Skip to content
GitLab
Find file Normal viewHistoryPermalink
CA.com 6.59 KB
Newer Older
powelld's avatar
OpenSSL implementing mctls version 0.1
powelld committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 
$! CA - wrapper around ca to make it easier to use ... basically ca requires
$!      some setup stuff to be done before you can use it and this makes
$!      things easier between now and when Eric is convinced to fix it :-)
$!
$! CA -newca ... will setup the right stuff
$! CA -newreq ... will generate a certificate request 
$! CA -sign ... will sign the generated request and output 
$!
$! At the end of that grab newreq.pem and newcert.pem (one has the key 
$! and the other the certificate) and cat them together and that is what
$! you want/need ... I'll make even this a little cleaner later.
$!
$!
$! 12-Jan-96 tjh    Added more things ... including CA -signcert which
$!                  converts a certificate to a request and then signs it.
$! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
$!                 environment variable so this can be driven from
$!                 a script.
$! 25-Jul-96 eay    Cleaned up filenames some more.
$! 11-Jun-96 eay    Fixed a few filename missmatches.
$! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
$! 18-Apr-96 tjh    Original hacking
$!
$! Tim Hudson
$! tjh@cryptsoft.com
$!
$!
$! default ssleay.cnf file has setup as per the following
$! demoCA ... where everything is stored
$
$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
$
$ DAYS   = "-days 365"
$ REQ    = openssl + " req " + SSLEAY_CONFIG
$ CA     = openssl + " ca " + SSLEAY_CONFIG
$ VERIFY = openssl + " verify"
$ X509   = openssl + " x509"
$ PKCS12 = openssl + " pkcs12"
$ echo   = "write sys$Output"
$ RET = 1
$!
$! 2010-12-20 SMS.
$! Use a concealed logical name to reduce command line lengths, to
$! avoid DCL errors on VAX:
$!     %DCL-W-TKNOVF, command element is too long - shorten
$! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
$! quickly.)
$!
$ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
$ define /translation_attributes = concealed CATOP 'CATOP'
$!
$ on error then goto clean_up
$ on control_y then goto clean_up
$!
$ CAKEY  = "CATOP:[private]cakey.pem"
$ CACERT = "CATOP:[000000]cacert.pem"
$
$ __INPUT := SYS$COMMAND
$!
$ i = 1
$opt_loop:
$ if i .gt. 8 then goto opt_loop_end
$
$ prog_opt = F$EDIT(P'i',"lowercase")
$
$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
$ THEN
$   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
$   goto clean_up
$ ENDIF
$!
$ IF (prog_opt .EQS. "-input")
$ THEN
$   ! Get input from somewhere other than SYS$COMMAND
$   i = i + 1
$   __INPUT = P'i'
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newcert")
$ THEN
$   ! Create a certificate.
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
$   RET=$STATUS
$   echo "Certificate (and private key) is in newreq.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newreq")
$ THEN
$   ! Create a certificate request
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
$   RET=$STATUS
$   echo "Request (and private key) is in newreq.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newca")
$ THEN
$   ! If explicitly asked for or it doesn't exist then setup the directory
$   ! structure that Eric likes to manage things.
$   IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
$   THEN
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
$
$     OPEN /WRITE ser_file CATOP:[000000]serial. 
$     WRITE ser_file "01"
$     CLOSE ser_file
$     APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
$
$     ! The following is to make sure access() doesn't get confused.  It
$     ! really needs one file in the directory to give correct answers...
$     COPY NLA0: CATOP:[certs].;
$     COPY NLA0: CATOP:[crl].;
$     COPY NLA0: CATOP:[newcerts].;
$     COPY NLA0: CATOP:[private].;
$   ENDIF
$!
$   IF F$SEARCH( CAKEY) .EQS. ""
$   THEN
$     READ '__INPUT' FILE -
       /PROMPT="CA certificate filename (or enter to create): "
$     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
$     THEN
$       COPY 'FILE' 'CAKEY'
$       RET=$STATUS
$     ELSE
$       echo "Making CA certificate ..."
$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
$       REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
$       RET=$STATUS
$     ENDIF
$   ENDIF
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-pkcs12")
$ THEN
$   i = i + 1
$   cname = P'i'
$   IF cname .EQS. "" THEN cname = "My certificate"
$   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
     -out newcert.p12 -export -name "''cname'"
$   RET=$STATUS
$   goto clean_up
$ ENDIF
$!
$ IF (prog_opt .EQS. "-xsign")
$ THEN
$!
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   CA -policy policy_anything -infiles newreq.pem
$   RET=$STATUS
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
$ THEN
$!   
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
$   RET=$STATUS
$   type newcert.pem
$   echo "Signed certificate is in newcert.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-signcert")
$  THEN
$!   
$   echo "Cert passphrase will be requested twice - bug?"
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
y
y
$   type newcert.pem
$   echo "Signed certificate is in newcert.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-verify")
$ THEN
$!   
$   i = i + 1
$   IF (p'i' .EQS. "")
$   THEN
$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
$     VERIFY "-CAfile" 'CACERT' newcert.pem
$   ELSE
$     j = i
$    verify_opt_loop:
$     IF j .GT. 8 THEN GOTO verify_opt_loop_end
$     IF p'j' .NES. ""
$     THEN 
$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
$       __tmp = p'j'
$       VERIFY "-CAfile" 'CACERT' '__tmp'
$       tmp=$STATUS
$       IF tmp .NE. 0 THEN RET=tmp
$     ENDIF
$     j = j + 1
$     GOTO verify_opt_loop
$    verify_opt_loop_end:
$   ENDIF
$   
$   GOTO opt_loop_end
$ ENDIF
$!
$ IF (prog_opt .NES. "")
$ THEN
$!   
$   echo "Unknown argument ''prog_opt'"
$   RET = 3
$   goto clean_up
$ ENDIF
$
$opt_loop_continue:
$ i = i + 1
$ GOTO opt_loop
$
$opt_loop_end:
$!
$clean_up:
$!
$ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
   deassign /process CATOP
$!
$ EXIT 'RET'