1: #!/usr/bin/perl 2: # 3: # CA - wrapper around ca to make it easier to use ... basically ca requires 4: # some setup stuff to be done before you can use it and this makes 5: # things easier between now and when Eric is convinced to fix it :-) 6: # 7: # CA -newca ... will setup the right stuff 8: # CA -newreq[-nodes] ... will generate a certificate request 9: # CA -sign ... will sign the generated request and output 10: # 11: # At the end of that grab newreq.pem and newcert.pem (one has the key 12: # and the other the certificate) and cat them together and that is what 13: # you want/need ... I'll make even this a little cleaner later. 14: # 15: # 16: # 12-Jan-96 tjh Added more things ... including CA -signcert which 17: # converts a certificate to a request and then signs it. 18: # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG 19: # environment variable so this can be driven from 20: # a script. 21: # 25-Jul-96 eay Cleaned up filenames some more. 22: # 11-Jun-96 eay Fixed a few filename missmatches. 23: # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. 24: # 18-Apr-96 tjh Original hacking 25: # 26: # Tim Hudson 27: # tjh@cryptsoft.com 28: # 29: 30: # 27-Apr-98 snh Translation into perl, fix existing CA bug. 31: # 32: # 33: # Steve Henson 34: # shenson@bigfoot.com 35: 36: # default openssl.cnf file has setup as per the following 37: # demoCA ... where everything is stored 38: 39: my $openssl; 40: if(defined $ENV{OPENSSL}) { 41: $openssl = $ENV{OPENSSL}; 42: } else { 43: $openssl = "openssl"; 44: $ENV{OPENSSL} = $openssl; 45: } 46: 47: $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; 48: $DAYS="-days 365"; # 1 year 49: $CADAYS="-days 1095"; # 3 years 50: $REQ="$openssl req $SSLEAY_CONFIG"; 51: $CA="$openssl ca $SSLEAY_CONFIG"; 52: $VERIFY="$openssl verify"; 53: $X509="$openssl x509"; 54: $PKCS12="$openssl pkcs12"; 55: 56: $CATOP="./demoCA"; 57: $CAKEY="cakey.pem"; 58: $CAREQ="careq.pem"; 59: $CACERT="cacert.pem"; 60: 61: $DIRMODE = 0777; 62: 63: $RET = 0; 64: 65: foreach (@ARGV) { 66: if ( /^(-\?|-h|-help)$/ ) { 67: print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; 68: exit 0; 69: } elsif (/^-newcert$/) { 70: # create a certificate 71: system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS"); 72: $RET=$?; 73: print "Certificate is in newcert.pem, private key is in newkey.pem\n" 74: } elsif (/^-newreq$/) { 75: # create a certificate request 76: system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS"); 77: $RET=$?; 78: print "Request is in newreq.pem, private key is in newkey.pem\n"; 79: } elsif (/^-newreq-nodes$/) { 80: # create a certificate request 81: system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS"); 82: $RET=$?; 83: print "Request is in newreq.pem, private key is in newkey.pem\n"; 84: } elsif (/^-newca$/) { 85: # if explicitly asked for or it doesn't exist then setup the 86: # directory structure that Eric likes to manage things 87: $NEW="1"; 88: if ( "$NEW" || ! -f "${CATOP}/serial" ) { 89: # create the directory hierarchy 90: mkdir $CATOP, $DIRMODE; 91: mkdir "${CATOP}/certs", $DIRMODE; 92: mkdir "${CATOP}/crl", $DIRMODE ; 93: mkdir "${CATOP}/newcerts", $DIRMODE; 94: mkdir "${CATOP}/private", $DIRMODE; 95: open OUT, ">${CATOP}/index.txt"; 96: close OUT; 97: open OUT, ">${CATOP}/crlnumber"; 98: print OUT "01\n"; 99: close OUT; 100: } 101: if ( ! -f "${CATOP}/private/$CAKEY" ) { 102: print "CA certificate filename (or enter to create)\n"; 103: $FILE = <STDIN>; 104: 105: chop $FILE; 106: 107: # ask user for existing CA certificate 108: if ($FILE) { 109: cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); 110: cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); 111: $RET=$?; 112: } else { 113: print "Making CA certificate ...\n"; 114: system ("$REQ -new -keyout " . 115: "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ"); 116: system ("$CA -create_serial " . 117: "-out ${CATOP}/$CACERT $CADAYS -batch " . 118: "-keyfile ${CATOP}/private/$CAKEY -selfsign " . 119: "-extensions v3_ca " . 120: "-infiles ${CATOP}/$CAREQ "); 121: $RET=$?; 122: } 123: } 124: } elsif (/^-pkcs12$/) { 125: my $cname = $ARGV[1]; 126: $cname = "My Certificate" unless defined $cname; 127: system ("$PKCS12 -in newcert.pem -inkey newkey.pem " . 128: "-certfile ${CATOP}/$CACERT -out newcert.p12 " . 129: "-export -name \"$cname\""); 130: $RET=$?; 131: print "PKCS #12 file is in newcert.p12\n"; 132: exit $RET; 133: } elsif (/^-xsign$/) { 134: system ("$CA -policy policy_anything -infiles newreq.pem"); 135: $RET=$?; 136: } elsif (/^(-sign|-signreq)$/) { 137: system ("$CA -policy policy_anything -out newcert.pem " . 138: "-infiles newreq.pem"); 139: $RET=$?; 140: print "Signed certificate is in newcert.pem\n"; 141: } elsif (/^(-signCA)$/) { 142: system ("$CA -policy policy_anything -out newcert.pem " . 143: "-extensions v3_ca -infiles newreq.pem"); 144: $RET=$?; 145: print "Signed CA certificate is in newcert.pem\n"; 146: } elsif (/^-signcert$/) { 147: system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . 148: "-out tmp.pem"); 149: system ("$CA -policy policy_anything -out newcert.pem " . 150: "-infiles tmp.pem"); 151: $RET = $?; 152: print "Signed certificate is in newcert.pem\n"; 153: } elsif (/^-verify$/) { 154: if (shift) { 155: foreach $j (@ARGV) { 156: system ("$VERIFY -CAfile $CATOP/$CACERT $j"); 157: $RET=$? if ($? != 0); 158: } 159: exit $RET; 160: } else { 161: system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); 162: $RET=$?; 163: exit 0; 164: } 165: } else { 166: print STDERR "Unknown arg $_\n"; 167: print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; 168: exit 1; 169: } 170: } 171: 172: exit $RET; 173: 174: sub cp_pem { 175: my ($infile, $outfile, $bound) = @_; 176: open IN, $infile; 177: open OUT, ">$outfile"; 178: my $flag = 0; 179: while (<IN>) { 180: $flag = 1 if (/^-----BEGIN.*$bound/) ; 181: print OUT $_ if ($flag); 182: if (/^-----END.*$bound/) { 183: close IN; 184: close OUT; 185: return; 186: } 187: } 188: } 189: