source: main/trunk/greenstone3/bin/windows/openssl/misc/CA.pl@ 32476

Last change on this file since 32476 was 32476, checked in by ak19, 6 years ago

Compiled up 32 bit OpenSSL v 1.1.1 on Windows to use in place of ZeroSSL to generate keys. Works on 64 bit to generate keys. Committing just the products (with folder structure) we need for generating keys, as that's all we'll be using openSSL for on Windows, to save on binary size. Instructions on compiling OpenSSL (32 and 64 bit targets, openSSL versions 1.0.2p and 1.1.1) and instructions on packaging up it up for SVN are at internal wiki page Compiling OpenSSL on Windows
File size: 7.6 KB
RevLine 
[32476]1#!/usr/bin/env perl
2# Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the OpenSSL license (the "License"). You may not use
5# this file except in compliance with the License. You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9#
10# Wrapper around the ca to make it easier to use
11#
12# WARNING: do not edit!
13# Generated by makefile from apps\CA.pl.in
14
15use strict;
16use warnings;
17
18my $openssl = "openssl";
19if(defined $ENV{'OPENSSL'}) {
20 $openssl = $ENV{'OPENSSL'};
21} else {
22 $ENV{'OPENSSL'} = $openssl;
23}
24
25my $verbose = 1;
26
27my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || "";
28my $DAYS = "-days 365";
29my $CADAYS = "-days 1095"; # 3 years
30my $REQ = "$openssl req $OPENSSL_CONFIG";
31my $CA = "$openssl ca $OPENSSL_CONFIG";
32my $VERIFY = "$openssl verify";
33my $X509 = "$openssl x509";
34my $PKCS12 = "$openssl pkcs12";
35
36# default openssl.cnf file has setup as per the following
37my $CATOP = "./demoCA";
38my $CAKEY = "cakey.pem";
39my $CAREQ = "careq.pem";
40my $CACERT = "cacert.pem";
41my $CACRL = "crl.pem";
42my $DIRMODE = 0777;
43
44my $NEWKEY = "newkey.pem";
45my $NEWREQ = "newreq.pem";
46my $NEWCERT = "newcert.pem";
47my $NEWP12 = "newcert.p12";
48my $RET = 0;
49my $WHAT = shift @ARGV || "";
50my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
51my %EXTRA = extra_args(\@ARGV, "-extra-");
52my $FILE;
53
54sub extra_args {
55 my ($args_ref, $arg_prefix) = @_;
56 my %eargs = map {
57 if ($_ < $#$args_ref) {
58 my ($arg, $value) = splice(@$args_ref, $_, 2);
59 $arg =~ s/$arg_prefix//;
60 ($arg, $value);
61 } else {
62 ();
63 }
64 } reverse grep($$args_ref[$_] =~ /$arg_prefix/, 0..$#$args_ref);
65 my %empty = map { ($_, "") } @OPENSSL_CMDS;
66 return (%empty, %eargs);
67}
68
69# See if reason for a CRL entry is valid; exit if not.
70sub crl_reason_ok
71{
72 my $r = shift;
73
74 if ($r eq 'unspecified' || $r eq 'keyCompromise'
75 || $r eq 'CACompromise' || $r eq 'affiliationChanged'
76 || $r eq 'superseded' || $r eq 'cessationOfOperation'
77 || $r eq 'certificateHold' || $r eq 'removeFromCRL') {
78 return 1;
79 }
80 print STDERR "Invalid CRL reason; must be one of:\n";
81 print STDERR " unspecified, keyCompromise, CACompromise,\n";
82 print STDERR " affiliationChanged, superseded, cessationOfOperation\n";
83 print STDERR " certificateHold, removeFromCRL";
84 exit 1;
85}
86
87# Copy a PEM-format file; return like exit status (zero means ok)
88sub copy_pemfile
89{
90 my ($infile, $outfile, $bound) = @_;
91 my $found = 0;
92
93 open IN, $infile || die "Cannot open $infile, $!";
94 open OUT, ">$outfile" || die "Cannot write to $outfile, $!";
95 while (<IN>) {
96 $found = 1 if /^-----BEGIN.*$bound/;
97 print OUT $_ if $found;
98 $found = 2, last if /^-----END.*$bound/;
99 }
100 close IN;
101 close OUT;
102 return $found == 2 ? 0 : 1;
103}
104
105# Wrapper around system; useful for debugging. Returns just the exit status
106sub run
107{
108 my $cmd = shift;
109 print "====\n$cmd\n" if $verbose;
110 my $status = system($cmd);
111 print "==> $status\n====\n" if $verbose;
112 return $status >> 8;
113}
114
115
116if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
117 print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
118 print STDERR " CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
119 print STDERR " CA.pl -verify [-extra-verify extra-params] certfile ...\n";
120 print STDERR " CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
121 exit 0;
122}
123if ($WHAT eq '-newcert' ) {
124 # create a certificate
125 $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
126 print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
127} elsif ($WHAT eq '-precert' ) {
128 # create a pre-certificate
129 $RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
130 print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
131} elsif ($WHAT =~ /^\-newreq(\-nodes)?$/ ) {
132 # create a certificate request
133 $RET = run("$REQ -new $1 -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
134 print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
135} elsif ($WHAT eq '-newca' ) {
136 # create the directory hierarchy
137 mkdir ${CATOP}, $DIRMODE;
138 mkdir "${CATOP}/certs", $DIRMODE;
139 mkdir "${CATOP}/crl", $DIRMODE ;
140 mkdir "${CATOP}/newcerts", $DIRMODE;
141 mkdir "${CATOP}/private", $DIRMODE;
142 open OUT, ">${CATOP}/index.txt";
143 close OUT;
144 open OUT, ">${CATOP}/crlnumber";
145 print OUT "01\n";
146 close OUT;
147 # ask user for existing CA certificate
148 print "CA certificate filename (or enter to create)\n";
149 $FILE = "" unless defined($FILE = <STDIN>);
150 $FILE =~ s{\R$}{};
151 if ($FILE ne "") {
152 copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
153 copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
154 } else {
155 print "Making CA certificate ...\n";
156 $RET = run("$REQ -new -keyout"
157 . " ${CATOP}/private/$CAKEY"
158 . " -out ${CATOP}/$CAREQ $EXTRA{req}");
159 $RET = run("$CA -create_serial"
160 . " -out ${CATOP}/$CACERT $CADAYS -batch"
161 . " -keyfile ${CATOP}/private/$CAKEY -selfsign"
162 . " -extensions v3_ca $EXTRA{ca}"
163 . " -infiles ${CATOP}/$CAREQ") if $RET == 0;
164 print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
165 }
166} elsif ($WHAT eq '-pkcs12' ) {
167 my $cname = $ARGV[0];
168 $cname = "My Certificate" unless defined $cname;
169 $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
170 . " -certfile ${CATOP}/$CACERT"
171 . " -out $NEWP12"
172 . " -export -name \"$cname\" $EXTRA{pkcs12}");
173 print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
174} elsif ($WHAT eq '-xsign' ) {
175 $RET = run("$CA -policy policy_anything $EXTRA{ca} -infiles $NEWREQ");
176} elsif ($WHAT eq '-sign' ) {
177 $RET = run("$CA -policy policy_anything -out $NEWCERT $EXTRA{ca} -infiles $NEWREQ");
178 print "Signed certificate is in $NEWCERT\n" if $RET == 0;
179} elsif ($WHAT eq '-signCA' ) {
180 $RET = run("$CA -policy policy_anything -out $NEWCERT"
181 . " -extensions v3_ca $EXTRA{ca} -infiles $NEWREQ");
182 print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
183} elsif ($WHAT eq '-signcert' ) {
184 $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
185 . " -out tmp.pem $EXTRA{x509}");
186 $RET = run("$CA -policy policy_anything -out $NEWCERT"
187 . "$EXTRA{ca} -infiles tmp.pem") if $RET == 0;
188 print "Signed certificate is in $NEWCERT\n" if $RET == 0;
189} elsif ($WHAT eq '-verify' ) {
190 my @files = @ARGV ? @ARGV : ( $NEWCERT );
191 my $file;
192 foreach $file (@files) {
193 my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file $EXTRA{verify}");
194 $RET = $status if $status != 0;
195 }
196} elsif ($WHAT eq '-crl' ) {
197 $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL $EXTRA{ca}");
198 print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
199} elsif ($WHAT eq '-revoke' ) {
200 my $cname = $ARGV[0];
201 if (!defined $cname) {
202 print "Certificate filename is required; reason optional.\n";
203 exit 1;
204 }
205 my $reason = $ARGV[1];
206 $reason = " -crl_reason $reason"
207 if defined $reason && crl_reason_ok($reason);
208 $RET = run("$CA -revoke \"$cname\"" . $reason . $EXTRA{ca});
209} else {
210 print STDERR "Unknown arg \"$WHAT\"\n";
211 print STDERR "Use -help for help.\n";
212 exit 1;
213}
214
215exit $RET;
Note: See TracBrowser for help on using the repository browser.