~ubuntu-branches/ubuntu/lucid/openssl/lucid-security

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
$! CA - wrapper around ca to make it easier to use ... basically ca requires
$!      some setup stuff to be done before you can use it and this makes
$!      things easier between now and when Eric is convinced to fix it :-)
$!
$! CA -newca ... will setup the right stuff
$! CA -newreq ... will generate a certificate request 
$! CA -sign ... will sign the generated request and output 
$!
$! At the end of that grab newreq.pem and newcert.pem (one has the key 
$! and the other the certificate) and cat them together and that is what
$! you want/need ... I'll make even this a little cleaner later.
$!
$!
$! 12-Jan-96 tjh    Added more things ... including CA -signcert which
$!                  converts a certificate to a request and then signs it.
$! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
$!                 environment variable so this can be driven from
$!                 a script.
$! 25-Jul-96 eay    Cleaned up filenames some more.
$! 11-Jun-96 eay    Fixed a few filename missmatches.
$! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
$! 18-Apr-96 tjh    Original hacking
$!
$! Tim Hudson
$! tjh@cryptsoft.com
$!
$!
$! default ssleay.cnf file has setup as per the following
$! demoCA ... where everything is stored
$
$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
$
$ DAYS   = "-days 365"
$ REQ    = openssl + " req " + SSLEAY_CONFIG
$ CA     = openssl + " ca " + SSLEAY_CONFIG
$ VERIFY = openssl + " verify"
$ X509   = openssl + " x509"
$ PKCS12 = openssl + " pkcs12"
$ echo   = "write sys$Output"
$!
$ s = F$PARSE(F$ENVIRONMENT("DEFAULT"),"[]") - "].;"
$ CATOP  := 's'.demoCA
$ CAKEY  := ]cakey.pem
$ CACERT := ]cacert.pem
$
$ __INPUT := SYS$COMMAND
$ RET = 1
$!
$ i = 1
$opt_loop:
$ if i .gt. 8 then goto opt_loop_end
$
$ prog_opt = F$EDIT(P'i',"lowercase")
$
$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
$ THEN
$   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
$   exit
$ ENDIF
$!
$ IF (prog_opt .EQS. "-input")
$ THEN
$   ! Get input from somewhere other than SYS$COMMAND
$   i = i + 1
$   __INPUT = P'i'
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newcert")
$ THEN
$   ! Create a certificate.
$   DEFINE/USER SYS$INPUT '__INPUT'
$   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
$   RET=$STATUS
$   echo "Certificate (and private key) is in newreq.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newreq")
$ THEN
$   ! Create a certificate request
$   DEFINE/USER SYS$INPUT '__INPUT'
$   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
$   RET=$STATUS
$   echo "Request (and private key) is in newreq.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newca")
$ THEN
$   ! If explicitly asked for or it doesn't exist then setup the directory
$   ! structure that Eric likes to manage things.
$   IF F$SEARCH(CATOP+"]serial.") .EQS. ""
$   THEN
$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP']
$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.certs]
$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.crl]
$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.newcerts]
$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.private]
$
$     OPEN   /WRITE ser_file 'CATOP']serial. 
$     WRITE ser_file "01"
$     CLOSE ser_file
$     APPEND/NEW NL: 'CATOP']index.txt
$
$     ! The following is to make sure access() doesn't get confused.  It
$     ! really needs one file in the directory to give correct answers...
$     COPY NLA0: 'CATOP'.certs].;
$     COPY NLA0: 'CATOP'.crl].;
$     COPY NLA0: 'CATOP'.newcerts].;
$     COPY NLA0: 'CATOP'.private].;
$   ENDIF
$!
$   IF F$SEARCH(CATOP+".private"+CAKEY) .EQS. ""
$   THEN
$     READ '__INPUT' FILE -
	   /PROMT="CA certificate filename (or enter to create)"
$     IF F$SEARCH(FILE) .NES. ""
$     THEN
$       COPY 'FILE' 'CATOP'.private'CAKEY'
$	RET=$STATUS
$     ELSE
$       echo "Making CA certificate ..."
$       DEFINE/USER SYS$INPUT '__INPUT'
$       REQ -new -x509 -keyout 'CATOP'.private'CAKEY' -
		       -out 'CATOP''CACERT' 'DAYS'
$	RET=$STATUS
$     ENDIF
$   ENDIF
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-pkcs12")
$ THEN
$   i = i + 1
$   cname = P'i'
$   IF cname .EQS. "" THEN cname = "My certificate"
$   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CATOP''CACERT -
	   -out newcert.p12 -export -name "''cname'"
$   RET=$STATUS
$   exit RET
$ ENDIF
$!
$ IF (prog_opt .EQS. "-xsign")
$ THEN
$!
$   DEFINE/USER SYS$INPUT '__INPUT'
$   CA -policy policy_anything -infiles newreq.pem
$   RET=$STATUS
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
$ THEN
$!   
$   DEFINE/USER SYS$INPUT '__INPUT'
$   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
$   RET=$STATUS
$   type newcert.pem
$   echo "Signed certificate is in newcert.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-signcert")
$  THEN
$!   
$   echo "Cert passphrase will be requested twice - bug?"
$   DEFINE/USER SYS$INPUT '__INPUT'
$   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$   DEFINE/USER SYS$INPUT '__INPUT'
$   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
y
y
$   type newcert.pem
$   echo "Signed certificate is in newcert.pem"
$   GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-verify")
$ THEN
$!   
$   i = i + 1
$   IF (p'i' .EQS. "")
$   THEN
$     DEFINE/USER SYS$INPUT '__INPUT'
$     VERIFY "-CAfile" 'CATOP''CACERT' newcert.pem
$   ELSE
$     j = i
$    verify_opt_loop:
$     IF j .GT. 8 THEN GOTO verify_opt_loop_end
$     IF p'j' .NES. ""
$     THEN 
$       DEFINE/USER SYS$INPUT '__INPUT'
$       __tmp = p'j'
$       VERIFY "-CAfile" 'CATOP''CACERT' '__tmp'
$       tmp=$STATUS
$       IF tmp .NE. 0 THEN RET=tmp
$     ENDIF
$     j = j + 1
$     GOTO verify_opt_loop
$    verify_opt_loop_end:
$   ENDIF
$   
$   GOTO opt_loop_end
$ ENDIF
$!
$ IF (prog_opt .NES. "")
$ THEN
$!   
$   echo "Unknown argument ''prog_opt'"
$   
$   EXIT 3
$ ENDIF
$
$opt_loop_continue:
$ i = i + 1
$ GOTO opt_loop
$
$opt_loop_end:
$ EXIT 'RET'