1 #!/usr/local/bin/perl 2 # 3 # CA - wrapper around ca to make it easier to use ... basically ca requires 4 # some setup stuff to be done before you can use it and this makes 5 # things easier between now and when Eric is convinced to fix it :-) 6 # 7 # CA -newca ... will setup the right stuff 8 # CA -newreq[-nodes] ... will generate a certificate request 9 # CA -sign ... will sign the generated request and output 10 # 11 # At the end of that grab newreq.pem and newcert.pem (one has the key 12 # and the other the certificate) and cat them together and that is what 13 # you want/need ... I'll make even this a little cleaner later. 14 # 15 # 16 # 12-Jan-96 tjh Added more things ... including CA -signcert which 17 # converts a certificate to a request and then signs it. 18 # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG 19 # environment variable so this can be driven from 20 # a script. 21 # 25-Jul-96 eay Cleaned up filenames some more. 22 # 11-Jun-96 eay Fixed a few filename missmatches. 23 # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. 24 # 18-Apr-96 tjh Original hacking 25 # 26 # Tim Hudson 27 # tjh (at] cryptsoft.com 28 # 29 30 # 27-Apr-98 snh Translation into perl, fix existing CA bug. 31 # 32 # 33 # Steve Henson 34 # shenson (at] bigfoot.com 35 36 # default openssl.cnf file has setup as per the following 37 # demoCA ... where everything is stored 38 39 my $openssl; 40 if(defined $ENV{OPENSSL}) { 41 $openssl = $ENV{OPENSSL}; 42 } else { 43 $openssl = "openssl"; 44 $ENV{OPENSSL} = $openssl; 45 } 46 47 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; 48 $DAYS="-days 365"; # 1 year 49 $CADAYS="-days 1095"; # 3 years 50 $REQ="$openssl req $SSLEAY_CONFIG"; 51 $CA="$openssl ca $SSLEAY_CONFIG"; 52 $VERIFY="$openssl verify"; 53 $X509="$openssl x509"; 54 $PKCS12="$openssl pkcs12"; 55 56 $CATOP="./demoCA"; 57 $CAKEY="cakey.pem"; 58 $CAREQ="careq.pem"; 59 $CACERT="cacert.pem"; 60 61 $DIRMODE = 0777; 62 63 $RET = 0; 64 65 foreach (@ARGV) { 66 if ( /^(-\?|-h|-help)$/ ) { 67 print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; 68 exit 0; 69 } elsif (/^-newcert$/) { 70 # create a certificate 71 system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS"); 72 $RET=$?; 73 print "Certificate is in newcert.pem, private key is in newkey.pem\n" 74 } elsif (/^-newreq$/) { 75 # create a certificate request 76 system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS"); 77 $RET=$?; 78 print "Request is in newreq.pem, private key is in newkey.pem\n"; 79 } elsif (/^-newreq-nodes$/) { 80 # create a certificate request 81 system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS"); 82 $RET=$?; 83 print "Request is in newreq.pem, private key is in newkey.pem\n"; 84 } elsif (/^-newca$/) { 85 # if explicitly asked for or it doesn't exist then setup the 86 # directory structure that Eric likes to manage things 87 $NEW="1"; 88 if ( "$NEW" || ! -f "${CATOP}/serial" ) { 89 # create the directory hierarchy 90 mkdir $CATOP, $DIRMODE; 91 mkdir "${CATOP}/certs", $DIRMODE; 92 mkdir "${CATOP}/crl", $DIRMODE ; 93 mkdir "${CATOP}/newcerts", $DIRMODE; 94 mkdir "${CATOP}/private", $DIRMODE; 95 open OUT, ">${CATOP}/index.txt"; 96 close OUT; 97 open OUT, ">${CATOP}/crlnumber"; 98 print OUT "01\n"; 99 close OUT; 100 } 101 if ( ! -f "${CATOP}/private/$CAKEY" ) { 102 print "CA certificate filename (or enter to create)\n"; 103 $FILE = <STDIN>; 104 105 chop $FILE; 106 107 # ask user for existing CA certificate 108 if ($FILE) { 109 cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); 110 cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); 111 $RET=$?; 112 } else { 113 print "Making CA certificate ...\n"; 114 system ("$REQ -new -keyout " . 115 "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ"); 116 system ("$CA -create_serial " . 117 "-out ${CATOP}/$CACERT $CADAYS -batch " . 118 "-keyfile ${CATOP}/private/$CAKEY -selfsign " . 119 "-extensions v3_ca " . 120 "-infiles ${CATOP}/$CAREQ "); 121 $RET=$?; 122 } 123 } 124 } elsif (/^-pkcs12$/) { 125 my $cname = $ARGV[1]; 126 $cname = "My Certificate" unless defined $cname; 127 system ("$PKCS12 -in newcert.pem -inkey newkey.pem " . 128 "-certfile ${CATOP}/$CACERT -out newcert.p12 " . 129 "-export -name \"$cname\""); 130 $RET=$?; 131 print "PKCS #12 file is in newcert.p12\n"; 132 exit $RET; 133 } elsif (/^-xsign$/) { 134 system ("$CA -policy policy_anything -infiles newreq.pem"); 135 $RET=$?; 136 } elsif (/^(-sign|-signreq)$/) { 137 system ("$CA -policy policy_anything -out newcert.pem " . 138 "-infiles newreq.pem"); 139 $RET=$?; 140 print "Signed certificate is in newcert.pem\n"; 141 } elsif (/^(-signCA)$/) { 142 system ("$CA -policy policy_anything -out newcert.pem " . 143 "-extensions v3_ca -infiles newreq.pem"); 144 $RET=$?; 145 print "Signed CA certificate is in newcert.pem\n"; 146 } elsif (/^-signcert$/) { 147 system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . 148 "-out tmp.pem"); 149 system ("$CA -policy policy_anything -out newcert.pem " . 150 "-infiles tmp.pem"); 151 $RET = $?; 152 print "Signed certificate is in newcert.pem\n"; 153 } elsif (/^-verify$/) { 154 if (shift) { 155 foreach $j (@ARGV) { 156 system ("$VERIFY -CAfile $CATOP/$CACERT $j"); 157 $RET=$? if ($? != 0); 158 } 159 exit $RET; 160 } else { 161 system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); 162 $RET=$?; 163 exit 0; 164 } 165 } else { 166 print STDERR "Unknown arg $_\n"; 167 print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; 168 exit 1; 169 } 170 } 171 172 exit $RET; 173 174 sub cp_pem { 175 my ($infile, $outfile, $bound) = @_; 176 open IN, $infile; 177 open OUT, ">$outfile"; 178 my $flag = 0; 179 while (<IN>) { 180 $flag = 1 if (/^-----BEGIN.*$bound/) ; 181 print OUT $_ if ($flag); 182 if (/^-----END.*$bound/) { 183 close IN; 184 close OUT; 185 return; 186 } 187 } 188 } 189 190
