root/main/trunk/greenstone3/bin/windows/openssl/misc/CA.pl @ 32476

Revision 32476, 7.6 KB (checked in by ak19, 8 months ago)

Compiled up 32-bit OpenSSL v1.1.1 on Windows to use in place of ZeroSSL to generate keys. It also works on 64-bit for generating keys. Committing just the products (with folder structure) we need for generating keys, as that's all we'll be using OpenSSL for on Windows, to save on binary size. Instructions on compiling OpenSSL (32- and 64-bit targets, OpenSSL versions 1.0.2p and 1.1.1) and on packaging it up for SVN are on the internal wiki page "Compiling OpenSSL on Windows".

1#!/usr/bin/env perl
2# Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the OpenSSL license (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9#
10# Wrapper around the ca to make it easier to use
11#
12# WARNING: do not edit!
13# Generated by makefile from apps\CA.pl.in
14
15use strict;
16use warnings;
17
# Path (or bare name) of the openssl binary.  $ENV{OPENSSL} wins when it
# is set; otherwise the default is exported so child processes see it too.
my $openssl = "openssl";
if(defined $ENV{'OPENSSL'}) {
    $openssl = $ENV{'OPENSSL'};
} else {
    $ENV{'OPENSSL'} = $openssl;
}

# When true, run() echoes every command line and its raw exit status.
my $verbose = 1;

# Extra arguments (typically "-config <file>") appended to "req" and "ca".
# NOTE: $openssl and $OPENSSL_CONFIG are interpolated unquoted into the
# command strings that run() hands to system(), so both are trusted input
# taken from the environment.
my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || "";
my $DAYS = "-days 365";             # validity of end-entity certificates
my $CADAYS = "-days 1095";          # 3 years: validity of the CA certificate
my $REQ = "$openssl req $OPENSSL_CONFIG";
my $CA = "$openssl ca $OPENSSL_CONFIG";
my $VERIFY = "$openssl verify";
my $X509 = "$openssl x509";
my $PKCS12 = "$openssl pkcs12";

# default openssl.cnf file has setup as per the following
my $CATOP = "./demoCA";
my $CAKEY = "cakey.pem";            # kept under ${CATOP}/private
my $CAREQ = "careq.pem";
my $CACERT = "cacert.pem";
my $CACRL = "crl.pem";              # written under ${CATOP}/crl
# Mode passed to mkdir for the whole CA tree, including private/ (the
# effective permissions are further restricted by the umask).
my $DIRMODE = 0777;

my $NEWKEY = "newkey.pem";
my $NEWREQ = "newreq.pem";
my $NEWCERT = "newcert.pem";
my $NEWP12 = "newcert.p12";
my $RET = 0;                        # exit status of the script
my $WHAT = shift @ARGV || "";       # first argument selects the action
my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
# "-extra-<cmd> <params>" pairs are removed from @ARGV here; %EXTRA always
# has a (possibly empty) entry for each name in @OPENSSL_CMDS.
my %EXTRA = extra_args(\@ARGV, "-extra-");
my $FILE;                           # CA file name read from STDIN by -newca
53
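# Pull "<prefix><cmd> <value>" pairs out of the argument list and return
# them as a hash.  The matched pairs are spliced out of @$args_ref in
# place, so what remains is the action's own arguments.
#
# Parameters:
#   $args_ref   - array reference (normally \@ARGV); modified in place
#   $arg_prefix - literal flag prefix, e.g. "-extra-"
#
# Returns a (cmd => value) hash with an entry for every name in
# @OPENSSL_CMDS (defaulting to "") plus whatever was supplied.  A prefix
# flag with no following value is left in the list and ignored; if the
# same flag is given twice the first occurrence wins.
sub extra_args {
    my ($args_ref, $arg_prefix) = @_;
    # The prefix is plain text, not a pattern: quote it and anchor it so
    # that a value which merely contains the prefix is not taken for a flag.
    my $flag_re = qr/^\Q$arg_prefix\E/;
    # Walk the matching indices from the end so that splicing a pair out
    # never shifts an index that is still to be visited.
    my @flag_idx = reverse grep { $args_ref->[$_] =~ $flag_re } 0 .. $#$args_ref;
    my %eargs;
    for my $i (@flag_idx) {
        next unless $i < $#$args_ref;               # flag without a value
        my ($arg, $value) = splice(@$args_ref, $i, 2);
        $arg =~ s/$flag_re//;
        $eargs{$arg} = $value;      # earlier occurrences overwrite later ones
    }
    my %empty = map { ($_, "") } @OPENSSL_CMDS;
    return (%empty, %eargs);
}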
68
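# See if reason for a CRL entry is valid; exit if not.
#
# $r must be one of the reason codes listed below.  Returns 1 when it is;
# otherwise prints the accepted list to STDERR and exits the script with
# status 1 (callers never see a false return).
sub crl_reason_ok
{
    my $r = shift;

    # lookup table instead of a chain of eq comparisons
    my %valid_reason = map { ($_ => 1) } qw(
        unspecified keyCompromise CACompromise affiliationChanged
        superseded cessationOfOperation certificateHold removeFromCRL
    );
    return 1 if defined $r && $valid_reason{$r};

    print STDERR "Invalid CRL reason; must be one of:\n";
    print STDERR "    unspecified, keyCompromise, CACompromise,\n";
    print STDERR "    affiliationChanged, superseded, cessationOfOperation\n";
    print STDERR "    certificateHold, removeFromCRL\n";  # newline was missing
    exit 1;
}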
86
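# Copy a PEM-format file; return like exit status (zero means ok)
#
# Copies the first "-----BEGIN ...$bound" .. "-----END ...$bound" block
# found in $infile to $outfile (BEGIN/END lines included, everything
# outside the block dropped).  $bound is a literal such as "PRIVATE" or
# "CERTIFICATE" and is matched as text, not as a pattern.
#
# Returns 0 when a complete block was copied, 1 when no matching END line
# was seen.  Dies if either file cannot be opened or $outfile cannot be
# flushed.
sub copy_pemfile
{
    my ($infile, $outfile, $bound) = @_;
    my $found = 0;

    # Three-argument open with lexical handles: $infile comes from the user
    # (see -newca) and must never be interpreted as a mode or a pipe.  "or"
    # rather than "||" so that the die really guards the open call.
    open my $in, '<', $infile or die "Cannot open $infile, $!";
    open my $out, '>', $outfile or die "Cannot write to $outfile, $!";
    while (my $line = <$in>) {
        $found = 1 if $line =~ /^-----BEGIN.*\Q$bound\E/;
        print {$out} $line if $found;
        if ($line =~ /^-----END.*\Q$bound\E/) {
            $found = 2;
            last;
        }
    }
    close $in;
    close $out or die "Cannot write to $outfile, $!";
    return $found == 2 ? 0 : 1;
}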
104
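# Wrapper around system; useful for debugging.  Returns just the exit status
#
# $cmd is a single command string; system() passes it to the shell when it
# contains shell metacharacters, so callers are responsible for quoting the
# pieces they interpolate.  The command and raw status are echoed when
# $verbose is set.
#
# Returns the child's exit code (0..255).  A child that could not be
# started yields 127 and one killed by a signal yields 128 + signal number
# (the usual shell conventions); "$status >> 8" alone would report both
# cases as 0, i.e. as success.
sub run
{
    my $cmd = shift;
    print "====\n$cmd\n" if $verbose;
    my $status = system($cmd);
    print "==> $status\n====\n" if $verbose;
    if ($status == -1) {
        print STDERR "Failed to execute command: $!\n";
        return 127;
    }
    # the low 7 bits hold the terminating signal, if any
    return 128 + ($status & 127) if $status & 127;
    return $status >> 8;
}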
114
115
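# Command dispatch.  $WHAT is the first command-line argument; everything
# after it (minus the -extra-* pairs already removed by extra_args) is
# left in @ARGV for the actions that take file names.  Each action runs
# one or more openssl commands through run() and leaves the exit status
# in $RET.
if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
    print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
    print STDERR "       CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
    print STDERR "       CA.pl -verify [-extra-verify extra-params] certfile ...\n";
    print STDERR "       CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
    exit 0;
}
if ($WHAT eq '-newcert' ) {
    # create a certificate
    $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
    print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-precert' ) {
    # create a pre-certificate
    $RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
    print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT =~ /^\-newreq(\-nodes)?$/ ) {
    # create a certificate request; pass "-nodes" through when requested
    # (captured right away: an undefined $1 would warn under "use warnings")
    my $nodes = defined $1 ? $1 : "";
    $RET = run("$REQ -new $nodes -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-newca' ) {
    # create the directory hierarchy; mkdir failures (typically because the
    # tree already exists) are deliberately ignored.  $DIRMODE (0777, less
    # the umask) applies to private/ as well, where the CA key is stored.
    mkdir ${CATOP}, $DIRMODE;
    mkdir "${CATOP}/certs", $DIRMODE;
    mkdir "${CATOP}/crl", $DIRMODE ;
    mkdir "${CATOP}/newcerts", $DIRMODE;
    mkdir "${CATOP}/private", $DIRMODE;
    # empty certificate database and the initial CRL number; these opens
    # were previously unchecked, so a read-only tree failed silently
    open my $index_fh, '>', "${CATOP}/index.txt"
        or die "Cannot write to ${CATOP}/index.txt, $!";
    close $index_fh;
    open my $crlnum_fh, '>', "${CATOP}/crlnumber"
        or die "Cannot write to ${CATOP}/crlnumber, $!";
    print {$crlnum_fh} "01\n";
    close $crlnum_fh;
    # ask user for existing CA certificate
    print "CA certificate filename (or enter to create)\n";
    $FILE = "" unless defined($FILE = <STDIN>);
    $FILE =~ s{\R$}{};
    if ($FILE ne "") {
        # reuse one existing file holding both the CA key and certificate
        copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
        copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
    } else {
        print "Making CA certificate ...\n";
        $RET = run("$REQ -new -keyout"
                . " ${CATOP}/private/$CAKEY"
                . " -out ${CATOP}/$CAREQ $EXTRA{req}");
        $RET = run("$CA -create_serial"
                . " -out ${CATOP}/$CACERT $CADAYS -batch"
                . " -keyfile ${CATOP}/private/$CAKEY -selfsign"
                . " -extensions v3_ca $EXTRA{ca}"
                . " -infiles ${CATOP}/$CAREQ") if $RET == 0;
        print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
    }
} elsif ($WHAT eq '-pkcs12' ) {
    # bundle $NEWCERT, $NEWKEY and the CA certificate into a PKCS#12 file
    my $cname = $ARGV[0];
    $cname = "My Certificate" unless defined $cname;
    # NOTE: $cname is double-quoted but not shell-escaped on its way into run()
    $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
            . " -certfile ${CATOP}/$CACERT"
            . " -out $NEWP12"
            . " -export -name \"$cname\" $EXTRA{pkcs12}");
    print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
} elsif ($WHAT eq '-xsign' ) {
    # sign the request without writing $NEWCERT (no -out is given)
    $RET = run("$CA -policy policy_anything $EXTRA{ca} -infiles $NEWREQ");
} elsif ($WHAT eq '-sign' ) {
    $RET = run("$CA -policy policy_anything -out $NEWCERT $EXTRA{ca} -infiles $NEWREQ");
    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-signCA' ) {
    # like -sign, but with the v3_ca extensions
    $RET = run("$CA -policy policy_anything -out $NEWCERT"
            . " -extensions v3_ca $EXTRA{ca} -infiles $NEWREQ");
    print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-signcert' ) {
    # turn the certificate in $NEWREQ back into a request, then sign it
    $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
            . " -out tmp.pem $EXTRA{x509}");
    # separating space restored: without it $EXTRA{ca} was glued onto $NEWCERT
    $RET = run("$CA -policy policy_anything -out $NEWCERT"
            . " $EXTRA{ca} -infiles tmp.pem") if $RET == 0;
    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-verify' ) {
    # verify each named file (default: $NEWCERT) against the CA certificate;
    # $RET ends up as the status of the last failing file, if any
    my @files = @ARGV ? @ARGV : ( $NEWCERT );
    foreach my $file (@files) {
        my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file $EXTRA{verify}");
        $RET = $status if $status != 0;
    }
} elsif ($WHAT eq '-crl' ) {
    $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL $EXTRA{ca}");
    print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
} elsif ($WHAT eq '-revoke' ) {
    my $cname = $ARGV[0];
    if (!defined $cname) {
        print "Certificate filename is required; reason optional.\n";
        exit 1;
    }
    # crl_reason_ok() exits the script on an unknown reason, so a defined
    # $reason is always valid here; an absent one becomes "" rather than
    # undef so the concatenation below does not warn
    my $reason = $ARGV[1];
    $reason = defined $reason && crl_reason_ok($reason)
        ? " -crl_reason $reason" : "";
    # separating space added so $EXTRA{ca} is not glued onto the reason
    $RET = run("$CA -revoke \"$cname\"" . $reason . " $EXTRA{ca}");
} else {
    print STDERR "Unknown arg \"$WHAT\"\n";
    print STDERR "Use -help for help.\n";
    exit 1;
}

exit $RET;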