From c196bef0ab6186a67275a04aeacb4c94bcc92f88 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Mon, 2 Jul 2012 12:03:28 -0700
Subject: [PATCH] infrastructure for actually issuing cert

---
 client-webserver/REDIS        | 1 +
 client-webserver/chocolate.py | 23 +++++++++++++++++++++--
 client-webserver/daemon.py    | 2 ++
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/client-webserver/REDIS b/client-webserver/REDIS
index 9699276c0..0c14c23bb 100644
--- a/client-webserver/REDIS
+++ b/client-webserver/REDIS
@@ -19,6 +19,7 @@ hash:
   sessionid, "created" → int
   sessionid, "csr" → str
   sessionid, "state" → str
   sessionid, "challenges → int
+  sessionid, "cert" → str
 list:
   session:names → str
diff --git a/client-webserver/chocolate.py b/client-webserver/chocolate.py
index 2de38c453..9a20ff119 100755
--- a/client-webserver/chocolate.py
+++ b/client-webserver/chocolate.py
@@ -101,6 +101,10 @@ class session(object):
         """Has there already been a signing request made in this session?"""
         return sessions.hget(self.id, "state") is not None
 
+    def cert(self):
+        """Return the issued certificate."""
+        return sessions.hget(self.id, "cert")
+
     def add_request(self, csr, names):
         sessions.hset(self.id, "csr", csr)
         for name in names: sessions.lpush(self.id + ":names", name)
@@ -113,6 +117,14 @@ class session(object):
         for i in xrange(n):
             yield r.hgetall("session:%d" % i)
 
+    def send_cert(self, m, r):
+        """Initialize response to return issued cert to client."""
+        if self.cert():
+            r.success.certificate = self.cert()
+        else:
+            self.die(r, r.BadRequest, uri="https://ca.example.com/failures/internalerror")
+            return
+
     def handlesession(self, m, r):
         if r.failure.IsInitialized(): return
         if m.session == "":
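Review bot: The docstring on the new `cert()` method does not say what callers get before issuance has happened, yet the method just above it relies on `hget` returning `None` for an unset field and the new `send_cert` relies on the same for `cert()`. Suggest `"""Return the issued certificate, or None if no cert has been stored for this session yet."""` so the `None` case is part of the documented contract rather than an accident of the Redis client. The enclosing class `session` starts and ends outside the hunk.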
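Review bot: `send_cert` reads the `cert` field from Redis twice, once in `if self.cert():` and again in `r.success.certificate = self.cert()`, so the value that is checked is not necessarily the value that is sent if the daemon rewrites the field between the two reads; read it once with `cert = self.cert()` / `if cert:` / `r.success.certificate = cert`. The `return` at the end of the `else` branch is redundant, since it is already the last statement of the method, and dropping it makes the two branches read symmetrically. Note also that the method forwards whatever bytes are stored under `cert` without any check that it is a certificate, so correctness of what the client receives rests entirely on the daemon only ever writing a real cert there. The `handlesession` method that follows continues outside the hunk.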
@@ -135,6 +147,11 @@ class session(object):
             # Don't need to, or can't, kill nonexistent/already dead session
             r.failure.cause = r.StaleRequest
         elif self.age() > MaximumSessionAge:
+            # TODO: Sessions in state "done" should probably not be killed by timeout
+            # because they have already resulted in issuance of a cert and no further
+            # issuance can occur. At least, their timeout should probably be extended
+            # to 48 hours or something. Currently, a session can die by timeout in
+            # any state.
             self.die(r, r.StaleRequest)
         else:
             self.handleexistingsession(m, r)
@@ -214,8 +231,10 @@ class session(object):
         if state == "testchallenge":
             self.send_challenges(m, r)
             return
-        # If we're in done, tell the client to come back later.
-        pass
+        # If we're in done, tell the client about the successfully issued cert.
+        if state == "done":
+            self.send_cert(m, r)
+            return
         # Unknown session status.
         self.die(r, r.BadRequest, uri="https://ca.example.com/failures/internalerror")
         return
diff --git a/client-webserver/daemon.py b/client-webserver/daemon.py
index 9c80fa094..286a1fa44 100644
--- a/client-webserver/daemon.py
+++ b/client-webserver/daemon.py
@@ -65,6 +65,8 @@ def testchallenge(session):
 # conditions are
 
 def issue(session):
+    # TODO: actually issue the cert
+    r.hset(session, "cert", "----ISSUED CERT GOES HERE----")
     if False: # once issuing cert succeeded
         r.hset(session, "state", "done")
         r.lpush("pending-done", session)
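Review bot: The TODO added above `self.die(r, r.StaleRequest)` describes a gap that this commit makes user-visible: the age check runs before the state dispatch, so a client that comes back for its certificate after `MaximumSessionAge` has its "done" session killed instead of reaching the new `send_cert` path in the later hunk. If done sessions are meant to survive until the cert is collected, the narrowest change is to exclude them from the timeout branch, e.g. `elif self.age() > MaximumSessionAge and sessions.hget(self.id, "state") != "done":`; whether done sessions should instead get a separate, longer retention is the design question the TODO leaves open. The enclosing `handlesession` method starts outside the hunk.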
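Review bot: `r.hset(session, "cert", "----ISSUED CERT GOES HERE----")` runs unconditionally, before the `if False:` success guard, so the placeholder is stored for every session that reaches `issue`, and because the client-side `send_cert` in this same commit only tests the field for truthiness, the placeholder would be delivered to clients as a certificate as soon as the "done" transition is enabled. The `cert` write belongs on the success path together with the `state` transition, and the two should be written atomically so no reader can observe state "done" without a cert or a cert without "done"; with a redis-py client (which `r` appears to be, given `hset`/`lpush`) that is a `pipeline()` holding both `hset` calls and the `lpush`. Until real issuance exists, leaving the field unset is safer than a placeholder that the rest of the system cannot distinguish from a real cert. `issue()` may continue past the end of the hunk.
```python
def issue(session):
    # TODO: actually issue the cert; until then nothing is written to "cert"
    if False: # once issuing cert succeeded
        # Store cert and state together so no reader sees "done" without a cert.
        # `cert` stands for the value real issuance will produce.
        with r.pipeline() as p:
            p.hset(session, "cert", cert)
            p.hset(session, "state", "done")
            p.lpush("pending-done", session)
            p.execute()
    # … unchanged: remainder of issue(), if any …
```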