Make "make variables" config attributes for overridable flags
With the support of "make variables" comes the possibility for the
user to override them. However, we need to make a difference between
defaults that we use (and that should be overridable by the user) and
flags that are crucial for building OpenSSL (should not be
overridable).
Typically, overridable flags are those setting optimization levels,
warnings levels, that kind of thing, while non-overridable flags are,
for example, macros that indicate aspects of how the config target
should be treated, such as L_ENDIAN and B_ENDIAN.
We do that differentiation by allowing upper case attributes in the
config targets, named exactly like the "make variables" we support,
and reserving the lower case attributes for non-overridable project
flags.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-07 03:35:30 +08:00
|
|
|
#!{- $config{HASHBANGPERL} -}
|
2020-04-23 20:55:52 +08:00
|
|
|
# Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
|
2016-04-20 10:10:43 +08:00
|
|
|
#
|
2018-12-06 20:00:26 +08:00
|
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-04-20 10:10:43 +08:00
|
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
|
|
# in the file LICENSE in the source distribution or at
|
|
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
|
1999-01-01 08:54:48 +08:00
|
|
|
#
|
2015-05-01 09:44:40 +08:00
|
|
|
# Wrapper around the ca to make it easier to use
|
2016-01-26 04:19:59 +08:00
|
|
|
#
|
|
|
|
# {- join("\n# ", @autowarntext) -}
|
1999-01-01 08:54:48 +08:00
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
use strict;
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
my $verbose = 1;
|
2020-03-17 03:53:00 +08:00
|
|
|
my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
|
1999-01-01 08:54:48 +08:00
|
|
|
|
2020-03-17 03:53:00 +08:00
|
|
|
my $openssl = $ENV{'OPENSSL'} // "openssl";
|
|
|
|
$ENV{'OPENSSL'} = $openssl;
|
|
|
|
my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} // "";
|
|
|
|
|
|
|
|
# Command invocations.
|
2015-10-28 03:11:48 +08:00
|
|
|
my $REQ = "$openssl req $OPENSSL_CONFIG";
|
|
|
|
my $CA = "$openssl ca $OPENSSL_CONFIG";
|
2015-05-01 09:44:40 +08:00
|
|
|
my $VERIFY = "$openssl verify";
|
|
|
|
my $X509 = "$openssl x509";
|
|
|
|
my $PKCS12 = "$openssl pkcs12";
|
1999-01-01 08:54:48 +08:00
|
|
|
|
2020-03-17 03:53:00 +08:00
|
|
|
# Default values for various configuration settings.
|
2015-05-01 09:44:40 +08:00
|
|
|
my $CATOP = "./demoCA";
|
|
|
|
my $CAKEY = "cakey.pem";
|
|
|
|
my $CAREQ = "careq.pem";
|
|
|
|
my $CACERT = "cacert.pem";
|
|
|
|
my $CACRL = "crl.pem";
|
2020-03-17 03:53:00 +08:00
|
|
|
my $DAYS = "-days 365";
|
|
|
|
my $CADAYS = "-days 1095"; # 3 years
|
2015-05-01 09:44:40 +08:00
|
|
|
my $NEWKEY = "newkey.pem";
|
|
|
|
my $NEWREQ = "newreq.pem";
|
|
|
|
my $NEWCERT = "newcert.pem";
|
|
|
|
my $NEWP12 = "newcert.p12";
|
2020-03-17 03:53:00 +08:00
|
|
|
|
|
|
|
# Commandline parsing
|
|
|
|
my %EXTRA;
|
2016-05-23 21:47:43 +08:00
|
|
|
my $WHAT = shift @ARGV || "";
|
2020-03-17 03:53:00 +08:00
|
|
|
@ARGV = parse_extra(@ARGV);
|
|
|
|
my $RET = 0;
|
|
|
|
|
|
|
|
# Split out "-extra-CMD value", and return new |@ARGV|. Fill in
|
|
|
|
# |EXTRA{CMD}| with list of values.
|
|
|
|
sub parse_extra
|
|
|
|
{
|
|
|
|
foreach ( @OPENSSL_CMDS ) {
|
|
|
|
$EXTRA{$_} = '';
|
|
|
|
}
|
|
|
|
|
|
|
|
my @result;
|
|
|
|
while ( scalar(@_) > 0 ) {
|
|
|
|
my $arg = shift;
|
|
|
|
if ( $arg !~ m/-extra-([a-z0-9]+)/ ) {
|
|
|
|
push @result, $arg;
|
|
|
|
next;
|
|
|
|
}
|
|
|
|
$arg =~ s/-extra-//;
|
|
|
|
die("Unknown \"-${arg}-extra\" option, exiting")
|
|
|
|
unless scalar grep { $arg eq $_ } @OPENSSL_CMDS;
|
|
|
|
$EXTRA{$arg} .= " " . shift;
|
|
|
|
}
|
|
|
|
return @result;
|
2016-10-28 15:01:02 +08:00
|
|
|
}
|
|
|
|
|
2020-03-17 03:53:00 +08:00
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
# See if reason for a CRL entry is valid; exit if not.
|
|
|
|
sub crl_reason_ok
|
|
|
|
{
|
|
|
|
my $r = shift;
|
1999-01-01 08:54:48 +08:00
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
if ($r eq 'unspecified' || $r eq 'keyCompromise'
|
|
|
|
|| $r eq 'CACompromise' || $r eq 'affiliationChanged'
|
|
|
|
|| $r eq 'superseded' || $r eq 'cessationOfOperation'
|
|
|
|
|| $r eq 'certificateHold' || $r eq 'removeFromCRL') {
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
print STDERR "Invalid CRL reason; must be one of:\n";
|
|
|
|
print STDERR " unspecified, keyCompromise, CACompromise,\n";
|
|
|
|
print STDERR " affiliationChanged, superseded, cessationOfOperation\n";
|
|
|
|
print STDERR " certificateHold, removeFromCRL";
|
|
|
|
exit 1;
|
1999-01-01 08:54:48 +08:00
|
|
|
}
|
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
# Copy a PEM-format file; return like exit status (zero means ok)
|
|
|
|
sub copy_pemfile
|
|
|
|
{
|
|
|
|
my ($infile, $outfile, $bound) = @_;
|
|
|
|
my $found = 0;
|
1999-01-01 08:54:48 +08:00
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
open IN, $infile || die "Cannot open $infile, $!";
|
|
|
|
open OUT, ">$outfile" || die "Cannot write to $outfile, $!";
|
|
|
|
while (<IN>) {
|
|
|
|
$found = 1 if /^-----BEGIN.*$bound/;
|
|
|
|
print OUT $_ if $found;
|
|
|
|
$found = 2, last if /^-----END.*$bound/;
|
|
|
|
}
|
|
|
|
close IN;
|
|
|
|
close OUT;
|
|
|
|
return $found == 2 ? 0 : 1;
|
2014-09-05 04:59:44 +08:00
|
|
|
}
|
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
# Wrapper around system; useful for debugging. Returns just the exit status
|
|
|
|
sub run
|
|
|
|
{
|
|
|
|
my $cmd = shift;
|
|
|
|
print "====\n$cmd\n" if $verbose;
|
|
|
|
my $status = system($cmd);
|
|
|
|
print "==> $status\n====\n" if $verbose;
|
|
|
|
return $status >> 8;
|
1999-01-01 08:54:48 +08:00
|
|
|
}
|
2015-05-01 09:44:40 +08:00
|
|
|
|
|
|
|
|
|
|
|
if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
|
2020-03-17 03:53:00 +08:00
|
|
|
print STDERR <<EOF;
|
|
|
|
Usage:
|
|
|
|
CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter]
|
|
|
|
CA.pl -pkcs12 [-extra-pkcs12 parameter] [certname]
|
|
|
|
CA.pl -verify [-extra-verify parameter] certfile ...
|
|
|
|
CA.pl -revoke [-extra-ca parameter] certfile [reason]
|
|
|
|
EOF
|
2015-05-01 09:44:40 +08:00
|
|
|
exit 0;
|
|
|
|
}
|
2020-03-17 03:53:00 +08:00
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
if ($WHAT eq '-newcert' ) {
|
|
|
|
# create a certificate
|
2020-03-17 03:53:00 +08:00
|
|
|
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS"
|
|
|
|
. " $EXTRA{req}");
|
2015-05-01 09:44:40 +08:00
|
|
|
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
|
2017-01-14 03:06:03 +08:00
|
|
|
} elsif ($WHAT eq '-precert' ) {
|
2016-03-11 03:15:13 +08:00
|
|
|
# create a pre-certificate
|
2020-03-17 03:53:00 +08:00
|
|
|
$RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS"
|
|
|
|
. " $EXTRA{req}");
|
2016-03-11 03:15:13 +08:00
|
|
|
print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
|
2017-10-08 02:59:18 +08:00
|
|
|
} elsif ($WHAT =~ /^\-newreq(\-nodes)?$/ ) {
|
2015-05-01 09:44:40 +08:00
|
|
|
# create a certificate request
|
2017-10-06 23:06:12 +08:00
|
|
|
$RET = run("$REQ -new $1 -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
|
2015-05-01 09:44:40 +08:00
|
|
|
print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
|
|
|
|
} elsif ($WHAT eq '-newca' ) {
|
|
|
|
# create the directory hierarchy
|
2020-03-17 03:53:00 +08:00
|
|
|
my @dirs = ( "${CATOP}", "${CATOP}/certs", "${CATOP}/crl",
|
|
|
|
"${CATOP}/newcerts", "${CATOP}/private" );
|
|
|
|
die "${CATOP}/index.txt exists.\nRemove old sub-tree to proceed,"
|
|
|
|
if -f "${CATOP}/index.txt";
|
|
|
|
die "${CATOP}/serial exists.\nRemove old sub-tree to proceed,"
|
|
|
|
if -f "${CATOP}/serial";
|
|
|
|
foreach my $d ( @dirs ) {
|
|
|
|
if ( -d $d ) {
|
|
|
|
warn "Directory $d exists" if -d $d;
|
|
|
|
} else {
|
|
|
|
mkdir $d or die "Can't mkdir $d, $!";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
open OUT, ">${CATOP}/index.txt";
|
|
|
|
close OUT;
|
|
|
|
open OUT, ">${CATOP}/crlnumber";
|
|
|
|
print OUT "01\n";
|
|
|
|
close OUT;
|
|
|
|
# ask user for existing CA certificate
|
|
|
|
print "CA certificate filename (or enter to create)\n";
|
2020-03-17 03:53:00 +08:00
|
|
|
my $FILE;
|
2016-02-13 15:53:13 +08:00
|
|
|
$FILE = "" unless defined($FILE = <STDIN>);
|
|
|
|
$FILE =~ s{\R$}{};
|
|
|
|
if ($FILE ne "") {
|
2015-05-01 09:44:40 +08:00
|
|
|
copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
|
|
|
|
copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
|
|
|
|
} else {
|
|
|
|
print "Making CA certificate ...\n";
|
2020-03-17 03:53:00 +08:00
|
|
|
$RET = run("$REQ -new -keyout ${CATOP}/private/$CAKEY"
|
2016-10-28 15:01:02 +08:00
|
|
|
. " -out ${CATOP}/$CAREQ $EXTRA{req}");
|
2015-05-01 09:44:40 +08:00
|
|
|
$RET = run("$CA -create_serial"
|
|
|
|
. " -out ${CATOP}/$CACERT $CADAYS -batch"
|
|
|
|
. " -keyfile ${CATOP}/private/$CAKEY -selfsign"
|
2020-03-17 03:53:00 +08:00
|
|
|
. " -extensions v3_ca"
|
|
|
|
. " -infiles ${CATOP}/$CAREQ $EXTRA{ca}") if $RET == 0;
|
2015-05-01 09:44:40 +08:00
|
|
|
print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
|
|
|
|
}
|
|
|
|
} elsif ($WHAT eq '-pkcs12' ) {
|
2017-12-03 20:23:21 +08:00
|
|
|
my $cname = $ARGV[0];
|
2015-05-01 09:44:40 +08:00
|
|
|
$cname = "My Certificate" unless defined $cname;
|
|
|
|
$RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
|
2020-03-17 03:53:00 +08:00
|
|
|
. " -certfile ${CATOP}/$CACERT -out $NEWP12"
|
2016-10-28 15:01:02 +08:00
|
|
|
. " -export -name \"$cname\" $EXTRA{pkcs12}");
|
2015-05-01 09:44:40 +08:00
|
|
|
print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
|
|
|
|
} elsif ($WHAT eq '-xsign' ) {
|
2020-03-17 03:53:00 +08:00
|
|
|
$RET = run("$CA -policy policy_anything -infiles $NEWREQ $EXTRA{ca}");
|
2015-05-01 09:44:40 +08:00
|
|
|
} elsif ($WHAT eq '-sign' ) {
|
2020-03-17 03:53:00 +08:00
|
|
|
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
|
|
|
. " -infiles $NEWREQ $EXTRA{ca}");
|
2015-05-01 09:44:40 +08:00
|
|
|
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
|
|
|
|
} elsif ($WHAT eq '-signCA' ) {
|
|
|
|
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
2020-03-17 03:53:00 +08:00
|
|
|
. " -extensions v3_ca -infiles $NEWREQ $EXTRA{ca}");
|
2015-05-01 09:44:40 +08:00
|
|
|
print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
|
|
|
|
} elsif ($WHAT eq '-signcert' ) {
|
|
|
|
$RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
|
2016-10-28 15:01:02 +08:00
|
|
|
. " -out tmp.pem $EXTRA{x509}");
|
2015-05-01 09:44:40 +08:00
|
|
|
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
2020-03-17 03:53:00 +08:00
|
|
|
. "-infiles tmp.pem $EXTRA{ca}") if $RET == 0;
|
2015-05-01 09:44:40 +08:00
|
|
|
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
|
|
|
|
} elsif ($WHAT eq '-verify' ) {
|
2015-05-01 19:11:17 +08:00
|
|
|
my @files = @ARGV ? @ARGV : ( $NEWCERT );
|
2020-03-17 03:53:00 +08:00
|
|
|
foreach my $file (@files) {
|
|
|
|
my $status = run("$VERIFY -CAfile ${CATOP}/$CACERT $file $EXTRA{verify}");
|
2015-05-01 09:44:40 +08:00
|
|
|
$RET = $status if $status != 0;
|
|
|
|
}
|
|
|
|
} elsif ($WHAT eq '-crl' ) {
|
2016-10-28 15:01:02 +08:00
|
|
|
$RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL $EXTRA{ca}");
|
2015-05-01 09:44:40 +08:00
|
|
|
print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
|
|
|
|
} elsif ($WHAT eq '-revoke' ) {
|
2017-12-03 20:23:21 +08:00
|
|
|
my $cname = $ARGV[0];
|
2015-05-01 09:44:40 +08:00
|
|
|
if (!defined $cname) {
|
|
|
|
print "Certificate filename is required; reason optional.\n";
|
|
|
|
exit 1;
|
|
|
|
}
|
2017-12-03 20:23:21 +08:00
|
|
|
my $reason = $ARGV[1];
|
2015-05-01 09:44:40 +08:00
|
|
|
$reason = " -crl_reason $reason"
|
|
|
|
if defined $reason && crl_reason_ok($reason);
|
2016-10-28 15:01:02 +08:00
|
|
|
$RET = run("$CA -revoke \"$cname\"" . $reason . $EXTRA{ca});
|
2015-05-01 09:44:40 +08:00
|
|
|
} else {
|
|
|
|
print STDERR "Unknown arg \"$WHAT\"\n";
|
|
|
|
print STDERR "Use -help for help.\n";
|
|
|
|
exit 1;
|
1999-01-01 08:54:48 +08:00
|
|
|
}
|
|
|
|
|
2015-05-01 09:44:40 +08:00
|
|
|
exit $RET;
|