
CA.pl



Hello:
  CA.pl is a script that creates a certifying authority for SSL and TLS.
I found it while working on a Sendmail project.  I felt there were issues with it, so I sent a patch to OpenSSL and made one for OpenBSD too.  Let me know if you use it.

--- CA.pl	Wed May  9 10:44:10 2001
+++ /usr/src/lib/libssl/src/apps/CA.pl	Sat Apr 15 02:18:29 2000
@@ -12,11 +12,6 @@
 # and the other the certificate) and cat them together and that is what
 # you want/need ... I'll make even this a little cleaner later.
 #
-# 07-May-01 rjh    Code overhaul. Fixed perms on "private" directory, and
-#                  reliance on a good umask. cleaned unessary regexs,
-#                  enabled full strictures.
-#                  $SSLEAY_CONFIG removed. openssl binary
-#                  honors the OPENSSL_CONF environment variable.
 #
 # 12-Jan-96 tjh    Added more things ... including CA -signcert which
 #                  converts a certificate to a request and then signs it.
@@ -40,131 +35,121 @@
 
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
-use strict;
-use constant USAGEMSG => <<EOM
-Usage: CA -newcert|-newreq|-newca|-sign|-verify|-signcert
-EOM
-;
-my $DAYS="-days 365";
-my $REQ="openssl req";
-my $CA="openssl ca";
-my $VERIFY="openssl verify";
-my $X509="openssl x509";
-my $PKCS12="openssl pkcs12";
-my $CATOP;
-my $CAKEY = "cakey.pem";
-my $CACERT = "cacert.pem";
-my $DIRMODE = 0755;
-my $RET = 0;
-
-print "Enter a directory name for the CA to reside in [./demoCA]: ";
-$CATOP= <STDIN>;
-$CATOP = "demoCA" if $CATOP eq "\n";
-chomp($CATOP);
-$CATOP = "./" . $CATOP unless $CATOP =~ /^(?:\/|\.|\.\.)/;
-
-$_ = shift;
-
-if ( /^(?:-\?|-h|-help)$/ ) {
-    print STDERR USAGEMSG;
-    exit 0;
-} elsif ($_ eq "-newcert") {
-    # create a certificate
-    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
-    $RET=$?;
-    print "Certificate (and private key) is in newreq.pem\n" unless $RET;
-} elsif ($_ eq "-newreq") {
-    # create a certificate request
-    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
-    $RET=$?;
-    print "Request (and private key) is in newreq.pem\n" unless $RET;
-} elsif ($_ eq "-newca") {
-	# if explicitly asked for or it doesn't exist then setup the
-	# directory structure that Eric likes to manage things 
-    unless( -f "${CATOP}/serial" ) {
-	# create the directory hierarchy
-	mkdir $CATOP, $DIRMODE;
-	mkdir "${CATOP}/certs", $DIRMODE;
-	mkdir "${CATOP}/crl", $DIRMODE ;
-	mkdir "${CATOP}/newcerts", $DIRMODE;
-	mkdir "${CATOP}/private", 0700;
-	open OUT, ">${CATOP}/serial";
-	print OUT "01\n";
-	close OUT;
-	open OUT, ">${CATOP}/index.txt" && close OUT;
-    }
-    unless( -f "${CATOP}/private/$CAKEY" ) {
-	# ask user for existing CA certificate
-	print "CA certificate filename (or enter to create)\n";
-	my $FILE = <STDIN>;
-
-	chomp $FILE;
-
-	if ($FILE) {
-	    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
-	    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+
+$DAYS="-days 365";
+$REQ="openssl req $SSLEAY_CONFIG";
+$CA="openssl ca $SSLEAY_CONFIG";
+$VERIFY="openssl verify";
+$X509="openssl x509";
+$PKCS12="openssl pkcs12";
+
+$CATOP="./demoCA";
+$CAKEY="cakey.pem";
+$CACERT="cacert.pem";
+
+$DIRMODE = 0777;
+
+$RET = 0;
+
+foreach (@ARGV) {
+	if ( /^(-\?|-h|-help)$/ ) {
+	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    exit 0;
+	} elsif (/^-newcert$/) {
+	    # create a certificate
+	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	} else {
-	    print "Making CA certificate ...\n";
-	    system ("$REQ -new -x509 -keyout " .
-		"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+	    print "Certificate (and private key) is in newreq.pem\n"
+	} elsif (/^-newreq$/) {
+	    # create a certificate request
+	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	}
-    }
-} elsif ($_ eq "-pkcs12") {
-    my $cname = $ARGV[1];
-    $cname = "My Certificate" unless defined $cname;
-    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
-		"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
-		"-export -name \"$cname\"");
-    $RET=$?;
-    exit $RET;
-} elsif ($_ eq "-xsign") {
-    system ("$CA -policy policy_anything -infiles newreq.pem");
-    $RET=$?;
-} elsif (/^(?:-sign|-signreq)$/) {
-    system ("$CA -policy policy_anything -out newcert.pem " .
-						"-infiles newreq.pem");
-    $RET=$?;
-    print "Signed certificate is in newcert.pem\n" unless $RET;
-} elsif ($_ eq "-signCA") {
-    system ("$CA -policy policy_anything -out newcert.pem " .
-				"-extensions v3_ca -infiles newreq.pem");
-    $RET=$?;
-    print "Signed CA certificate is in newcert.pem\n" unless $RET;
-} elsif ($_ eq "-signcert") {
-    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
-							"-out tmp.pem");
-    system ("$CA -policy policy_anything -out newcert.pem " .
-						"-infiles tmp.pem");
-    $RET = $?;
-    print "Signed certificate is in newcert.pem\n" unless $RET;
-} elsif ($_ eq "-verify") {
-    if (shift) {
-	foreach my $j (@ARGV) {
-	    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
-	    $RET=$? if ($? != 0);
-	}
-	exit $RET;
-    } else {
-	    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+	    print "Request (and private key) is in newreq.pem\n";
+	} elsif (/^-newca$/) {
+		# if explicitly asked for or it doesn't exist then setup the
+		# directory structure that Eric likes to manage things 
+	    $NEW="1";
+	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+		# create the directory hierarchy
+		mkdir $CATOP, $DIRMODE;
+		mkdir "${CATOP}/certs", $DIRMODE;
+		mkdir "${CATOP}/crl", $DIRMODE ;
+		mkdir "${CATOP}/newcerts", $DIRMODE;
+		mkdir "${CATOP}/private", $DIRMODE;
+		open OUT, ">${CATOP}/serial";
+		print OUT "01\n";
+		close OUT;
+		open OUT, ">${CATOP}/index.txt";
+		close OUT;
+	    }
+	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
+		print "CA certificate filename (or enter to create)\n";
+		$FILE = <STDIN>;
+
+		chop $FILE;
+
+		# ask user for existing CA certificate
+		if ($FILE) {
+		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+		    $RET=$?;
+		} else {
+		    print "Making CA certificate ...\n";
+		    system ("$REQ -new -x509 -keyout " .
+			"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+		    $RET=$?;
+		}
+	    }
+	} elsif (/^-pkcs12$/) {
+	    my $cname = $ARGV[1];
+	    $cname = "My Certificate" unless defined $cname;
+	    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+			"-export -name \"$cname\"");
 	    $RET=$?;
-    	    exit 0;
-    }
-} else {
-    print STDERR "Unknown arg $_\n";
-    print STDERR USAGEMSG;
-    exit 1;
+	    exit $RET;
+	} elsif (/^-xsign$/) {
+	    system ("$CA -policy policy_anything -infiles newreq.pem");
+	    $RET=$?;
+	} elsif (/^(-sign|-signreq)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^-signcert$/) {
+	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+								"-out tmp.pem");
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles tmp.pem");
+	    $RET = $?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^-verify$/) {
+	    if (shift) {
+		foreach $j (@ARGV) {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+		    $RET=$? if ($? != 0);
+		}
+		exit $RET;
+	    } else {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+		    $RET=$?;
+	    	    exit 0;
+	    }
+	} else {
+	    print STDERR "Unknown arg $_\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    exit 1;
+	}
 }
 
 exit $RET;
 
 sub cp_pem {
-   my ($infile, $outfile, $bound) = @_;
-   open IN, $infile;
-   open OUT, ">$outfile";
-   my $flag = 0;
-   while (<IN>) {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
 	$flag = 1 if (/^-----BEGIN.*$bound/) ;
 	print OUT $_ if ($flag);
 	if (/^-----END.*$bound/) {
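Review bot: On the `+` side, `mkdir "${CATOP}/private", $DIRMODE;` with `$DIRMODE = 0777;` creates the directory that later receives the CA private key (`-keyout ${CATOP}/private/$CAKEY`) with a mode that depends entirely on the caller's umask, whereas the `-` side pins it with `mkdir "${CATOP}/private", 0700;` — that explicit mode should be kept. The file headers look reversed (`---` is the 2001 patched CA.pl, `+++` the 2000 /usr/src copy), so this hunk may present the patch backwards; worth regenerating with the sides swapped before submitting. Also on the `+` side, `if ( "$NEW" || ! -f "${CATOP}/serial" )` is always true because `$NEW="1";` is set on the preceding line, so every `-newca` run rewrites `serial` to `01` and truncates `index.txt`, discarding the CA's issued-serial state; the `-` side's `unless( -f "${CATOP}/serial" )` is the intended guard. The `+` side additionally drops `use strict;` and builds `$REQ`/`$CA` from `$SSLEAY_CONFIG`, which is never assigned anywhere visible, so those strings silently gain a trailing space while the `openssl` binary already honors `OPENSSL_CONF`. Finally, `open OUT, ">${CATOP}/serial";` and `open OUT, ">${CATOP}/index.txt";` are unchecked two-argument opens on bareword handles; `open my $out, '>', "${CATOP}/serial" or die "open ${CATOP}/serial: $!";` would stop a failed CA setup from proceeding silently.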
@@ -172,5 +157,6 @@
 		close OUT;
 		return;
 	}
-   }
 }
+}
+