support for distributing certificate chain file

client-webserver/client.py

@@ -27,6 +27,7 @@ else:
     key_file = "key.pem"
 
 cert_file = "cert.pem"     # we should use getopt to set all of these
+chain_file = "chain.pem"
 
 def rsa_sign(key, data):
     """
@@ -126,7 +127,11 @@ while r.challenge or r.proceed.IsInitialized():
 if r.success.IsInitialized():
     with open(cert_file, "w") as f:
         f.write(r.success.certificate)
+    if r.success.chain:
+        with open(chain_file, "w") as f:
+            f.write(r.success.chain)
     print "Server issued certificate; certificate written to " + cert_file
+    if r.success.chain: print "Cert chain written to " + chain_file
 elif r.failure.IsInitialized():
     print "Server reported failure."
     sys.exit(1)

server-ca/chocolate.py

@@ -11,6 +11,7 @@ from google.protobuf.message import DecodeError
 from CONFIG import chocolate_server_name, min_keysize, difficulty, polldelay
 from CONFIG import max_names, max_csr_size, maximum_session_age
 from CONFIG import maximum_challenge_age, hashcash_expiry, extra_name_blacklist
+from CONFIG import cert_chain_file
 
 try:
     chocolate_server_name = open("SERVERNAME").read().rstrip()
@@ -129,6 +130,12 @@ class session(object):
         """Initialize response to return issued cert to client."""
         if self.cert():
             r.success.certificate = self.cert()
+            if cert_chain_file:
+                try:
+                    r.success.chain = open(cert_chain_file).read()
+                except IOError:
+                    # Whoops!
+                    pass
         else:
             self.die(r, r.BadRequest, uri="https://ca.example.com/failures/internalerror")
         return

server-ca/chocolate_protocol.proto

@@ -68,7 +68,7 @@ message chocolatemessage {
 
 	message Success {
 	     required string certificate = 1;
-             optional string chain 2;
+             optional string chain = 2;
 	}