Revision a520723f29aac6598ff0d69e34f5e9b88213e511 authored by Matt Caswell on 14 October 2016, 12:07:00 UTC, committed by Matt Caswell on 28 October 2016, 08:43:41 UTC
The previous commit inspired a review of all the length checks for the extension adding code. This adds more robust checks and adds checks where some were missing previously. The real solution for this is to use WPACKET which is currently in master - but that cannot be applied to release branches. Reviewed-by: Rich Salz <rsalz@openssl.org>
1 parent 83a1d4b
testss.com
$! TESTSS.COM
$
$ __arch = "VAX"
$ if f$getsyi("cpu") .ge. 128 then -
__arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
$ if __arch .eqs. "" then __arch = "UNK"
$!
$ if (p1 .eqs. "64") then __arch = __arch+ "_64"
$!
$ exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
$
$ digest="-md5"
$ reqcmd = "mcr ''exe_dir'openssl req"
$ x509cmd = "mcr ''exe_dir'openssl x509 ''digest'"
$ verifycmd = "mcr ''exe_dir'openssl verify"
$ dummycnf = "sys$disk:[-.apps]openssl-vms.cnf"
$
$ CAkey="""keyCA.ss"""
$ CAcert="""certCA.ss"""
$ CAreq="""reqCA.ss"""
$ CAconf="""CAss.cnf"""
$ CAreq2="""req2CA.ss""" ! temp
$
$ Uconf="""Uss.cnf"""
$ Ukey="""keyU.ss"""
$ Ureq="""reqU.ss"""
$ Ucert="""certU.ss"""
$
$ write sys$output ""
$ write sys$output "make a certificate request using 'req'"
$
$ set noon
$ define/user sys$output nla0:
$ mcr 'exe_dir'openssl no-rsa
$ save_severity=$SEVERITY
$ set on
$ if save_severity
$ then
$ req_new="-newkey dsa:[-.apps]dsa512.pem"
$ else
$ req_new="-new"
$ endif
$
$ 'reqcmd' -config 'CAconf' -out 'CAreq' -keyout 'CAkey' 'req_new' ! -out err.ss
$ if $severity .ne. 1
$ then
$ write sys$output "error using 'req' to generate a certificate request"
$ exit 3
$ endif
$ write sys$output ""
$ write sys$output "convert the certificate request into a self signed certificate using 'x509'"
$ define /user sys$output err.ss
$ 'x509cmd' "-CAcreateserial" -in 'CAreq' -days 30 -req -out 'CAcert' -signkey 'CAkey'
$ if $severity .ne. 1
$ then
$ write sys$output "error using 'x509' to self sign a certificate request"
$ exit 3
$ endif
$
$ write sys$output ""
$ write sys$output "convert a certificate into a certificate request using 'x509'"
$ define /user sys$output err.ss
$ 'x509cmd' -in 'CAcert' -x509toreq -signkey 'CAkey' -out 'CAreq2'
$ if $severity .ne. 1
$ then
$ write sys$output "error using 'x509' convert a certificate to a certificate request"
$ exit 3
$ endif
$
$ 'reqcmd' -config 'dummycnf' -verify -in 'CAreq' -noout
$ if $severity .ne. 1
$ then
$ write sys$output "first generated request is invalid"
$ exit 3
$ endif
$
$ 'reqcmd' -config 'dummycnf' -verify -in 'CAreq2' -noout
$ if $severity .ne. 1
$ then
$ write sys$output "second generated request is invalid"
$ exit 3
$ endif
$
$ 'verifycmd' "-CAfile" 'CAcert' 'CAcert'
$ if $severity .ne. 1
$ then
$ write sys$output "first generated cert is invalid"
$ exit 3
$ endif
$
$ write sys$output ""
$ write sys$output "make another certificate request using 'req'"
$ define /user sys$output err.ss
$ 'reqcmd' -config 'Uconf' -out 'Ureq' -keyout 'Ukey' 'req_new'
$ if $severity .ne. 1
$ then
$ write sys$output "error using 'req' to generate a certificate request"
$ exit 3
$ endif
$
$ write sys$output ""
$ write sys$output "sign certificate request with the just created CA via 'x509'"
$ define /user sys$output err.ss
$ 'x509cmd' "-CAcreateserial" -in 'Ureq' -days 30 -req -out 'Ucert' "-CA" 'CAcert' "-CAkey" 'CAkey'
$ if $severity .ne. 1
$ then
$ write sys$output "error using 'x509' to sign a certificate request"
$ exit 3
$ endif
$
$ 'verifycmd' "-CAfile" 'CAcert' 'Ucert'
$ write sys$output ""
$ write sys$output "Certificate details"
$ 'x509cmd' -subject -issuer -startdate -enddate -noout -in 'Ucert'
$
$ write sys$output ""
$ write sys$output "The generated CA certificate is ",CAcert
$ write sys$output "The generated CA private key is ",CAkey
$
$ write sys$output "The generated user certificate is ",Ucert
$ write sys$output "The generated user private key is ",Ukey
$
$ if f$search("err.ss;*") .nes. "" then delete err.ss;*
Computing file changes ...
