFY "-CAfile" 'CACERT' newcert.pem
- $ ELSE
- $ j = i
- $ verify_opt_loop:
- $ IF j .GT. 8 THEN GOTO verify_opt_loop_end
- $ IF p'j' .NES. ""
- $ THEN
- $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
- $ __tmp = p'j'
- $ VERIFY "-CAfile" 'CACERT' '__tmp'
- $ tmp=$STATUS
- $ IF tmp .NE. 0 THEN RET=tmp
- $ ENDIF
- $ j = j + 1
- $ GOTO verify_opt_loop
- $ verify_opt_loop_end:
- $ ENDIF
- $
- $ GOTO opt_loop_end
- $ ENDIF
- $!
- $ IF (prog_opt .NES. "")
- $ THEN
- $!
- $ echo "Unknown argument ''prog_opt'"
- $ RET = 3
- $ goto clean_up
- $ ENDIF
- $
- $opt_loop_continue:
- $ i = i + 1
- $ GOTO opt_loop
- $
- $opt_loop_end:
- $!
- $clean_up:
- $!
- $ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
- deassign /process CATOP
- $!
- $ EXIT 'RET'
|