openssl/apps/CA.pl.in

#!/usr/bin/perl
#
# Wrapper around the ca to make it easier to use
# Edit CA.pl.in not CA.pl!


use strict;
use warnings;

my $openssl = "openssl";
if(defined $ENV{'OPENSSL'}) {
    $openssl = $ENV{'OPENSSL'};
} else {
    $ENV{'OPENSSL'} = $openssl;
}

my $verbose = 1;

my $SSLEAY_CONFIG = $ENV{"SSLEAY_CONFIG"};
my $DAYS = "-days 365";
my $CADAYS = "-days 1095";	# 3 years
my $REQ = "$openssl req $SSLEAY_CONFIG";
my $CA = "$openssl ca $SSLEAY_CONFIG";
my $VERIFY = "$openssl verify";
my $X509 = "$openssl x509";
my $PKCS12 = "$openssl pkcs12";

# default openssl.cnf file has setup as per the following
my $CATOP = "./demoCA";
my $CAKEY = "cakey.pem";
my $CAREQ = "careq.pem";
my $CACERT = "cacert.pem";
my $CACRL = "crl.pem";
my $DIRMODE = 0777;

my $NEWKEY = "newkey.pem";
my $NEWREQ = "newreq.pem";
my $NEWCERT = "newcert.pem";
my $NEWP12 = "newcert.p12";
my $RET = 0;
my $WHAT = shift @ARGV;
my $FILE;

# See if reason for a CRL entry is valid; exit if not.
sub crl_reason_ok
{
    my $r = shift;

    if ($r eq 'unspecified' || $r eq 'keyCompromise'
        || $r eq 'CACompromise' || $r eq 'affiliationChanged'
        || $r eq 'superseded' || $r eq 'cessationOfOperation'
        || $r eq 'certificateHold' || $r eq 'removeFromCRL') {
        return 1;
    }
    print STDERR "Invalid CRL reason; must be one of:\n";
    print STDERR "    unspecified, keyCompromise, CACompromise,\n";
    print STDERR "    affiliationChanged, superseded, cessationOfOperation\n";
    print STDERR "    certificateHold, removeFromCRL";
    exit 1;
}

# Copy a PEM-format file; return like exit status (zero means ok)
sub copy_pemfile
{
    my ($infile, $outfile, $bound) = @_;
    my $found = 0;

    open IN, $infile || die "Cannot open $infile, $!";
    open OUT, ">$outfile" || die "Cannot write to $outfile, $!";
    while (<IN>) {
        $found = 1 if /^-----BEGIN.*$bound/;
        print OUT $_ if $found;
        $found = 2, last if /^-----END.*$bound/;
    }
    close IN;
    close OUT;
    return $found == 2 ? 0 : 1;
}

# Wrapper around system; useful for debugging.  Returns just the exit status
sub run
{
    my $cmd = shift;
    print "====\n$cmd\n" if $verbose;
    my $status = system($cmd);
    print "==> $status\n====\n" if $verbose;
    return $status >> 8;
}


if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
    print STDERR "       CA -pkcs12 [certname]\n";
    print STDERR "       CA -crl|-revoke cert-filename [reason]\n";
    exit 0;
}
if ($WHAT eq '-newcert' ) {
    # create a certificate
    $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS");
    print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-newreq' ) {
    # create a certificate request
    $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS");
    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-newreq-nodes' ) {
    # create a certificate request
    $RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS");
    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-newca' ) {
    # create the directory hierarchy
    mkdir ${CATOP}, $DIRMODE;
    mkdir "${CATOP}/certs", $DIRMODE;
    mkdir "${CATOP}/crl", $DIRMODE ;
    mkdir "${CATOP}/newcerts", $DIRMODE;
    mkdir "${CATOP}/private", $DIRMODE;
    open OUT, ">${CATOP}/index.txt";
    close OUT;
    open OUT, ">${CATOP}/crlnumber";
    print OUT "01\n";
    close OUT;
    # ask user for existing CA certificate
    print "CA certificate filename (or enter to create)\n";
    $FILE = <STDIN>;
    chop $FILE;
    if ($FILE) {
        copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
        copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
    } else {
        print "Making CA certificate ...\n";
        $RET = run("$REQ -new -keyout"
                . " ${CATOP}/private/$CAKEY"
                . " -out ${CATOP}/$CAREQ");
        $RET = run("$CA -create_serial"
                . " -out ${CATOP}/$CACERT $CADAYS -batch"
                . " -keyfile ${CATOP}/private/$CAKEY -selfsign"
                . " -extensions v3_ca"
                . " -infiles ${CATOP}/$CAREQ") if $RET == 0;
        print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
    }
} elsif ($WHAT eq '-pkcs12' ) {
    my $cname = $ARGV[1];
    $cname = "My Certificate" unless defined $cname;
    $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
            . " -certfile ${CATOP}/$CACERT"
            . " -out $NEWP12"
            . " -export -name \"$cname\"");
    print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
} elsif ($WHAT eq '-xsign' ) {
    $RET = run("$CA -policy policy_anything -infiles $NEWREQ");
} elsif ($WHAT eq '-sign' ) {
    $RET = run("$CA -policy policy_anything -out $NEWCERT -infiles $NEWREQ");
    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-signCA' ) {
    $RET = run("$CA -policy policy_anything -out $NEWCERT"
            . " -extensions v3_ca -infiles $NEWREQ");
    print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-signcert' ) {
    $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
            . " -out tmp.pem");
    $RET = run("$CA -policy policy_anything -out $NEWCERT"
            . " -infiles tmp.pem") if $RET == 0;
    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-verify' ) {
    my @files = @ARGV ? @ARGV : ( $NEWCVERT );
    foreach $file (@files) {
        my $status = run("$VERIFY -CAfile ${CATOP}/$CACERT $file");
        $RET = $status if $status != 0;
    }
} elsif ($WHAT eq '-crl' ) {
    $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL");
    print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
} elsif ($WHAT eq '-revoke' ) {
    my $cname = $ARGV[1];
    if (!defined $cname) {
        print "Certificate filename is required; reason optional.\n";
        exit 1;
    }
    my $reason = $ARGV[2];
    $reason = " -crl_reason $reason"
        if defined $reason && crl_reason_ok($reason);
    $RET = run("$CA -revoke \"$cname\"" . $reason);
} else {
    print STDERR "Unknown arg \"$WHAT\"\n";
    print STDERR "Use -help for help.\n";
    exit 1;
}

exit $RET;
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`#!/usr/bin/perl`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00			`#`
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`# Wrapper around the ca to make it easier to use`
			`# Edit CA.pl.in not CA.pl!`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00

Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`use strict;`
			`use warnings;`

			`my $openssl = "openssl";`
			`if(defined $ENV{'OPENSSL'}) {`
			`$openssl = $ENV{'OPENSSL'};`
Address run-time linker problems: LD_PRELOAD issue on multi-ABI platforms and SafeDllSearchMode in Windows. Submitted by: Richard Levitte 2005-02-01 23:48:37 +00:00			`} else {`
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`$ENV{'OPENSSL'} = $openssl;`
Address run-time linker problems: LD_PRELOAD issue on multi-ABI platforms and SafeDllSearchMode in Windows. Submitted by: Richard Levitte 2005-02-01 23:48:37 +00:00			`}`

Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`my $verbose = 1;`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`my $SSLEAY_CONFIG = $ENV{"SSLEAY_CONFIG"};`
			`my $DAYS = "-days 365";`
			`my $CADAYS = "-days 1095"; # 3 years`
			`my $REQ = "$openssl req $SSLEAY_CONFIG";`
			`my $CA = "$openssl ca $SSLEAY_CONFIG";`
			`my $VERIFY = "$openssl verify";`
			`my $X509 = "$openssl x509";`
			`my $PKCS12 = "$openssl pkcs12";`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`# default openssl.cnf file has setup as per the following`
			`my $CATOP = "./demoCA";`
			`my $CAKEY = "cakey.pem";`
			`my $CAREQ = "careq.pem";`
			`my $CACERT = "cacert.pem";`
			`my $CACRL = "crl.pem";`
			`my $DIRMODE = 0777;`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`my $NEWKEY = "newkey.pem";`
			`my $NEWREQ = "newreq.pem";`
			`my $NEWCERT = "newcert.pem";`
			`my $NEWP12 = "newcert.p12";`
			`my $RET = 0;`
			`my $WHAT = shift @ARGV;`
			`my $FILE;`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`# See if reason for a CRL entry is valid; exit if not.`
			`sub crl_reason_ok`
			`{`
			`my $r = shift;`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`if ($r eq 'unspecified' \|\| $r eq 'keyCompromise'`
			`\|\| $r eq 'CACompromise' \|\| $r eq 'affiliationChanged'`
			`\|\| $r eq 'superseded' \|\| $r eq 'cessationOfOperation'`
			`\|\| $r eq 'certificateHold' \|\| $r eq 'removeFromCRL') {`
			`return 1;`
			`}`
			`print STDERR "Invalid CRL reason; must be one of:\n";`
			`print STDERR " unspecified, keyCompromise, CACompromise,\n";`
			`print STDERR " affiliationChanged, superseded, cessationOfOperation\n";`
			`print STDERR " certificateHold, removeFromCRL";`
			`exit 1;`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00			`}`

Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`# Copy a PEM-format file; return like exit status (zero means ok)`
			`sub copy_pemfile`
			`{`
			`my ($infile, $outfile, $bound) = @_;`
			`my $found = 0;`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`open IN, $infile \|\| die "Cannot open $infile, $!";`
			`open OUT, ">$outfile" \|\| die "Cannot write to $outfile, $!";`
			`while (<IN>) {`
			`$found = 1 if /^-----BEGIN.*$bound/;`
			`print OUT $_ if $found;`
			`$found = 2, last if /^-----END.*$bound/;`
			`}`
			`close IN;`
			`close OUT;`
			`return $found == 2 ? 0 : 1;`
RT3291: Add -crl and -revoke options to CA.pl I added some error-checking while integrating this patch. Reviewed-by: Tim Hudson <tjh@openssl.org> 2014-09-04 20:59:44 +00:00			`}`

Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`# Wrapper around system; useful for debugging. Returns just the exit status`
			`sub run`
			`{`
			`my $cmd = shift;`
			`print "====\n$cmd\n" if $verbose;`
			`my $status = system($cmd);`
			`print "==> $status\n====\n" if $verbose;`
			`return $status >> 8;`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00			`}`
Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00

			`if ( $WHAT =~ /^(-\?\|-h\|-help)$/ ) {`
			`print STDERR "usage: CA -newcert\|-newreq\|-newreq-nodes\|-newca\|-sign\|-verify\n";`
			`print STDERR " CA -pkcs12 [certname]\n";`
			`print STDERR " CA -crl\|-revoke cert-filename [reason]\n";`
			`exit 0;`
			`}`
			`if ($WHAT eq '-newcert' ) {`
			`# create a certificate`
			`$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS");`
			`print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;`
			`} elsif ($WHAT eq '-newreq' ) {`
			`# create a certificate request`
			`$RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS");`
			`print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;`
			`} elsif ($WHAT eq '-newreq-nodes' ) {`
			`# create a certificate request`
			`$RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS");`
			`print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;`
			`} elsif ($WHAT eq '-newca' ) {`
			`# create the directory hierarchy`
			`mkdir ${CATOP}, $DIRMODE;`
			`mkdir "${CATOP}/certs", $DIRMODE;`
			`mkdir "${CATOP}/crl", $DIRMODE ;`
			`mkdir "${CATOP}/newcerts", $DIRMODE;`
			`mkdir "${CATOP}/private", $DIRMODE;`
			`open OUT, ">${CATOP}/index.txt";`
			`close OUT;`
			`open OUT, ">${CATOP}/crlnumber";`
			`print OUT "01\n";`
			`close OUT;`
			`# ask user for existing CA certificate`
			`print "CA certificate filename (or enter to create)\n";`
			`$FILE = <STDIN>;`
			`chop $FILE;`
			`if ($FILE) {`
			`copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");`
			`copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");`
			`} else {`
			`print "Making CA certificate ...\n";`
			`$RET = run("$REQ -new -keyout"`
			`. " ${CATOP}/private/$CAKEY"`
			`. " -out ${CATOP}/$CAREQ");`
			`$RET = run("$CA -create_serial"`
			`. " -out ${CATOP}/$CACERT $CADAYS -batch"`
			`. " -keyfile ${CATOP}/private/$CAKEY -selfsign"`
			`. " -extensions v3_ca"`
			`. " -infiles ${CATOP}/$CAREQ") if $RET == 0;`
			`print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;`
			`}`
			`} elsif ($WHAT eq '-pkcs12' ) {`
			`my $cname = $ARGV[1];`
			`$cname = "My Certificate" unless defined $cname;`
			`$RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"`
			`. " -certfile ${CATOP}/$CACERT"`
			`. " -out $NEWP12"`
			`. " -export -name \"$cname\"");`
			`print "PKCS #12 file is in $NEWP12\n" if $RET == 0;`
			`} elsif ($WHAT eq '-xsign' ) {`
			`$RET = run("$CA -policy policy_anything -infiles $NEWREQ");`
			`} elsif ($WHAT eq '-sign' ) {`
			`$RET = run("$CA -policy policy_anything -out $NEWCERT -infiles $NEWREQ");`
			`print "Signed certificate is in $NEWCERT\n" if $RET == 0;`
			`} elsif ($WHAT eq '-signCA' ) {`
			`$RET = run("$CA -policy policy_anything -out $NEWCERT"`
			`. " -extensions v3_ca -infiles $NEWREQ");`
			`print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;`
			`} elsif ($WHAT eq '-signcert' ) {`
			`$RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"`
			`. " -out tmp.pem");`
			`$RET = run("$CA -policy policy_anything -out $NEWCERT"`
			`. " -infiles tmp.pem") if $RET == 0;`
			`print "Signed certificate is in $NEWCERT\n" if $RET == 0;`
			`} elsif ($WHAT eq '-verify' ) {`
			`my @files = @ARGV ? @ARGV : ( $NEWCVERT );`
			`foreach $file (@files) {`
			`my $status = run("$VERIFY -CAfile ${CATOP}/$CACERT $file");`
			`$RET = $status if $status != 0;`
			`}`
			`} elsif ($WHAT eq '-crl' ) {`
			`$RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL");`
			`print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;`
			`} elsif ($WHAT eq '-revoke' ) {`
			`my $cname = $ARGV[1];`
			`if (!defined $cname) {`
			`print "Certificate filename is required; reason optional.\n";`
			`exit 1;`
			`}`
			`my $reason = $ARGV[2];`
			`$reason = " -crl_reason $reason"`
			`if defined $reason && crl_reason_ok($reason);`
			`$RET = run("$CA -revoke \"$cname\"" . $reason);`
			`} else {`
			`print STDERR "Unknown arg \"$WHAT\"\n";`
			`print STDERR "Use -help for help.\n";`
			`exit 1;`
This is a quick hack conversion of the 'CA.sh' script to perl. It fixes one bug in the original but is otherwise just as horrible :-) 1999-01-01 00:54:48 +00:00			`}`

Rewrite CA.pl.in Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-05-01 01:44:40 +00:00			`exit $RET;`