CA.com revision bdfb8ad83da0647e9b9a32792598e8ce7ba3ef4d
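$! CA - wrapper around "openssl ca" to make it easier to use ... basically ca
$! requires some setup (directory tree, serial file, index, CA key and cert)
$! before you can use it, and this procedure does that setup and drives the
$! common request / sign / verify steps.
$!
$! CA -newca ........ create the demoCA tree and a self-signed CA key/cert
$! CA -newreq ....... generate a private key and a certificate request
$! CA -newcert ...... generate a private key and a self-signed certificate
$! CA -sign ......... sign newreq.pem into newcert.pem (-signreq is a synonym)
$! CA -xsign ........ sign newreq.pem; no -out, so the certificate goes to
$!                    wherever "openssl ca" writes by default
$! CA -signcert ..... convert the certificate in newreq.pem back to a
$!                    request and then sign it
$! CA -pkcs12 [name]  bundle newcert.pem, the key in newreq.pem and the CA
$!                    certificate into newcert.p12
$! CA -verify [f...]  verify newcert.pem (or each file named) against the CA cert
$! CA -input file ... read interactive answers from FILE instead of SYS$COMMAND
$!                    (must precede the action it applies to)
$!
$! At the end of that grab newreq.pem and newcert.pem (one has the key
$! and the other the certificate) and cat them together and that is what
$! you want/need ... I'll make even this a little cleaner later.
$!
$! SECURITY NOTES
$!   * newreq.pem holds the PRIVATE KEY as well as the request/certificate
$!     (-keyout and -out name the same file); treat it like the CA key.
$!   * Every signing path uses "-policy policy_anything" from the config
$!     file, i.e. the subject of the request is accepted as supplied.  Read
$!     the request before answering the sign prompt.
$!   * SSLEAY_CONFIG is appended verbatim to the openssl command line and
$!     selects the config that names the CA key and directories; whoever can
$!     change it, or the file it points at, controls what this CA signs.
$!
$! 12-Jan-96 tjh Added more things ... including CA -signcert which
$!               converts a certificate to a request and then signs it.
$! 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
$!               environment variable so this can be driven from
$!               a script.
$! 25-Jul-96 eay Cleaned up filenames some more.
$! 11-Jun-96 eay Fixed a few filename mismatches.
$! 03-May-96 eay Modified to use 'openssl cmd' instead of 'cmd'.
$! 18-Apr-96 tjh Original hacking
$!
$! Tim Hudson
$! tjh@cryptsoft.com
$!
$!
$! default ssleay.cnf file has setup as per the following
$! demoCA ... where everything is stored
$
$! NOTE(review): the default below is a bare file name with no -config
$! switch, yet it is appended verbatim to "openssl req" / "openssl ca";
$! confirm this works with the openssl build in use, or set SSLEAY_CONFIG
$! to "-config <file>" before invoking this procedure.
$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
$
$ DAYS = "-days 365"
$ REQ = openssl + " req " + SSLEAY_CONFIG
$ CA = openssl + " ca " + SSLEAY_CONFIG
$ VERIFY = openssl + " verify"
$ X509 = openssl + " x509"
$ PKCS12 = openssl + " pkcs12"
$ echo = "write sys$Output"
$!
$! CATOP is the demoCA tree under the current default directory, without
$! the closing bracket so that sub-directories can be appended to it.
$ s = F$PARSE(F$ENVIRONMENT("DEFAULT"),"[]") - "].;"
$ CATOP := 's'.demoCA
$ CAKEY := ]cakey.pem
$ CACERT := ]cacert.pem
$
$! Where interactive prompts are answered from; overridden by -input.
$ __INPUT := SYS$COMMAND
$! Procedure exit status; 1 is SS$_NORMAL.  Updated from $STATUS after each
$! openssl invocation so that "EXIT 'RET'" reports the last (or, for
$! -verify, any failed) step.
$ RET = 1
$!
$ i = 1
$opt_loop:
$   IF i .GT. 8 THEN GOTO opt_loop_end
$
$   prog_opt = F$EDIT(P'i',"lowercase")
$
$   IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help")
$   THEN
$       echo "usage: CA [-input file] -newcert|-newreq|-newca|-pkcs12 [name]|-sign|-signreq|-xsign|-signcert|-verify [file...]"
$       EXIT
$   ENDIF
$!
$   IF (prog_opt .EQS. "-input")
$   THEN
$       ! Get input from somewhere other than SYS$COMMAND
$       i = i + 1
$       __INPUT = P'i'
$       ! An empty name would later be fed to DEFINE/USER SYS$INPUT; refuse it
$       ! here with an error-severity status (message display inhibited).
$       IF __INPUT .EQS. ""
$       THEN
$           echo "-input needs a file name"
$           EXIT %X10000002
$       ENDIF
$       GOTO opt_loop_continue
$   ENDIF
$!
$   IF (prog_opt .EQS. "-newcert")
$   THEN
$       ! Create a self-signed certificate.  Key and certificate land in the
$       ! same file, newreq.pem.
$       DEFINE/USER SYS$INPUT '__INPUT'
$       REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
$       RET = $STATUS
$       ! newreq.pem contains the private key: deny group/world explicitly
$       ! instead of relying on the process default file protection.
$       IF F$SEARCH("newreq.pem") .NES. "" THEN -
            SET FILE /PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) newreq.pem
$       echo "Certificate (and private key) is in newreq.pem"
$       GOTO opt_loop_continue
$   ENDIF
$!
$   IF (prog_opt .EQS. "-newreq")
$   THEN
$       ! Create a certificate request.  Key and request land in the same
$       ! file, newreq.pem.
$       DEFINE/USER SYS$INPUT '__INPUT'
$       REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
$       RET = $STATUS
$       ! newreq.pem contains the private key: deny group/world explicitly
$       ! instead of relying on the process default file protection.
$       IF F$SEARCH("newreq.pem") .NES. "" THEN -
            SET FILE /PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) newreq.pem
$       echo "Request (and private key) is in newreq.pem"
$       GOTO opt_loop_continue
$   ENDIF
$!
$   IF (prog_opt .EQS. "-newca")
$   THEN
$       ! If the serial file is missing, set up the directory structure that
$       ! "openssl ca" expects: serial number file, empty index, and the
$       ! certs / crl / newcerts / private sub-directories (owner-only).
$       IF F$SEARCH(CATOP+"]serial.") .EQS. ""
$       THEN
$           CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP']
$           CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.certs]
$           CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.crl]
$           CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.newcerts]
$           CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.private]
$
$           OPEN /WRITE ser_file 'CATOP']serial.
$           WRITE ser_file "01"
$           CLOSE ser_file
$           APPEND/NEW NL: 'CATOP']index.txt
$
$           ! The following is to make sure access() doesn't get confused. It
$           ! really needs one file in the directory to give correct answers...
$           COPY NLA0: 'CATOP'.certs].;
$           COPY NLA0: 'CATOP'.crl].;
$           COPY NLA0: 'CATOP'.newcerts].;
$           COPY NLA0: 'CATOP'.private].;
$       ENDIF
$!
$       ! Only create (or install) a CA key when none is present yet.
$       IF F$SEARCH(CATOP+".private"+CAKEY) .EQS. ""
$       THEN
$           ! /PROMPT is the READ qualifier; the original "/PROMT" is not a
$           ! prefix of it and so is not a valid abbreviation.
$           READ '__INPUT' FILE -
                /PROMPT="CA certificate filename (or enter to create)"
$           IF F$SEARCH(FILE) .NES. ""
$           THEN
$               ! The named file is installed as the CA key file.  Note that
$               ! nothing is written to CACERT in this branch.
$               COPY 'FILE' 'CATOP'.private'CAKEY'
$               RET = $STATUS
$           ELSE
$               echo "Making CA certificate ..."
$               DEFINE/USER SYS$INPUT '__INPUT'
$               REQ -new -x509 -keyout 'CATOP'.private'CAKEY' -
                    -out 'CATOP''CACERT' 'DAYS'
$               RET = $STATUS
$           ENDIF
$           ! The CA key is the root of trust for everything this procedure
$           ! signs.  The directory above is owner-only, but the file itself
$           ! takes the process default protection, so tighten it explicitly.
$           IF F$SEARCH(CATOP+".private"+CAKEY) .NES. "" THEN -
                SET FILE /PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) 'CATOP'.private'CAKEY'
$       ENDIF
$       GOTO opt_loop_continue
$   ENDIF
$!
$   IF (prog_opt .EQS. "-pkcs12")
$   THEN
$       ! Optional friendly name follows the switch.
$       i = i + 1
$       cname = P'i'
$       IF cname .EQS. "" THEN cname = "My certificate"
$       PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CATOP''CACERT' -
            -out newcert.p12 -export -name "''cname'"
$       RET = $STATUS
$       ! -pkcs12 terminates the procedure; later arguments are not processed.
$       EXIT RET
$   ENDIF
$!
$   IF (prog_opt .EQS. "-xsign")
$   THEN
$!
$       ! No -out: the certificate goes wherever "openssl ca" writes by default.
$       DEFINE/USER SYS$INPUT '__INPUT'
$       CA -policy policy_anything -infiles newreq.pem
$       RET = $STATUS
$       GOTO opt_loop_continue
$   ENDIF
$!
$   IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
$   THEN
$!
$       ! policy_anything accepts the request subject as-is (see header).
$       DEFINE/USER SYS$INPUT '__INPUT'
$       CA -policy policy_anything -out newcert.pem -infiles newreq.pem
$       RET = $STATUS
$       TYPE newcert.pem
$       echo "Signed certificate is in newcert.pem"
$       GOTO opt_loop_continue
$   ENDIF
$!
$   IF (prog_opt .EQS. "-signcert")
$   THEN
$!
$       ! Turn the certificate in newreq.pem back into a request (tmp.pem),
$       ! then sign that request with the CA key.
$       echo "Cert passphrase will be requested twice - bug?"
$       DEFINE/USER SYS$INPUT '__INPUT'
$       X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$       DEFINE/USER SYS$INPUT '__INPUT'
$       ! The two bare "y" data lines below look like canned answers for ca's
$       ! confirmation prompts; with SYS$INPUT redirected to __INPUT they are
$       ! presumably not read by the image.  Left as they were.
$       CA -policy policy_anything -out newcert.pem -infiles tmp.pem
y
y
$       ! Capture the signing status here too, like -sign does; otherwise
$       ! EXIT 'RET' would report a stale value for this path.
$       RET = $STATUS
$       TYPE newcert.pem
$       echo "Signed certificate is in newcert.pem"
$       GOTO opt_loop_continue
$   ENDIF
$!
$   IF (prog_opt .EQS. "-verify")
$   THEN
$!
$       i = i + 1
$       IF (P'i' .EQS. "")
$       THEN
$           ! No file names given: verify newcert.pem.
$           DEFINE/USER SYS$INPUT '__INPUT'
$           VERIFY "-CAfile" 'CATOP''CACERT' newcert.pem
$           RET = $STATUS
$       ELSE
$           ! Verify every remaining argument against the CA certificate.
$           j = i
$           verify_opt_loop:
$           IF j .GT. 8 THEN GOTO verify_opt_loop_end
$           IF P'j' .NES. ""
$           THEN
$               DEFINE/USER SYS$INPUT '__INPUT'
$               __tmp = P'j'
$               VERIFY "-CAfile" 'CATOP''CACERT' '__tmp'
$               tmp = $STATUS
$               ! Keep a failure: $STATUS is never 0 on VMS (success is an
$               ! odd value), so test the low bit rather than comparing to 0;
$               ! otherwise a later good file would mask an earlier bad one.
$               IF .NOT. tmp THEN RET = tmp
$           ENDIF
$           j = j + 1
$           GOTO verify_opt_loop
$           verify_opt_loop_end:
$       ENDIF
$
$       GOTO opt_loop_end
$   ENDIF
$!
$   IF (prog_opt .NES. "")
$   THEN
$!
$       echo "Unknown argument ''prog_opt'"
$
$       ! Exit with error severity (message display inhibited) so that a
$       ! calling procedure's ON ERROR handler fires.  A plain EXIT 3 is odd,
$       ! i.e. a success-class status as far as DCL is concerned.
$       EXIT %X10000002
$   ENDIF
$
$opt_loop_continue:
$   i = i + 1
$   GOTO opt_loop
$
$opt_loop_end:
$   EXIT 'RET'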