From 2ba0eae5d6f5c41a3472d9ff1a4642652bdc575f Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Fri, 20 Jul 2012 18:37:47 -0700
Subject: [PATCH] support for distributing certificate chain file

---
 client-webserver/client.py | 5 +++++
 server-ca/chocolate.py | 7 +++++++
 server-ca/chocolate_protocol.proto | 2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index 44a77da75..a483785ca 100755
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
@@ -27,6 +27,7 @@ else:
 key_file = "key.pem"
 cert_file = "cert.pem"
 # we should use getopt to set all of these
+chain_file = "chain.pem"
 
 def rsa_sign(key, data):
 """
@@ -126,7 +127,11 @@ while r.challenge or r.proceed.IsInitialized():
 if r.success.IsInitialized():
 with open(cert_file, "w") as f:
 f.write(r.success.certificate)
+if r.success.chain:
+with open(chain_file, "w") as f:
+f.write(r.success.chain)
 print "Server issued certificate; certificate written to " + cert_file
+if r.success.chain: print "Cert chain written to " + chain_file
 elif r.failure.IsInitialized():
 print "Server reported failure."
 sys.exit(1)
diff --git a/server-ca/chocolate.py b/server-ca/chocolate.py
index 7aa736279..913493fc4 100755
--- a/server-ca/chocolate.py
+++ b/server-ca/chocolate.py
@@ -11,6 +11,7 @@ from google.protobuf.message import DecodeError
 from CONFIG import chocolate_server_name, min_keysize, difficulty, polldelay
 from CONFIG import max_names, max_csr_size, maximum_session_age
 from CONFIG import maximum_challenge_age, hashcash_expiry, extra_name_blacklist
+from CONFIG import cert_chain_file
 
 try:
 chocolate_server_name = open("SERVERNAME").read().rstrip()
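Review bot: The payload in `r.success.chain` is written to `chain_file` exactly as the server sent it, with no check that it parses as PEM certificates or that it actually chains to the certificate written two lines above; a truncated or mismatched chain silently overwrites a working chain file and only surfaces when the web server next reloads its configuration. I would confirm the payload contains a `-----BEGIN CERTIFICATE-----` block before the write and print a warning instead of writing when it does not. The `if r.success.chain:` test is also repeated two lines apart with a one-line `if …: print` in between; moving the print into the first block, `with open(chain_file, "w") as f: f.write(r.success.chain)` followed by `print "Cert chain written to " + chain_file`, keeps the two writes and their messages together and drops the compound statement. The enclosing `while` loop begins outside the hunk.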
@@ -129,6 +130,12 @@ class session(object):
 """Initialize response to return issued cert to client."""
 if self.cert():
 r.success.certificate = self.cert()
+if cert_chain_file:
+try:
+r.success.chain = open(cert_chain_file).read()
+except IOError:
+# Whoops!
+pass
 else:
 self.die(r, r.BadRequest, uri="https://ca.example.com/failures/internalerror")
 return
diff --git a/server-ca/chocolate_protocol.proto b/server-ca/chocolate_protocol.proto
index 8c122745c..7cb8c67ec 100644
--- a/server-ca/chocolate_protocol.proto
+++ b/server-ca/chocolate_protocol.proto
@@ -68,7 +68,7 @@ message chocolatemessage {
 message Success {
 required string certificate = 1;
-optional string chain 2;
+optional string chain = 2;
 }
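Review bot: The `except IOError: pass` in the added block swallows a missing or unreadable `cert_chain_file`, so the CA quietly issues certificates without a chain and the operator gets no indication that the configured path is wrong; the failure should at least be logged, or the chain read once at startup next to the `from CONFIG import cert_chain_file` line so a bad path fails before any client is served. The file is also opened without a context manager and re-read on every successful response; `with open(cert_chain_file) as f:` / `r.success.chain = f.read()` closes the handle deterministically, and reading it once at import time would remove the per-request disk access entirely. The `# Whoops!` comment should say what is being tolerated, e.g. `# chain file configured but unreadable; issue the cert without a chain`. The method this hunk patches (in `class session`) begins outside the hunk.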