From 8478ab12feffbd7611a3e3f0786132f603fc4433 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@nicira.com>
Date: Wed, 22 Oct 2008 13:27:03 -0700
Subject: [PATCH] Add support for bootstrapping the CA certificate to the
 Debian packaging.

---
 debian/openflow-switch.default | 14 ++++++++++++++
 debian/openflow-switch.init    | 20 ++++++++++++++++----
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/debian/openflow-switch.default b/debian/openflow-switch.default
index 6088581a8..7e40c26c6 100644
--- a/debian/openflow-switch.default
+++ b/debian/openflow-switch.default
@@ -78,6 +78,20 @@ SWITCH_IP=dhcp
 # Required if SSL enabled.
 #CACERT=/etc/openflow-switch/cacert.pem
 
+# CACERT_MODE: Two modes are available:
+#
+# * secure: The controller CA certificate named in CACERT above must exist.
+#   (You must copy it manually from the PKI server or another trusted source.)
+#
+# * bootstrap: If the controller CA certificate named in CACERT above does
+#   not exist, the switch will obtain it from the controller the first time
+#   it connects and save a copy to the file named in CACERT.  This is insecure,
+#   in the same way that initial connections with ssh are insecure, but
+#   it is convenient.
+# 
+# Set CACERT_MODE to 'secure' or 'bootstrap' for these respective cases.
+#CACERT=secure
+
 # MGMT_VCONNS: List of vconns (space-separated) on which secchan
 # should listen for management connections from dpctl, etc.
 # openflow-switchmon by default connects to
diff --git a/debian/openflow-switch.init b/debian/openflow-switch.init
index b4e39afcd..c3d22d7d4 100755
--- a/debian/openflow-switch.init
+++ b/debian/openflow-switch.init
@@ -115,15 +115,21 @@ check_op() {
 }
 
 configure_ssl() {
-    if test ! -e "$PRIVKEY" || test ! -e "$CERT" || test ! -e "$CACERT"; then
+    if (test "$CACERT_MODE" != secure && test "$CACERT_MODE" != bootstrap) \
+       || test ! -e "$PRIVKEY" || test ! -e "$CERT" \
+       || (test ! -e "$CACERT" && test "$CACERT_MODE" != bootstrap); then
+        if test "$CACERT_MODE" != secure && test "$CACERT_MODE" != bootstrap
+        then
+            echo "CACERT_MODE is not set to 'secure' or 'bootstrap'"
+        fi
         if test ! -e "$PRIVKEY"; then
             echo "$PRIVKEY: private key missing" >&2
         fi
         if test ! -e "$CERT"; then
             echo "$CERT: certificate for private key missing" >&2
         fi
-        if test ! -e "$CACERT"; then
-            echo "$CACERT: CA certificate missing" >&2
+        if test ! -e "$CACERT" && test "$CACERT_MODE" != bootstrap; then
+            echo "$CACERT: CA certificate missing (and CA certificate bootstrapping not enabled)" >&2
         fi
         echo "Run ofp-switch-setup or edit /etc/default/openflow-switch to configure" >&2
         if test "$MODE" = discovery; then
@@ -131,7 +137,13 @@ configure_ssl() {
         fi
         exit 1
     fi
-    SSL_OPTS="--private-key=$PRIVKEY --certificate=$CERT --ca-cert=$CACERT"
+
+    SSL_OPTS="--private-key=$PRIVKEY --certificate=$CERT"
+    if test ! -e "$CACERT" && test "$CACERT_MODE" = bootstrap; then
+        SSL_OPTS="$SSL_OPTS --bootstrap-ca-cert=$CACERT"
+    else
+        SSL_OPTS="$SSL_OPTS --ca-cert=$CACERT"
+    fi
 }
 
 case "$1" in
-- 
2.43.0