X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=utilities%2Fovs-pki.in;h=019ffcfadf922a766a751299f13fc58923aaf616;hb=e2b9ac44c82590c2a9a27bff79ae43899277f703;hp=15ac17b924aa952875a478a285197bd5b4959eeb;hpb=064af42167bf4fc9aaea2702d80ce08074b889c0;p=openvswitch
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 15ac17b9..019ffcfa 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,5 +1,19 @@
 #! /bin/sh
 
+# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 set -e
 
 pkidir='@PKIDIR@'
@@ -79,9 +93,14 @@ Options that apply to any command:
 -f, --force Continue even if file or directory already exists
 -l, --log=FILE Log openssl output to FILE (default: ovs-log.log)
 -h, --help Print this usage message.
+ -V, --version Display version information.
 EOF
 exit 0
 ;;
+ -V|--version)
+ echo "ovs-pki (Open vSwitch) @VERSION@"
+ exit 0
+ ;;
 --di*=*)
 pkidir=$optarg
 ;;
@@ -147,11 +166,11 @@ if test -z "$command"; then
 exit 1
 fi
 if test "$keytype" != rsa && test "$keytype" != dsa; then
- echo "$0: argument to -k or --key must be rsa or dsa"
+ echo "$0: argument to -k or --key must be rsa or dsa" >&2
 exit 1
 fi
 if test "$bits" -lt 1024; then
- echo "$0: argument to -B or --bits must be at least 1024"
+ echo "$0: argument to -B or --bits must be at least 1024" >&2
 exit 1
 fi
 if test -z "$dsaparam"; then
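Review bot: The `if test "$bits" -lt 1024; then` guard keeps 1024 as the smallest accepted RSA/DSA key size, which is weak by current standards, and this same diff extends the CA certificate lifetime to six years, so a key minted at the floor would be trusted for a long time; consider `if test "$bits" -lt 2048; then` with the message updated to match, or at least a comment stating that 1024 is a compatibility minimum rather than a recommendation. Separately, if `$bits` is empty or non-numeric, `test` fails with its own diagnostic instead of this message, so a `case $bits in ''|*[!0-9]*) echo "$0: --bits must be a positive integer" >&2; exit 1 ;; esac` check in front of the comparison would make the error clearer. This option-validation run starts before the hunk.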
@@ -159,9 +178,18 @@ if test -z "$dsaparam"; then
 fi
 case $log in
 /*) ;;
- *) $log="$PWD/$log" ;;
+ *) log=`pwd`/$log ;;
 esac
 
+logdir=$(dirname "$log")
+if test ! -d "$logdir"; then
+ mkdir -p -m755 "$logdir" 2>/dev/null || true
+ if test ! -d "$logdir"; then
+ echo "$0: log directory $logdir does not exist and cannot be created" >&2
+ exit 1
+ fi
+fi
+
 if test "$command" = "init"; then
 if test -e "$pkidir" && test "$force" != "yes"; then
 echo "$0: $pkidir already exists and --force not specified" >&2
@@ -179,10 +207,13 @@ if test "$command" = "init"; then
 openssl dsaparam -out dsaparam.pem $bits 1>&3 2>&3
 fi
 
+ # Get the current date to add some uniqueness to this certificate
+ curr_date=`date +"%Y %b %d %T"`
+
 # Create the CAs.
 for ca in controllerca switchca; do
 echo "Creating $ca..." >&2
- oldpwd=$PWD
+ oldpwd=`pwd`
 mkdir -p $ca
 cd $ca
 
@@ -198,9 +229,9 @@ if test "$command" = "init"; then
 cp ../dsaparam.pem .
 fi
 
- # Write CA configuration file.
+ # Write CA configuration file.
 if test ! -e ca.cnf; then
- sed "s/@ca@/$ca/g" > ca.cnf <<'EOF'
+ sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g" > ca.cnf <<'EOF'
 [ req ]
 prompt = no
 distinguished_name = req_distinguished_name
@@ -211,7 +242,7 @@ ST = CA
 L = Palo Alto
 O = Open vSwitch
 OU = @ca@
-CN = Open vSwitch @ca@ CA Certificate
+CN = OVS @ca@ CA Certificate (@curr_date@)
 
 [ ca ]
 default_ca = the_ca
@@ -232,6 +263,7 @@ email_in_dn = no # Don't add the email into cert DN
 name_opt = ca_default # Subject name display option
 cert_opt = ca_default # Certificate display option
 copy_extensions = none # Don't copy extensions from request
+unique_subject = no # Allow certs with duplicate subjects
+
 # For the CA policy
 [ policy ]
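Review bot: `mkdir -p -m755 "$logdir" 2>/dev/null || true` throws away mkdir's diagnostic, so when the following `test ! -d "$logdir"` fires the user only learns that the directory "cannot be created" and not why (permission denied, read-only filesystem, a regular file in the way). Letting mkdir report is shorter and keeps the failure exit: `mkdir -p -m755 "$logdir" || { echo "$0: cannot create log directory $logdir" >&2; exit 1; }`. Note also that `-m755` applies only to the final path component; any intermediate directories `-p` creates receive the umask default, which is presumably fine for a log directory but worth a one-line comment.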
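Review bot: The `date +"%Y %b %d %T"` value assigned to `curr_date` is later substituted into a sed script and into the CA's CN, and `%b` is locale-dependent, so the CA subject varies with the caller's locale and is not guaranteed to be plain ASCII; `curr_date=$(LC_ALL=C date +"%Y %b %d %T")` pins it (the file already uses `$(...)` for `logdir`). The comment above it should also say what the uniqueness buys — presumably that a CA regenerated with `init --force` gets a subject distinct from the previous one — since the value is only second-granular and nothing validates it before the substitution.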
@@ -254,7 +286,7 @@ EOF
 -newkey $newkey -keyout private/cakey.pem -out careq.pem \
 1>&3 2>&3
 openssl ca -config ca.cnf -create_serial -out cacert.pem \
- -days 1095 -batch -keyfile private/cakey.pem -selfsign \
+ -days 2191 -batch -keyfile private/cakey.pem -selfsign \
 -infiles careq.pem 1>&3 2>&3
 chmod 0700 private/cakey.pem
 
@@ -298,7 +330,7 @@ resolve_prefix() {
 ????*)
 ;;
 *)
- echo "Prefix $arg1 is too short (less than 4 hex digits)"
+ echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2
 exit 0
 ;;
 esac
@@ -306,13 +338,13 @@ resolve_prefix() {
 fi
 fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem | sed 's/-req\.pem$//')
 case $fingerprint in
 "${1}*")
- echo "No certificate requests matching $1"
+ echo "No certificate requests matching $1" >&2
 exit 1
 ;;
 *" "*)
- echo "$1 matches more than one certificate request:"
+ echo "$1 matches more than one certificate request:" >&2
 echo $fingerprint | sed 's/ /\
-/g'
+/g' >&2
 exit 1
 ;;
 *)
@@ -331,11 +363,10 @@ make_tmpdir() {
 }
 
 fingerprint() {
- local file=$1
- local name=${1-$2}
- local date=$(date -r $file)
- local fingerprint
- if grep -q -e '-BEGIN CERTIFICATE-' "$file"; then
+ file=$1
+ name=${1-$2}
+ date=$(date -r $file)
+ if grep -e '-BEGIN CERTIFICATE-' "$file" > /dev/null; then
 fingerprint=$(openssl x509 -noout -in "$file" -fingerprint |
 sed 's/SHA1 Fingerprint=//' | tr -d ':')
 else
@@ -434,13 +465,15 @@ OU = Open vSwitch certifier
 CN = Open vSwitch certificate for $arg1
 EOF
 if test $keytype = rsa; then
- newkey=rsa:$bits
+ (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
+ || exit $?
 else
 must_exist "$dsaparam"
- newkey=dsa:$dsaparam
+ (umask 077 && openssl gendsa -out "$1-privkey.pem" "$dsaparam") \
+ 1>&3 2>&3 || exit $?
 fi
- openssl req -config "$TMP/req.cnf" -text -nodes \
- -newkey $newkey -keyout "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
+ openssl req -config "$TMP/req.cnf" -new -text \
+ -key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
 }
 
 sign_request() {
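Review bot: The CA private key is still produced by the `openssl req ... -keyout private/cakey.pem` invocation just above this change under whatever umask the caller has, and only tightened afterwards by `chmod 0700 private/cakey.pem`; the make_request code later in this same diff wraps key generation in `(umask 077 && ...)`, and doing the same here removes the window in which the CA key is readable by other users. The `-days 1095` to `-days 2191` change also deserves a comment, e.g. `# Self-signed CA certificate valid for 6 years (2191 days).` on the line before `openssl ca`, since the number is otherwise unexplained. The `openssl req` command begins outside the hunk.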
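Review bot: The too-short-prefix branch still ends in `exit 0` after the redirected `echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2`, so a caller checking the status sees success although nothing was resolved, while the neighbouring error branches of resolve_prefix use `exit 1`. Change it to `exit 1`. The function's opening lines lie outside the hunk.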
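Review bot: `name=${1-$2}` yields `$1` whenever `$1` is set, and inside this function it always is (`file=$1` on the line before), so the optional second argument can never become the display name; the intended expansion is presumably `name=${2-$1}`. While these lines are being rewritten, `date=$(date -r $file)` should quote `"$file"` as the `grep` call below already does. The fingerprint is still taken from openssl's SHA-1 output (`sed 's/SHA1 Fingerprint=//'`); since it appears to serve as a file-naming key (cf. the `*-req.pem` lookup in resolve_prefix) rather than as a trust decision that is tolerable, but a comment saying so would stop a later reader from assuming the CA binds on it. The function continues past the end of the hunk.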
@@ -455,7 +488,7 @@ sign_request() {
 }
 
 glob() {
- local files=$(echo $1)
+ files=$(echo $1)
 if test "$files" != "$1"; then
 echo "$files"
 fi
@@ -498,8 +531,14 @@ elif test "$command" = self-sign; then
 must_exist "$arg1-privkey.pem"
 must_not_exist "$arg1-cert.pem"
 
- openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
- -signkey "$arg1-privkey.pem" -req -text 2>&3
+ # Create both the private key and certificate with restricted permissions.
+ (umask 077 && \
+ openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
+ -signkey "$arg1-privkey.pem" -req -text) 2>&3 || exit $?
+
+ # Reset the permissions on the certificate to the user's default.
+ cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
+ rm -f "$arg1-cert.pem.tmp"
 
 elif test "$command" = ls; then
 check_type "$arg2"
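Review bot: The comment `# Create both the private key and certificate with restricted permissions.` does not describe this branch: the key must already exist (`must_exist "$arg1-privkey.pem"`), only the certificate is written, and its mode is reset right after; `# Sign into a private temp file, then publish the certificate with the user's default mode.` matches what the code does. If `openssl x509` fails, `|| exit $?` leaves `$arg1-cert.pem.tmp` behind in the working directory; cleaning up on that path, e.g. `... -req -text) 2>&3 || { rv=$?; rm -f "$arg1-cert.pem.tmp"; exit $rv; }`, avoids a stale temp file. Note also that `cat ... > "$arg1-cert.pem"` followed by `rm -f` is not atomic, so another process can briefly observe a truncated certificate; if that matters, `chmod` the temp file and `mv` it into place instead.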