From ac3441a972e8576eb1c4e5ef0b58ec23b83ac14f Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Mon, 9 Jul 2012 00:01:19 -0700 Subject: [PATCH] changes to make CSR.issue() successfully issue certs --- server-ca/CA.sh | 12 +++++++++++- server-ca/CSR.py | 12 +++++++++++- server-ca/demoCA/index.txt.attr | 2 +- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/server-ca/CA.sh b/server-ca/CA.sh index 7ad6b8c52..488c917af 100755 --- a/server-ca/CA.sh +++ b/server-ca/CA.sh @@ -1,5 +1,10 @@ #!/bin/sh -# + +# A fully automated robo-CA does have to have credentials stored somewhere +# that it can use to issue certs on its own initiative! Though ideally +# the actual signing key would be in an HSM, not a text file. +export PASSWORD=dang + # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes # things easier between now and when Eric is convinced to fix it :-) @@ -158,6 +163,11 @@ case $1 in cat newcert.pem echo "Signed certificate is in newcert.pem" ;; +-chocolate) + /bin/echo -e "y\ny\ny\n" | $CA -passin env:PASSWORD -policy policy_anything -out "$3" -infiles "$2" + RET=$? + exit $RET + ;; -signCA) $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem RET=$? diff --git a/server-ca/CSR.py b/server-ca/CSR.py index 3d4225a74..3b54705ec 100644 --- a/server-ca/CSR.py +++ b/server-ca/CSR.py 
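Review bot: `export PASSWORD=dang` commits the CA key passphrase to version control inside an executable script and exports it into the environment of every process CA.sh spawns, not only the `openssl ca` invocation that needs it. The comment above it already concedes the key belongs in an HSM; short of that, keep the passphrase out of the repository and out of the environment by reading it from a mode-0600 file at the one call site, e.g. `-passin file:/etc/robo-ca/passphrase`, and drop the `export`. If the variable has to stay, at least make the script fail loudly when the operator has not set it instead of shipping a default: `: "${PASSWORD:?CA passphrase not set}"`.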
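Review bot: The new `-chocolate` case signs whatever is in `"$2"` with `-policy policy_anything` and auto-confirms every prompt with the piped `y` lines, so nothing in this script constrains the subject or extensions that end up in the certificate; that restriction has to happen before the CSR reaches this point (the TODO in CSR.py names the same gap), and a comment on the case should say so, e.g. `# no validation here: caller must have already restricted the CSR contents`. The prompt-feeding is also fragile, since it answers `y` to any question the tool might ask rather than just the two signing confirmations, and `openssl ca` has a flag for exactly this: `$CA -batch -passin env:PASSWORD -policy policy_anything -out "$3" -infiles "$2"`. The definition of `$CA` lies outside this hunk.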
@@ -115,4 +115,14 @@ def issue(csr): # TODO: a real CA should severely restrict the content of the cert, not # just grant what's asked for. (For example, the CA shouldn't trust # all the data in the subject field if it hasn't been validated.) - return "-----BEGIN CERTIFICATE-----\nThanks for the shrubbery!\n-----END CERTIFICATE-----" + # Therefore, we should construct a new CSR from scratch using the + # parsed-out data from the input CSR, and then pass that to OpenSSL. + cert = None + with tempfile.NamedTemporaryFile() as csr_tmp: + csr_tmp.write(csr) + csr_tmp.flush() + with tempfile.NamedTemporaryFile() as cert_tmp: + ret = subprocess.Popen(["./CA.sh", "-chocolate", csr_tmp.name, cert_tmp.name],shell=False,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE).wait() + if ret == 0: + cert = cert_tmp.read() + return cert diff --git a/server-ca/demoCA/index.txt.attr b/server-ca/demoCA/index.txt.attr index 8f7e63a34..3a7e39e6e 100644 --- a/server-ca/demoCA/index.txt.attr +++ b/server-ca/demoCA/index.txt.attr @@ -1 +1 @@ -unique_subject = yes +unique_subject = no
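Review bot: The bytes in `csr` are written to the temp file unchanged and handed to `./CA.sh -chocolate`, which in this same commit signs them with `-policy policy_anything`, so the subject and any requested extensions of the issued certificate are entirely caller-controlled; the new comment says a fresh CSR should be rebuilt from validated fields, but the code does not do that yet, so the comment should state the current state plainly, e.g. `# FIXME: the CSR is currently passed through unvalidated; do not expose issue() to untrusted requesters until the subject/extensions are rebuilt from validated data.` Separately, `Popen(..., stdout=PIPE, stderr=PIPE).wait()` never drains the pipes, so if `openssl ca` emits more than a pipe buffer's worth of output the child blocks and `wait()` never returns; use `proc = subprocess.Popen(...)`, then `_out, _err = proc.communicate()`, and test `proc.returncode == 0`. The `stdin=subprocess.PIPE` handle is likewise never written to or closed, so a child that reads stdin would hang; passing `stdin=open(os.devnull)` (importing `os` if the module does not already) is safer. `issue()` begins before this hunk.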
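Review bot: Setting `unique_subject = no` removes the only check `openssl ca` was making against issuing a second certificate for a subject already recorded in `index.txt`, and combined with the `-policy policy_anything` signing path added in the same commit nothing now stops a requester from obtaining a certificate whose subject duplicates one already issued to someone else. That is reasonable if re-issuance is the goal, but the duplicate/ownership check then has to live in CSR.py before `issue()` is called, and the commit message should say that this is where it moved. Note that `openssl ca` rewrites this file on each run, so any explanatory comment belongs in CSR.py or CA.sh rather than here.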