diff --git a/CHANGES b/CHANGES index 7c57410a73138d33e777ef7a5ba696525e00b1cb..b44f645adff3781585c2edf141e4853656906c0e 100644 --- a/CHANGES +++ b/CHANGES @@ -39,6 +39,9 @@ done while fixing the error code for the key-too-small case. [Annie Yousar ] + *) CA.sh has been removmed; use CA.pl instead. + [Rich Salz] + *) Removed old DES API. [Rich Salz] diff --git a/apps/CA.sh b/apps/CA.sh deleted file mode 100644 index 7ad6b8c52e74a11fd9ab9cf70160edfbabf62fd3..0000000000000000000000000000000000000000 --- a/apps/CA.sh +++ /dev/null 
@@ -1,198 +0,0 @@ -#!/bin/sh -# -# CA - wrapper around ca to make it easier to use ... basically ca requires -# some setup stuff to be done before you can use it and this makes -# things easier between now and when Eric is convinced to fix it :-) -# -# CA -newca ... will setup the right stuff -# CA -newreq ... will generate a certificate request -# CA -sign ... will sign the generated request and output -# -# At the end of that grab newreq.pem and newcert.pem (one has the key -# and the other the certificate) and cat them together and that is what -# you want/need ... I'll make even this a little cleaner later. -# -# -# 12-Jan-96 tjh Added more things ... including CA -signcert which -# converts a certificate to a request and then signs it. -# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG -# environment variable so this can be driven from -# a script. -# 25-Jul-96 eay Cleaned up filenames some more. -# 11-Jun-96 eay Fixed a few filename missmatches. -# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. -# 18-Apr-96 tjh Original hacking -# -# Tim Hudson -# tjh@cryptsoft.com -# - -# default openssl.cnf file has setup as per the following -# demoCA ... where everything is stored -cp_pem() { - infile=$1 - outfile=$2 - bound=$3 - flag=0 - exec <$infile; - while read line; do - if [ $flag -eq 1 ]; then - echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null - if [ $? -eq 0 ] ; then - echo $line >>$outfile - break - else - echo $line >>$outfile - fi - fi - - echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null - if [ $? 
-eq 0 ]; then - echo $line >$outfile - flag=1 - fi - done -} - -usage() { - echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 -} - -if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi - -if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year -CADAYS="-days 1095" # 3 years -REQ="$OPENSSL req $SSLEAY_CONFIG" -CA="$OPENSSL ca $SSLEAY_CONFIG" -VERIFY="$OPENSSL verify" -X509="$OPENSSL x509" -PKCS12="openssl pkcs12" - -if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi -CAKEY=./cakey.pem -CAREQ=./careq.pem -CACERT=./cacert.pem - -RET=0 - -while [ "$1" != "" ] ; do -case $1 in --\?|-h|-help) - usage - exit 0 - ;; --newcert) - # create a certificate - $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS - RET=$? - echo "Certificate is in newcert.pem, private key is in newkey.pem" - ;; --newreq) - # create a certificate request - $REQ -new -keyout newkey.pem -out newreq.pem $DAYS - RET=$? - echo "Request is in newreq.pem, private key is in newkey.pem" - ;; --newreq-nodes) - # create a certificate request - $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS - RET=$? - echo "Request (and private key) is in newreq.pem" - ;; --newca) - # if explicitly asked for or it doesn't exist then setup the directory - # structure that Eric likes to manage things - NEW="1" - if [ "$NEW" -o ! -f ${CATOP}/serial ]; then - # create the directory hierarchy - mkdir -p ${CATOP} - mkdir -p ${CATOP}/certs - mkdir -p ${CATOP}/crl - mkdir -p ${CATOP}/newcerts - mkdir -p ${CATOP}/private - touch ${CATOP}/index.txt - fi - if [ ! -f ${CATOP}/private/$CAKEY ]; then - echo "CA certificate filename (or enter to create)" - read FILE - - # ask user for existing CA certificate - if [ "$FILE" ]; then - cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE - cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE - RET=$? - if [ ! -f "${CATOP}/serial" ]; then - $X509 -in ${CATOP}/$CACERT -noout -next_serial \ - -out ${CATOP}/serial - fi - else - echo "Making CA certificate ..." 
- $REQ -new -keyout ${CATOP}/private/$CAKEY \ - -out ${CATOP}/$CAREQ - $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ - -keyfile ${CATOP}/private/$CAKEY -selfsign \ - -extensions v3_ca \ - -infiles ${CATOP}/$CAREQ - RET=$? - fi - fi - ;; --xsign) - $CA -policy policy_anything -infiles newreq.pem - RET=$? - ;; --pkcs12) - if [ -z "$2" ] ; then - CNAME="My Certificate" - else - CNAME="$2" - fi - $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ - -out newcert.p12 -export -name "$CNAME" - RET=$? - exit $RET - ;; --sign|-signreq) - $CA -policy policy_anything -out newcert.pem -infiles newreq.pem - RET=$? - cat newcert.pem - echo "Signed certificate is in newcert.pem" - ;; --signCA) - $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem - RET=$? - echo "Signed CA certificate is in newcert.pem" - ;; --signcert) - echo "Cert passphrase will be requested twice - bug?" - $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem - $CA -policy policy_anything -out newcert.pem -infiles tmp.pem - RET=$? - cat newcert.pem - echo "Signed certificate is in newcert.pem" - ;; --verify) - shift - if [ -z "$1" ]; then - $VERIFY -CAfile $CATOP/$CACERT newcert.pem - RET=$? - else - for j - do - $VERIFY -CAfile $CATOP/$CACERT $j - if [ $? != 0 ]; then - RET=$? - fi - done - fi - exit $RET - ;; -*) - echo "Unknown arg $i" >&2 - usage - exit 1 - ;; -esac -shift -done -exit $RET diff --git a/apps/Makefile b/apps/Makefile index 25e197fb46328179e70724ca5592310855be21d5..c7a6094c309e1b53543f54d0f751e77c8800b1c4 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -31,7 +31,7 @@ LIBSSL=-L.. -lssl PROGRAM= openssl -SCRIPTS=CA.sh CA.pl tsget +SCRIPTS=CA.pl tsget EXE= $(PROGRAM)$(EXE_EXT) diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 42d7f83ab7277d1d7e059d37de36164112da4b6b..997fa2052de1c3aff479c2977eb5c0a62a3465e7 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod 
@@ -641,8 +641,8 @@ the database has to be kept in memory. The B command really needs rewriting or the required functionality exposed at either a command or interface level so a more friendly utility -(perl script or GUI) can handle things properly. The scripts B and -B help a little but not very much. +(perl script or GUI) can handle things properly. The script +B helps a little but not very much. Any fields in a request that are not present in a policy are silently deleted. This does not happen if the B<-preserveDN> option is used. To diff --git a/test/Makefile b/test/Makefile index 13b92852ca1f2910a0bca1207021b8e922240814..e3fb791e101e2f3b883011e1c5d7eb3ddc4ebefc 100644 --- a/test/Makefile +++ b/test/Makefile @@ -352,7 +352,7 @@ test_ca: ../apps/openssl$(EXE_EXT) testca CAss.cnf Uss.cnf echo SKIP $@ -- requires RSA; \ else \ echo $(START) $@; \ - sh ./testca; \ + sh ./testca $(PERL); \ fi test_tsa: ../apps/openssl$(EXE_EXT) testtsa CAtsa.cnf ../util/shlib_wrap.sh diff --git a/test/testca b/test/testca index 2cffeb717b7a277e2a8ad12e91225cd7ebe08fc4..0e2d05c5720a603d5626e2dd007662e5b503dae5 100644 --- a/test/testca +++ b/test/testca @@ -1,12 +1,13 @@ #!/bin/sh -SH="/bin/sh" +PERL="$1" + if test "$OSTYPE" = msdosdjgpp; then PATH="../apps\;$PATH" else PATH="../apps:$PATH" fi -export SH PATH +export PATH SSLEAY_CONFIG="-config CAss.cnf" export SSLEAY_CONFIG @@ -15,7 +16,7 @@ OPENSSL="`pwd`/../util/opensslwrap.sh" export OPENSSL /bin/rm -fr demoCA -OPENSSL_CONFIG=/dev/null $SH ../apps/CA.sh -newca <
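Review bot: `$(PERL)` is passed to testca unquoted in the test_ca recipe, and the first test/testca hunk accepts it with `PERL="$1"` and no check, so an empty or multi-word PERL setting reaches the script as a missing or truncated interpreter path. Quoting the argument in the recipe, `sh ./testca "$(PERL)"; \`, and failing early in testca with `PERL="${1:?usage: testca /path/to/perl}"` would make a misconfigured or hand-run invocation stop with a clear message. How `$PERL` is used is in the second testca hunk, which is cut off in this view, so the exact failure mode is an inference. The test_ca recipe starts above its hunk.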