changes to make CSR.issue() successfully issue certs

server-ca/CA.sh

@@ -1,5 +1,10 @@
 #!/bin/sh
-#
+
+# A fully automated robo-CA does have to have credentials stored somewhere
+# that it can use to issue certs on its own initiative!  Though ideally
+# the actual signing key would be in an HSM, not a text file.
+export PASSWORD=dang
+
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes
 #      things easier between now and when Eric is convinced to fix it :-)
@@ -158,6 +163,11 @@ case $1 in
     cat newcert.pem
     echo "Signed certificate is in newcert.pem"
     ;;
+-chocolate)
+    /bin/echo -e "y\ny\ny\n" | $CA -passin env:PASSWORD -policy policy_anything -out "$3" -infiles "$2"
+    RET=$?
+    exit $RET
+    ;;
 -signCA)
     $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
     RET=$?

server-ca/CSR.py

@@ -115,4 +115,14 @@ def issue(csr):
     # TODO: a real CA should severely restrict the content of the cert, not
     # just grant what's asked for.  (For example, the CA shouldn't trust
     # all the data in the subject field if it hasn't been validated.)
-    return "-----BEGIN CERTIFICATE-----\nThanks for the shrubbery!\n-----END CERTIFICATE-----"
+    # Therefore, we should construct a new CSR from scratch using the
+    # parsed-out data from the input CSR, and then pass that to OpenSSL.
+    cert = None
+    with tempfile.NamedTemporaryFile() as csr_tmp:
+        csr_tmp.write(csr)
+        csr_tmp.flush()
+        with tempfile.NamedTemporaryFile() as cert_tmp:
+            ret = subprocess.Popen(["./CA.sh", "-chocolate", csr_tmp.name, cert_tmp.name],shell=False,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE).wait()
+            if ret == 0:
+                cert = cert_tmp.read()
+    return cert

server-ca/demoCA/index.txt.attr

@@ -1 +1 @@
-unique_subject = yes
+unique_subject = no