ovs-pki: Remove "online PKI" features and ovs-pki-cgi.

Debian bug #683665, Red Hat bug #845350, and CVE-2012-3449 all claim that
ovs-pki's "incoming" directory is a security vulnerability.  I do not think
that this is the case, but I do not know of any users for this feature, so
on balance I prefer to remove it and the ovs-pki-cgi program associated
with it, just to be sure.

CVE-2012-3449.
Bug-report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665
Bug-report: https://bugzilla.redhat.com/show_bug.cgi?id=84535
Reported-by: Andreas Beckmann <debian@abeckmann.de>
Signed-off-by: Ben Pfaff <blp@nicira.com>

4 files changed, 6 insertions, 286 deletions

diff --git a/utilities/automake.mk b/utilities/automake.mk
index 7bb2c6d61..fdd26b825 100644
--- a/utilities/automake.mk
+++ b/utilities/automake.mk
@@ -13,7 +13,6 @@ bin_SCRIPTS += \
 	utilities/ovs-test \
 	utilities/ovs-vlan-test
 endif
-noinst_SCRIPTS += utilities/ovs-pki-cgi
 scripts_SCRIPTS += \
 	utilities/ovs-check-dead-ifs \
 	utilities/ovs-ctl \
@@ -27,7 +26,6 @@ EXTRA_DIST += \
 	utilities/ovs-lib.in \
 	utilities/ovs-parse-leaks.in \
 	utilities/ovs-pcap.in \
-	utilities/ovs-pki-cgi.in \
 	utilities/ovs-pki.in \
 	utilities/ovs-save \
 	utilities/ovs-tcpundump.in \
@@ -65,7 +63,6 @@ DISTCLEANFILES += \
 	utilities/ovs-pcap \
 	utilities/ovs-pcap.1 \
 	utilities/ovs-pki \
-	utilities/ovs-pki-cgi \
 	utilities/ovs-pki.8 \
 	utilities/ovs-tcpundump \
 	utilities/ovs-tcpundump.1 \
diff --git a/utilities/ovs-pki-cgi.in b/utilities/ovs-pki-cgi.in
deleted file mode 100755
index 3ef900ef5..000000000
--- a/utilities/ovs-pki-cgi.in
+++ /dev/null
@@ -1,55 +0,0 @@
-#! @PERL@
-
-# Copyright (c) 2008, 2009 Nicira, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-use CGI;
-use Digest::SHA1;
-use Fcntl;
-
-$CGI::POST_MAX = 65536;    # Limit POSTs to 64 kB.
-
-use strict;
-use warnings;
-
-my $pkidir = '@PKIDIR@';
-my $q = new CGI;
-
-die unless $q->request_method() eq 'POST';
-
-my $type = $q->param('type');
-die unless defined $type;
-die unless $type eq 'switch' or $type eq 'controller';
-
-my $req = $q->param('req');
-die unless defined $req;
-die unless $req =~ /^-----BEGIN CERTIFICATE REQUEST-----$/m;
-die unless $req =~ /^-----END CERTIFICATE REQUEST-----$/m;
-
-my $digest = Digest::SHA1::sha1_hex($req);
-my $incoming = "$pkidir/${type}ca/incoming";
-my $dst = "$incoming/$digest-req.pem";
-
-sysopen(REQUEST, "$dst.tmp", O_RDWR | O_CREAT | O_EXCL, 0600)
-  or die "sysopen $dst.tmp: $!";
-print REQUEST $req;
-close(REQUEST) or die "close $dst.tmp: $!";
-
-rename("$dst.tmp", $dst) or die "rename $dst.tmp to $dst: $!";
-
-print $q->header('text/html', '204 No response');
-
-# Local Variables:
-# mode: perl
-# End:
diff --git a/utilities/ovs-pki.8.in b/utilities/ovs-pki.8.in
index e40fdeea4..f602ac82b 100644
--- a/utilities/ovs-pki.8.in
+++ b/utilities/ovs-pki.8.in
@@ -9,9 +9,11 @@
 ovs\-pki \- OpenFlow public key infrastructure management utility
 
 .SH SYNOPSIS
+Each command takes the form:
+.sp
 \fBovs\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR]
 .sp
-Stand\-alone commands with their arguments:
+The implemented commands and their arguments are:
 .br
 \fBovs\-pki\fR \fBinit\fR
 .br
@@ -27,20 +29,6 @@ Stand\-alone commands with their arguments:
 .br
 \fBovs\-pki\fR \fBself\-sign\fR \fINAME\fR
 .sp
-The following additional commands manage an online PKI:
-.br
-\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
-.sp
 Each \fITYPE\fR above is a certificate type, either \fBswitch\fR
 (default) or \fBcontroller\fR.
 .sp
@@ -195,85 +183,6 @@ been produced with \fBovs\-pki req\fR.
 
 Some controllers accept such self-signed certificates.
 
-.SH "ONLINE COMMANDS"
-
-An OpenFlow PKI can be administered online, in conjunction with
-.BR ovs\-pki\-cgi (8)
-and a web server such as Apache:
-
-.IP \(bu
-The web server exports the contents of the PKI via HTTP.  All files in
-a PKI hierarchy files may be made public, except for the files
-\fBpki/controllerca/private/cakey.pem\fR and
-\fBpki/switchca/private/cakey.pem\fR, which must not be exposed.
-
-.IP \(bu
-\fBovs\-pki\-cgi\fR allows newly generated certificate requests for
-controllers and switches to be uploaded into the
-\fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR
-directories, respectively.  Uploaded certificate requests are stored
-in those directories under names of the form
-\fIFINGERPRINT\fB\-req.pem\fR, which \fIFINGERPRINT\fR is the SHA\-1
-hash of the file.
-
-.IP \(bu
-These \fBovs\-pki\fR commands allow incoming certificate requests to
-be approved or rejected, in a form are suitable for use by humans or
-other software.
-
-.PP
-The following \fBovs\-pki\fR commands support online administration:
-
-.TP
-\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
-Lists all of the incoming certificate requests of the given \fITYPE\fR
-(either \fBswitch\fR, the default, or \fBcontroller\fR).  If
-\fIPREFIX\fR, which must be at least 4 characters long, is specified,
-it causes the list to be limited to files whose names begin with
-\fIPREFIX\fR.  This is useful, for example, to avoid typing in an
-entire fingerprint when checking that a specific certificate request
-has been received.
-
-.TP
-\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
-Deletes all certificate requests of the given \fITYPE\fR.
-
-.TP
-\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
-Rejects the certificate request whose name begins with \fIPREFIX\fR,
-which must be at least 4 characters long, of the given type (either
-\fBswitch\fR, the default, or \fBcontroller\fR).  \fIPREFIX\fR must
-match exactly one certificate request; its purpose is to allow the
-user to type fewer characters, not to match multiple certificate
-requests.
-
-.TP
-\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
-Approves the certificate request whose name begins with \fIPREFIX\fR,
-which must be at least 4 characters long, of the given \fITYPE\fR
-(either \fBswitch\fR, the default, or \fBcontroller\fR).  \fIPREFIX\fR
-must match exactly one certificate request; its purpose is to allow
-the user to type fewer characters, not to match multiple certificate
-requests.
-
-The command will output a fingerprint to stdout and request that you
-verify that it is correct.  (The \fB\-b\fR or \fB\-\^\-batch\fR option
-suppresses the verification step.)
-
-.TP
-\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
-Prompts the user for each incoming certificate request of the given
-\fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR).
-Based on the certificate request's fingerprint, the user is given the
-option of approving, rejecting, or skipping the certificate request.
-
-.TP
-\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
-
-Rejects all the incoming certificate requests, of either type, that is
-older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR,
-\fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR.  The default is \fB1day\fR.
-
 .SH OPTIONS
 .IP "\fB\-k\fR \fItype\fR"
 .IQ "\fB\-\^\-key=\fItype\fR"
@@ -306,7 +215,7 @@ The default is \fBdsaparam.pem\fR under the PKI hierarchy.
 .IP "\fB\-b\fR"
 .IQ "\fB\-\^\-batch\fR"
 Suppresses the interactive verification of fingerprints that the
-\fBsign\fR and \fBapprove\fR commands by default require.
+\fBsign\fR command by default requires.
 
 .IP "\fB\-d\fR \fIdir\fR"
 .IQ "\fB\-\^\-dir=\fR\fIdir\fR"
@@ -330,5 +239,4 @@ Prints a help usage message and exits.
 
 .SH "SEE ALSO"
 
-.BR ovs\-controller (8),
-.BR ovs\-pki\-cgi (8)
+.BR ovs\-controller (8).
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 2dc40603e..2a67d5387 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -95,20 +95,6 @@ The valid stand-alone commands and their arguments are:
   fingerprint FILE     Prints the fingerprint for FILE
   self-sign NAME       Sign NAME-req.pem with NAME-privkey.pem,
                        producing self-signed certificate NAME-cert.pem
-
-The following additional commands manage an online PKI:
-  ls [PREFIX] [TYPE]   Lists incoming requests of the given TYPE, optionally 
-                       limited to those whose fingerprint begins with PREFIX
-  flush [TYPE]         Rejects all incoming requests of the given TYPE
-  reject PREFIX [TYPE] Rejects the incoming request(s) whose fingerprint begins
-                       with PREFIX and has the given TYPE
-  approve PREFIX [TYPE] Approves the incoming request whose fingerprint begins
-                       with PREFIX and has the given TYPE
-  expire [AGE]         Rejects all incoming requests older than AGE, in
-                       one of the forms Ns, Nmin, Nh, Nday (default: 1day)
-  prompt [TYPE]        Interactively prompts to accept or reject each incoming
-                       request of the given TYPE
-
 Each TYPE above is a certificate type: 'switch' (default) or 'controller'.
 
 Options for 'init', 'req', and 'req+sign' only:
@@ -117,7 +103,7 @@ Options for 'init', 'req', and 'req+sign' only:
                          this has an effect only on 'init'.
   -D, --dsaparam=FILE  File with DSA parameters (DSA only)
                          (default: dsaparam.pem within PKI directory)
-Options for use with the 'sign' and 'approve' commands:
+Options for use with the 'sign' command:
   -b, --batch          Skip fingerprint verification
 Options that apply to any command:
   -d, --dir=DIR        Directory where the PKI is located
@@ -251,7 +237,6 @@ if test "$command" = "init"; then
 
         mkdir -p certs crl newcerts
         mkdir -p -m 0700 private
-        mkdir -p -m 0733 incoming
         touch index.txt
         test -e crlnumber || echo 01 > crlnumber
         test -e serial || echo 01 > serial
@@ -334,13 +319,6 @@ one_arg() {
     fi
 }
 
-zero_or_one_args() {
-    if test -n "$arg2"; then
-        echo "$0: $command must have zero or one arguments; use --help for help" >&2
-        exit 1
-    fi
-}
-
 one_or_two_args() {
     if test -z "$arg1"; then
         echo "$0: $command must have one or two arguments; use --help for help" >&2
@@ -355,38 +333,6 @@ must_not_exist() {
     fi
 }
 
-resolve_prefix() {
-    test -n "$type" || exit 123 # Forgot to call check_type?
-
-    case $1 in
-        ????*)
-            ;;
-        *)
-            echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2
-            exit 0
-            ;;
-    esac
-    
-    fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem | sed 's/-req\.pem$//')
-    case $fingerprint in
-        "${1}*")
-            echo "No certificate requests matching $1" >&2
-            exit 1
-            ;;
-        *" "*)
-            echo "$1 matches more than one certificate request:" >&2
-            echo $fingerprint | sed 's/ /\
-/g' >&2
-            exit 1
-            ;;
-        *)
-            # Nothing to do.
-            ;;
-    esac
-    req="$pkidir/${type}ca/incoming/$fingerprint-req.pem"
-    cert="$pkidir/${type}ca/certs/$fingerprint-cert.pem"
-}
-
 make_tmpdir() {
     TMP=/tmp/ovs-pki.tmp$$
     rm -rf $TMP
@@ -571,82 +517,6 @@ elif test "$command" = self-sign; then
     # Reset the permissions on the certificate to the user's default.
     cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
     rm -f "$arg1-cert.pem.tmp"
-elif test "$command" = ls; then
-    check_type "$arg2"
-
-    cd "$pkidir/${type}ca/incoming"
-    for file in $(glob "$arg1*-req.pem"); do
-        fingerprint $file
-    done
-elif test "$command" = flush; then
-    check_type "$arg1"
-
-    rm -f "$pkidir/${type}ca/incoming/"*
-elif test "$command" = reject; then
-    one_or_two_args
-    check_type "$arg2"
-    resolve_prefix "$arg1"
-
-    rm -f "$req"
-elif test "$command" = approve; then
-    one_or_two_args
-    check_type "$arg2"
-    resolve_prefix "$arg1"
-
-    make_tmpdir
-    cp "$req" "$TMP/$req"
-    verify_fingerprint "$TMP/$req"
-    sign_request "$TMP/$req"
-    rm -f "$req" "$TMP/$req"
-elif test "$command" = prompt; then
-    zero_or_one_args
-    check_type "$arg1"
-
-    make_tmpdir
-    cd "$pkidir/${type}ca/incoming"
-    for req in $(glob "*-req.pem"); do
-        cp "$req" "$TMP/$req"
-
-        cert=$(echo "$pkidir/${type}ca/certs/$req" |
-               sed 's/-req.pem/-cert.pem/')
-        if test -f $cert; then
-            echo "Request $req already approved--dropping duplicate request"
-            rm -f "$req" "$TMP/$req"
-            continue
-        fi
-
-        echo
-        echo
-        fingerprint "$TMP/$req" "$req"
-        printf "Disposition for this request (skip/approve/reject)? "
-        read answer
-        case $answer in
-            approve)
-                echo "Approving $req"
-                sign_request "$TMP/$req" "$cert"
-                rm -f "$req" "$TMP/$req"
-                ;;
-            r*)
-                echo "Rejecting $req"
-                rm -f "$req" "$TMP/$req"
-                ;;
-            *)
-                echo "Skipping $req"
-                ;;
-        esac
-    done
-elif test "$command" = expire; then
-    zero_or_one_args
-    cutoff=$(($(date +%s) - $(parse_age ${arg1-1day})))
-    for type in switch controller; do
-        cd "$pkidir/${type}ca/incoming" || exit 1
-        for file in $(glob "*"); do
-            time=$(file_mod_epoch "$file")
-            if test "$time" -lt "$cutoff"; then
-                rm -f "$file"
-            fi
-        done
-    done
 else
     echo "$0: $command command unknown; use --help for help" >&2
     exit 1