1#!/usr/local/bin/perl 2# 3# CA - wrapper around ca to make it easier to use ... basically ca requires 4# some setup stuff to be done before you can use it and this makes 5# things easier between now and when Eric is convinced to fix it :-) 6# 7# CA -newca ... will setup the right stuff 8# CA -newreq ... will generate a certificate request 9# CA -sign ... will sign the generated request and output 10# 11# At the end of that grab newreq.pem and newcert.pem (one has the key 12# and the other the certificate) and cat them together and that is what 13# you want/need ... I'll make even this a little cleaner later. 14# 15# 16# 12-Jan-96 tjh Added more things ... including CA -signcert which 17# converts a certificate to a request and then signs it. 18# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG 19# environment variable so this can be driven from 20# a script. 21# 25-Jul-96 eay Cleaned up filenames some more. 22# 11-Jun-96 eay Fixed a few filename missmatches. 23# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. 24# 18-Apr-96 tjh Original hacking 25# 26# Tim Hudson 27# tjh@cryptsoft.com 28# 29 30# 27-Apr-98 snh Translation into perl, fix existing CA bug. 31# 32# 33# Steve Henson 34# shenson@bigfoot.com 35 36# default openssl.cnf file has setup as per the following 37# demoCA ... where everything is stored 38 39$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; 40$DAYS="-days 365"; 41$REQ="openssl req $SSLEAY_CONFIG"; 42$CA="openssl ca $SSLEAY_CONFIG"; 43$VERIFY="openssl verify"; 44$X509="openssl x509"; 45$PKCS12="openssl pkcs12"; 46 47$CATOP="./demoCA"; 48$CAKEY="cakey.pem"; 49$CACERT="cacert.pem"; 50 51$DIRMODE = 0777; 52 53$RET = 0; 54 55foreach (@ARGV) { 56 if ( /^(-\?|-h|-help)$/ ) { 57 print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n"; 58 exit 0; 59 } elsif (/^-newcert$/) { 60 # create a certificate 61 system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS"); 62 $RET=$?; 63 print "Certificate (and private key) is in newreq.pem\n" 64 } elsif (/^-newreq$/) { 65 # create a certificate request 66 system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS"); 67 $RET=$?; 68 print "Request (and private key) is in newreq.pem\n"; 69 } elsif (/^-newca$/) { 70 # if explicitly asked for or it doesn't exist then setup the 71 # directory structure that Eric likes to manage things 72 $NEW="1"; 73 if ( "$NEW" || ! -f "${CATOP}/serial" ) { 74 # create the directory hierarchy 75 mkdir $CATOP, $DIRMODE; 76 mkdir "${CATOP}/certs", $DIRMODE; 77 mkdir "${CATOP}/crl", $DIRMODE ; 78 mkdir "${CATOP}/newcerts", $DIRMODE; 79 mkdir "${CATOP}/private", $DIRMODE; 80 open OUT, ">${CATOP}/serial"; 81 print OUT "01\n"; 82 close OUT; 83 open OUT, ">${CATOP}/index.txt"; 84 close OUT; 85 } 86 if ( ! -f "${CATOP}/private/$CAKEY" ) { 87 print "CA certificate filename (or enter to create)\n"; 88 $FILE = <STDIN>; 89 90 chop $FILE; 91 92 # ask user for existing CA certificate 93 if ($FILE) { 94 cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); 95 cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); 96 $RET=$?; 97 } else { 98 print "Making CA certificate ...\n"; 99 system ("$REQ -new -x509 -keyout " . 100 "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS"); 101 $RET=$?; 102 } 103 } 104 } elsif (/^-pkcs12$/) { 105 my $cname = $ARGV[1]; 106 $cname = "My Certificate" unless defined $cname; 107 system ("$PKCS12 -in newcert.pem -inkey newreq.pem " . 108 "-certfile ${CATOP}/$CACERT -out newcert.p12 " . 109 "-export -name \"$cname\""); 110 $RET=$?; 111 exit $RET; 112 } elsif (/^-xsign$/) { 113 system ("$CA -policy policy_anything -infiles newreq.pem"); 114 $RET=$?; 115 } elsif (/^(-sign|-signreq)$/) { 116 system ("$CA -policy policy_anything -out newcert.pem " . 117 "-infiles newreq.pem"); 118 $RET=$?; 119 print "Signed certificate is in newcert.pem\n"; 120 } elsif (/^(-signCA)$/) { 121 system ("$CA -policy policy_anything -out newcert.pem " . 122 "-extensions v3_ca -infiles newreq.pem"); 123 $RET=$?; 124 print "Signed CA certificate is in newcert.pem\n"; 125 } elsif (/^-signcert$/) { 126 system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . 127 "-out tmp.pem"); 128 system ("$CA -policy policy_anything -out newcert.pem " . 129 "-infiles tmp.pem"); 130 $RET = $?; 131 print "Signed certificate is in newcert.pem\n"; 132 } elsif (/^-verify$/) { 133 if (shift) { 134 foreach $j (@ARGV) { 135 system ("$VERIFY -CAfile $CATOP/$CACERT $j"); 136 $RET=$? if ($? != 0); 137 } 138 exit $RET; 139 } else { 140 system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); 141 $RET=$?; 142 exit 0; 143 } 144 } else { 145 print STDERR "Unknown arg $_\n"; 146 print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n"; 147 exit 1; 148 } 149} 150 151exit $RET; 152 153sub cp_pem { 154my ($infile, $outfile, $bound) = @_; 155open IN, $infile; 156open OUT, ">$outfile"; 157my $flag = 0; 158while (<IN>) { 159 $flag = 1 if (/^-----BEGIN.*$bound/) ; 160 print OUT $_ if ($flag); 161 if (/^-----END.*$bound/) { 162 close IN; 163 close OUT; 164 return; 165 } 166} 167} 168 169