10 log='@LOGDIR@/ovs-pki.log'
14 # This option-parsing mechanism borrowed from a Autoconf-generated
15 # configure script under the following license:
17 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
18 # 2002, 2003, 2004, 2005, 2006, 2009 Free Software Foundation, Inc.
19 # This configure script is free software; the Free Software Foundation
20 # gives unlimited permission to copy, distribute and modify it.
22 # If the previous option needs an argument, assign it.
23 if test -n "$prev"; then
29 *=*) optarg=`expr "X$option" : '[^=]*=\(.*\)'` ;;
33 case $dashdash$option in
38 ovs-pki, for managing a simple OpenFlow public key infrastructure
39 usage: $0 [OPTION...] COMMAND [ARG...]
41 The valid stand-alone commands and their arguments are:
42 init Initialize the PKI
43 req NAME Create new private key and certificate request
44 named NAME-privkey.pem and NAME-req.pem, resp.
45 sign NAME [TYPE] Sign switch certificate request NAME-req.pem,
46 producing certificate NAME-cert.pem
47 req+sign NAME [TYPE] Combine the above two steps, producing all three files.
48 verify NAME [TYPE] Checks that NAME-cert.pem is a valid TYPE certificate
49 fingerprint FILE Prints the fingerprint for FILE
50 self-sign NAME Sign NAME-req.pem with NAME-privkey.pem,
51 producing self-signed certificate NAME-cert.pem
53 The following additional commands manage an online PKI:
54 ls [PREFIX] [TYPE] Lists incoming requests of the given TYPE, optionally
55 limited to those whose fingerprint begins with PREFIX
56 flush [TYPE] Rejects all incoming requests of the given TYPE
57 reject PREFIX [TYPE] Rejects the incoming request(s) whose fingerprint begins
58 with PREFIX and has the given TYPE
59 approve PREFIX [TYPE] Approves the incoming request whose fingerprint begins
60 with PREFIX and has the given TYPE
61 expire [AGE] Rejects all incoming requests older than AGE, in
62 one of the forms Ns, Nmin, Nh, Nday (default: 1day)
63 prompt [TYPE] Interactively prompts to accept or reject each incoming
64 request of the given TYPE
66 Each TYPE above is a certificate type: 'switch' (default) or 'controller'.
68 Options for 'init', 'req', and 'req+sign' only:
69 -k, --key=rsa|dsa Type of keys to use (default: rsa)
70 -B, --bits=NBITS Number of bits in keys (default: 2048). For DSA keys,
71 this has an effect only on 'init'.
72 -D, --dsaparam=FILE File with DSA parameters (DSA only)
73 (default: dsaparam.pem within PKI directory)
74 Options for use with the 'sign' and 'approve' commands:
75 -b, --batch Skip fingerprint verification
76 Options that apply to any command:
77 -d, --dir=DIR Directory where the PKI is located
79 -f, --force Continue even if file or directory already exists
80 -l, --log=FILE Log openssl output to FILE (default: ovs-log.log)
81 -h, --help Print this usage message.
122 echo "unrecognized option $option" >&2
126 if test -z "$command"; then
128 elif test -z "${arg1+set}"; then
130 elif test -z "${arg2+set}"; then
133 echo "$option: only two arguments may be specified" >&2
140 if test -n "$prev"; then
141 option=--`echo $prev | sed 's/_/-/g'`
142 { echo "$as_me: error: missing argument to $option" >&2
143 { (exit 1); exit 1; }; }
145 if test -z "$command"; then
146 echo "$0: missing command name; use --help for help" >&2
149 if test "$keytype" != rsa && test "$keytype" != dsa; then
150 echo "$0: argument to -k or --key must be rsa or dsa"
153 if test "$bits" -lt 1024; then
154 echo "$0: argument to -B or --bits must be at least 1024"
157 if test -z "$dsaparam"; then
158 dsaparam=$pkidir/dsaparam.pem
162 *) $log="$PWD/$log" ;;
165 if test "$command" = "init"; then
166 if test -e "$pkidir" && test "$force" != "yes"; then
167 echo "$0: $pkidir already exists and --force not specified" >&2
171 if test ! -d "$pkidir"; then
177 if test $keytype = dsa && test ! -e dsaparam.pem; then
178 echo "Generating DSA parameters, please wait..." >&2
179 openssl dsaparam -out dsaparam.pem $bits 1>&3 2>&3
183 for ca in controllerca switchca; do
184 echo "Creating $ca..." >&2
189 mkdir -p certs crl newcerts
190 mkdir -p -m 0700 private
191 mkdir -p -m 0733 incoming
193 test -e crlnumber || echo 01 > crlnumber
194 test -e serial || echo 01 > serial
196 # Put DSA parameters in directory.
197 if test $keytype = dsa && test ! -e dsaparam.pem; then
201 # Write CA configuration file.
202 if test ! -e ca.cnf; then
203 sed "s/@ca@/$ca/g" > ca.cnf <<'EOF'
206 distinguished_name = req_distinguished_name
208 [ req_distinguished_name ]
214 CN = Open vSwitch @ca@ CA Certificate
221 database = $dir/index.txt # index file.
222 new_certs_dir = $dir/newcerts # new certs dir
223 certificate = $dir/cacert.pem # The CA cert
224 serial = $dir/serial # serial no file
225 private_key = $dir/private/cakey.pem# CA private key
226 RANDFILE = $dir/private/.rand # random number file
227 default_days = 365 # how long to certify for
228 default_crl_days= 30 # how long before next CRL
229 default_md = md5 # md to use
230 policy = policy # default policy
231 email_in_dn = no # Don't add the email into cert DN
232 name_opt = ca_default # Subject name display option
233 cert_opt = ca_default # Certificate display option
234 copy_extensions = none # Don't copy extensions from request
238 countryName = optional
239 stateOrProvinceName = optional
240 organizationName = match
241 organizationalUnitName = optional
242 commonName = supplied
243 emailAddress = optional
247 # Create certificate authority.
248 if test $keytype = dsa; then
249 newkey=dsa:dsaparam.pem
253 openssl req -config ca.cnf -nodes \
254 -newkey $newkey -keyout private/cakey.pem -out careq.pem \
256 openssl ca -config ca.cnf -create_serial -out cacert.pem \
257 -days 1095 -batch -keyfile private/cakey.pem -selfsign \
258 -infiles careq.pem 1>&3 2>&3
259 chmod 0700 private/cakey.pem
267 if test -z "$arg1" || test -n "$arg2"; then
268 echo "$0: $command must have exactly one argument; use --help for help" >&2
274 if test -n "$arg2"; then
275 echo "$0: $command must have zero or one arguments; use --help for help" >&2
281 if test -z "$arg1"; then
282 echo "$0: $command must have one or two arguments; use --help for help" >&2
288 if test -e "$1" && test "$force" != "yes"; then
289 echo "$0: $1 already exists and --force not supplied" >&2
295 test -n "$type" || exit 123 # Forgot to call check_type?
301 echo "Prefix $arg1 is too short (less than 4 hex digits)"
306 fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem | sed 's/-req\.pem$//')
309 echo "No certificate requests matching $1"
313 echo "$1 matches more than one certificate request:"
314 echo $fingerprint | sed 's/ /\
322 req="$pkidir/${type}ca/incoming/$fingerprint-req.pem"
323 cert="$pkidir/${type}ca/certs/$fingerprint-cert.pem"
327 TMP=/tmp/ovs-pki.tmp$$
336 local date=$(date -r $file)
338 if grep -q -e '-BEGIN CERTIFICATE-' "$file"; then
339 fingerprint=$(openssl x509 -noout -in "$file" -fingerprint |
340 sed 's/SHA1 Fingerprint=//' | tr -d ':')
342 fingerprint=$(sha1sum "$file" | awk '{print $1}')
344 printf "$name\\t$date\\n"
347 printf "\\t(correct fingerprint in filename)\\n"
350 printf "\\tfingerprint $fingerprint\\n"
355 verify_fingerprint() {
357 if test $batch != yes; then
358 echo "Does fingerprint match? (yes/no)"
360 if test "$answer" != yes; then
361 echo "Match failure, aborting" >&2
368 if test x = x"$1"; then
370 elif test "$1" = switch || test "$1" = controller; then
373 echo "$0: type argument must be 'switch' or 'controller'" >&2
379 number=$(echo $1 | sed 's/^\([0-9]\+\)\([[:alpha:]]\+\)/\1/')
380 unit=$(echo $1 | sed 's/^\([0-9]\+\)\([[:alpha:]]\+\)/\2/')
395 echo "$1: age not in the form Ns, Nmin, Nh, Nday (e.g. 1day)" >&2
399 echo $(($number * $factor))
403 if test ! -e "$1"; then
404 echo "$0: $1 does not exist" >&2
409 pkidir_must_exist() {
410 if test ! -e "$pkidir"; then
411 echo "$0: $pkidir does not exist (need to run 'init' or use '--dir'?)" >&2
413 elif test ! -d "$pkidir"; then
414 echo "$0: $pkidir is not a directory" >&2
420 must_not_exist "$arg1-privkey.pem"
421 must_not_exist "$arg1-req.pem"
423 cat > "$TMP/req.cnf" <<EOF
426 distinguished_name = req_distinguished_name
428 [ req_distinguished_name ]
433 OU = Open vSwitch certifier
434 CN = Open vSwitch certificate for $arg1
436 if test $keytype = rsa; then
439 must_exist "$dsaparam"
442 openssl req -config "$TMP/req.cnf" -text -nodes \
443 -newkey $newkey -keyout "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
451 (cd "$pkidir/${type}ca" &&
452 openssl ca -config ca.cnf -batch -in /dev/stdin) \
453 < "$1" > "$2.tmp$$" 2>&3
458 local files=$(echo $1)
459 if test "$files" != "$1"; then
465 if test "$command" = req; then
469 fingerprint "$arg1-req.pem"
470 elif test "$command" = sign; then
473 verify_fingerprint "$arg1-req.pem"
475 sign_request "$arg1-req.pem" "$arg2-cert.pem"
476 elif test "$command" = req+sign; then
482 sign_request "$arg1-req.pem" "$arg1-cert.pem"
483 fingerprint "$arg1-req.pem"
484 elif test "$command" = verify; then
486 must_exist "$arg1-cert.pem"
490 openssl verify -CAfile "$pkidir/${type}ca/cacert.pem" "$arg1-cert.pem"
491 elif test "$command" = fingerprint; then
495 elif test "$command" = self-sign; then
497 must_exist "$arg1-req.pem"
498 must_exist "$arg1-privkey.pem"
499 must_not_exist "$arg1-cert.pem"
501 openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
502 -signkey "$arg1-privkey.pem" -req -text 2>&3
503 elif test "$command" = ls; then
506 cd "$pkidir/${type}ca/incoming"
507 for file in $(glob "$arg1*-req.pem"); do
510 elif test "$command" = flush; then
513 rm -f "$pkidir/${type}ca/incoming/"*
514 elif test "$command" = reject; then
517 resolve_prefix "$arg1"
520 elif test "$command" = approve; then
523 resolve_prefix "$arg1"
526 cp "$req" "$TMP/$req"
527 verify_fingerprint "$TMP/$req"
528 sign_request "$TMP/$req"
529 rm -f "$req" "$TMP/$req"
530 elif test "$command" = prompt; then
535 cd "$pkidir/${type}ca/incoming"
536 for req in $(glob "*-req.pem"); do
537 cp "$req" "$TMP/$req"
539 cert=$(echo "$pkidir/${type}ca/certs/$req" |
540 sed 's/-req.pem/-cert.pem/')
541 if test -f $cert; then
542 echo "Request $req already approved--dropping duplicate request"
543 rm -f "$req" "$TMP/$req"
549 fingerprint "$TMP/$req" "$req"
550 printf "Disposition for this request (skip/approve/reject)? "
554 echo "Approving $req"
555 sign_request "$TMP/$req" "$cert"
556 rm -f "$req" "$TMP/$req"
559 echo "Rejecting $req"
560 rm -f "$req" "$TMP/$req"
567 elif test "$command" = expire; then
569 cutoff=$(($(date +%s) - $(parse_age ${arg1-1day})))
570 for type in switch controller; do
571 cd "$pkidir/${type}ca/incoming" || exit 1
572 for file in $(glob "*"); do
573 time=$(date -r "$file" +%s)
574 if test "$time" -lt "$cutoff"; then
580 echo "$0: $command command unknown; use --help for help" >&2