acmecert

   1 #!/usr/bin/python3
   2
   3 import sys, os, getopt, binascii, json, pprint, signal, time
   4 import urllib.request
   5 import Crypto.PublicKey.RSA, Crypto.Random, Crypto.Hash.SHA256, Crypto.Signature.PKCS1_v1_5
   6
   7 service = "https://acme-v02.api.letsencrypt.org/directory"
   8 _directory = None
   9 def directory():
  10     global _directory
  11     if _directory is None:
  12         with req(service) as resp:
  13             _directory = json.loads(resp.read().decode("utf-8"))
  14     return _directory
  15
  16 def base64url(dat):
  17     return binascii.b2a_base64(dat).decode("us-ascii").translate({43: 45, 47: 95, 61: None}).strip()
  18
  19 def ebignum(num):
  20     h = "%x" % num
  21     if len(h) % 2 == 1: h = "0" + h
  22     return base64url(binascii.a2b_hex(h))
  23
  24 def getnonce():
  25     with urllib.request.urlopen(directory()["newNonce"]) as resp:
  26         resp.read()
  27         return resp.headers["Replay-Nonce"]
  28
  29 def req(url, data=None, ctype=None, headers={}, method=None, **kws):
  30     if data is not None and not isinstance(data, bytes):
  31         data = json.dumps(data).encode("utf-8")
  32         ctype = "application/jose+json"
  33     req = urllib.request.Request(url, data=data, method=method)
  34     for hnam, hval in headers.items():
  35         req.add_header(hnam, hval)
  36     if ctype is not None:
  37         req.add_header("Content-Type", ctype)
  38     return urllib.request.urlopen(req)
  39
  40 def jreq(url, data, auth):
  41     authdata = {"alg": "RS256", "url": url, "nonce": getnonce()}
  42     authdata.update(auth.authdata())
  43     authdata = base64url(json.dumps(authdata).encode("us-ascii"))
  44     if data is None:
  45         data = ""
  46     else:
  47         data = base64url(json.dumps(data).encode("us-ascii"))
  48     seal = base64url(auth.sign(("%s.%s" % (authdata, data)).encode("us-ascii")))
  49     enc = {"protected": authdata, "payload": data, "signature": seal}
  50     with req(url, data=enc) as resp:
  51         return json.loads(resp.read().decode("utf-8")), resp.headers
  52
  53 class signreq(object):
  54     def domains(self):
  55         # No PCKS10 parser for Python?
  56         import subprocess, re
  57         with subprocess.Popen(["openssl", "req", "-noout", "-text"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl:
  58             openssl.stdin.write(self.data.encode("us-ascii"))
  59             openssl.stdin.close()
  60             resp = openssl.stdout.read().decode("utf8")
  61             if openssl.wait() != 0:
  62                 raise Exception("openssl error")
  63         m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*((\w+:\S+,\s*)*\w+:\S+)\s*\n", resp)
  64         if m is None:
  65             return []
  66         ret = []
  67         for nm in m.group(1).split(","):
  68             nm = nm.strip()
  69             typ, nm = nm.split(":", 1)
  70             if typ == "DNS":
  71                 ret.append(nm)
  72         return ret
  73
  74     def der(self):
  75         import subprocess
  76         with subprocess.Popen(["openssl", "req", "-outform", "der"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl:
  77             openssl.stdin.write(self.data.encode("us-ascii"))
  78             openssl.stdin.close()
  79             resp = openssl.stdout.read()
  80             if openssl.wait() != 0:
  81                 raise Exception("openssl error")
  82         return resp
  83
  84     @classmethod
  85     def read(cls, fp):
  86         self = cls()
  87         self.data = fp.read()
  88         return self
  89
  90 class jwkauth(object):
  91     def __init__(self, key):
  92         self.key = key
  93
  94     def authdata(self):
  95         return {"jwk": {"kty": "RSA", "e": ebignum(self.key.e), "n": ebignum(self.key.n)}}
  96
  97     def sign(self, data):
  98         dig = Crypto.Hash.SHA256.new()
  99         dig.update(data)
 100         return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig)
 101
 102 class account(object):
 103     def __init__(self, uri, key):
 104         self.uri = uri
 105         self.key = key
 106
 107     def authdata(self):
 108         return {"kid": self.uri}
 109
 110     def sign(self, data):
 111         dig = Crypto.Hash.SHA256.new()
 112         dig.update(data)
 113         return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig)
 114
 115     def getinfo(self):
 116         data, headers = jreq(self.uri, None, self)
 117         return data
 118
 119     def validate(self):
 120         data = self.getinfo()
 121         if data.get("status", "") != "valid":
 122             raise Exception("account is not valid: %s" % (data.get("status", "\"\"")))
 123
 124     def write(self, out):
 125         out.write("%s\n" % (self.uri,))
 126         out.write("%s\n" % (self.key.exportKey().decode("us-ascii"),))
 127
 128     @classmethod
 129     def read(cls, fp):
 130         uri = fp.readline()
 131         if uri == "":
 132             raise Exception("missing account URI")
 133         uri = uri.strip()
 134         key = Crypto.PublicKey.RSA.importKey(fp.read())
 135         return cls(uri, key)
 136
 137 class htconfig(object):
 138     def __init__(self):
 139         self.roots = {}
 140
 141     @classmethod
 142     def read(cls, fp):
 143         self = cls()
 144         for ln in fp:
 145             words = ln.split()
 146             if len(words) < 1 or ln[0] == '#':
 147                 continue
 148             if words[0] == "root":
 149                 self.roots[words[1]] = words[2]
 150             else:
 151                 sys.stderr.write("acmecert: warning: unknown htconfig directive: %s\n" % (words[0]))
 152         return self
 153
 154 def register(keysize=4096):
 155     key = Crypto.PublicKey.RSA.generate(keysize, Crypto.Random.new().read)
 156     # jwk = {"kty": "RSA", "e": ebignum(key.e), "n": ebignum(key.n)}
 157     # cjwk = json.dumps(jwk, separators=(',', ':'), sort_keys=True)
 158     data, headers = jreq(directory()["newAccount"], {"termsOfServiceAgreed": True}, jwkauth(key))
 159     return account(headers["Location"], key)
 160
 161 def mkorder(acct, csr):
 162     data, headers = jreq(directory()["newOrder"], {"identifiers": [{"type": "dns", "value": dn} for dn in csr.domains()]}, acct)
 163     data["acmecert.location"] = headers["Location"]
 164     return data
 165
 166 def httptoken(acct, ch):
 167     jwk = {"kty": "RSA", "e": ebignum(acct.key.e), "n": ebignum(acct.key.n)}
 168     dig = Crypto.Hash.SHA256.new()
 169     dig.update(json.dumps(jwk, separators=(',', ':'), sort_keys=True).encode("us-ascii"))
 170     khash = base64url(dig.digest())
 171     return ch["token"], ("%s.%s" % (ch["token"], khash))
 172
 173 def authorder(acct, htconf, orderid):
 174     order, headers = jreq(orderid, None, acct)
 175     valid = False
 176     tries = 0
 177     while not valid:
 178         valid = True
 179         tries += 1
 180         if tries > 5:
 181             raise Exception("challenges refuse to become valid even after 5 retries")
 182         for authuri in order["authorizations"]:
 183             auth, headers = jreq(authuri, None, acct)
 184             if auth["status"] == "valid":
 185                 continue
 186             elif auth["status"] == "pending":
 187                 pass
 188             else:
 189                 raise Exception("unknown authorization status: %s" % (auth["status"],))
 190             valid = False
 191             if auth["identifier"]["type"] != "dns":
 192                 raise Exception("unknown authorization type: %s" % (auth["identifier"]["type"],))
 193             dn = auth["identifier"]["value"]
 194             if dn not in htconf.roots:
 195                 raise Exception("no configured ht-root for domain name %s" % (dn,))
 196             for ch in auth["challenges"]:
 197                 if ch["type"] == "http-01":
 198                     break
 199             else:
 200                 raise Exception("no http-01 challenge for %s" % (dn,))
 201             root = htconf.roots[dn]
 202             tokid, tokval = httptoken(acct, ch)
 203             tokpath = os.path.join(root, tokid);
 204             fp = open(tokpath, "w")
 205             try:
 206                 with fp:
 207                     fp.write(tokval)
 208                 with req("http://%s/.well-known/acme-challenge/%s" % (dn, tokid)) as resp:
 209                     if resp.read().decode("utf-8") != tokval:
 210                         raise Exception("challenge from %s does not match written value" % (dn,))
 211                 for n in range(30):
 212                     resp, headers = jreq(ch["url"], {}, acct)
 213                     if resp["status"] == "processing":
 214                         time.sleep(2)
 215                     elif resp["status"] == "valid":
 216                         break
 217                     else:
 218                         raise Exception("unexpected challenge status for %s when validating: %s" % (dn, resp["status"]))
 219                 else:
 220                     raise Exception("challenge processing timed out for %s" % (dn,))
 221             finally:
 222                 os.unlink(tokpath)
 223
 224 def finalize(acct, csr, orderid):
 225     order, headers = jreq(orderid, None, acct)
 226     if order["status"] == "valid":
 227         pass
 228     elif order["status"] == "ready":
 229         jreq(order["finalize"], {"csr": base64url(csr.der())}, acct)
 230         for n in range(30):
 231             resp, headers = jreq(orderid, None, acct)
 232             if resp["status"] == "processing":
 233                 time.sleep(2)
 234             elif resp["status"] == "valid":
 235                 order = resp
 236                 break
 237             else:
 238                 raise Exception("unexpected order status when finalizing: %s" % resp["status"])
 239         else:
 240             raise Exception("order finalization timed out")
 241     else:
 242         raise Exception("unexpected order state when finalizing: %s" % (order["status"],))
 243     with req(order["certificate"]) as resp:
 244         return resp.read().decode("us-ascii")
 245
 246 def usage(out):
 247     out.write("usage: acmecert [-h] [-D SERVICE]\n")
 248
 249 def main(argv):
 250     global service
 251     opts, args = getopt.getopt(argv[1:], "hD:")
 252     for o, a in opts:
 253         if o == "-h":
 254             usage(sys.stdout)
 255             sys.exit(0)
 256         elif o == "-D":
 257             service = a
 258     if len(args) < 1:
 259         usage(sys.stderr)
 260         sys.exit(1)
 261     if args[0] == "reg":
 262         register().write(sys.stdout)
 263     elif args[0] == "validate-acct":
 264         with open(args[1], "r") as fp:
 265             account.read(fp).validate()
 266     elif args[0] == "acctinfo":
 267         with open(args[1], "r") as fp:
 268             pprint.pprint(account.read(fp).getinfo())
 269     elif args[0] == "order":
 270         with open(args[1], "r") as fp:
 271             acct = account.read(fp)
 272         with open(args[2], "r") as fp:
 273             csr = signreq.read(fp)
 274         order = mkorder(acct, csr)
 275         with open(args[3], "w") as fp:
 276             fp.write("%s\n" % (order["acmecert.location"]))
 277     elif args[0] == "http-auth":
 278         with open(args[1], "r") as fp:
 279             acct = account.read(fp)
 280         with open(args[2], "r") as fp:
 281             htconf = htconfig.read(fp)
 282         with open(args[3], "r") as fp:
 283             orderid = fp.readline().strip()
 284         authorder(acct, htconf, orderid)
 285     elif args[0] == "get":
 286         with open(args[1], "r") as fp:
 287             acct = account.read(fp)
 288         with open(args[2], "r") as fp:
 289             csr = signreq.read(fp)
 290         with open(args[3], "r") as fp:
 291             orderid = fp.readline().strip()
 292         sys.stdout.write(finalize(acct, csr, orderid))
 293     elif args[0] == "http-order":
 294         with open(args[1], "r") as fp:
 295             acct = account.read(fp)
 296         with open(args[2], "r") as fp:
 297             csr = signreq.read(fp)
 298         with open(args[3], "r") as fp:
 299             htconf = htconfig.read(fp)
 300         orderid = mkorder(acct, csr)["acmecert.location"]
 301         authorder(acct, htconf, orderid)
 302         sys.stdout.write(finalize(acct, csr, orderid))
 303     elif args[0] == "directory":
 304         pprint.pprint(directory())
 305     else:
 306         sys.stderr.write("acmecert: unknown command: %s\n" % (args[0],))
 307         usage(sys.stderr)
 308         sys.exit(1)
 309
 310 if __name__ == "__main__":
 311     try:
 312         main(sys.argv)
 313     except KeyboardInterrupt:
 314         signal.signal(signal.SIGINT, signal.SIG_DFL)
 315         os.kill(os.getpid(), signal.SIGINT)