155714Skris#!/bin/sh
255714Skris#
355714Skris# CA - wrapper around ca to make it easier to use ... basically ca requires
455714Skris#      some setup stuff to be done before you can use it and this makes
555714Skris#      things easier between now and when Eric is convinced to fix it :-)
655714Skris#
755714Skris# CA -newca ... will setup the right stuff
8205128Ssimon# CA -newreq ... will generate a certificate request
9205128Ssimon# CA -sign ... will sign the generated request and output
1055714Skris#
11205128Ssimon# At the end of that grab newreq.pem and newcert.pem (one has the key
1255714Skris# and the other the certificate) and cat them together and that is what
1355714Skris# you want/need ... I'll make even this a little cleaner later.
1455714Skris#
1555714Skris#
1655714Skris# 12-Jan-96 tjh    Added more things ... including CA -signcert which
1755714Skris#                  converts a certificate to a request and then signs it.
1855714Skris# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
19205128Ssimon#                  environment variable so this can be driven from
20205128Ssimon#                  a script.
2155714Skris# 25-Jul-96 eay    Cleaned up filenames some more.
# 11-Jun-96 eay    Fixed a few filename mismatches.
2355714Skris# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
2455714Skris# 18-Apr-96 tjh    Original hacking
2555714Skris#
2655714Skris# Tim Hudson
2755714Skris# tjh@cryptsoft.com
2855714Skris#
2955714Skris
3055714Skris# default openssl.cnf file has setup as per the following
3155714Skris# demoCA ... where everything is stored
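#######################################
# Copy one PEM block out of a file into a new file.
#
# Scans $1 for the first "-----BEGIN ... <bound>" line, then copies that
# line and everything up to and including the next "-----END ... <bound>"
# line into $2 (which is truncated first).  Lines before the BEGIN marker
# are dropped.  -newca uses this to split a user-supplied combined
# key+certificate file into ${CATOP}/private/$CAKEY and ${CATOP}/$CACERT.
#
# Note that <bound> is matched as a substring of the marker line, so a bound
# of CERTIFICATE also accepts a "CERTIFICATE REQUEST" block; callers should
# hand this a file that holds only the intended key and certificate.
#
# Arguments: $1 - input PEM file
#            $2 - output file (overwritten)
#            $3 - word that must appear in the BEGIN/END marker lines,
#                 e.g. PRIVATE or CERTIFICATE
# Returns:   0 if a complete BEGIN..END block was copied; 1 if the input
#            could not be read or no such block was found (anything copied
#            up to that point is left in $2; nothing is created when no
#            BEGIN line matched).  The original always returned 0 and so
#            hid a missing block from the -newca caller.
#######################################
cp_pem() {
    infile=$1
    outfile=$2
    bound=$3
    flag=0
    # Feed only the loop from $infile.  The original used "exec <$infile",
    # which replaced the whole script's stdin for the rest of the run.
    # IFS= and -r keep each line byte-for-byte; the "|| [ -n ... ]" keeps a
    # final line that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$flag" -eq 1 ]; then
            # inside the block: copy the line, stop after the END marker
            printf '%s\n' "$line" >>"$outfile"
            case $line in
                -----END*"$bound"*)
                    flag=2
                    break
                    ;;
            esac
        fi
        case $line in
            -----BEGIN*"$bound"*)
                # start (or restart) the output at this BEGIN line
                printf '%s\n' "$line" >"$outfile"
                flag=1
                ;;
        esac
    done <"$infile"
    [ "$flag" -eq 2 ]
}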
56205128Ssimon
# Print the one-line usage summary to stderr.  $0 is the script name as
# invoked.  The exit status is left to the caller: the -h/-? arm exits 0,
# the unknown-argument arm exits 1.
usage() {
    printf '%s\n' "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
}
60205128Ssimon
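# Environment knobs, each defaulted only when unset or empty:
#   OPENSSL       - the openssl binary to run
#   SSLEAY_CONFIG - extra arguments appended to the req and ca commands
#                   (see the header: lets the script be driven non-interactively)
#   DAYS          - validity for end-entity certs; holds the whole option
#                   ("-days 365"), not just the number
#   CATOP         - directory holding the CA's files
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi   # 1 year
CADAYS="-days 1095"   # 3 years, for the CA certificate itself
# Command prefixes; they are expanded unquoted on purpose so the embedded
# options split into separate words.
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
# Use the same binary as the other commands (this was hard-coded to
# "openssl", so $OPENSSL was silently ignored for -pkcs12).
PKCS12="$OPENSSL pkcs12"

if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
# file names relative to $CATOP (the key lives under $CATOP/private)
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem

# exit status of the most recent openssl step; returned at the end
RET=0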
77205128Ssimon
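# Main command loop.  Each recognised option is handled by one case arm;
# RET carries the exit status of the most recent openssl step and is the
# script's exit status once the argument list is exhausted.  The -pkcs12
# and -verify arms exit immediately instead of looking at further arguments.
while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
    usage
    exit 0
    ;;
-newcert)
    # create a self-signed certificate together with a new private key
    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    RET=$?
    echo "Certificate is in newcert.pem, private key is in newkey.pem"
    ;;
-newreq)
    # create a certificate request; the key goes to a separate file
    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request is in newreq.pem, private key is in newkey.pem"
    ;;
-newreq-nodes)
    # create a certificate request with an unencrypted key; key and
    # request share newreq.pem (the layout the -pkcs12 arm expects)
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
-newca)
    # Set up the directory layout "openssl ca" expects under $CATOP.
    # mkdir -p and touch are idempotent, so an existing CA is left intact
    # (the original wrapped this in a test on NEW="1" that was always true).
    mkdir -p "${CATOP}"
    mkdir -p "${CATOP}/certs"
    mkdir -p "${CATOP}/crl"
    mkdir -p "${CATOP}/newcerts"
    # NOTE: directory modes come from the caller's umask; the CA key is
    # stored here, so run with a restrictive umask or tighten the mode
    # of ${CATOP}/private afterwards.
    mkdir -p "${CATOP}/private"
    touch "${CATOP}/index.txt"
    if [ ! -f "${CATOP}/private/$CAKEY" ]; then
        echo "CA certificate filename (or enter to create)"
        read -r FILE

        # ask user for existing CA certificate
        if [ "$FILE" ]; then
            # split the user's combined key+certificate file into the CA layout
            cp_pem "$FILE" "${CATOP}/private/$CAKEY" PRIVATE
            cp_pem "$FILE" "${CATOP}/$CACERT" CERTIFICATE
            RET=$?
            if [ ! -f "${CATOP}/serial" ]; then
                $X509 -in "${CATOP}/$CACERT" -noout -next_serial \
                      -out "${CATOP}/serial"
            fi
        else
            echo "Making CA certificate ..."
            $REQ -new -keyout "${CATOP}/private/$CAKEY" \
                       -out "${CATOP}/$CAREQ"
            $CA -create_serial -out "${CATOP}/$CACERT" $CADAYS -batch \
                       -keyfile "${CATOP}/private/$CAKEY" -selfsign \
                       -extensions v3_ca \
                       -infiles "${CATOP}/$CAREQ"
            RET=$?
        fi
    fi
    ;;
-xsign)
    # sign newreq.pem; there is no -out, so the certificate goes to stdout
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
-pkcs12)
    # optional friendly name in $2 (not shifted: this arm exits)
    if [ -z "$2" ] ; then
        CNAME="My Certificate"
    else
        CNAME="$2"
    fi
    # -inkey newreq.pem assumes the key is in the request file, i.e. the
    # request was made with -newreq-nodes (plain -newreq writes newkey.pem)
    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile "${CATOP}/$CACERT" \
            -out newcert.p12 -export -name "$CNAME"
    RET=$?
    exit $RET
    ;;
-sign|-signreq)
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-signCA)
    # sign the request using the v3_ca extensions section
    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
    RET=$?
    echo "Signed CA certificate is in newcert.pem"
    ;;
-signcert)
    # convert the certificate (+key) in newreq.pem back into a request,
    # then sign that request with the CA
    echo "Cert passphrase will be requested twice - bug?"
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-verify)
    shift
    if [ -z "$1" ]; then
        $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
        RET=$?
    else
        # verify every remaining argument and keep the status of the last
        # failure (the original read $? after the [ ] test, so RET stayed 0
        # and a failed verification still exited 0)
        for j
        do
            $VERIFY -CAfile "$CATOP/$CACERT" "$j" || RET=$?
        done
    fi
    exit $RET
    ;;
*)
    # report the offending argument ($i was never assigned in this script)
    echo "Unknown arg $1" >&2
    usage
    exit 1
    ;;
esac
shift
done
exit $RET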
199