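$! CA - wrapper around ca to make it easier to use ... basically ca requires
$!      some setup stuff to be done before you can use it and this makes
$!      things easier between now and when Eric is convinced to fix it :-)
$!
$! CA -newca ... will setup the right stuff
$! CA -newreq ... will generate a certificate request 
$! CA -sign ... will sign the generated request and output 
$!
$! At the end of that grab newreq.pem and newcert.pem (one has the key 
$! and the other the certificate) and cat them together and that is what
$! you want/need ... I'll make even this a little cleaner later.
$!
$! Options are taken from P1..P8 and handled left to right.  An option that
$! takes a value (-input, -pkcs12, -verify) consumes the following P symbol.
$!
$!   -input FILE     read interactive answers from FILE instead of SYS$COMMAND
$!   -newcert        self-signed certificate plus key  -> newreq.pem
$!   -newreq         certificate request plus key      -> newreq.pem
$!   -newca          create the demoCA tree and the CA key / certificate
$!   -pkcs12 [NAME]  bundle newcert.pem + newreq.pem + CA cert -> newcert.p12
$!   -xsign          sign newreq.pem; no -out, so the ca command writes the
$!                   certificate to its own output
$!   -sign|-signreq  sign newreq.pem                   -> newcert.pem
$!   -signcert       convert the certificate in newreq.pem to a request,
$!                   then sign it                      -> newcert.pem
$!   -verify [F...]  verify F... (default newcert.pem) against the CA cert;
$!                   consumes all remaining arguments
$!
$! Exit status: RET, the VMS status of the last openssl step that ran
$! (initialised to 1 = success so that a run with nothing to do succeeds).
$!
$! 12-Jan-96 tjh    Added more things ... including CA -signcert which
$!                  converts a certificate to a request and then signs it.
$! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
$!                 environment variable so this can be driven from
$!                 a script.
$! 25-Jul-96 eay    Cleaned up filenames some more.
$! 11-Jun-96 eay    Fixed a few filename missmatches.
$! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
$! 18-Apr-96 tjh    Original hacking
$!
$! Tim Hudson
$! tjh@cryptsoft.com
$!
$!
$! default ssleay.cnf file has setup as per the following
$! demoCA ... where everything is stored
$
$! SSLEAY_CONFIG may be preset by the caller (e.g. a driving script); it is
$! passed through verbatim to "openssl req" and "openssl ca" below.
$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
$
$ DAYS   = "-days 365"
$ REQ    = openssl + " req " + SSLEAY_CONFIG
$ CA     = openssl + " ca " + SSLEAY_CONFIG
$ VERIFY = openssl + " verify"
$ X509   = openssl + " x509"
$ PKCS12 = openssl + " pkcs12"
$ echo   = "write sys$Output"
$ RET = 1
$!
$! 2010-12-20 SMS.
$! Use a concealed logical name to reduce command line lengths, to
$! avoid DCL errors on VAX:
$!     %DCL-W-TKNOVF, command element is too long - shorten
$! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
$! quickly.)
$!
$! CATOP is derived from the current default directory; everything the CA
$! touches lives under CATOP:[...] and the logical is deassigned in clean_up.
$ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
$ define /translation_attributes = concealed CATOP 'CATOP'
$!
$! NOTE(review): these handlers run before the "RET=$STATUS" that follows
$! each openssl command, so a step that fails with ERROR or FATAL severity
$! reaches clean_up with RET still at its initial value and the procedure
$! exits with success.  Capturing $STATUS in the handler (an "error_exit:"
$! label that does "RET = $STATUS" and then falls into clean_up) would fix
$! that - confirm that $STATUS survives the handler's GOTO before relying
$! on it.
$ on error then goto clean_up
$ on control_y then goto clean_up
$!
$ CAKEY  = "CATOP:[private]cakey.pem"
$ CACERT = "CATOP:[000000]cacert.pem"
$
$! Where the openssl commands read their interactive answers from; each
$! command gets it as SYS$INPUT via a user-mode DEFINE (scope: next image).
$ __INPUT := SYS$COMMAND
$!
$ i = 1
$opt_loop:
$ if i .gt. 8 then goto opt_loop_end
$
$ prog_opt = F$EDIT(P'i',"lowercase")
$
$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
$ THEN
$   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
$   goto clean_up
$ ENDIF
$!
$ IF (prog_opt .EQS. "-input")
$ THEN
$   ! Get input from somewhere other than SYS$COMMAND
$   i = i + 1
$   __INPUT = P'i'
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newcert")
$ THEN
$   ! Create a certificate.  Key and certificate both end up in newreq.pem.
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
$   RET=$STATUS
$   echo "Certificate (and private key) is in newreq.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newreq")
$ THEN
$   ! Create a certificate request.  Key and request both end up in newreq.pem.
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
$   RET=$STATUS
$   echo "Request (and private key) is in newreq.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newca")
$ THEN
$   ! If explicitly asked for or it doesn't exist then setup the directory
$   ! structure that Eric likes to manage things.  The presence of the
$   ! serial file is what marks the tree as already initialised.
$   IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
$   THEN
$     ! Every directory, [private] included, is created owner-only.
$     ! NOTE(review): directory protection does not set the protection of
$     ! files written into it later (the CA key below); that presumably
$     ! follows the default file protection - confirm before trusting it.
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
$
$     ! Initial serial number and an empty certificate database.
$     OPEN /WRITE ser_file CATOP:[000000]serial. 
$     WRITE ser_file "01"
$     CLOSE ser_file
$     APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
$
$     ! The following is to make sure access() doesn't get confused.  It
$     ! really needs one file in the directory to give correct answers...
$     COPY NLA0: CATOP:[certs].;
$     COPY NLA0: CATOP:[crl].;
$     COPY NLA0: CATOP:[newcerts].;
$     COPY NLA0: CATOP:[private].;
$   ENDIF
$!
$   ! Only create (or import) CA material when no CA key exists yet; an
$   ! existing key is never overwritten.
$   IF F$SEARCH( CAKEY) .EQS. ""
$   THEN
$     READ '__INPUT' FILE -
      /PROMPT="CA certificate filename (or enter to create): "
$     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
$     THEN
$       ! NOTE(review): the supplied file is copied to the private-key path
$       ! only; CACERT is not written on this path.  Presumably the file is
$       ! expected to hold both key and certificate - verify against the
$       ! ssleay.cnf the ca command reads.
$       COPY 'FILE' 'CAKEY'
$       RET=$STATUS
$     ELSE
$       echo "Making CA certificate ..."
$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
$       REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
$       RET=$STATUS
$     ENDIF
$   ENDIF
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-pkcs12")
$ THEN
$   ! Optional friendly name follows the option; it is substituted inside a
$   ! quoted string, so a name containing double quotes will not survive.
$   i = i + 1
$   cname = P'i'
$   IF cname .EQS. "" THEN cname = "My certificate"
$   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
    -out newcert.p12 -export -name "''cname'"
$   RET=$STATUS
$   goto clean_up
$ ENDIF
$!
$ IF (prog_opt .EQS. "-xsign")
$ THEN
$!
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   CA -policy policy_anything -infiles newreq.pem
$   RET=$STATUS
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
$ THEN
$!   
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
$   RET=$STATUS
$   type newcert.pem
$   echo "Signed certificate is in newcert.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-signcert")
$  THEN
$!   
$   echo "Cert passphrase will be requested twice - bug?"
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$   ! The two "y" data lines after the ca command are its scripted answers;
$   ! keep them immediately after the command.  RET is taken afterwards so
$   ! that, as for -sign, a failed signing step is reflected in the exit
$   ! status instead of being silently dropped.
$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
$   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
y
y
$   RET=$STATUS
$   type newcert.pem
$   echo "Signed certificate is in newcert.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-verify")
$ THEN
$!   
$   i = i + 1
$   IF (p'i' .EQS. "")
$   THEN
$     ! No file names given: verify the freshly signed certificate, and
$     ! record the result like the multi-file branch does.
$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
$     VERIFY "-CAfile" 'CACERT' newcert.pem
$     RET=$STATUS
$   ELSE
$     j = i
$    verify_opt_loop:
$     IF j .GT. 8 THEN GOTO verify_opt_loop_end
$     IF p'j' .NES. ""
$     THEN 
$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
$       __tmp = p'j'
$       VERIFY "-CAfile" 'CACERT' '__tmp'
$       tmp=$STATUS
$       ! A VMS status is a failure when its low bit is clear, so test with
$       ! .NOT. rather than against 0: a success status is non-zero too and
$       ! would otherwise overwrite an earlier failure with success.
$       IF .NOT. tmp THEN RET=tmp
$     ENDIF
$     j = j + 1
$     GOTO verify_opt_loop
$    verify_opt_loop_end:
$   ENDIF
$   
$   GOTO opt_loop_end
$ ENDIF
$!
$ IF (prog_opt .NES. "")
$ THEN
$!   
$   echo "Unknown argument ''prog_opt'"
$   ! NOTE(review): 3 is an odd (success-class, informational) VMS status,
$   ! so callers testing the exit status will not see this as a failure;
$   ! kept as-is because existing callers may depend on the value.
$   RET = 3
$   goto clean_up
$ ENDIF
$
$opt_loop_continue:
$ i = i + 1
$ GOTO opt_loop
$
$opt_loop_end:
$!
$clean_up:
$!
$! Drop the concealed CATOP logical so it does not outlive the procedure.
$ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
  deassign /process CATOP
$!
$ EXIT 'RET'
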