OLD | NEW |
| (Empty) |
1 #!/usr/bin/perl | |
2 # | |
3 # CA - wrapper around ca to make it easier to use ... basically ca requires | |
4 # some setup stuff to be done before you can use it and this makes | |
5 # things easier between now and when Eric is convinced to fix it :-) | |
6 # | |
7 # CA -newca ... will setup the right stuff | |
8 # CA -newreq[-nodes] ... will generate a certificate request | |
9 # CA -sign ... will sign the generated request and output | |
10 # | |
11 # At the end of that grab newreq.pem and newcert.pem (one has the key | |
12 # and the other the certificate) and cat them together and that is what | |
13 # you want/need ... I'll make even this a little cleaner later. | |
14 # | |
15 # | |
16 # 12-Jan-96 tjh Added more things ... including CA -signcert which | |
17 # converts a certificate to a request and then signs it. | |
18 # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG | |
19 # environment variable so this can be driven from | |
20 # a script. | |
21 # 25-Jul-96 eay Cleaned up filenames some more. | |
22 # 11-Jun-96 eay Fixed a few filename missmatches. | |
23 # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. | |
24 # 18-Apr-96 tjh Original hacking | |
25 # | |
26 # Tim Hudson | |
27 # tjh@cryptsoft.com | |
28 # | |
29 | |
30 # 27-Apr-98 snh Translation into perl, fix existing CA bug. | |
31 # | |
32 # | |
33 # Steve Henson | |
34 # shenson@bigfoot.com | |
35 | |
36 # default openssl.cnf file has setup as per the following | |
37 # demoCA ... where everything is stored | |
38 | |
39 my $openssl; | |
40 if(defined $ENV{OPENSSL}) { | |
41 $openssl = $ENV{OPENSSL}; | |
42 } else { | |
43 $openssl = "openssl"; | |
44 $ENV{OPENSSL} = $openssl; | |
45 } | |
46 | |
47 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; | |
48 $DAYS="-days 365"; # 1 year | |
49 $CADAYS="-days 1095"; # 3 years | |
50 $REQ="$openssl req $SSLEAY_CONFIG"; | |
51 $CA="$openssl ca $SSLEAY_CONFIG"; | |
52 $VERIFY="$openssl verify"; | |
53 $X509="$openssl x509"; | |
54 $PKCS12="$openssl pkcs12"; | |
55 | |
56 $CATOP="./demoCA"; | |
57 $CAKEY="cakey.pem"; | |
58 $CAREQ="careq.pem"; | |
59 $CACERT="cacert.pem"; | |
60 | |
61 $DIRMODE = 0777; | |
62 | |
63 $RET = 0; | |
64 | |
65 foreach (@ARGV) { | |
66 if ( /^(-\?|-h|-help)$/ ) { | |
67 print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|
-verify\n"; | |
68 exit 0; | |
69 } elsif (/^-newcert$/) { | |
70 # create a certificate | |
71 system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS")
; | |
72 $RET=$?; | |
73 print "Certificate is in newcert.pem, private key is in newkey.pem\n
" | |
74 } elsif (/^-newreq$/) { | |
75 # create a certificate request | |
76 system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS"); | |
77 $RET=$?; | |
78 print "Request is in newreq.pem, private key is in newkey.pem\n"; | |
79 } elsif (/^-newreq-nodes$/) { | |
80 # create a certificate request | |
81 system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS")
; | |
82 $RET=$?; | |
83 print "Request is in newreq.pem, private key is in newkey.pem\n"; | |
84 } elsif (/^-newca$/) { | |
85 # if explicitly asked for or it doesn't exist then setup the | |
86 # directory structure that Eric likes to manage things | |
87 $NEW="1"; | |
88 if ( "$NEW" || ! -f "${CATOP}/serial" ) { | |
89 # create the directory hierarchy | |
90 mkdir $CATOP, $DIRMODE; | |
91 mkdir "${CATOP}/certs", $DIRMODE; | |
92 mkdir "${CATOP}/crl", $DIRMODE ; | |
93 mkdir "${CATOP}/newcerts", $DIRMODE; | |
94 mkdir "${CATOP}/private", $DIRMODE; | |
95 open OUT, ">${CATOP}/index.txt"; | |
96 close OUT; | |
97 open OUT, ">${CATOP}/crlnumber"; | |
98 print OUT "01\n"; | |
99 close OUT; | |
100 } | |
101 if ( ! -f "${CATOP}/private/$CAKEY" ) { | |
102 print "CA certificate filename (or enter to create)\n"; | |
103 $FILE = <STDIN>; | |
104 | |
105 chop $FILE; | |
106 | |
107 # ask user for existing CA certificate | |
108 if ($FILE) { | |
109 cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); | |
110 cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); | |
111 $RET=$?; | |
112 } else { | |
113 print "Making CA certificate ...\n"; | |
114 system ("$REQ -new -keyout " . | |
115 "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ"); | |
116 system ("$CA -create_serial " . | |
117 "-out ${CATOP}/$CACERT $CADAYS -batch " . | |
118 "-keyfile ${CATOP}/private/$CAKEY -selfsign " . | |
119 "-extensions v3_ca " . | |
120 "-infiles ${CATOP}/$CAREQ "); | |
121 $RET=$?; | |
122 } | |
123 } | |
124 } elsif (/^-pkcs12$/) { | |
125 my $cname = $ARGV[1]; | |
126 $cname = "My Certificate" unless defined $cname; | |
127 system ("$PKCS12 -in newcert.pem -inkey newkey.pem " . | |
128 "-certfile ${CATOP}/$CACERT -out newcert.p12 " . | |
129 "-export -name \"$cname\""); | |
130 $RET=$?; | |
131 print "PKCS #12 file is in newcert.p12\n"; | |
132 exit $RET; | |
133 } elsif (/^-xsign$/) { | |
134 system ("$CA -policy policy_anything -infiles newreq.pem"); | |
135 $RET=$?; | |
136 } elsif (/^(-sign|-signreq)$/) { | |
137 system ("$CA -policy policy_anything -out newcert.pem " . | |
138 "-infiles newreq.pem"); | |
139 $RET=$?; | |
140 print "Signed certificate is in newcert.pem\n"; | |
141 } elsif (/^(-signCA)$/) { | |
142 system ("$CA -policy policy_anything -out newcert.pem " . | |
143 "-extensions v3_ca -infiles newreq.pem")
; | |
144 $RET=$?; | |
145 print "Signed CA certificate is in newcert.pem\n"; | |
146 } elsif (/^-signcert$/) { | |
147 system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . | |
148 "-out tmp.pem"); | |
149 system ("$CA -policy policy_anything -out newcert.pem " . | |
150 "-infiles tmp.pem"); | |
151 $RET = $?; | |
152 print "Signed certificate is in newcert.pem\n"; | |
153 } elsif (/^-verify$/) { | |
154 if (shift) { | |
155 foreach $j (@ARGV) { | |
156 system ("$VERIFY -CAfile $CATOP/$CACERT $j"); | |
157 $RET=$? if ($? != 0); | |
158 } | |
159 exit $RET; | |
160 } else { | |
161 system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); | |
162 $RET=$?; | |
163 exit 0; | |
164 } | |
165 } else { | |
166 print STDERR "Unknown arg $_\n"; | |
167 print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|
-verify\n"; | |
168 exit 1; | |
169 } | |
170 } | |
171 | |
172 exit $RET; | |
173 | |
174 sub cp_pem { | |
175 my ($infile, $outfile, $bound) = @_; | |
176 open IN, $infile; | |
177 open OUT, ">$outfile"; | |
178 my $flag = 0; | |
179 while (<IN>) { | |
180 $flag = 1 if (/^-----BEGIN.*$bound/) ; | |
181 print OUT $_ if ($flag); | |
182 if (/^-----END.*$bound/) { | |
183 close IN; | |
184 close OUT; | |
185 return; | |
186 } | |
187 } | |
188 } | |
189 | |
OLD | NEW |