12 # This option-parsing mechanism is borrowed from an Autoconf-generated
13 # configure script under the following license:
15 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
16 # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
17 # This configure script is free software; the Free Software Foundation
18 # gives unlimited permission to copy, distribute and modify it.
20 # If the previous option needs an argument, assign it.
21 if test -n "$prev"; then
27 *=*) optarg=`expr "X$option" : '[^=]*=\(.*\)'` ;;
31 case $dashdash$option in
36 ofp-pki, for managing a simple OpenFlow public key infrastructure
37 usage: $0 [OPTION...] COMMAND [ARG...]
38 where the valid commands and their arguments are:
39 new-pki Create a new PKI
40 req NAME Create new private key and certificate request
41 named NAME-privkey.pem and NAME-req.pem, resp.
42 TYPE is a certificate type: 'switch' or 'controller'
43 sign NAME TYPE Sign switch certificate request NAME-req.pem,
44 producing certificate NAME-cert.pem
45 TYPE is a certificate type: 'switch' or 'controller'
46 req+sign NAME TYPE Combine the above two steps, producing all three files.
47 verify NAME TYPE Checks that NAME-cert.pem is a valid TYPE certificate
48 TYPE is a certificate type: 'switch' or 'controller'
49 The valid OPTIONS are:
50 -d, --dir=DIR Directory where the PKI is located (default: pki)
51 -f, --force Continue even if file or directory already exists
52 -b, --batch Skip fingerprint verification
53 -l, --log=FILE Log openssl output to FILE (default: ofp-log.log)
54 -h, --help Print this usage message.
71 echo "unrecognized option $option"
75 if test -z "$command"; then
77 elif test -z "$arg1"; then
79 elif test -z "$arg2"; then
82 echo "only two arguments may be specified"
89 if test -n "$prev"; then
90 option=--`echo $prev | sed 's/_/-/g'`
91 { echo "$as_me: error: missing argument to $option" >&2
92 { (exit 1); exit 1; }; }
94 if test -z "$command"; then
95 echo "$0: missing command name; use --help for help"
100 if test "$command" = "new-pki"; then
101 if test -e "$DIR" && test "$force" != "yes"; then
102 echo "$0: $DIR already exists"
106 if test ! -d "$DIR"; then
111 if test ! -e dsaparam.pem; then
112 echo "Generating DSA parameters, please wait..."
113 openssl dsaparam -out dsaparam.pem 2048 1>&3 2>&3
116 # Create the request configuration.
117 if test ! -e req.cnf; then
121 distinguished_name = req_distinguished_name
123 [ req_distinguished_name ]
128 OU = OpenFlow certifier
129 CN = OpenFlow certificate
134 for ca in controllerca switchca; do
135 echo "Creating $ca..."
140 mkdir -p certs crl newcerts private
142 test -e crlnumber || echo 01 > crlnumber
143 test -e serial || echo 01 > serial
145 # Put the DSA parameters in the CA directory.
146 if test ! -e dsaparam.pem; then
150 # Write the CA configuration file.
151 if test ! -e ca.cnf; then
155 distinguished_name = req_distinguished_name
157 [ req_distinguished_name ]
170 database = $dir/index.txt # index file.
171 new_certs_dir = $dir/newcerts # new certs dir
172 certificate = $dir/cacert.pem # The CA cert
173 serial = $dir/serial # serial no file
174 private_key = $dir/private/cakey.pem# CA private key
175 RANDFILE = $dir/private/.rand # random number file
176 default_days = 365 # how long to certify for
177 default_crl_days= 30 # how long before next CRL
178 default_md = md5 # md to use
179 policy = policy # default policy
180 email_in_dn = no # Don't add the email into cert DN
181 name_opt = ca_default # Subject name display option
182 cert_opt = ca_default # Certificate display option
183 copy_extensions = none # Don't copy extensions from request
187 countryName = optional
188 stateOrProvinceName = optional
189 organizationName = match
190 organizationalUnitName = optional
191 commonName = supplied
192 emailAddress = optional
196 # Create certificate authority.
197 openssl req -config ca.cnf -nodes \
198 -newkey dsa:dsaparam.pem -keyout private/cakey.pem -out careq.pem \
200 openssl ca -config ca.cnf -create_serial -out cacert.pem \
201 -days 1095 -batch -keyfile private/cakey.pem -selfsign \
202 -infiles careq.pem 1>&3 2>&3
210 if test -z "$arg1" || test -n "$arg2"; then
211 echo "$0: $command must have exactly one argument; use --help for help"
217 if test -z "$arg1" || test -z "$arg2"; then
218 echo "$0: $command must have exactly two arguments; use --help for help"
224 if test -e "$1" && test "$force" != "yes"; then
225 echo "$0: $1 already exists and --force not supplied"
231 printf "$1-req.pem fingerprint is "
232 sha1sum "$1-req.pem" | awk '{print $1}'
236 if test "$1" != switch && test "$1" != controller; then
237 echo "$0: type argument must be 'switch' or 'controller'"
243 if test ! -e "$1"; then
244 echo "$0: $1 does not exist"
250 if test ! -e "$DIR"; then
251 echo "$0: $DIR does not exist (need to use --dir or new-pki?)"
253 elif test ! -d "$DIR"; then
254 echo "$0: $DIR is not a directory"
260 must_not_exist "$arg1-privkey.pem"
261 must_not_exist "$arg1-req.pem"
263 openssl req -config "$DIR/req.cnf" -text -nodes \
264 -newkey "dsa:$DIR/dsaparam.pem" -keyout "$1-privkey.pem" \
265 -out "$1-req.pem" 1>&3 2>&3
269 must_exist "$1-req.pem"
270 must_not_exist "$1-cert.pem"
273 (cd "$DIR/$2ca" && openssl ca -config ca.cnf -batch -in /dev/stdin) \
274 < "$1-req.pem" > "$1-cert.pem.tmp" 2>&3
275 mv "$1-cert.pem.tmp" "$1-cert.pem"
278 if test "$command" = req; then
282 elif test "$command" = sign; then
285 if test $batch != yes; then
286 echo "Does fingerprint match? (yes/no)"
288 if test "$answer" != yes; then
289 echo "Match failure, aborting"
293 sign_request "$arg1" "$arg2"
294 elif test "$command" = req+sign; then
297 sign_request "$arg1" "$arg2"
299 elif test "$command" = verify; then
301 must_exist "$arg1-cert.pem"
304 openssl verify -CAfile "$DIR/${arg2}ca/cacert.pem" "$arg1-cert.pem"
306 echo "$0: $command command unknown; use --help for help"