author | marko asplund <marko.asplund@gmail.com> | 2016-10-28 10:01:02 +0300 |
committer | Rich Salz <rsalz@openssl.org> | 2016-11-14 13:08:23 -0500 |
commit | 022696cab014ffb94c8ef0bfc79c8955b9970eb6 (patch) | |
tree | 6756919e57c8f650600f348cf47e21ad40bd02bf /apps/CA.pl.in | |
parent | af5474126546b558b0e6f8be4bec4b70977e24b7 (diff) |
Allow CA.pl script user to pass extra arguments to openssl command
Useful e.g. to fully script CA commands
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1797)
Diffstat (limited to 'apps/CA.pl.in')
-rw-r--r-- | apps/CA.pl.in | 52 |
1 files changed, 35 insertions, 17 deletions
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index 3187e473d2..11566dfc21 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -46,8 +46,25 @@ my $NEWCERT = "newcert.pem";
 my $NEWP12 = "newcert.p12";
 my $RET = 0;
 my $WHAT = shift @ARGV || "";
+my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
+my %EXTRA = extra_args(\@ARGV, "-extra-");
 my $FILE;
+sub extra_args {
+ my ($args_ref, $arg_prefix) = @_;
+ my %eargs = map {
+ if ($_ < $#$args_ref) {
+ my ($arg, $value) = splice(@$args_ref, $_, 2);
+ $arg =~ s/$arg_prefix//;
+ ($arg, $value);
+ } else {
+ ();
+ }
+ } reverse grep($$args_ref[$_] =~ /$arg_prefix/, 0..$#$args_ref);
+ my %empty = map { ($_, "") } @OPENSSL_CMDS;
+ return (%empty, %eargs);
+}
+
 # See if reason for a CRL entry is valid; exit if not.
 sub crl_reason_ok {
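Review bot: The flag detection in `extra_args` is an unanchored substring match, so any positional argument that merely contains `-extra-` (for example a certname such as `my-extra-cert` given to `-pkcs12`) is spliced out of @ARGV together with the argument after it, and `s/$arg_prefix//` then strips the first occurrence wherever it sits. Anchoring and quoting the prefix in both places confines the behaviour to real flags: `reverse grep($$args_ref[$_] =~ /\A\Q$arg_prefix\E/, 0..$#$args_ref);` and `$arg =~ s/\A\Q$arg_prefix\E//;`. A flag given as the last argument with no value falls into the `else` branch and is left in @ARGV, where the later branches treat it as a positional argument; either warning and removing it or documenting that every `-extra-cmd` needs a value would be clearer. The reverse iteration is what keeps the splice indices valid; a comment such as `# splice from the highest index down so earlier indices stay valid` would spare the next reader that deduction. Note that the collected values are interpolated verbatim into the command strings handed to run(), whose body is outside this hunk, so any quoting a value needs for the shell is the caller's responsibility.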
@@ -96,22 +113,23 @@ sub run
 if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
- print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
- print STDERR " CA -pkcs12 [certname]\n";
- print STDERR " CA -crl|-revoke cert-filename [reason]\n";
+ print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
+ print STDERR " CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
+ print STDERR " CA.pl -verify [-extra-verify extra-params] certfile ...\n";
+ print STDERR " CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
 exit 0;
 }
 if ($WHAT eq '-newcert' ) {
 # create a certificate
- $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS");
+ $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
 print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
 } elsif ($WHAT eq '-newreq' ) {
 # create a certificate request
- $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS");
+ $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
 print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
 } elsif ($WHAT eq '-newreq-nodes' ) {
 # create a certificate request
- $RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS");
+ $RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
 print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
 } elsif ($WHAT eq '-newca' ) {
 # create the directory hierarchy
@@ -136,11 +154,11 @@ if ($WHAT eq '-newcert' ) {
 print "Making CA certificate ...\n";
 $RET = run("$REQ -new -keyout"
 . " ${CATOP}/private/$CAKEY"
- . " -out ${CATOP}/$CAREQ");
+ . " -out ${CATOP}/$CAREQ $EXTRA{req}");
 $RET = run("$CA -create_serial"
 . " -out ${CATOP}/$CACERT $CADAYS -batch"
 . " -keyfile ${CATOP}/private/$CAKEY -selfsign"
- . " -extensions v3_ca"
+ . " -extensions v3_ca $EXTRA{ca}"
 . " -infiles ${CATOP}/$CAREQ") if $RET == 0;
 print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
 }
@@ -150,32 +168,32 @@ if ($WHAT eq '-newcert' ) {
 $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
 . " -certfile ${CATOP}/$CACERT"
 . " -out $NEWP12"
- . " -export -name \"$cname\"");
+ . " -export -name \"$cname\" $EXTRA{pkcs12}");
 print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
 } elsif ($WHAT eq '-xsign' ) {
- $RET = run("$CA -policy policy_anything -infiles $NEWREQ");
+ $RET = run("$CA -policy policy_anything $EXTRA{ca} -infiles $NEWREQ");
 } elsif ($WHAT eq '-sign' ) {
- $RET = run("$CA -policy policy_anything -out $NEWCERT -infiles $NEWREQ");
+ $RET = run("$CA -policy policy_anything -out $NEWCERT $EXTRA{ca} -infiles $NEWREQ");
 print "Signed certificate is in $NEWCERT\n" if $RET == 0;
 } elsif ($WHAT eq '-signCA' ) {
 $RET = run("$CA -policy policy_anything -out $NEWCERT"
- . " -extensions v3_ca -infiles $NEWREQ");
+ . " -extensions v3_ca $EXTRA{ca} -infiles $NEWREQ");
 print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
 } elsif ($WHAT eq '-signcert' ) {
 $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
- . " -out tmp.pem");
+ . " -out tmp.pem $EXTRA{x509}");
 $RET = run("$CA -policy policy_anything -out $NEWCERT"
- . " -infiles tmp.pem") if $RET == 0;
+ . "$EXTRA{ca} -infiles tmp.pem") if $RET == 0;
 print "Signed certificate is in $NEWCERT\n" if $RET == 0;
 } elsif ($WHAT eq '-verify' ) {
 my @files = @ARGV ? @ARGV : ( $NEWCERT );
 my $file;
 foreach $file (@files) {
- my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file");
+ my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file $EXTRA{verify}");
 $RET = $status if $status != 0;
 }
 } elsif ($WHAT eq '-crl' ) {
- $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL");
+ $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL $EXTRA{ca}");
 print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
 } elsif ($WHAT eq '-revoke' ) {
 my $cname = $ARGV[1];
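Review bot: In the `-signcert` branch the new continuation `. "$EXTRA{ca} -infiles tmp.pem"` has no separator before `$EXTRA{ca}`, so whenever `-extra-ca` is given its first word is glued onto the preceding `-out $NEWCERT` token (e.g. `-out newcert.pem-batch`), and the `ca` command then writes to a different file or rejects the argument. The same defect is in the `-revoke` line of the next hunk, where `. $reason . $EXTRA{ca}` appends the extra arguments directly after the reason, or after the quoted name when no reason was given. The fix is a leading space in both places: `. " $EXTRA{ca} -infiles tmp.pem") if $RET == 0;` and `$RET = run("$CA -revoke \"$cname\"" . $reason . " $EXTRA{ca}");`. Every other new line in this hunk does put a space before the interpolated value, so these two are simply inconsistent with their neighbours. The if/elsif chain these lines belong to starts and ends outside the hunk.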
@@ -186,7 +204,7 @@ if ($WHAT eq '-newcert' ) {
 my $reason = $ARGV[2];
 $reason = " -crl_reason $reason" if defined $reason && crl_reason_ok($reason);
- $RET = run("$CA -revoke \"$cname\"" . $reason);
+ $RET = run("$CA -revoke \"$cname\"" . $reason . $EXTRA{ca});
 } else {
 print STDERR "Unknown arg \"$WHAT\"\n";
 print STDERR "Use -help for help.\n";
|