X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=utilities%2Fovs-pki.in;h=019ffcfadf922a766a751299f13fc58923aaf616;hb=479df1769d51351d031482acaaf0c713726c05d1;hp=cbdb43d0a2fe75f7df4cee9cf83d813cd3abd5ef;hpb=ccc9fc5a70e2af642721fa9356d7fbcb9a697d06;p=openvswitch
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index cbdb43d0..019ffcfa 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,6 +1,6 @@
 #! /bin/sh
-# Copyright (c) 2008, 2009, 2010 Nicira Networks, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -93,9 +93,14 @@ Options that apply to any command:
 -f, --force Continue even if file or directory already exists
 -l, --log=FILE Log openssl output to FILE (default: ovs-log.log)
 -h, --help Print this usage message.
+ -V, --version Display version information.
 EOF
 exit 0
 ;;
+ -V|--version)
+ echo "ovs-pki (Open vSwitch) @VERSION@"
+ exit 0
+ ;;
 --di*=*)
 pkidir=$optarg
 ;;
@@ -173,7 +178,7 @@ if test -z "$dsaparam"; then
 fi
 case $log in
 /*) ;;
- *) $log="$PWD/$log" ;;
+ *) log=`pwd`/$log ;;
 esac
 logdir=$(dirname "$log")
 
@@ -208,7 +213,7 @@ if test "$command" = "init"; then
 # Create the CAs.
 for ca in controllerca switchca; do
 echo "Creating $ca..." >&2
- oldpwd=$PWD
+ oldpwd=`pwd`
 mkdir -p $ca
 cd $ca
 
@@ -361,7 +366,7 @@ fingerprint() {
 file=$1
 name=${1-$2}
 date=$(date -r $file)
- if grep -q -e '-BEGIN CERTIFICATE-' "$file"; then
+ if grep -e '-BEGIN CERTIFICATE-' "$file" > /dev/null; then
 fingerprint=$(openssl x509 -noout -in "$file" -fingerprint | sed 's/SHA1 Fingerprint=//' | tr -d ':')
 else
@@ -460,13 +465,15 @@ OU = Open vSwitch certifier
 CN = Open vSwitch certificate for $arg1
 EOF
 if test $keytype = rsa; then
- newkey=rsa:$bits
+ (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
+ || exit $?
 else
 must_exist "$dsaparam"
- newkey=dsa:$dsaparam
+ (umask 077 && openssl gendsa -out "$1-privkey.pem" "$dsaparam") \
+ 1>&3 2>&3 || exit $?
 fi
- openssl req -config "$TMP/req.cnf" -text -nodes \
- -newkey $newkey -keyout "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
+ openssl req -config "$TMP/req.cnf" -new -text \
+ -key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
 }
 
 sign_request() {
@@ -524,8 +531,14 @@ elif test "$command" = self-sign; then
 must_exist "$arg1-privkey.pem"
 must_not_exist "$arg1-cert.pem"
 
- openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
- -signkey "$arg1-privkey.pem" -req -text 2>&3
+ # Create both the private key and certificate with restricted permissions.
+ (umask 077 && \
+ openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
+ -signkey "$arg1-privkey.pem" -req -text) 2>&3 || exit $?
+
+ # Reset the permissions on the certificate to the user's default.
+ cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
+ rm -f "$arg1-cert.pem.tmp"
 
 elif test "$command" = ls; then
 check_type "$arg2"
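Review bot: The new `openssl req -new -key … -out "$1-req.pem"` line at the end of the hunk has no exit-status check, unlike the genrsa/gendsa lines just above it that were given `|| exit $?`, so a failed CSR generation leaves a missing or partial `$1-req.pem` while the function returns normally and whatever the caller does next proceeds. Append the same guard so all three openssl steps fail the same way: `-key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3 || exit $?`. The `umask 077` only governs newly created files; if `$1-privkey.pem` already existed with a looser mode, genrsa/gendsa replace its contents but keep that mode, so the permission guarantee depends on an earlier must_not_exist-style check that is outside the hunk and should be confirmed. `$bits` is still unquoted in the genrsa line, where `"$bits"` costs nothing. The enclosing function starts before the hunk.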
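Review bot: The comment `# Create both the private key and certificate with restricted permissions.` does not match the code under it: the private key is only read here (`-signkey`, preceded by `must_exist "$arg1-privkey.pem"`), and the only file created is `$arg1-cert.pem.tmp`; reword it to `# Write the certificate to a temp file with restricted permissions, then publish it with the user's default mode.` The `cat … > "$arg1-cert.pem"` copy also has no status check, so a failed write (full disk, unwritable directory) leaves a truncated certificate in place and then removes the intact temp file; `cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" || exit $?` keeps it consistent with the `|| exit $?` on the openssl step. When that openssl step does exit, the `rm -f` line is never reached and a partial `$arg1-cert.pem.tmp` can be left behind, which is acceptable but worth a word in the comment.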