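$! CA - wrapper around ca to make it easier to use ... basically ca requires
$!      some setup stuff to be done before you can use it and this makes
$!      things easier between now and when Eric is convinced to fix it :-)
$!
$! CA -newca ... will setup the right stuff
$! CA -newreq ... will generate a certificate request
$! CA -sign ... will sign the generated request and output
$!
$! At the end of that grab newreq.pem and newcert.pem (one has the key
$! and the other the certificate) and cat them together and that is what
$! you want/need ... I'll make even this a little cleaner later.
$!
$! Options handled by the loop below (P1..P8, compared in lowercase):
$!   -input <name>   read prompts/answers from <name> instead of SYS$COMMAND
$!   -newcert        self-signed certificate + key, both in newreq.pem
$!   -newreq         certificate request + key, both in newreq.pem
$!   -newca          create the demoCA tree and the CA key/certificate
$!   -pkcs12 [name]  bundle newcert.pem + newreq.pem into newcert.p12
$!   -xsign          sign newreq.pem (no -out file is given)
$!   -sign|-signreq  sign newreq.pem into newcert.pem
$!   -signcert       convert newreq.pem to a request, then sign it
$!   -verify [files] verify newcert.pem, or the listed files, against CACERT
$!
$! Handling notes:
$!   newreq.pem holds a private key and is written to the current default
$!   directory; this procedure sets no file protection on it.
$!
$!
$! 12-Jan-96 tjh    Added more things ... including CA -signcert which
$!                  converts a certificate to a request and then signs it.
$! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
$!                  environment variable so this can be driven from
$!                  a script.
$! 25-Jul-96 eay    Cleaned up filenames some more.
$! 11-Jun-96 eay    Fixed a few filename mismatches.
$! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
$! 18-Apr-96 tjh    Original hacking
$!
$! Tim Hudson
$! tjh@cryptsoft.com
$!
$!
$! default ssleay.cnf file has setup as per the following
$! demoCA ... where everything is stored
$
$! NOTE(review): the default below is a bare file specification and is
$! appended directly after "req"/"ca" in the command strings; confirm
$! whether a "-config" keyword is expected in front of it.
$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
$
$! Command strings.  The symbol "openssl" is not defined in this
$! procedure and must already exist when it is invoked.
$ DAYS   = "-days 365"
$ REQ    = openssl + " req " + SSLEAY_CONFIG
$ CA     = openssl + " ca " + SSLEAY_CONFIG
$ VERIFY = openssl + " verify"
$ X509   = openssl + " x509"
$ PKCS12 = openssl + " pkcs12"
$ echo   = "write sys$Output"
$! RET is the value handed to EXIT at clean_up; it starts as 1.
$ RET = 1
$!
$! 2010-12-20 SMS.
$! Use a concealed logical name to reduce command line lengths, to
$! avoid DCL errors on VAX:
$!     %DCL-W-TKNOVF, command element is too long - shorten
$! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
$! quickly.)
$!
$ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
$ define /translation_attributes = concealed CATOP 'CATOP'
$!
$! NOTE(review): with these handlers an error-severity status appears to
$! transfer control to clean_up before the RET=$STATUS line that follows
$! the failing command runs, so RET may still hold an earlier value at
$! EXIT.  Confirm whether callers rely on the exit status.
$ on error then goto clean_up
$ on control_y then goto clean_up
$!
$ CAKEY  = "CATOP:[private]cakey.pem"
$ CACERT = "CATOP:[000000]cacert.pem"
$
$ __INPUT := SYS$COMMAND
$!
$ i = 1
$opt_loop:
$ if i .gt. 8 then goto opt_loop_end
$
$ prog_opt = F$EDIT(P'i',"lowercase")
$
$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help")
$ THEN
$     echo "usage: CA -newcert|-newreq|-newca|-sign|-verify"
$     goto clean_up
$ ENDIF
$!
$ IF (prog_opt .EQS. "-input")
$ THEN
$     ! Get input from somewhere other than SYS$COMMAND
$     i = i + 1
$     __INPUT = P'i'
$     GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newcert")
$ THEN
$     ! Create a certificate.
$     ! -keyout and -out name the same file, so the private key and the
$     ! certificate end up together in newreq.pem.
$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
$     REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
$     RET=$STATUS
$     echo "Certificate (and private key) is in newreq.pem"
$     GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newreq")
$ THEN
$     ! Create a certificate request
$     ! As with -newcert, the private key shares newreq.pem with the request.
$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
$     REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
$     RET=$STATUS
$     echo "Request (and private key) is in newreq.pem"
$     GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newca")
$ THEN
$     ! If explicitly asked for or it doesn't exist then setup the directory
$     ! structure that Eric likes to manage things.
$     IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
$     THEN
$         CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
$         CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
$         CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
$         CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
$         ! OWNER:RWED on its own sets only the owner field; categories that
$         ! are not named are taken from the parent directory.  The CA key
$         ! lives under [private], so GROUP and WORLD are named with no
$         ! access to deny them explicitly.  SYSTEM is left as inherited.
$         CREATE /DIRECTORY /PROTECTION=(OWNER:RWED,GROUP,WORLD) CATOP:[private]
$
$         OPEN /WRITE ser_file CATOP:[000000]serial.
$         WRITE ser_file "01"
$         CLOSE ser_file
$         APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
$
$         ! The following is to make sure access() doesn't get confused.  It
$         ! really needs one file in the directory to give correct answers...
$         COPY NLA0: CATOP:[certs].;
$         COPY NLA0: CATOP:[crl].;
$         COPY NLA0: CATOP:[newcerts].;
$         COPY NLA0: CATOP:[private].;
$     ENDIF
$!
$     ! NOTE(review): the prompt asks for a CA *certificate* file, but the
$     ! file is copied to CAKEY only and CACERT is not written on this
$     ! path.  Presumably a combined key+certificate PEM is expected;
$     ! confirm, and check that 'ca' can find its certificate afterwards.
$     IF F$SEARCH( CAKEY) .EQS. ""
$     THEN
$         READ '__INPUT' FILE -
               /PROMPT="CA certificate filename (or enter to create): "
$         IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
$         THEN
$             COPY 'FILE' 'CAKEY'
$             RET=$STATUS
$         ELSE
$             echo "Making CA certificate ..."
$             DEFINE /USER_MODE SYS$INPUT '__INPUT'
$             REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
$             RET=$STATUS
$         ENDIF
$     ENDIF
$     GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-pkcs12")
$ THEN
$     ! The next parameter, if present, becomes the friendly name; it is
$     ! substituted into the command line inside double quotes as given.
$     i = i + 1
$     cname = P'i'
$     IF cname .EQS. "" THEN cname = "My certificate"
$     PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
             -out newcert.p12 -export -name "''cname'"
$     RET=$STATUS
$     goto clean_up
$ ENDIF
$!
$! The three signing branches below all pass "-policy policy_anything".
$! That policy section is defined in the configuration file, which is not
$! part of this procedure; review it before signing requests that come
$! from anyone other than the CA operator.
$!
$ IF (prog_opt .EQS. "-xsign")
$ THEN
$!
$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
$     CA -policy policy_anything -infiles newreq.pem
$     RET=$STATUS
$     GOTO opt_loop_continue
$ ENDIF
$!
$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
$ THEN
$!
$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
$     CA -policy policy_anything -out newcert.pem -infiles newreq.pem
$     RET=$STATUS
$     type newcert.pem
$     echo "Signed certificate is in newcert.pem"
$     GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-signcert")
$ THEN
$!
$     ! tmp.pem (the intermediate request) is left in the current default
$     ! directory; nothing in this procedure deletes it.
$     echo "Cert passphrase will be requested twice - bug?"
$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
$     X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
$     CA -policy policy_anything -out newcert.pem -infiles tmp.pem
y
y
$     ! Record the signing status, as the -sign branch does.
$     RET=$STATUS
$     type newcert.pem
$     echo "Signed certificate is in newcert.pem"
$     GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-verify")
$ THEN
$!
$     i = i + 1
$     IF (p'i' .EQS. "")
$     THEN
$         DEFINE /USER_MODE SYS$INPUT '__INPUT'
$         VERIFY "-CAfile" 'CACERT' newcert.pem
$         ! Record the verification status so EXIT reports it.
$         RET=$STATUS
$     ELSE
$         j = i
$ verify_opt_loop:
$         IF j .GT. 8 THEN GOTO verify_opt_loop_end
$         IF p'j' .NES. ""
$         THEN
$             DEFINE /USER_MODE SYS$INPUT '__INPUT'
$             __tmp = p'j'
$             VERIFY "-CAfile" 'CACERT' '__tmp'
$             tmp=$STATUS
$             ! A VMS status is never 0 on success (success values are
$             ! odd), so a ".NE. 0" test would overwrite RET on every
$             ! file.  Keep RET only for failing (even) statuses so that
$             ! a later success cannot hide an earlier failure.
$             IF .NOT. tmp THEN RET=tmp
$         ENDIF
$         j = j + 1
$         GOTO verify_opt_loop
$ verify_opt_loop_end:
$     ENDIF
$
$     GOTO opt_loop_end
$ ENDIF
$!
$ IF (prog_opt .NES. "")
$ THEN
$!
$     echo "Unknown argument ''prog_opt'"
$     RET = 3
$     goto clean_up
$ ENDIF
$
$opt_loop_continue:
$ i = i + 1
$ GOTO opt_loop
$
$opt_loop_end:
$!
$clean_up:
$!
$! Remove the process-level CATOP logical name defined above, if present.
$ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
     deassign /process CATOP
$!
$ EXIT 'RET'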