[utils.git] / acmecert

#!/usr/bin/python3

import sys, os, getopt, binascii, json, pprint, signal, time
import urllib.request
import Crypto.PublicKey.RSA, Crypto.Random, Crypto.Hash.SHA256, Crypto.Signature.PKCS1_v1_5

service = "https://acme-v02.api.letsencrypt.org/directory"
_directory = None
def directory():
    global _directory
    if _directory is None:
        with req(service) as resp:
            _directory = json.loads(resp.read().decode("utf-8"))
    return _directory

def base64url(dat):
    return binascii.b2a_base64(dat).decode("us-ascii").translate({43: 45, 47: 95, 61: None}).strip()

def ebignum(num):
    h = "%x" % num
    if len(h) % 2 == 1: h = "0" + h
    return base64url(binascii.a2b_hex(h))

def getnonce():
    with urllib.request.urlopen(directory()["newNonce"]) as resp:
        resp.read()
        return resp.headers["Replay-Nonce"]

def req(url, data=None, ctype=None, headers={}, method=None, **kws):
    if data is not None and not isinstance(data, bytes):
        data = json.dumps(data).encode("utf-8")
        ctype = "application/jose+json"
    req = urllib.request.Request(url, data=data, method=method)
    for hnam, hval in headers.items():
        req.add_header(hnam, hval)
    if ctype is not None:
        req.add_header("Content-Type", ctype)
    return urllib.request.urlopen(req)

def jreq(url, data, auth):
    authdata = {"alg": "RS256", "url": url, "nonce": getnonce()}
    authdata.update(auth.authdata())
    authdata = base64url(json.dumps(authdata).encode("us-ascii"))
    if data is None:
        data = ""
    else:
        data = base64url(json.dumps(data).encode("us-ascii"))
    seal = base64url(auth.sign(("%s.%s" % (authdata, data)).encode("us-ascii")))
    enc = {"protected": authdata, "payload": data, "signature": seal}
    with req(url, data=enc) as resp:
        return json.loads(resp.read().decode("utf-8")), resp.headers

class signreq(object):
    def domains(self):
        # No PCKS10 parser for Python?
        import subprocess, re
        with subprocess.Popen(["openssl", "req", "-noout", "-text"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl:
            openssl.stdin.write(self.data.encode("us-ascii"))
            openssl.stdin.close()
            resp = openssl.stdout.read().decode("utf8")
            if openssl.wait() != 0:
                raise Exception("openssl error")
        m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*((\w+:\S+,\s*)*\w+:\S+)\s*\n", resp)
        if m is None:
            return []
        ret = []
        for nm in m.group(1).split(","):
            nm = nm.strip()
            typ, nm = nm.split(":", 1)
            if typ == "DNS":
                ret.append(nm)
        return ret

    def der(self):
        import subprocess
        with subprocess.Popen(["openssl", "req", "-outform", "der"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl:
            openssl.stdin.write(self.data.encode("us-ascii"))
            openssl.stdin.close()
            resp = openssl.stdout.read()
            if openssl.wait() != 0:
                raise Exception("openssl error")
        return resp

    @classmethod
    def read(cls, fp):
        self = cls()
        self.data = fp.read()
        return self

class jwkauth(object):
    def __init__(self, key):
        self.key = key

    def authdata(self):
        return {"jwk": {"kty": "RSA", "e": ebignum(self.key.e), "n": ebignum(self.key.n)}}

    def sign(self, data):
        dig = Crypto.Hash.SHA256.new()
        dig.update(data)
        return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig)

class account(object):
    def __init__(self, uri, key):
        self.uri = uri
        self.key = key

    def authdata(self):
        return {"kid": self.uri}

    def sign(self, data):
        dig = Crypto.Hash.SHA256.new()
        dig.update(data)
        return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig)

    def getinfo(self):
        data, headers = jreq(self.uri, None, self)
        return data

    def validate(self):
        data = self.getinfo()
        if data.get("status", "") != "valid":
            raise Exception("account is not valid: %s" % (data.get("status", "\"\"")))

    def write(self, out):
        out.write("%s\n" % (self.uri,))
        out.write("%s\n" % (self.key.exportKey().decode("us-ascii"),))

    @classmethod
    def read(cls, fp):
        uri = fp.readline()
        if uri == "":
            raise Exception("missing account URI")
        uri = uri.strip()
        key = Crypto.PublicKey.RSA.importKey(fp.read())
        return cls(uri, key)

class htconfig(object):
    def __init__(self):
        self.roots = {}

    @classmethod
    def read(cls, fp):
        self = cls()
        for ln in fp:
            words = ln.split()
            if len(words) < 1 or ln[0] == '#':
                continue
            if words[0] == "root":
                self.roots[words[1]] = words[2]
            else:
                sys.stderr.write("acmecert: warning: unknown htconfig directive: %s\n" % (words[0]))
        return self

def register(keysize=4096):
    key = Crypto.PublicKey.RSA.generate(keysize, Crypto.Random.new().read)
    # jwk = {"kty": "RSA", "e": ebignum(key.e), "n": ebignum(key.n)}
    # cjwk = json.dumps(jwk, separators=(',', ':'), sort_keys=True)
    data, headers = jreq(directory()["newAccount"], {"termsOfServiceAgreed": True}, jwkauth(key))
    return account(headers["Location"], key)
    
def mkorder(acct, csr):
    data, headers = jreq(directory()["newOrder"], {"identifiers": [{"type": "dns", "value": dn} for dn in csr.domains()]}, acct)
    data["acmecert.location"] = headers["Location"]
    return data

def httptoken(acct, ch):
    jwk = {"kty": "RSA", "e": ebignum(acct.key.e), "n": ebignum(acct.key.n)}
    dig = Crypto.Hash.SHA256.new()
    dig.update(json.dumps(jwk, separators=(',', ':'), sort_keys=True).encode("us-ascii"))
    khash = base64url(dig.digest())
    return ch["token"], ("%s.%s" % (ch["token"], khash))

def authorder(acct, htconf, orderid):
    order, headers = jreq(orderid, None, acct)
    valid = False
    tries = 0
    while not valid:
        valid = True
        tries += 1
        if tries > 5:
            raise Exception("challenges refuse to become valid even after 5 retries")
        for authuri in order["authorizations"]:
            auth, headers = jreq(authuri, None, acct)
            if auth["status"] == "valid":
                continue
            elif auth["status"] == "pending":
                pass
            else:
                raise Exception("unknown authorization status: %s" % (auth["status"],))
            valid = False
            if auth["identifier"]["type"] != "dns":
                raise Exception("unknown authorization type: %s" % (auth["identifier"]["type"],))
            dn = auth["identifier"]["value"]
            if dn not in htconf.roots:
                raise Exception("no configured ht-root for domain name %s" % (dn,))
            for ch in auth["challenges"]:
                if ch["type"] == "http-01":
                    break
            else:
                raise Exception("no http-01 challenge for %s" % (dn,))
            root = htconf.roots[dn]
            tokid, tokval = httptoken(acct, ch)
            tokpath = os.path.join(root, tokid);
            fp = open(tokpath, "w")
            try:
                with fp:
                    fp.write(tokval)
                with req("http://%s/.well-known/acme-challenge/%s" % (dn, tokid)) as resp:
                    if resp.read().decode("utf-8") != tokval:
                        raise Exception("challenge from %s does not match written value" % (dn,))
                for n in range(30):
                    resp, headers = jreq(ch["url"], {}, acct)
                    if resp["status"] == "processing":
                        time.sleep(2)
                    elif resp["status"] == "valid":
                        break
                    else:
                        raise Exception("unexpected challenge status for %s when validating: %s" % (dn, resp["status"]))
                else:
                    raise Exception("challenge processing timed out for %s" % (dn,))
            finally:
                os.unlink(tokpath)

def finalize(acct, csr, orderid):
    order, headers = jreq(orderid, None, acct)
    if order["status"] == "valid":
        pass
    elif order["status"] == "ready":
        jreq(order["finalize"], {"csr": base64url(csr.der())}, acct)
        for n in range(30):
            resp, headers = jreq(orderid, None, acct)
            if resp["status"] == "processing":
                time.sleep(2)
            elif resp["status"] == "valid":
                order = resp
                break
            else:
                raise Exception("unexpected order status when finalizing: %s" % resp["status"])
        else:
            raise Exception("order finalization timed out")
    else:
        raise Exception("unexpected order state when finalizing: %s" % (order["status"],))
    with req(order["certificate"]) as resp:
        return resp.read().decode("us-ascii")

def usage(out):
    out.write("usage: acmecert [-h] [-D SERVICE]\n")

def main(argv):
    global service
    opts, args = getopt.getopt(argv[1:], "hD:")
    for o, a in opts:
        if o == "-h":
            usage(sys.stdout)
            sys.exit(0)
        elif o == "-D":
            service = a
    if len(args) < 1:
        usage(sys.stderr)
        sys.exit(1)
    if args[0] == "reg":
        register().write(sys.stdout)
    elif args[0] == "validate-acct":
        with open(args[1], "r") as fp:
            account.read(fp).validate()
    elif args[0] == "acctinfo":
        with open(args[1], "r") as fp:
            pprint.pprint(account.read(fp).getinfo())
    elif args[0] == "order":
        with open(args[1], "r") as fp:
            acct = account.read(fp)
        with open(args[2], "r") as fp:
            csr = signreq.read(fp)
        order = mkorder(acct, csr)
        with open(args[3], "w") as fp:
            fp.write("%s\n" % (order["acmecert.location"]))
    elif args[0] == "http-auth":
        with open(args[1], "r") as fp:
            acct = account.read(fp)
        with open(args[2], "r") as fp:
            htconf = htconfig.read(fp)
        with open(args[3], "r") as fp:
            orderid = fp.readline().strip()
        authorder(acct, htconf, orderid)
    elif args[0] == "get":
        with open(args[1], "r") as fp:
            acct = account.read(fp)
        with open(args[2], "r") as fp:
            csr = signreq.read(fp)
        with open(args[3], "r") as fp:
            orderid = fp.readline().strip()
        sys.stdout.write(finalize(acct, csr, orderid))
    elif args[0] == "http-order":
        with open(args[1], "r") as fp:
            acct = account.read(fp)
        with open(args[2], "r") as fp:
            csr = signreq.read(fp)
        with open(args[3], "r") as fp:
            htconf = htconfig.read(fp)
        orderid = mkorder(acct, csr)["acmecert.location"]
        authorder(acct, htconf, orderid)
        sys.stdout.write(finalize(acct, csr, orderid))
    elif args[0] == "directory":
        pprint.pprint(directory())
    else:
        sys.stderr.write("acmecert: unknown command: %s\n" % (args[0],))
        usage(sys.stderr)
        sys.exit(1)

if __name__ == "__main__":
    try:
        main(sys.argv)
    except KeyboardInterrupt:
        signal.signal(signal.SIGINT, signal.SIG_DFL)
        os.kill(os.getpid(), signal.SIGINT)
Commit	Line	Data
61d08fc2 FT	1	#!/usr/bin/python3
	2
	3	import sys, os, getopt, binascii, json, pprint, signal, time
	4	import urllib.request
	5	import Crypto.PublicKey.RSA, Crypto.Random, Crypto.Hash.SHA256, Crypto.Signature.PKCS1_v1_5
	6
	7	service = "https://acme-v02.api.letsencrypt.org/directory"
	8	_directory = None
	9	def directory():
	10	global _directory
	11	if _directory is None:
	12	with req(service) as resp:
	13	_directory = json.loads(resp.read().decode("utf-8"))
	14	return _directory
	15
	16	def base64url(dat):
	17	return binascii.b2a_base64(dat).decode("us-ascii").translate({43: 45, 47: 95, 61: None}).strip()
	18
	19	def ebignum(num):
	20	h = "%x" % num
	21	if len(h) % 2 == 1: h = "0" + h
	22	return base64url(binascii.a2b_hex(h))
	23
	24	def getnonce():
	25	with urllib.request.urlopen(directory()["newNonce"]) as resp:
	26	resp.read()
	27	return resp.headers["Replay-Nonce"]
	28
	29	def req(url, data=None, ctype=None, headers={}, method=None, **kws):
	30	if data is not None and not isinstance(data, bytes):
	31	data = json.dumps(data).encode("utf-8")
	32	ctype = "application/jose+json"
	33	req = urllib.request.Request(url, data=data, method=method)
	34	for hnam, hval in headers.items():
	35	req.add_header(hnam, hval)
	36	if ctype is not None:
	37	req.add_header("Content-Type", ctype)
	38	return urllib.request.urlopen(req)
	39
	40	def jreq(url, data, auth):
	41	authdata = {"alg": "RS256", "url": url, "nonce": getnonce()}
	42	authdata.update(auth.authdata())
	43	authdata = base64url(json.dumps(authdata).encode("us-ascii"))
	44	if data is None:
	45	data = ""
	46	else:
	47	data = base64url(json.dumps(data).encode("us-ascii"))
	48	seal = base64url(auth.sign(("%s.%s" % (authdata, data)).encode("us-ascii")))
	49	enc = {"protected": authdata, "payload": data, "signature": seal}
	50	with req(url, data=enc) as resp:
	51	return json.loads(resp.read().decode("utf-8")), resp.headers
	52
	53	class signreq(object):
	54	def domains(self):
	55	# No PCKS10 parser for Python?
	56	import subprocess, re
	57	with subprocess.Popen(["openssl", "req", "-noout", "-text"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl:
	58	openssl.stdin.write(self.data.encode("us-ascii"))
	59	openssl.stdin.close()
	60	resp = openssl.stdout.read().decode("utf8")
	61	if openssl.wait() != 0:
	62	raise Exception("openssl error")
	63	m = re.search(r"X509v3 Subject Alternative Name:[^\n]\n\s((\w+:\S+,\s)\w+:\S+)\s*\n", resp)
	64	if m is None:
65	return []
66	ret = []
67	for nm in m.group(1).split(","):
68	nm = nm.strip()
69	typ, nm = nm.split(":", 1)
70	if typ == "DNS":
71	ret.append(nm)
72	return ret
73
74	def der(self):
75	import subprocess
76	with subprocess.Popen(["openssl", "req", "-outform", "der"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl:
77	openssl.stdin.write(self.data.encode("us-ascii"))
78	openssl.stdin.close()
79	resp = openssl.stdout.read()
80	if openssl.wait() != 0:
81	raise Exception("openssl error")
82	return resp
83
84	@classmethod
85	def read(cls, fp):
86	self = cls()
87	self.data = fp.read()
88	return self
89
90	class jwkauth(object):
91	def __init__(self, key):
92	self.key = key
93
94	def authdata(self):
95	return {"jwk": {"kty": "RSA", "e": ebignum(self.key.e), "n": ebignum(self.key.n)}}
96
97	def sign(self, data):
98	dig = Crypto.Hash.SHA256.new()
99	dig.update(data)
100	return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig)
101
102	class account(object):
103	def __init__(self, uri, key):
104	self.uri = uri
105	self.key = key
106
107	def authdata(self):
108	return {"kid": self.uri}
109
110	def sign(self, data):
111	dig = Crypto.Hash.SHA256.new()
112	dig.update(data)
113	return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig)
114
115	def getinfo(self):
116	data, headers = jreq(self.uri, None, self)
117	return data
118
119	def validate(self):
120	data = self.getinfo()
121	if data.get("status", "") != "valid":
122	raise Exception("account is not valid: %s" % (data.get("status", "\"\"")))
123
124	def write(self, out):
125	out.write("%s\n" % (self.uri,))
126	out.write("%s\n" % (self.key.exportKey().decode("us-ascii"),))
127
128	@classmethod
129	def read(cls, fp):
130	uri = fp.readline()
131	if uri == "":
132	raise Exception("missing account URI")
133	uri = uri.strip()
134	key = Crypto.PublicKey.RSA.importKey(fp.read())
135	return cls(uri, key)
136
137	class htconfig(object):
138	def __init__(self):
139	self.roots = {}
140
141	@classmethod
142	def read(cls, fp):
143	self = cls()
144	for ln in fp:
145	words = ln.split()
146	if len(words) < 1 or ln[0] == '#':
147	continue
148	if words[0] == "root":
149	self.roots[words[1]] = words[2]
150	else:
151	sys.stderr.write("acmecert: warning: unknown htconfig directive: %s\n" % (words[0]))
152	return self
153
154	def register(keysize=4096):
155	key = Crypto.PublicKey.RSA.generate(keysize, Crypto.Random.new().read)
156	# jwk = {"kty": "RSA", "e": ebignum(key.e), "n": ebignum(key.n)}
157	# cjwk = json.dumps(jwk, separators=(',', ':'), sort_keys=True)
158	data, headers = jreq(directory()["newAccount"], {"termsOfServiceAgreed": True}, jwkauth(key))
159	return account(headers["Location"], key)
160
161	def mkorder(acct, csr):
162	data, headers = jreq(directory()["newOrder"], {"identifiers": [{"type": "dns", "value": dn} for dn in csr.domains()]}, acct)
163	data["acmecert.location"] = headers["Location"]
164	return data
165
166	def httptoken(acct, ch):
167	jwk = {"kty": "RSA", "e": ebignum(acct.key.e), "n": ebignum(acct.key.n)}
168	dig = Crypto.Hash.SHA256.new()
169	dig.update(json.dumps(jwk, separators=(',', ':'), sort_keys=True).encode("us-ascii"))
170	khash = base64url(dig.digest())
171	return ch["token"], ("%s.%s" % (ch["token"], khash))
172
173	def authorder(acct, htconf, orderid):
174	order, headers = jreq(orderid, None, acct)
175	valid = False
176	tries = 0
177	while not valid:
178	valid = True
179	tries += 1
180	if tries > 5:
181	raise Exception("challenges refuse to become valid even after 5 retries")
182	for authuri in order["authorizations"]:
183	auth, headers = jreq(authuri, None, acct)
184	if auth["status"] == "valid":
185	continue
186	elif auth["status"] == "pending":
187	pass
188	else:
189	raise Exception("unknown authorization status: %s" % (auth["status"],))
190	valid = False
191	if auth["identifier"]["type"] != "dns":
192	raise Exception("unknown authorization type: %s" % (auth["identifier"]["type"],))
193	dn = auth["identifier"]["value"]
194	if dn not in htconf.roots:
195	raise Exception("no configured ht-root for domain name %s" % (dn,))
196	for ch in auth["challenges"]:
197	if ch["type"] == "http-01":
198	break
199	else:
200	raise Exception("no http-01 challenge for %s" % (dn,))
201	root = htconf.roots[dn]
202	tokid, tokval = httptoken(acct, ch)
203	tokpath = os.path.join(root, tokid);
204	fp = open(tokpath, "w")
205	try:
206	with fp:
207	fp.write(tokval)
208	with req("http://%s/.well-known/acme-challenge/%s" % (dn, tokid)) as resp:
209	if resp.read().decode("utf-8") != tokval:
210	raise Exception("challenge from %s does not match written value" % (dn,))
211	for n in range(30):
212	resp, headers = jreq(ch["url"], {}, acct)
213	if resp["status"] == "processing":
214	time.sleep(2)
215	elif resp["status"] == "valid":
216	break
217	else:
218	raise Exception("unexpected challenge status for %s when validating: %s" % (dn, resp["status"]))
219	else:
220	raise Exception("challenge processing timed out for %s" % (dn,))
221	finally:
222	os.unlink(tokpath)
223
224	def finalize(acct, csr, orderid):
225	order, headers = jreq(orderid, None, acct)
226	if order["status"] == "valid":
227	pass
228	elif order["status"] == "ready":
229	jreq(order["finalize"], {"csr": base64url(csr.der())}, acct)
230	for n in range(30):
231	resp, headers = jreq(orderid, None, acct)
232	if resp["status"] == "processing":
233	time.sleep(2)
234	elif resp["status"] == "valid":
235	order = resp
236	break
237	else:
238	raise Exception("unexpected order status when finalizing: %s" % resp["status"])
239	else:
240	raise Exception("order finalization timed out")
241	else:
242	raise Exception("unexpected order state when finalizing: %s" % (order["status"],))
243	with req(order["certificate"]) as resp:
244	return resp.read().decode("us-ascii")
245
246	def usage(out):
247	out.write("usage: acmecert [-h] [-D SERVICE]\n")
248
249	def main(argv):
250	global service
251	opts, args = getopt.getopt(argv[1:], "hD:")
252	for o, a in opts:
253	if o == "-h":
254	usage(sys.stdout)
255	sys.exit(0)
256	elif o == "-D":
257	service = a
258	if len(args) < 1:
259	usage(sys.stderr)
260	sys.exit(1)
261	if args[0] == "reg":
262	register().write(sys.stdout)
263	elif args[0] == "validate-acct":
264	with open(args[1], "r") as fp:
265	account.read(fp).validate()
266	elif args[0] == "acctinfo":
267	with open(args[1], "r") as fp:
268	pprint.pprint(account.read(fp).getinfo())
269	elif args[0] == "order":
270	with open(args[1], "r") as fp:
271	acct = account.read(fp)
272	with open(args[2], "r") as fp:
273	csr = signreq.read(fp)
274	order = mkorder(acct, csr)
275	with open(args[3], "w") as fp:
276	fp.write("%s\n" % (order["acmecert.location"]))
277	elif args[0] == "http-auth":
278	with open(args[1], "r") as fp:
279	acct = account.read(fp)
280	with open(args[2], "r") as fp:
281	htconf = htconfig.read(fp)
282	with open(args[3], "r") as fp:
283	orderid = fp.readline().strip()
284	authorder(acct, htconf, orderid)
285	elif args[0] == "get":
286	with open(args[1], "r") as fp:
287	acct = account.read(fp)
288	with open(args[2], "r") as fp:
289	csr = signreq.read(fp)
290	with open(args[3], "r") as fp:
291	orderid = fp.readline().strip()
292	sys.stdout.write(finalize(acct, csr, orderid))
293	elif args[0] == "http-order":
294	with open(args[1], "r") as fp:
295	acct = account.read(fp)
296	with open(args[2], "r") as fp:
297	csr = signreq.read(fp)
298	with open(args[3], "r") as fp:
299	htconf = htconfig.read(fp)
300	orderid = mkorder(acct, csr)["acmecert.location"]
301	authorder(acct, htconf, orderid)
302	sys.stdout.write(finalize(acct, csr, orderid))
303	elif args[0] == "directory":
304	pprint.pprint(directory())
305	else:
306	sys.stderr.write("acmecert: unknown command: %s\n" % (args[0],))
307	usage(sys.stderr)
308	sys.exit(1)
309
310	if __name__ == "__main__":
311	try:
312	main(sys.argv)
313	except KeyboardInterrupt:
314	signal.signal(signal.SIGINT, signal.SIG_DFL)
315	os.kill(os.getpid(), signal.SIGINT)