#! /bin/sh
-# Copyright (c) 2008, 2009 Nicira Networks, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
exit 1
fi
if test "$keytype" != rsa && test "$keytype" != dsa; then
- echo "$0: argument to -k or --key must be rsa or dsa"
+ echo "$0: argument to -k or --key must be rsa or dsa" >&2
exit 1
fi
if test "$bits" -lt 1024; then
- echo "$0: argument to -B or --bits must be at least 1024"
+ echo "$0: argument to -B or --bits must be at least 1024" >&2
exit 1
fi
if test -z "$dsaparam"; then
fi
case $log in
/*) ;;
- *) $log="$PWD/$log" ;;
+ *) log="$PWD/$log" ;;
esac
+logdir=$(dirname "$log")
+if test ! -d "$logdir"; then
+ mkdir -p -m755 "$logdir" 2>/dev/null || true
+ if test ! -d "$logdir"; then
+ echo "$0: log directory $logdir does not exist and cannot be created" >&2
+ exit 1
+ fi
+fi
+
if test "$command" = "init"; then
if test -e "$pkidir" && test "$force" != "yes"; then
echo "$0: $pkidir already exists and --force not specified" >&2
openssl dsaparam -out dsaparam.pem $bits 1>&3 2>&3
fi
+ # Get the current date to add some uniqueness to this certificate
+ curr_date=`date +"%Y %b %d %T"`
+
# Create the CAs.
for ca in controllerca switchca; do
echo "Creating $ca..." >&2
cp ../dsaparam.pem .
fi
- # Write CA configuration file.
+ # Write CA configuration file.
if test ! -e ca.cnf; then
- sed "s/@ca@/$ca/g" > ca.cnf <<'EOF'
+ sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g" > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
L = Palo Alto
O = Open vSwitch
OU = @ca@
-CN = Open vSwitch @ca@ CA Certificate
+CN = OVS @ca@ CA Certificate (@curr_date@)
[ ca ]
default_ca = the_ca
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request
+unique_subject = no # Allow certs with duplicate subjects
# For the CA policy
[ policy ]
-newkey $newkey -keyout private/cakey.pem -out careq.pem \
1>&3 2>&3
openssl ca -config ca.cnf -create_serial -out cacert.pem \
- -days 1095 -batch -keyfile private/cakey.pem -selfsign \
+ -days 2191 -batch -keyfile private/cakey.pem -selfsign \
-infiles careq.pem 1>&3 2>&3
chmod 0700 private/cakey.pem
????*)
;;
*)
- echo "Prefix $arg1 is too short (less than 4 hex digits)"
+ echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2
exit 0
;;
esac
fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem | sed 's/-req\.pem$//')
case $fingerprint in
"${1}*")
- echo "No certificate requests matching $1"
+ echo "No certificate requests matching $1" >&2
exit 1
;;
*" "*)
- echo "$1 matches more than one certificate request:"
+ echo "$1 matches more than one certificate request:" >&2
echo $fingerprint | sed 's/ /\
-/g'
+/g' >&2
exit 1
;;
*)
}
fingerprint() {
- local file=$1
- local name=${1-$2}
- local date=$(date -r $file)
- local fingerprint
- if grep -q -e '-BEGIN CERTIFICATE-' "$file"; then
+ file=$1
+ name=${1-$2}
+ date=$(date -r $file)
+ if grep -e '-BEGIN CERTIFICATE-' "$file" > /dev/null; then
fingerprint=$(openssl x509 -noout -in "$file" -fingerprint |
sed 's/SHA1 Fingerprint=//' | tr -d ':')
else
CN = Open vSwitch certificate for $arg1
EOF
if test $keytype = rsa; then
- newkey=rsa:$bits
+ (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
+ || exit $?
else
must_exist "$dsaparam"
- newkey=dsa:$dsaparam
+ (umask 077 && openssl gendsa -out "$1-privkey.pem" "$dsaparam") \
+ 1>&3 2>&3 || exit $?
fi
- openssl req -config "$TMP/req.cnf" -text -nodes \
- -newkey $newkey -keyout "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
+ openssl req -config "$TMP/req.cnf" -new -text \
+ -key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
}
sign_request() {
}
glob() {
- local files=$(echo $1)
+ files=$(echo $1)
if test "$files" != "$1"; then
echo "$files"
fi
must_exist "$arg1-privkey.pem"
must_not_exist "$arg1-cert.pem"
- openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
- -signkey "$arg1-privkey.pem" -req -text 2>&3
+ # Create both the private key and certificate with restricted permissions.
+ (umask 077 && \
+ openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
+ -signkey "$arg1-privkey.pem" -req -text) 2>&3 || exit $?
+
+ # Reset the permissions on the certificate to the user's default.
+ cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
+ rm -f "$arg1-cert.pem.tmp"
elif test "$command" = ls; then
check_type "$arg2"
git://git.onelab.eu / sliver-openvswitch.git / blobdiff