1#!/usr/bin/perl 2# 3# CA - wrapper around ca to make it easier to use ... basically ca requires 4# some setup stuff to be done before you can use it and this makes 5# things easier between now and when Eric is convinced to fix it :-) 6# 7# CA -newca ... will setup the right stuff 8# CA -newreq[-nodes] ... will generate a certificate request 9# CA -sign ... will sign the generated request and output 10# 11# At the end of that grab newreq.pem and newcert.pem (one has the key 12# and the other the certificate) and cat them together and that is what 13# you want/need ... I'll make even this a little cleaner later. 14# 15# 16# 12-Jan-96 tjh Added more things ... including CA -signcert which 17# converts a certificate to a request and then signs it. 18# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG 19# environment variable so this can be driven from 20# a script. 21# 25-Jul-96 eay Cleaned up filenames some more. 22# 11-Jun-96 eay Fixed a few filename missmatches. 23# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. 24# 18-Apr-96 tjh Original hacking 25# 26# Tim Hudson 27# tjh@cryptsoft.com 28# 29 30# 27-Apr-98 snh Translation into perl, fix existing CA bug. 31# 32# 33# Steve Henson 34# shenson@bigfoot.com 35 36# default openssl.cnf file has setup as per the following 37# demoCA ... where everything is stored 38 39my $openssl; 40if(defined $ENV{OPENSSL}) { 41 $openssl = $ENV{OPENSSL}; 42} else { 43 $openssl = "openssl"; 44 $ENV{OPENSSL} = $openssl; 45} 46 47$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; 48$DAYS="-days 365"; 49$REQ="$openssl req $SSLEAY_CONFIG"; 50$CA="$openssl ca $SSLEAY_CONFIG"; 51$VERIFY="$openssl verify"; 52$X509="$openssl x509"; 53$PKCS12="$openssl pkcs12"; 54 55$CATOP="./demoCA"; 56$CAKEY="cakey.pem"; 57$CACERT="cacert.pem"; 58 59$DIRMODE = 0777; 60 61$RET = 0; 62 63foreach (@ARGV) { 64 if ( /^(-\?|-h|-help)$/ ) { 65 print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; 66 exit 0; 67 } elsif (/^-newcert$/) { 68 # create a certificate 69 system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS"); 70 $RET=$?; 71 print "Certificate (and private key) is in newreq.pem\n" 72 } elsif (/^-newreq$/) { 73 # create a certificate request 74 system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS"); 75 $RET=$?; 76 print "Request (and private key) is in newreq.pem\n"; 77 } elsif (/^-newreq-nodes$/) { 78 # create a certificate request 79 system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS"); 80 $RET=$?; 81 print "Request (and private key) is in newreq.pem\n"; 82 } elsif (/^-newca$/) { 83 # if explicitly asked for or it doesn't exist then setup the 84 # directory structure that Eric likes to manage things 85 $NEW="1"; 86 if ( "$NEW" || ! -f "${CATOP}/serial" ) { 87 # create the directory hierarchy 88 mkdir $CATOP, $DIRMODE; 89 mkdir "${CATOP}/certs", $DIRMODE; 90 mkdir "${CATOP}/crl", $DIRMODE ; 91 mkdir "${CATOP}/newcerts", $DIRMODE; 92 mkdir "${CATOP}/private", $DIRMODE; 93 open OUT, ">${CATOP}/index.txt"; 94 close OUT; 95 } 96 if ( ! -f "${CATOP}/private/$CAKEY" ) { 97 print "CA certificate filename (or enter to create)\n"; 98 $FILE = <STDIN>; 99 100 chop $FILE; 101 102 # ask user for existing CA certificate 103 if ($FILE) { 104 cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); 105 cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); 106 $RET=$?; 107 } else { 108 print "Making CA certificate ...\n"; 109 system ("$REQ -new -x509 -keyout " . 110 "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS"); 111 $RET=$?; 112 } 113 } 114 if (! -f "${CATOP}/serial" ) { 115 system ("$X509 -in ${CATOP}/$CACERT -noout " 116 . "-next_serial -out ${CATOP}/serial"); 117 } 118 } elsif (/^-pkcs12$/) { 119 my $cname = $ARGV[1]; 120 $cname = "My Certificate" unless defined $cname; 121 system ("$PKCS12 -in newcert.pem -inkey newreq.pem " . 122 "-certfile ${CATOP}/$CACERT -out newcert.p12 " . 123 "-export -name \"$cname\""); 124 $RET=$?; 125 exit $RET; 126 } elsif (/^-xsign$/) { 127 system ("$CA -policy policy_anything -infiles newreq.pem"); 128 $RET=$?; 129 } elsif (/^(-sign|-signreq)$/) { 130 system ("$CA -policy policy_anything -out newcert.pem " . 131 "-infiles newreq.pem"); 132 $RET=$?; 133 print "Signed certificate is in newcert.pem\n"; 134 } elsif (/^(-signCA)$/) { 135 system ("$CA -policy policy_anything -out newcert.pem " . 136 "-extensions v3_ca -infiles newreq.pem"); 137 $RET=$?; 138 print "Signed CA certificate is in newcert.pem\n"; 139 } elsif (/^-signcert$/) { 140 system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . 141 "-out tmp.pem"); 142 system ("$CA -policy policy_anything -out newcert.pem " . 143 "-infiles tmp.pem"); 144 $RET = $?; 145 print "Signed certificate is in newcert.pem\n"; 146 } elsif (/^-verify$/) { 147 if (shift) { 148 foreach $j (@ARGV) { 149 system ("$VERIFY -CAfile $CATOP/$CACERT $j"); 150 $RET=$? if ($? != 0); 151 } 152 exit $RET; 153 } else { 154 system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); 155 $RET=$?; 156 exit 0; 157 } 158 } else { 159 print STDERR "Unknown arg $_\n"; 160 print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; 161 exit 1; 162 } 163} 164 165exit $RET; 166 167sub cp_pem { 168my ($infile, $outfile, $bound) = @_; 169open IN, $infile; 170open OUT, ">$outfile"; 171my $flag = 0; 172while (<IN>) { 173 $flag = 1 if (/^-----BEGIN.*$bound/) ; 174 print OUT $_ if ($flag); 175 if (/^-----END.*$bound/) { 176 close IN; 177 close OUT; 178 return; 179 } 180} 181} 182 183