3 # Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at:
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
24 log='@LOGDIR@/ovs-pki.log'
28 # OS-specific compatibility routines
33 stat -r "$1" | awk '{print $10}'
60 # This option-parsing mechanism borrowed from a Autoconf-generated
61 # configure script under the following license:
63 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
64 # 2002, 2003, 2004, 2005, 2006, 2009 Free Software Foundation, Inc.
65 # This configure script is free software; the Free Software Foundation
66 # gives unlimited permission to copy, distribute and modify it.
68 # If the previous option needs an argument, assign it.
69 if test -n "$prev"; then
75 *=*) optarg=`expr "X$option" : '[^=]*=\(.*\)'` ;;
79 case $dashdash$option in
84 ovs-pki, for managing a simple OpenFlow public key infrastructure
85 usage: $0 [OPTION...] COMMAND [ARG...]
87 The valid stand-alone commands and their arguments are:
88 init Initialize the PKI
89 req NAME Create new private key and certificate request
90 named NAME-privkey.pem and NAME-req.pem, resp.
91 sign NAME [TYPE] Sign switch certificate request NAME-req.pem,
92 producing certificate NAME-cert.pem
93 req+sign NAME [TYPE] Combine the above two steps, producing all three files.
94 verify NAME [TYPE] Checks that NAME-cert.pem is a valid TYPE certificate
95 fingerprint FILE Prints the fingerprint for FILE
96 self-sign NAME Sign NAME-req.pem with NAME-privkey.pem,
97 producing self-signed certificate NAME-cert.pem
98 Each TYPE above is a certificate type: 'switch' (default) or 'controller'.
100 Options for 'init', 'req', and 'req+sign' only:
101 -k, --key=rsa|dsa Type of keys to use (default: rsa)
102 -B, --bits=NBITS Number of bits in keys (default: 2048). For DSA keys,
103 this has an effect only on 'init'.
104 -D, --dsaparam=FILE File with DSA parameters (DSA only)
105 (default: dsaparam.pem within PKI directory)
106 Options for use with the 'sign' command:
107 -b, --batch Skip fingerprint verification
108 Options that apply to any command:
109 -d, --dir=DIR Directory where the PKI is located
111 -f, --force Continue even if file or directory already exists
112 -l, --log=FILE Log openssl output to FILE (default: ovs-log.log)
113 -h, --help Print this usage message.
114 -V, --version Display version information.
119 echo "ovs-pki (Open vSwitch) @VERSION@"
159 echo "unrecognized option $option" >&2
163 if test -z "$command"; then
165 elif test -z "${arg1+set}"; then
167 elif test -z "${arg2+set}"; then
170 echo "$option: only two arguments may be specified" >&2
177 if test -n "$prev"; then
178 option=--`echo $prev | sed 's/_/-/g'`
179 { echo "$as_me: error: missing argument to $option" >&2
180 { (exit 1); exit 1; }; }
182 if test -z "$command"; then
183 echo "$0: missing command name; use --help for help" >&2
186 if test "$keytype" != rsa && test "$keytype" != dsa; then
187 echo "$0: argument to -k or --key must be rsa or dsa" >&2
190 if test "$bits" -lt 1024; then
191 echo "$0: argument to -B or --bits must be at least 1024" >&2
194 if test -z "$dsaparam"; then
195 dsaparam=$pkidir/dsaparam.pem
202 logdir=$(dirname "$log")
203 if test ! -d "$logdir"; then
204 mkdir -p -m755 "$logdir" 2>/dev/null || true
205 if test ! -d "$logdir"; then
206 echo "$0: log directory $logdir does not exist and cannot be created" >&2
211 if test "$command" = "init"; then
212 if test -e "$pkidir" && test "$force" != "yes"; then
213 echo "$0: $pkidir already exists and --force not specified" >&2
217 if test ! -d "$pkidir"; then
223 if test $keytype = dsa && test ! -e dsaparam.pem; then
224 echo "Generating DSA parameters, please wait..." >&2
225 openssl dsaparam -out dsaparam.pem $bits 1>&3 2>&3
228 # Get the current date to add some uniqueness to this certificate
229 curr_date=`date +"%Y %b %d %T"`
232 for ca in controllerca switchca; do
233 echo "Creating $ca..." >&2
238 mkdir -p certs crl newcerts
239 mkdir -p -m 0700 private
241 test -e crlnumber || echo 01 > crlnumber
242 test -e serial || echo 01 > serial
244 # Put DSA parameters in directory.
245 if test $keytype = dsa && test ! -e dsaparam.pem; then
249 # Write CA configuration file.
250 if test ! -e ca.cnf; then
251 sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g" > ca.cnf <<'EOF'
254 distinguished_name = req_distinguished_name
256 [ req_distinguished_name ]
262 CN = OVS @ca@ CA Certificate (@curr_date@)
269 database = $dir/index.txt # index file.
270 new_certs_dir = $dir/newcerts # new certs dir
271 certificate = $dir/cacert.pem # The CA cert
272 serial = $dir/serial # serial no file
273 private_key = $dir/private/cakey.pem# CA private key
274 RANDFILE = $dir/private/.rand # random number file
275 default_days = 3650 # how long to certify for
276 default_crl_days= 30 # how long before next CRL
277 default_md = md5 # md to use
278 policy = policy # default policy
279 email_in_dn = no # Don't add the email into cert DN
280 name_opt = ca_default # Subject name display option
281 cert_opt = ca_default # Certificate display option
282 copy_extensions = none # Don't copy extensions from request
283 unique_subject = no # Allow certs with duplicate subjects
287 countryName = optional
288 stateOrProvinceName = optional
289 organizationName = match
290 organizationalUnitName = optional
291 commonName = supplied
292 emailAddress = optional
296 # Create certificate authority.
297 if test $keytype = dsa; then
298 newkey=dsa:dsaparam.pem
302 openssl req -config ca.cnf -nodes \
303 -newkey $newkey -keyout private/cakey.pem -out careq.pem \
305 openssl ca -config ca.cnf -create_serial -out cacert.pem \
306 -days 3650 -batch -keyfile private/cakey.pem -selfsign \
307 -infiles careq.pem 1>&3 2>&3
308 chmod 0700 private/cakey.pem
316 if test -z "$arg1" || test -n "$arg2"; then
317 echo "$0: $command must have exactly one argument; use --help for help" >&2
323 if test -z "$arg1"; then
324 echo "$0: $command must have one or two arguments; use --help for help" >&2
330 if test -e "$1" && test "$force" != "yes"; then
331 echo "$0: $1 already exists and --force not supplied" >&2
337 TMP=/tmp/ovs-pki.tmp$$
346 date=$(file_mod_date "$file")
347 if grep -e '-BEGIN CERTIFICATE-' "$file" > /dev/null; then
348 fingerprint=$(openssl x509 -noout -in "$file" -fingerprint |
349 sed 's/SHA1 Fingerprint=//' | tr -d ':')
351 fingerprint=$(sha1sum "$file" | awk '{print $1}')
353 printf "$name\\t$date\\n"
356 printf "\\t(correct fingerprint in filename)\\n"
359 printf "\\tfingerprint $fingerprint\\n"
364 verify_fingerprint() {
366 if test $batch != yes; then
367 echo "Does fingerprint match? (yes/no)"
369 if test "$answer" != yes; then
370 echo "Match failure, aborting" >&2
377 if test x = x"$1"; then
379 elif test "$1" = switch || test "$1" = controller; then
382 echo "$0: type argument must be 'switch' or 'controller'" >&2
388 number=$(echo $1 | sed 's/^\([0-9]\+\)\([[:alpha:]]\+\)/\1/')
389 unit=$(echo $1 | sed 's/^\([0-9]\+\)\([[:alpha:]]\+\)/\2/')
404 echo "$1: age not in the form Ns, Nmin, Nh, Nday (e.g. 1day)" >&2
408 echo $(($number * $factor))
412 if test ! -e "$1"; then
413 echo "$0: $1 does not exist" >&2
418 pkidir_must_exist() {
419 if test ! -e "$pkidir"; then
420 echo "$0: $pkidir does not exist (need to run 'init' or use '--dir'?)" >&2
422 elif test ! -d "$pkidir"; then
423 echo "$0: $pkidir is not a directory" >&2
429 must_not_exist "$arg1-privkey.pem"
430 must_not_exist "$arg1-req.pem"
432 # Use uuidgen or date to create unique subject DNs.
433 unique=`(uuidgen) 2>/dev/null` || unique=`date +"%Y %b %d %T"`
434 cat > "$TMP/req.cnf" <<EOF
437 distinguished_name = req_distinguished_name
439 [ req_distinguished_name ]
444 OU = Open vSwitch certifier
445 CN = $arg1 id:$unique
447 if test $keytype = rsa; then
448 (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
451 must_exist "$dsaparam"
452 (umask 077 && openssl gendsa -out "$1-privkey.pem" "$dsaparam") \
455 openssl req -config "$TMP/req.cnf" -new -text \
456 -key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
464 (cd "$pkidir/${type}ca" &&
465 openssl ca -config ca.cnf -batch -in /dev/stdin) \
466 < "$1" > "$2.tmp$$" 2>&3
472 if test "$files" != "$1"; then
478 if test "$command" = req; then
482 fingerprint "$arg1-req.pem"
483 elif test "$command" = sign; then
486 verify_fingerprint "$arg1-req.pem"
488 sign_request "$arg1-req.pem" "$arg2-cert.pem"
489 elif test "$command" = req+sign; then
495 sign_request "$arg1-req.pem" "$arg1-cert.pem"
496 fingerprint "$arg1-req.pem"
497 elif test "$command" = verify; then
499 must_exist "$arg1-cert.pem"
503 openssl verify -CAfile "$pkidir/${type}ca/cacert.pem" "$arg1-cert.pem"
504 elif test "$command" = fingerprint; then
508 elif test "$command" = self-sign; then
510 must_exist "$arg1-req.pem"
511 must_exist "$arg1-privkey.pem"
512 must_not_exist "$arg1-cert.pem"
514 # Create both the private key and certificate with restricted permissions.
516 openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
517 -signkey "$arg1-privkey.pem" -req -days 3650 -text) 2>&3 || exit $?
519 # Reset the permissions on the certificate to the user's default.
520 cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
521 rm -f "$arg1-cert.pem.tmp"
523 echo "$0: $command command unknown; use --help for help" >&2