| 1 | #!/usr/bin/python3 |
| 2 | |
| 3 | import sys, os, getopt, binascii, json, pprint, signal, time, threading |
| 4 | import urllib.request |
| 5 | import Crypto.PublicKey.RSA, Crypto.Random, Crypto.Hash.SHA256, Crypto.Signature.PKCS1_v1_5 |
| 6 | |
| 7 | class msgerror(Exception): |
| 8 | def report(self, out): |
| 9 | out.write("acmecert: undefined error\n") |
| 10 | |
| 11 | service = "https://acme-v02.api.letsencrypt.org/directory" |
| 12 | _directory = None |
| 13 | def directory(): |
| 14 | global _directory |
| 15 | if _directory is None: |
| 16 | with req(service) as resp: |
| 17 | _directory = json.loads(resp.read().decode("utf-8")) |
| 18 | return _directory |
| 19 | |
| 20 | def base64url(dat): |
| 21 | return binascii.b2a_base64(dat).decode("us-ascii").translate({43: 45, 47: 95, 61: None}).strip() |
| 22 | |
| 23 | def ebignum(num): |
| 24 | h = "%x" % num |
| 25 | if len(h) % 2 == 1: h = "0" + h |
| 26 | return base64url(binascii.a2b_hex(h)) |
| 27 | |
| 28 | def getnonce(): |
| 29 | with urllib.request.urlopen(directory()["newNonce"]) as resp: |
| 30 | resp.read() |
| 31 | return resp.headers["Replay-Nonce"] |
| 32 | |
| 33 | def req(url, data=None, ctype=None, headers={}, method=None, **kws): |
| 34 | if data is not None and not isinstance(data, bytes): |
| 35 | data = json.dumps(data).encode("utf-8") |
| 36 | ctype = "application/jose+json" |
| 37 | req = urllib.request.Request(url, data=data, method=method) |
| 38 | for hnam, hval in headers.items(): |
| 39 | req.add_header(hnam, hval) |
| 40 | if ctype is not None: |
| 41 | req.add_header("Content-Type", ctype) |
| 42 | return urllib.request.urlopen(req) |
| 43 | |
| 44 | def jreq(url, data, auth): |
| 45 | authdata = {"alg": "RS256", "url": url, "nonce": getnonce()} |
| 46 | authdata.update(auth.authdata()) |
| 47 | authdata = base64url(json.dumps(authdata).encode("us-ascii")) |
| 48 | if data is None: |
| 49 | data = "" |
| 50 | else: |
| 51 | data = base64url(json.dumps(data).encode("us-ascii")) |
| 52 | seal = base64url(auth.sign(("%s.%s" % (authdata, data)).encode("us-ascii"))) |
| 53 | enc = {"protected": authdata, "payload": data, "signature": seal} |
| 54 | with req(url, data=enc) as resp: |
| 55 | return json.loads(resp.read().decode("utf-8")), resp.headers |
| 56 | |
| 57 | class certificate(object): |
| 58 | @property |
| 59 | def enddate(self): |
| 60 | # No X509 parser for Python? |
| 61 | import subprocess, re, calendar |
| 62 | with subprocess.Popen(["openssl", "x509", "-noout", "-enddate"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl: |
| 63 | openssl.stdin.write(self.data.encode("us-ascii")) |
| 64 | openssl.stdin.close() |
| 65 | resp = openssl.stdout.read().decode("utf-8") |
| 66 | if openssl.wait() != 0: |
| 67 | raise Exception("openssl error") |
| 68 | m = re.search(r"notAfter=(.*)$", resp) |
| 69 | if m is None: raise Exception("unexpected openssl reply: %r" % (resp,)) |
| 70 | return calendar.timegm(time.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")) |
| 71 | |
| 72 | def expiring(self, timespec): |
| 73 | if timespec.endswith("y"): |
| 74 | timespec = int(timespec[:-1]) * 365 * 86400 |
| 75 | elif timespec.endswith("m"): |
| 76 | timespec = int(timespec[:-1]) * 30 * 86400 |
| 77 | elif timespec.endswith("w"): |
| 78 | timespec = int(timespec[:-1]) * 7 * 86400 |
| 79 | elif timespec.endswith("d"): |
| 80 | timespec = int(timespec[:-1]) * 86400 |
| 81 | elif timespec.endswith("h"): |
| 82 | timespec = int(timespec[:-1]) * 3600 |
| 83 | else: |
| 84 | timespec = int(timespec) |
| 85 | return (self.enddate - time.time()) < timespec |
| 86 | |
| 87 | @classmethod |
| 88 | def read(cls, fp): |
| 89 | self = cls() |
| 90 | self.data = fp.read() |
| 91 | return self |
| 92 | |
| 93 | class signreq(object): |
| 94 | def domains(self): |
| 95 | # No PCKS10 parser for Python? |
| 96 | import subprocess, re |
| 97 | with subprocess.Popen(["openssl", "req", "-noout", "-text"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl: |
| 98 | openssl.stdin.write(self.data.encode("us-ascii")) |
| 99 | openssl.stdin.close() |
| 100 | resp = openssl.stdout.read().decode("utf-8") |
| 101 | if openssl.wait() != 0: |
| 102 | raise Exception("openssl error") |
| 103 | m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*((\w+:\S+,\s*)*\w+:\S+)\s*\n", resp) |
| 104 | if m is None: |
| 105 | return [] |
| 106 | ret = [] |
| 107 | for nm in m.group(1).split(","): |
| 108 | nm = nm.strip() |
| 109 | typ, nm = nm.split(":", 1) |
| 110 | if typ == "DNS": |
| 111 | ret.append(nm) |
| 112 | return ret |
| 113 | |
| 114 | def der(self): |
| 115 | import subprocess |
| 116 | with subprocess.Popen(["openssl", "req", "-outform", "der"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl: |
| 117 | openssl.stdin.write(self.data.encode("us-ascii")) |
| 118 | openssl.stdin.close() |
| 119 | resp = openssl.stdout.read() |
| 120 | if openssl.wait() != 0: |
| 121 | raise Exception("openssl error") |
| 122 | return resp |
| 123 | |
| 124 | @classmethod |
| 125 | def read(cls, fp): |
| 126 | self = cls() |
| 127 | self.data = fp.read() |
| 128 | return self |
| 129 | |
| 130 | class jwkauth(object): |
| 131 | def __init__(self, key): |
| 132 | self.key = key |
| 133 | |
| 134 | def authdata(self): |
| 135 | return {"jwk": {"kty": "RSA", "e": ebignum(self.key.e), "n": ebignum(self.key.n)}} |
| 136 | |
| 137 | def sign(self, data): |
| 138 | dig = Crypto.Hash.SHA256.new() |
| 139 | dig.update(data) |
| 140 | return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig) |
| 141 | |
| 142 | class account(object): |
| 143 | def __init__(self, uri, key): |
| 144 | self.uri = uri |
| 145 | self.key = key |
| 146 | |
| 147 | def authdata(self): |
| 148 | return {"kid": self.uri} |
| 149 | |
| 150 | def sign(self, data): |
| 151 | dig = Crypto.Hash.SHA256.new() |
| 152 | dig.update(data) |
| 153 | return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig) |
| 154 | |
| 155 | def getinfo(self): |
| 156 | data, headers = jreq(self.uri, None, self) |
| 157 | return data |
| 158 | |
| 159 | def validate(self): |
| 160 | data = self.getinfo() |
| 161 | if data.get("status", "") != "valid": |
| 162 | raise Exception("account is not valid: %s" % (data.get("status", "\"\""))) |
| 163 | |
| 164 | def write(self, out): |
| 165 | out.write("%s\n" % (self.uri,)) |
| 166 | out.write("%s\n" % (self.key.exportKey().decode("us-ascii"),)) |
| 167 | |
| 168 | @classmethod |
| 169 | def read(cls, fp): |
| 170 | uri = fp.readline() |
| 171 | if uri == "": |
| 172 | raise Exception("missing account URI") |
| 173 | uri = uri.strip() |
| 174 | key = Crypto.PublicKey.RSA.importKey(fp.read()) |
| 175 | return cls(uri, key) |
| 176 | |
| 177 | class htconfig(object): |
| 178 | def __init__(self): |
| 179 | self.roots = {} |
| 180 | |
| 181 | @classmethod |
| 182 | def read(cls, fp): |
| 183 | self = cls() |
| 184 | for ln in fp: |
| 185 | words = ln.split() |
| 186 | if len(words) < 1 or ln[0] == '#': |
| 187 | continue |
| 188 | if words[0] == "root": |
| 189 | self.roots[words[1]] = words[2] |
| 190 | else: |
| 191 | sys.stderr.write("acmecert: warning: unknown htconfig directive: %s\n" % (words[0])) |
| 192 | return self |
| 193 | |
| 194 | def register(keysize=4096): |
| 195 | key = Crypto.PublicKey.RSA.generate(keysize, Crypto.Random.new().read) |
| 196 | data, headers = jreq(directory()["newAccount"], {"termsOfServiceAgreed": True}, jwkauth(key)) |
| 197 | return account(headers["Location"], key) |
| 198 | |
| 199 | def mkorder(acct, csr): |
| 200 | data, headers = jreq(directory()["newOrder"], {"identifiers": [{"type": "dns", "value": dn} for dn in csr.domains()]}, acct) |
| 201 | data["acmecert.location"] = headers["Location"] |
| 202 | return data |
| 203 | |
| 204 | def httptoken(acct, ch): |
| 205 | jwk = {"kty": "RSA", "e": ebignum(acct.key.e), "n": ebignum(acct.key.n)} |
| 206 | dig = Crypto.Hash.SHA256.new() |
| 207 | dig.update(json.dumps(jwk, separators=(',', ':'), sort_keys=True).encode("us-ascii")) |
| 208 | khash = base64url(dig.digest()) |
| 209 | return ch["token"], ("%s.%s" % (ch["token"], khash)) |
| 210 | |
| 211 | def authorder(acct, htconf, orderid): |
| 212 | order, headers = jreq(orderid, None, acct) |
| 213 | valid = False |
| 214 | tries = 0 |
| 215 | while not valid: |
| 216 | valid = True |
| 217 | tries += 1 |
| 218 | if tries > 5: |
| 219 | raise Exception("challenges refuse to become valid even after 5 retries") |
| 220 | for authuri in order["authorizations"]: |
| 221 | auth, headers = jreq(authuri, None, acct) |
| 222 | if auth["status"] == "valid": |
| 223 | continue |
| 224 | elif auth["status"] == "pending": |
| 225 | pass |
| 226 | else: |
| 227 | raise Exception("unknown authorization status: %s" % (auth["status"],)) |
| 228 | valid = False |
| 229 | if auth["identifier"]["type"] != "dns": |
| 230 | raise Exception("unknown authorization type: %s" % (auth["identifier"]["type"],)) |
| 231 | dn = auth["identifier"]["value"] |
| 232 | if dn not in htconf.roots: |
| 233 | raise Exception("no configured ht-root for domain name %s" % (dn,)) |
| 234 | for ch in auth["challenges"]: |
| 235 | if ch["type"] == "http-01": |
| 236 | break |
| 237 | else: |
| 238 | raise Exception("no http-01 challenge for %s" % (dn,)) |
| 239 | root = htconf.roots[dn] |
| 240 | tokid, tokval = httptoken(acct, ch) |
| 241 | tokpath = os.path.join(root, tokid); |
| 242 | fp = open(tokpath, "w") |
| 243 | try: |
| 244 | with fp: |
| 245 | fp.write(tokval) |
| 246 | with req("http://%s/.well-known/acme-challenge/%s" % (dn, tokid)) as resp: |
| 247 | if resp.read().decode("utf-8") != tokval: |
| 248 | raise Exception("challenge from %s does not match written value" % (dn,)) |
| 249 | for n in range(30): |
| 250 | resp, headers = jreq(ch["url"], {}, acct) |
| 251 | if resp["status"] == "processing": |
| 252 | time.sleep(2) |
| 253 | elif resp["status"] == "pending": |
| 254 | # I don't think this should happen, but it |
| 255 | # does. LE bug? Anyway, just retry. |
| 256 | if n < 5: |
| 257 | time.sleep(2) |
| 258 | else: |
| 259 | break |
| 260 | elif resp["status"] == "valid": |
| 261 | break |
| 262 | else: |
| 263 | raise Exception("unexpected challenge status for %s when validating: %s" % (dn, resp["status"])) |
| 264 | else: |
| 265 | raise Exception("challenge processing timed out for %s" % (dn,)) |
| 266 | finally: |
| 267 | os.unlink(tokpath) |
| 268 | |
| 269 | def finalize(acct, csr, orderid): |
| 270 | order, headers = jreq(orderid, None, acct) |
| 271 | if order["status"] == "valid": |
| 272 | pass |
| 273 | elif order["status"] == "ready": |
| 274 | jreq(order["finalize"], {"csr": base64url(csr.der())}, acct) |
| 275 | for n in range(30): |
| 276 | resp, headers = jreq(orderid, None, acct) |
| 277 | if resp["status"] == "processing": |
| 278 | time.sleep(2) |
| 279 | elif resp["status"] == "valid": |
| 280 | order = resp |
| 281 | break |
| 282 | else: |
| 283 | raise Exception("unexpected order status when finalizing: %s" % resp["status"]) |
| 284 | else: |
| 285 | raise Exception("order finalization timed out") |
| 286 | else: |
| 287 | raise Exception("unexpected order state when finalizing: %s" % (order["status"],)) |
| 288 | with req(order["certificate"]) as resp: |
| 289 | return resp.read().decode("us-ascii") |
| 290 | |
| 291 | class maybeopen(object): |
| 292 | def __init__(self, name, mode): |
| 293 | if name == "-": |
| 294 | self.opened = False |
| 295 | if mode == "r": |
| 296 | self.fp = sys.stdin |
| 297 | elif mode == "w": |
| 298 | self.fp = sys.stdout |
| 299 | else: |
| 300 | raise ValueError(mode) |
| 301 | else: |
| 302 | self.opened = True |
| 303 | self.fp = open(name, mode) |
| 304 | |
| 305 | def __enter__(self): |
| 306 | return self.fp |
| 307 | |
| 308 | def __exit__(self, *excinfo): |
| 309 | if self.opened: |
| 310 | self.fp.close() |
| 311 | return False |
| 312 | |
| 313 | invdata = threading.local() |
| 314 | commands = {} |
| 315 | |
| 316 | class usageerr(msgerror): |
| 317 | def __init__(self): |
| 318 | self.cmd = invdata.cmd |
| 319 | |
| 320 | def report(self, out): |
| 321 | out.write("%s\n" % (self.cmd.__doc__,)) |
| 322 | |
| 323 | def cmd_reg(args): |
| 324 | "usage: acmecert reg [OUTPUT-FILE]" |
| 325 | acct = register() |
| 326 | os.umask(0o077) |
| 327 | with maybeopen(args[1] if len(args) > 1 else "-", "w") as fp: |
| 328 | acct.write(fp) |
| 329 | commands["reg"] = cmd_reg |
| 330 | |
| 331 | def cmd_validate_acct(args): |
| 332 | "usage: acmecert validate-acct ACCOUNT-FILE" |
| 333 | if len(args) < 2: raise usageerr() |
| 334 | with maybeopen(args[1], "r") as fp: |
| 335 | account.read(fp).validate() |
| 336 | commands["validate-acct"] = cmd_validate_acct |
| 337 | |
| 338 | def cmd_acct_info(args): |
| 339 | "usage: acmecert acct-info ACCOUNT-FILE" |
| 340 | if len(args) < 2: raise usageerr() |
| 341 | with maybeopen(args[1], "r") as fp: |
| 342 | pprint.pprint(account.read(fp).getinfo()) |
| 343 | commands["acct-info"] = cmd_acct_info |
| 344 | |
| 345 | def cmd_order(args): |
| 346 | "usage: acmecert order ACCOUNT-FILE CSR [OUTPUT-FILE]" |
| 347 | if len(args) < 3: raise usageerr() |
| 348 | with maybeopen(args[1], "r") as fp: |
| 349 | acct = account.read(fp) |
| 350 | with maybeopen(args[2], "r") as fp: |
| 351 | csr = signreq.read(fp) |
| 352 | order = mkorder(acct, csr) |
| 353 | with maybeopen(args[3] if len(args) > 3 else "-", "w") as fp: |
| 354 | fp.write("%s\n" % (order["acmecert.location"])) |
| 355 | commands["order"] = cmd_order |
| 356 | |
| 357 | def cmd_http_auth(args): |
| 358 | "usage: acmecert http-auth ACCOUNT-FILE HTTP-CONFIG {ORDER-ID|ORDER-FILE}" |
| 359 | if len(args) < 4: raise usageerr() |
| 360 | with maybeopen(args[1], "r") as fp: |
| 361 | acct = account.read(fp) |
| 362 | with maybeopen(args[2], "r") as fp: |
| 363 | htconf = htconfig.read(fp) |
| 364 | if "://" in args[3]: |
| 365 | orderid = args[3] |
| 366 | else: |
| 367 | with maybeopen(args[3], "r") as fp: |
| 368 | orderid = fp.readline().strip() |
| 369 | authorder(acct, htconf, orderid) |
| 370 | commands["http-auth"] = cmd_http_auth |
| 371 | |
| 372 | def cmd_get(args): |
| 373 | "usage: acmecert get ACCOUNT-FILE CSR {ORDER-ID|ORDER-FILE}" |
| 374 | if len(args) < 4: raise usageerr() |
| 375 | with maybeopen(args[1], "r") as fp: |
| 376 | acct = account.read(fp) |
| 377 | with maybeopen(args[2], "r") as fp: |
| 378 | csr = signreq.read(fp) |
| 379 | if "://" in args[3]: |
| 380 | orderid = args[3] |
| 381 | else: |
| 382 | with maybeopen(args[3], "r") as fp: |
| 383 | orderid = fp.readline().strip() |
| 384 | sys.stdout.write(finalize(acct, csr, orderid)) |
| 385 | commands["get"] = cmd_get |
| 386 | |
| 387 | def cmd_http_order(args): |
| 388 | "usage: acmecert http-order ACCOUNT-FILE CSR HTTP-CONFIG [OUTPUT-FILE]" |
| 389 | if len(args) < 4: raise usageerr() |
| 390 | with maybeopen(args[1], "r") as fp: |
| 391 | acct = account.read(fp) |
| 392 | with maybeopen(args[2], "r") as fp: |
| 393 | csr = signreq.read(fp) |
| 394 | with maybeopen(args[3], "r") as fp: |
| 395 | htconf = htconfig.read(fp) |
| 396 | orderid = mkorder(acct, csr)["acmecert.location"] |
| 397 | authorder(acct, htconf, orderid) |
| 398 | with maybeopen(args[4] if len(args) > 4 else "-", "w") as fp: |
| 399 | fp.write(finalize(acct, csr, orderid)) |
| 400 | commands["http-order"] = cmd_http_order |
| 401 | |
| 402 | def cmd_check_cert(args): |
| 403 | "usage: acmecert check-cert CERT-FILE TIME-SPEC" |
| 404 | if len(args) < 3: raise usageerr() |
| 405 | with maybeopen(args[1], "r") as fp: |
| 406 | crt = certificate.read(fp) |
| 407 | sys.exit(1 if crt.expiring(args[2]) else 0) |
| 408 | commands["check-cert"] = cmd_check_cert |
| 409 | |
| 410 | def cmd_directory(args): |
| 411 | "usage: acmecert directory" |
| 412 | pprint.pprint(directory()) |
| 413 | commands["directory"] = cmd_directory |
| 414 | |
| 415 | def usage(out): |
| 416 | out.write("usage: acmecert [-D SERVICE] COMMAND [ARGS...]\n") |
| 417 | out.write(" acmecert -h [COMMAND]\n") |
| 418 | buf = " COMMAND is any of: " |
| 419 | f = True |
| 420 | for cmd in commands: |
| 421 | if len(buf) + len(cmd) > 70: |
| 422 | out.write("%s\n" % (buf,)) |
| 423 | buf = " " |
| 424 | f = True |
| 425 | if not f: |
| 426 | buf += ", " |
| 427 | buf += cmd |
| 428 | f = False |
| 429 | if not f: |
| 430 | out.write("%s\n" % (buf,)) |
| 431 | |
| 432 | def main(argv): |
| 433 | global service |
| 434 | opts, args = getopt.getopt(argv[1:], "hD:") |
| 435 | for o, a in opts: |
| 436 | if o == "-h": |
| 437 | if len(args) > 0: |
| 438 | cmd = commands.get(args[0]) |
| 439 | if cmd is None: |
| 440 | sys.stderr.write("acmecert: unknown command: %s\n" % (args[0],)) |
| 441 | sys.exit(1) |
| 442 | sys.stdout.write("%s\n" % (cmd.__doc__,)) |
| 443 | else: |
| 444 | usage(sys.stdout) |
| 445 | sys.exit(0) |
| 446 | elif o == "-D": |
| 447 | service = a |
| 448 | if len(args) < 1: |
| 449 | usage(sys.stderr) |
| 450 | sys.exit(1) |
| 451 | cmd = commands.get(args[0]) |
| 452 | if cmd is None: |
| 453 | sys.stderr.write("acmecert: unknown command: %s\n" % (args[0],)) |
| 454 | usage(sys.stderr) |
| 455 | sys.exit(1) |
| 456 | try: |
| 457 | try: |
| 458 | invdata.cmd = cmd |
| 459 | cmd(args) |
| 460 | finally: |
| 461 | invdata.cmd = None |
| 462 | except msgerror as exc: |
| 463 | exc.report(sys.stderr) |
| 464 | sys.exit(1) |
| 465 | |
| 466 | if __name__ == "__main__": |
| 467 | try: |
| 468 | main(sys.argv) |
| 469 | except KeyboardInterrupt: |
| 470 | signal.signal(signal.SIGINT, signal.SIG_DFL) |
| 471 | os.kill(os.getpid(), signal.SIGINT) |