From 26533fa2f838ec4842e576ed42e04e5018f8f69a Mon Sep 17 00:00:00 2001
From: Josh Karlin
Date: Thu, 10 Jun 2010 14:28:32 +0000
Subject: [PATCH] making mods for intermediate CAs for authorities

---
 sfa/server/sfa-server.py | 2 +-
 sfa/trust/hierarchy.py | 1 +
 sfa/util/server.py | 11 ++++++-----
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/sfa/server/sfa-server.py b/sfa/server/sfa-server.py
index 06393ce4..d565c131 100755
--- a/sfa/server/sfa-server.py
+++ b/sfa/server/sfa-server.py
@@ -62,7 +62,7 @@ def daemon():
 os.dup2(crashlog, 2)
 def init_server_key(server_key_file, server_cert_file, config, hierarchy):
-
+ subject = config.SFA_INTERFACE_HRN
 # check if the server's private key exists. If it doesnt,
 # get the right one from the authorities directory. If it cant be
diff --git a/sfa/trust/hierarchy.py b/sfa/trust/hierarchy.py
index e277ec51..6ab509e1 100644
--- a/sfa/trust/hierarchy.py
+++ b/sfa/trust/hierarchy.py
@@ -251,6 +251,7 @@ class Hierarchy:
 parent_auth_info = self.get_auth_info(parent_hrn)
 gid.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
 gid.set_parent(parent_auth_info.get_gid_object())
+ gid.set_intermediate_ca(True)
 gid.set_pubkey(pkey)
 gid.encode()
diff --git a/sfa/util/server.py b/sfa/util/server.py
index e6d3f3be..00854a9d 100644
--- a/sfa/util/server.py
+++ b/sfa/util/server.py
@@ -36,11 +36,10 @@ def verify_callback(conn, x509, err, depth, preverify):
 if preverify:
 #print " preverified"
 return 1
- # we're only passing single certificates, not chains
- if depth > 0:
- #print " depth > 0 in verify_callback"
- return 0
+# if depth > 0:
+# #print " depth > 0 in verify_callback"
+# return 1
 # the certificate verification done by openssl checks a number of things
 # that we aren't interested in, so we look out for those error messages
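Review bot: The new `subject = config.SFA_INTERFACE_HRN` at the top of init_server_key is not referenced by any other line in the hunk, so from here it reads as an unused local; if it is consumed further down the function that is fine, otherwise drop it or move it next to its first use. The function also has no docstring even though it now derives the key subject from configuration; a one-line docstring stating that the key/cert subject is taken from `config.SFA_INTERFACE_HRN`, followed by whatever the existing comment lines describe about the authorities-directory lookup, would make the intent explicit. init_server_key's body continues past the end of the hunk, so the use of `subject` could not be checked.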
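Review bot: `gid.set_intermediate_ca(True)` is applied unconditionally, so every GID produced by this code path becomes a CA-capable certificate; the method's signature is outside the hunk, so it should be confirmed that only authority GIDs reach this line and not slice, user or component GIDs, which would otherwise gain the ability to issue certificates. The line also needs a why-comment, e.g. `# authority GIDs must be able to issue child GIDs, so mark them as an intermediate CA`. What set_intermediate_ca sets beyond the CA flag (path length, key usage) is not visible here; since sfa/util/server.py now accepts peer chains via set_verify_depth(5), a path-length constraint is worth considering alongside this flag.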
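Review bot: The depth check is replaced by a commented-out copy that additionally flips `return 0` to `return 1`; dead code with a contradictory return value is misleading and should be deleted outright. Note what the removed lines actually did: certificates that OpenSSL preverified already returned 1 on the line above, so the `if depth > 0: return 0` only rejected chain certificates that had failed OpenSSL's own verification — removing it therefore exists to let failing intermediate or root certificates fall through to the lenient error filter that follows. That filter is outside the hunk; if it tolerates errors such as an untrusted issuer, that tolerance now applies to CA certificates in a peer's chain and not just to leaves, which should be checked before merging. If the lenient handling is only meant for the leaf, the filter could be made depth-aware, e.g. `# only leaf-certificate errors are filtered; chain certificates must pass OpenSSL verification` above a `if depth > 0: return 0` kept in place, or the filter itself conditioned on `depth == 0`.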
@@ -149,9 +148,11 @@ class SecureXMLRPCServer(BaseHTTPServer.HTTPServer,SimpleXMLRPCServer.SimpleXMLR
 SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None)
 SocketServer.BaseServer.__init__(self, server_address, HandlerClass)
 ctx = SSL.Context(SSL.SSLv23_METHOD)
- ctx.use_privatekey_file(key_file)
+ ctx.use_privatekey_file(key_file)
 ctx.use_certificate_file(cert_file)
+ #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')
 ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
+ ctx.set_verify_depth(5)
 ctx.set_app_data(self)
 self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
-- 
2.47.0
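Review bot: `ctx.set_verify_depth(5)` is a bare magic number with no comment, and the commented-out `#ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')` with a hard-coded path should not be committed; delete it, or turn it into a real call driven by configuration. set_verify_depth only bounds how long a presented chain may be and loads no trust anchors, and nothing in this hunk shows where the context learns which roots to trust, so chain verification for peers presenting intermediate authority GIDs rests entirely on verify_callback unless anchors are loaded elsewhere — worth confirming. A comment such as `# bound on the chain length a peer may present; each certificate in it is passed to verify_callback` would document the intent. The enclosing __init__ begins above the hunk.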