1#!/bin/sh
2#
3# CA - wrapper around ca to make it easier to use ... basically ca requires
4#      some setup stuff to be done before you can use it and this makes
5#      things easier between now and when Eric is convinced to fix it :-)
6#
7# CA -newca ... will setup the right stuff
8# CA -newreq ... will generate a certificate request
9# CA -sign ... will sign the generated request and output
10#
11# At the end of that grab newreq.pem and newcert.pem (one has the key
12# and the other the certificate) and cat them together and that is what
13# you want/need ... I'll make even this a little cleaner later.
14#
15#
16# 12-Jan-96 tjh    Added more things ... including CA -signcert which
17#                  converts a certificate to a request and then signs it.
18# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
19#                  environment variable so this can be driven from
20#                  a script.
21# 25-Jul-96 eay    Cleaned up filenames some more.
22# 11-Jun-96 eay    Fixed a few filename missmatches.
23# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
24# 18-Apr-96 tjh    Original hacking
25#
26# Tim Hudson
27# tjh@cryptsoft.com
28#
29
30# default openssl.cnf file has setup as per the following
31# demoCA ... where everything is stored
32cp_pem() {
33    infile=$1
34    outfile=$2
35    bound=$3
36    flag=0
37    exec <$infile;
38    while read line; do
39	if [ $flag -eq 1 ]; then
40		echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
41		if [ $? -eq 0 ] ; then
42			echo $line >>$outfile
43			break
44		else
45			echo $line >>$outfile
46		fi
47	fi
48
49	echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
50	if [ $? -eq 0 ]; then
51		echo $line >$outfile
52		flag=1
53	fi
54    done
55}
56
57usage() {
58 echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
59}
60
61if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
62
63if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year
64CADAYS="-days 1095"	# 3 years
65REQ="$OPENSSL req $SSLEAY_CONFIG"
66CA="$OPENSSL ca $SSLEAY_CONFIG"
67VERIFY="$OPENSSL verify"
68X509="$OPENSSL x509"
69PKCS12="openssl pkcs12"
70
71if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
72CAKEY=./cakey.pem
73CAREQ=./careq.pem
74CACERT=./cacert.pem
75
76RET=0
77
78while [ "$1" != "" ] ; do
79case $1 in
80-\?|-h|-help)
81    usage
82    exit 0
83    ;;
84-newcert)
85    # create a certificate
86    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
87    RET=$?
88    echo "Certificate is in newcert.pem, private key is in newkey.pem"
89    ;;
90-newreq)
91    # create a certificate request
92    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
93    RET=$?
94    echo "Request is in newreq.pem, private key is in newkey.pem"
95    ;;
96-newreq-nodes) 
97    # create a certificate request
98    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
99    RET=$?
100    echo "Request (and private key) is in newreq.pem"
101    ;;
102-newca)
103    # if explicitly asked for or it doesn't exist then setup the directory
104    # structure that Eric likes to manage things
105    NEW="1"
106    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
107	# create the directory hierarchy
108	mkdir -p ${CATOP}
109	mkdir -p ${CATOP}/certs
110	mkdir -p ${CATOP}/crl
111	mkdir -p ${CATOP}/newcerts
112	mkdir -p ${CATOP}/private
113	touch ${CATOP}/index.txt
114    fi
115    if [ ! -f ${CATOP}/private/$CAKEY ]; then
116	echo "CA certificate filename (or enter to create)"
117	read FILE
118
119	# ask user for existing CA certificate
120	if [ "$FILE" ]; then
121	    cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
122	    cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
123	    RET=$?
124	    if [ ! -f "${CATOP}/serial" ]; then
125		$X509 -in ${CATOP}/$CACERT -noout -next_serial \
126		      -out ${CATOP}/serial
127	    fi
128	else
129	    echo "Making CA certificate ..."
130	    $REQ -new -keyout ${CATOP}/private/$CAKEY \
131			   -out ${CATOP}/$CAREQ
132	    $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
133			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
134			   -extensions v3_ca \
135			   -infiles ${CATOP}/$CAREQ
136	    RET=$?
137	fi
138    fi
139    ;;
140-xsign)
141    $CA -policy policy_anything -infiles newreq.pem
142    RET=$?
143    ;;
144-pkcs12)
145    if [ -z "$2" ] ; then
146	CNAME="My Certificate"
147    else
148	CNAME="$2"
149    fi
150    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
151	    -out newcert.p12 -export -name "$CNAME"
152    RET=$?
153    exit $RET
154    ;;
155-sign|-signreq)
156    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
157    RET=$?
158    cat newcert.pem
159    echo "Signed certificate is in newcert.pem"
160    ;;
161-signCA)
162    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
163    RET=$?
164    echo "Signed CA certificate is in newcert.pem"
165    ;;
166-signcert)
167    echo "Cert passphrase will be requested twice - bug?"
168    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
169    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
170    RET=$?
171    cat newcert.pem
172    echo "Signed certificate is in newcert.pem"
173    ;;
174-verify)
175    shift
176    if [ -z "$1" ]; then
177	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
178	    RET=$?
179    else
180	for j
181	do
182	    $VERIFY -CAfile $CATOP/$CACERT $j
183	    if [ $? != 0 ]; then
184		    RET=$?
185	    fi
186	done
187    fi
188    exit $RET
189    ;;
190*)
191    echo "Unknown arg $i" >&2
192    usage
193    exit 1
194    ;;
195esac
196shift
197done
198exit $RET
199