13 files changed, 224 insertions, 3 deletions

diff --git a/nova/CA/.gitignore b/nova/CA/.gitignore
new file mode 100644
index 000000000..fae0922bf
--- /dev/null
+++ b/nova/CA/.gitignore
@@ -0,0 +1,11 @@
+index.txt
+index.txt.old
+index.txt.attr
+index.txt.attr.old
+cacert.pem
+serial
+serial.old
+openssl.cnf
+private/*
+newcerts/*
+
diff --git a/nova/CA/geninter.sh b/nova/CA/geninter.sh
new file mode 100755
index 000000000..4b7f5a55c
--- /dev/null
+++ b/nova/CA/geninter.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+# $1 is the id of the project and $2 is the subject of the cert
+NAME=$1
+SUBJ=$2
+mkdir -p projects/$NAME
+cd projects/$NAME
+cp ../../openssl.cnf.tmpl openssl.cnf
+sed -i -e s/%USERNAME%/$NAME/g openssl.cnf
+mkdir -p certs crl newcerts private
+openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf -batch -nodes
+echo "10" > serial
+touch index.txt
+# NOTE(vish): Disabling intermediate ca's because we don't actually need them.
+#             It makes more sense to have each project have its own root ca.
+# openssl genrsa -out private/cakey.pem 1024 -config ./openssl.cnf -batch -nodes
+# openssl req -new -sha256 -key private/cakey.pem -out ../../reqs/inter$NAME.csr -batch -subj "$SUBJ"
+openssl ca -gencrl -config ./openssl.cnf -out crl.pem
+if [ "`id -u`" != "`grep nova /etc/passwd | cut -d':' -f3`" ]; then
+    sudo chown -R nova:nogroup .
+fi
+# cd ../../
+# openssl ca -extensions v3_ca -days 365 -out INTER/$NAME/cacert.pem -in reqs/inter$NAME.csr -config openssl.cnf -batch
diff --git a/nova/CA/genrootca.sh b/nova/CA/genrootca.sh
new file mode 100755
index 000000000..091cf17fc
--- /dev/null
+++ b/nova/CA/genrootca.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+if [ -f "cacert.pem" ];
+then
+    echo "Not installing, it's already done."
+else
+    cp "$(dirname $0)/openssl.cnf.tmpl" openssl.cnf
+    sed -i -e s/%USERNAME%/ROOT/g openssl.cnf
+    mkdir -p certs crl newcerts private
+    openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf -batch -nodes
+    touch index.txt
+    echo "10" > serial
+    openssl ca -gencrl -config ./openssl.cnf -out crl.pem
+fi
diff --git a/nova/CA/genvpn.sh b/nova/CA/genvpn.sh
new file mode 100755
index 000000000..7e7db185d
--- /dev/null
+++ b/nova/CA/genvpn.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+# This gets zipped and run on the cloudpipe-managed OpenVPN server
+NAME=$1
+SUBJ=$2
+
+mkdir -p projects/$NAME
+cd projects/$NAME
+
+# generate a server priv key
+openssl genrsa -out server.key 2048
+
+# generate a server CSR
+openssl req -new -key server.key -out server.csr -batch -subj "$SUBJ"
+
+novauid=`getent passwd nova | awk -F: '{print $3}'`
+if [ ! -z "${novauid}" ] && [ "`id -u`" != "${novauid}" ]; then
+    sudo chown -R nova:nogroup .
+fi
diff --git a/nova/CA/newcerts/.placeholder b/nova/CA/newcerts/.placeholder
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/nova/CA/newcerts/.placeholder
diff --git a/nova/CA/openssl.cnf.tmpl b/nova/CA/openssl.cnf.tmpl
new file mode 100644
index 000000000..dd81f1c2b
--- /dev/null
+++ b/nova/CA/openssl.cnf.tmpl
@@ -0,0 +1,90 @@
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+#
+# OpenSSL configuration file.
+#
+
+# Establish working directory.
+
+dir			= .
+
+[ ca ]
+default_ca		= CA_default
+
+[ CA_default ]
+serial			= $dir/serial
+database		= $dir/index.txt
+new_certs_dir		= $dir/newcerts
+certificate		= $dir/cacert.pem
+private_key		= $dir/private/cakey.pem
+unique_subject		= no
+default_crl_days	= 365
+default_days		= 365
+default_md		= md5
+preserve		= no
+email_in_dn		= no
+nameopt			= default_ca
+certopt			= default_ca
+policy			= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+
+[ req ]
+default_bits		= 1024			# Size of keys
+default_keyfile		= key.pem		# name of generated keys
+default_md		= md5			# message digest algorithm
+string_mask		= nombstr		# permitted characters
+distinguished_name	= req_distinguished_name
+
+[ req_distinguished_name ]
+# Variable name		  Prompt string
+#----------------------	  ----------------------------------
+0.organizationName	= Organization Name (company)
+organizationalUnitName	= Organizational Unit Name (department, division)
+emailAddress		= Email Address
+emailAddress_max	= 40
+localityName		= Locality Name (city, district)
+stateOrProvinceName	= State or Province Name (full name)
+countryName		= Country Name (2 letter code)
+countryName_min		= 2
+countryName_max		= 2
+commonName		= Common Name (hostname, IP, or your name)
+commonName_max		= 64
+
+# Default values for the above, for consistency and less typing.
+# Variable name			  Value
+#------------------------------	  ------------------------------
+0.organizationName_default	= NOVA %USERNAME%
+localityName_default		= Mountain View
+stateOrProvinceName_default	= California
+countryName_default		= US
+
+[ v3_ca ]
+basicConstraints	= CA:TRUE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always,issuer:always
+
+[ v3_req ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
diff --git a/nova/CA/private/.placeholder b/nova/CA/private/.placeholder
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/nova/CA/private/.placeholder
diff --git a/nova/CA/projects/.gitignore b/nova/CA/projects/.gitignore
new file mode 100644
index 000000000..72e8ffc0d
--- /dev/null
+++ b/nova/CA/projects/.gitignore
@@ -0,0 +1 @@
+*
diff --git a/nova/CA/projects/.placeholder b/nova/CA/projects/.placeholder
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/nova/CA/projects/.placeholder
diff --git a/nova/CA/reqs/.gitignore b/nova/CA/reqs/.gitignore
new file mode 100644
index 000000000..72e8ffc0d
--- /dev/null
+++ b/nova/CA/reqs/.gitignore
@@ -0,0 +1 @@
+*
diff --git a/nova/CA/reqs/.placeholder b/nova/CA/reqs/.placeholder
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/nova/CA/reqs/.placeholder
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 425784e8a..5d6d9537a 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -103,10 +103,17 @@ class CloudController(object):
         # Gen root CA, if we don't have one
         root_ca_path = os.path.join(FLAGS.ca_path, FLAGS.ca_file)
         if not os.path.exists(root_ca_path):
+            genrootca_sh_path = os.path.join(os.path.dirname(__file__),
+                                             os.path.pardir,
+                                             os.path.pardir,
+                                             'CA',
+                                             'genrootca.sh')
+
             start = os.getcwd()
+            os.makedirs(FLAGS.ca_path)
             os.chdir(FLAGS.ca_path)
             # TODO(vish): Do this with M2Crypto instead
-            utils.runthis(_("Generating root CA: %s"), "sh", "genrootca.sh")
+            utils.runthis(_("Generating root CA: %s"), "sh", genrootca_sh_path)
             os.chdir(start)
 
     def _get_mpi_data(self, context, project_id):
diff --git a/nova/crypto.py b/nova/crypto.py
index b112e5b92..2b122e560 100644
--- a/nova/crypto.py
+++ b/nova/crypto.py
@@ -215,9 +215,12 @@ def generate_x509_cert(user_id, project_id, bits=1024):
 
 def _ensure_project_folder(project_id):
     if not os.path.exists(ca_path(project_id)):
+        geninter_sh_path = os.path.join(os.path.dirname(__file__),
+                                        'CA',
+                                        'geninter.sh')
         start = os.getcwd()
         os.chdir(ca_folder())
-        utils.execute('sh', 'geninter.sh', project_id,
+        utils.execute('sh', geninter_sh_path, project_id,
                       _project_cert_subject(project_id))
         os.chdir(start)
 
@@ -227,13 +230,16 @@ def generate_vpn_files(project_id):
     csr_fn = os.path.join(project_folder, "server.csr")
     crt_fn = os.path.join(project_folder, "server.crt")
 
+    genvpn_sh_path = os.path.join(os.path.dirname(__file__),
+                                  'CA',
+                                  'geninter.sh')
     if os.path.exists(crt_fn):
         return
     _ensure_project_folder(project_id)
     start = os.getcwd()
     os.chdir(ca_folder())
     # TODO(vish): the shell scripts could all be done in python
-    utils.execute('sh', 'genvpn.sh',
+    utils.execute('sh', genvpn_sh_path,
                   project_id, _vpn_cert_subject(project_id))
     with open(csr_fn, "r") as csrfile:
         csr_text = csrfile.read()