
  1. $! CA - wrapper around ca to make it easier to use ... basically ca requires
  2. $! some setup stuff to be done before you can use it and this makes
  3. $! things easier between now and when Eric is convinced to fix it :-)
  4. $!
  5. $! CA -newca ... will setup the right stuff
  6. $! CA -newreq ... will generate a certificate request
  7. $! CA -sign ... will sign the generated request and output
  8. $!
  9. $! At the end of that grab newreq.pem and newcert.pem (one has the key
  10. $! and the other the certificate) and cat them together and that is what
  11. $! you want/need ... I'll make even this a little cleaner later.
  12. $!
  13. $!
  14. $! 12-Jan-96 tjh Added more things ... including CA -signcert which
  15. $! converts a certificate to a request and then signs it.
  16. $! 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
  17. $! environment variable so this can be driven from
  18. $! a script.
  19. $! 25-Jul-96 eay Cleaned up filenames some more.
  20. $! 11-Jun-96 eay Fixed a few filename missmatches.
  21. $! 03-May-96 eay Modified to use 'openssl cmd' instead of 'cmd'.
  22. $! 18-Apr-96 tjh Original hacking
  23. $!
  24. $! Tim Hudson
  25. $! tjh@cryptsoft.com
  26. $!
  27. $!
  28. $! default ssleay.cnf file has setup as per the following
  29. $! demoCA ... where everything is stored
  30. $
  31. $ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
  32. $
  33. $ DAYS = "-days 365"
  34. $ REQ = openssl + " req " + SSLEAY_CONFIG
  35. $ CA = openssl + " ca " + SSLEAY_CONFIG
  36. $ VERIFY = openssl + " verify"
  37. $ X509 = openssl + " x509"
  38. $ PKCS12 = openssl + " pkcs12"
  39. $ echo = "write sys$Output"
  40. $ RET = 1
  41. $!
  42. $! 2010-12-20 SMS.
  43. $! Use a concealed logical name to reduce command line lengths, to
  44. $! avoid DCL errors on VAX:
  45. $! %DCL-W-TKNOVF, command element is too long - shorten
  46. $! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
  47. $! quickly.)
  48. $!
  49. $ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
  50. $ define /translation_attributes = concealed CATOP 'CATOP'
  51. $!
  52. $ on error then goto clean_up
  53. $ on control_y then goto clean_up
  54. $!
  55. $ CAKEY = "CATOP:[private]cakey.pem"
  56. $ CACERT = "CATOP:[000000]cacert.pem"
  57. $
  58. $ __INPUT := SYS$COMMAND
  59. $!
  60. $ i = 1
  61. $opt_loop:
  62. $ if i .gt. 8 then goto opt_loop_end
  63. $
  64. $ prog_opt = F$EDIT(P'i',"lowercase")
  65. $
  66. $ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help")
  67. $ THEN
  68. $ echo "usage: CA -newcert|-newreq|-newca|-sign|-verify"
  69. $ goto clean_up
  70. $ ENDIF
  71. $!
  72. $ IF (prog_opt .EQS. "-input")
  73. $ THEN
  74. $ ! Get input from somewhere other than SYS$COMMAND
  75. $ i = i + 1
  76. $ __INPUT = P'i'
  77. $ GOTO opt_loop_continue
  78. $ ENDIF
  79. $!
  80. $ IF (prog_opt .EQS. "-newcert")
  81. $ THEN
  82. $ ! Create a certificate.
  83. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  84. $ REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
  85. $ RET=$STATUS
  86. $ echo "Certificate (and private key) is in newreq.pem"
  87. $ GOTO opt_loop_continue
  88. $ ENDIF
  89. $!
  90. $ IF (prog_opt .EQS. "-newreq")
  91. $ THEN
  92. $ ! Create a certificate request
  93. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  94. $ REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
  95. $ RET=$STATUS
  96. $ echo "Request (and private key) is in newreq.pem"
  97. $ GOTO opt_loop_continue
  98. $ ENDIF
  99. $!
  100. $ IF (prog_opt .EQS. "-newca")
  101. $ THEN
  102. $ ! If explicitly asked for or it doesn't exist then setup the directory
  103. $ ! structure that Eric likes to manage things.
  104. $ IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
  105. $ THEN
  106. $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
  107. $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
  108. $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
  109. $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
  110. $ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
  111. $
  112. $ OPEN /WRITE ser_file CATOP:[000000]serial.
  113. $ WRITE ser_file "01"
  114. $ CLOSE ser_file
  115. $ APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
  116. $
  117. $ ! The following is to make sure access() doesn't get confused. It
  118. $ ! really needs one file in the directory to give correct answers...
  119. $ COPY NLA0: CATOP:[certs].;
  120. $ COPY NLA0: CATOP:[crl].;
  121. $ COPY NLA0: CATOP:[newcerts].;
  122. $ COPY NLA0: CATOP:[private].;
  123. $ ENDIF
  124. $!
  125. $ IF F$SEARCH( CAKEY) .EQS. ""
  126. $ THEN
  127. $ READ '__INPUT' FILE -
  128. /PROMPT="CA certificate filename (or enter to create): "
  129. $ IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
  130. $ THEN
  131. $ COPY 'FILE' 'CAKEY'
  132. $ RET=$STATUS
  133. $ ELSE
  134. $ echo "Making CA certificate ..."
  135. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  136. $ REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
  137. $ RET=$STATUS
  138. $ ENDIF
  139. $ ENDIF
  140. $ GOTO opt_loop_continue
  141. $ ENDIF
  142. $!
  143. $ IF (prog_opt .EQS. "-pkcs12")
  144. $ THEN
  145. $ i = i + 1
  146. $ cname = P'i'
  147. $ IF cname .EQS. "" THEN cname = "My certificate"
  148. $ PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
  149. -out newcert.p12 -export -name "''cname'"
  150. $ RET=$STATUS
  151. $ goto clean_up
  152. $ ENDIF
  153. $!
  154. $ IF (prog_opt .EQS. "-xsign")
  155. $ THEN
  156. $!
  157. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  158. $ CA -policy policy_anything -infiles newreq.pem
  159. $ RET=$STATUS
  160. $ GOTO opt_loop_continue
  161. $ ENDIF
  162. $!
  163. $ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
  164. $ THEN
  165. $!
  166. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  167. $ CA -policy policy_anything -out newcert.pem -infiles newreq.pem
  168. $ RET=$STATUS
  169. $ type newcert.pem
  170. $ echo "Signed certificate is in newcert.pem"
  171. $ GOTO opt_loop_continue
  172. $ ENDIF
  173. $!
  174. $ IF (prog_opt .EQS. "-signcert")
  175. $ THEN
  176. $!
  177. $ echo "Cert passphrase will be requested twice - bug?"
  178. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  179. $ X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
  180. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  181. $ CA -policy policy_anything -out newcert.pem -infiles tmp.pem
  182. y
  183. y
  184. $ type newcert.pem
  185. $ echo "Signed certificate is in newcert.pem"
  186. $ GOTO opt_loop_continue
  187. $ ENDIF
  188. $!
  189. $ IF (prog_opt .EQS. "-verify")
  190. $ THEN
  191. $!
  192. $ i = i + 1
  193. $ IF (p'i' .EQS. "")
  194. $ THEN
  195. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  196. $ VERIFY "-CAfile" 'CACERT' newcert.pem
  197. $ ELSE
  198. $ j = i
  199. $ verify_opt_loop:
  200. $ IF j .GT. 8 THEN GOTO verify_opt_loop_end
  201. $ IF p'j' .NES. ""
  202. $ THEN
  203. $ DEFINE /USER_MODE SYS$INPUT '__INPUT'
  204. $ __tmp = p'j'
  205. $ VERIFY "-CAfile" 'CACERT' '__tmp'
  206. $ tmp=$STATUS
  207. $ IF tmp .NE. 0 THEN RET=tmp
  208. $ ENDIF
  209. $ j = j + 1
  210. $ GOTO verify_opt_loop
  211. $ verify_opt_loop_end:
  212. $ ENDIF
  213. $
  214. $ GOTO opt_loop_end
  215. $ ENDIF
  216. $!
  217. $ IF (prog_opt .NES. "")
  218. $ THEN
  219. $!
  220. $ echo "Unknown argument ''prog_opt'"
  221. $ RET = 3
  222. $ goto clean_up
  223. $ ENDIF
  224. $
  225. $opt_loop_continue:
  226. $ i = i + 1
  227. $ GOTO opt_loop
  228. $
  229. $opt_loop_end:
  230. $!
  231. $clean_up:
  232. $!
  233. $ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
  234. deassign /process CATOP
  235. $!
  236. $ EXIT 'RET'