提交 be739b0c 编写于 作者: R Rich Salz

Drop CA.sh for CA.pl

Remove CA.sh script and use CA.pl for testing, etc.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
上级 5adac91e
......@@ -39,6 +39,9 @@
done while fixing the error code for the key-too-small case.
[Annie Yousar <a.yousar@informatik.hu-berlin.de>]
*) CA.sh has been removmed; use CA.pl instead.
[Rich Salz]
*) Removed old DES API.
[Rich Salz]
......
#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
cp_pem() {
infile=$1
outfile=$2
bound=$3
flag=0
exec <$infile;
while read line; do
if [ $flag -eq 1 ]; then
echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ] ; then
echo $line >>$outfile
break
else
echo $line >>$outfile
fi
fi
echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ]; then
echo $line >$outfile
flag=1
fi
done
}
usage() {
echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
}
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
CADAYS="-days 1095" # 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
RET=0
while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
usage
exit 0
;;
-newcert)
# create a certificate
$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
RET=$?
echo "Certificate is in newcert.pem, private key is in newkey.pem"
;;
-newreq)
# create a certificate request
$REQ -new -keyout newkey.pem -out newreq.pem $DAYS
RET=$?
echo "Request is in newreq.pem, private key is in newkey.pem"
;;
-newreq-nodes)
# create a certificate request
$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
RET=$?
echo "Request (and private key) is in newreq.pem"
;;
-newca)
# if explicitly asked for or it doesn't exist then setup the directory
# structure that Eric likes to manage things
NEW="1"
if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
# create the directory hierarchy
mkdir -p ${CATOP}
mkdir -p ${CATOP}/certs
mkdir -p ${CATOP}/crl
mkdir -p ${CATOP}/newcerts
mkdir -p ${CATOP}/private
touch ${CATOP}/index.txt
fi
if [ ! -f ${CATOP}/private/$CAKEY ]; then
echo "CA certificate filename (or enter to create)"
read FILE
# ask user for existing CA certificate
if [ "$FILE" ]; then
cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
RET=$?
if [ ! -f "${CATOP}/serial" ]; then
$X509 -in ${CATOP}/$CACERT -noout -next_serial \
-out ${CATOP}/serial
fi
else
echo "Making CA certificate ..."
$REQ -new -keyout ${CATOP}/private/$CAKEY \
-out ${CATOP}/$CAREQ
$CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
-keyfile ${CATOP}/private/$CAKEY -selfsign \
-extensions v3_ca \
-infiles ${CATOP}/$CAREQ
RET=$?
fi
fi
;;
-xsign)
$CA -policy policy_anything -infiles newreq.pem
RET=$?
;;
-pkcs12)
if [ -z "$2" ] ; then
CNAME="My Certificate"
else
CNAME="$2"
fi
$PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
-out newcert.p12 -export -name "$CNAME"
RET=$?
exit $RET
;;
-sign|-signreq)
$CA -policy policy_anything -out newcert.pem -infiles newreq.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-signCA)
$CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
RET=$?
echo "Signed CA certificate is in newcert.pem"
;;
-signcert)
echo "Cert passphrase will be requested twice - bug?"
$X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$CA -policy policy_anything -out newcert.pem -infiles tmp.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-verify)
shift
if [ -z "$1" ]; then
$VERIFY -CAfile $CATOP/$CACERT newcert.pem
RET=$?
else
for j
do
$VERIFY -CAfile $CATOP/$CACERT $j
if [ $? != 0 ]; then
RET=$?
fi
done
fi
exit $RET
;;
*)
echo "Unknown arg $i" >&2
usage
exit 1
;;
esac
shift
done
exit $RET
......@@ -31,7 +31,7 @@ LIBSSL=-L.. -lssl
PROGRAM= openssl
SCRIPTS=CA.sh CA.pl tsget
SCRIPTS=CA.pl tsget
EXE= $(PROGRAM)$(EXE_EXT)
......
......@@ -641,8 +641,8 @@ the database has to be kept in memory.
The B<ca> command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility
(perl script or GUI) can handle things properly. The scripts B<CA.sh> and
B<CA.pl> help a little but not very much.
(perl script or GUI) can handle things properly. The script
B<CA.pl> helps a little but not very much.
Any fields in a request that are not present in a policy are silently
deleted. This does not happen if the B<-preserveDN> option is used. To
......
......@@ -352,7 +352,7 @@ test_ca: ../apps/openssl$(EXE_EXT) testca CAss.cnf Uss.cnf
echo SKIP $@ -- requires RSA; \
else \
echo $(START) $@; \
sh ./testca; \
sh ./testca $(PERL); \
fi
test_tsa: ../apps/openssl$(EXE_EXT) testtsa CAtsa.cnf ../util/shlib_wrap.sh
......
#!/bin/sh
SH="/bin/sh"
PERL="$1"
if test "$OSTYPE" = msdosdjgpp; then
PATH="../apps\;$PATH"
else
PATH="../apps:$PATH"
fi
export SH PATH
export PATH
SSLEAY_CONFIG="-config CAss.cnf"
export SSLEAY_CONFIG
......@@ -15,7 +16,7 @@ OPENSSL="`pwd`/../util/opensslwrap.sh"
export OPENSSL
/bin/rm -fr demoCA
OPENSSL_CONFIG=/dev/null $SH ../apps/CA.sh -newca <<EOF
OPENSSL_CONFIG=/dev/null $PERL ../apps/CA.pl -newca <<EOF
EOF
if [ $? != 0 ]; then
......@@ -24,7 +25,7 @@ fi
SSLEAY_CONFIG="-config Uss.cnf"
export SSLEAY_CONFIG
$SH ../apps/CA.sh -newreq
$PERL ../apps/CA.pl -newreq
if [ $? != 0 ]; then
exit 1;
fi
......@@ -32,7 +33,7 @@ fi
SSLEAY_CONFIG="-config ../apps/openssl.cnf"
export SSLEAY_CONFIG
$SH ../apps/CA.sh -sign <<EOF
$PERL ../apps/CA.pl -sign <<EOF
y
y
EOF
......@@ -41,7 +42,7 @@ if [ $? != 0 ]; then
fi
$SH ../apps/CA.sh -verify newcert.pem
$PERL ../apps/CA.pl -verify newcert.pem
if [ $? != 0 ]; then
exit 1;
fi
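Review bot: `PERL="$1"` has no fallback, so if testca is run without an argument (as the old `sh ./testca` recipe did) or test/Makefile's `$(PERL)` is empty, every `$PERL ../apps/CA.pl` line degrades to executing `../apps/CA.pl` directly, and the failure then depends on the file's mode bits and shebang rather than producing a clear error; `PERL="${1:-perl}"` would make the intent explicit. The same coupling applies to the `sh ./testca $(PERL);` change in the test/Makefile hunk, which assumes `PERL` is always defined by the build. The `-newca` run still relies on `OPENSSL_CONFIG=/dev/null` plus an empty heredoc to answer the interactive prompt, so a comment such as `# empty input: create a new CA rather than reusing an existing certificate` on that line would help the next reader. This section's hunks cover only parts of the script; the surrounding lines are outside the view.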
......
......@@ -14,7 +14,7 @@ export SH PATH
OPENSSL_CONF="../CAtsa.cnf"
export OPENSSL_CONF
# Because that's what ../apps/CA.sh really looks at
# Because that's what ../apps/CA.pl really looks at
SSLEAY_CONFIG="-config $OPENSSL_CONF"
export SSLEAY_CONFIG
......
......@@ -13,7 +13,7 @@ $ exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
$
$ openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
$ OPENSSL_CONF = "[-]CAtsa.cnf"
$ ! Because that's what ../apps/CA.sh really looks at
$ ! Because that's what ../apps/CA.pl really looks at
$ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
$
$ error:
......
......@@ -417,13 +417,13 @@ sub get_tests
);
$copies .= copy_scripts(1, 'util', @utils);
my @apps = ( 'CA.sh',
my @apps = ( 'CA.pl',
'openssl.cnf',
'server2.pem',
);
$copies .= copy_scripts(1, 'apps', @apps);
$scripts = "test_scripts: \$(TEST_D)/CA.sh \$(TEST_D)/opensslwrap.sh \$(TEST_D)/openssl.cnf \$(TEST_D)/shlib_wrap.sh ocsp smime\n";
$scripts = "test_scripts: \$(TEST_D)/CA.pl \$(TEST_D)/opensslwrap.sh \$(TEST_D)/openssl.cnf \$(TEST_D)/shlib_wrap.sh ocsp smime\n";
$scripts .= "\nocsp:\n\tcp -R test/ocsp-tests \$(TEST_D)\n";
$scripts .= "\smime:\n\tcp -R test/smime-certs \$(TEST_D)\n";
......