Commit | Line | Data |
---|---|---|
61d08fc2 FT |
1 | #!/usr/bin/python3 |
2 | ||
3 | import sys, os, getopt, binascii, json, pprint, signal, time | |
4 | import urllib.request | |
5 | import Crypto.PublicKey.RSA, Crypto.Random, Crypto.Hash.SHA256, Crypto.Signature.PKCS1_v1_5 | |
6 | ||
7 | service = "https://acme-v02.api.letsencrypt.org/directory" | |
8 | _directory = None | |
9 | def directory(): | |
10 | global _directory | |
11 | if _directory is None: | |
12 | with req(service) as resp: | |
13 | _directory = json.loads(resp.read().decode("utf-8")) | |
14 | return _directory | |
15 | ||
16 | def base64url(dat): | |
17 | return binascii.b2a_base64(dat).decode("us-ascii").translate({43: 45, 47: 95, 61: None}).strip() | |
18 | ||
19 | def ebignum(num): | |
20 | h = "%x" % num | |
21 | if len(h) % 2 == 1: h = "0" + h | |
22 | return base64url(binascii.a2b_hex(h)) | |
23 | ||
24 | def getnonce(): | |
25 | with urllib.request.urlopen(directory()["newNonce"]) as resp: | |
26 | resp.read() | |
27 | return resp.headers["Replay-Nonce"] | |
28 | ||
29 | def req(url, data=None, ctype=None, headers={}, method=None, **kws): | |
30 | if data is not None and not isinstance(data, bytes): | |
31 | data = json.dumps(data).encode("utf-8") | |
32 | ctype = "application/jose+json" | |
33 | req = urllib.request.Request(url, data=data, method=method) | |
34 | for hnam, hval in headers.items(): | |
35 | req.add_header(hnam, hval) | |
36 | if ctype is not None: | |
37 | req.add_header("Content-Type", ctype) | |
38 | return urllib.request.urlopen(req) | |
39 | ||
40 | def jreq(url, data, auth): | |
41 | authdata = {"alg": "RS256", "url": url, "nonce": getnonce()} | |
42 | authdata.update(auth.authdata()) | |
43 | authdata = base64url(json.dumps(authdata).encode("us-ascii")) | |
44 | if data is None: | |
45 | data = "" | |
46 | else: | |
47 | data = base64url(json.dumps(data).encode("us-ascii")) | |
48 | seal = base64url(auth.sign(("%s.%s" % (authdata, data)).encode("us-ascii"))) | |
49 | enc = {"protected": authdata, "payload": data, "signature": seal} | |
50 | with req(url, data=enc) as resp: | |
51 | return json.loads(resp.read().decode("utf-8")), resp.headers | |
52 | ||
14a46eff FT |
53 | class certificate(object): |
54 | @property | |
55 | def enddate(self): | |
56 | # No X509 parser for Python? | |
57 | import subprocess, re, calendar | |
58 | with subprocess.Popen(["openssl", "x509", "-noout", "-enddate"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl: | |
59 | openssl.stdin.write(self.data.encode("us-ascii")) | |
60 | openssl.stdin.close() | |
61 | resp = openssl.stdout.read().decode("utf-8") | |
62 | if openssl.wait() != 0: | |
63 | raise Exception("openssl error") | |
64 | m = re.search(r"notAfter=(.*)$", resp) | |
65 | if m is None: raise Exception("unexpected openssl reply: %r" % (resp,)) | |
66 | return calendar.timegm(time.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")) | |
67 | ||
68 | def expiring(self, timespec): | |
69 | if timespec.endswith("y"): | |
70 | timespec = int(timespec[:-1]) * 365 * 86400 | |
71 | elif timespec.endswith("m"): | |
72 | timespec = int(timespec[:-1]) * 30 * 86400 | |
73 | elif timespec.endswith("w"): | |
74 | timespec = int(timespec[:-1]) * 7 * 86400 | |
75 | elif timespec.endswith("d"): | |
76 | timespec = int(timespec[:-1]) * 86400 | |
77 | elif timespec.endswith("h"): | |
78 | timespec = int(timespec[:-1]) * 3600 | |
79 | else: | |
80 | timespec = int(timespec) | |
81 | return (self.enddate - time.time()) < timespec | |
82 | ||
83 | @classmethod | |
84 | def read(cls, fp): | |
85 | self = cls() | |
86 | self.data = fp.read() | |
87 | return self | |
88 | ||
61d08fc2 FT |
89 | class signreq(object): |
90 | def domains(self): | |
91 | # No PCKS10 parser for Python? | |
92 | import subprocess, re | |
93 | with subprocess.Popen(["openssl", "req", "-noout", "-text"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl: | |
94 | openssl.stdin.write(self.data.encode("us-ascii")) | |
95 | openssl.stdin.close() | |
14a46eff | 96 | resp = openssl.stdout.read().decode("utf-8") |
61d08fc2 FT |
97 | if openssl.wait() != 0: |
98 | raise Exception("openssl error") | |
99 | m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*((\w+:\S+,\s*)*\w+:\S+)\s*\n", resp) | |
100 | if m is None: | |
101 | return [] | |
102 | ret = [] | |
103 | for nm in m.group(1).split(","): | |
104 | nm = nm.strip() | |
105 | typ, nm = nm.split(":", 1) | |
106 | if typ == "DNS": | |
107 | ret.append(nm) | |
108 | return ret | |
109 | ||
110 | def der(self): | |
111 | import subprocess | |
112 | with subprocess.Popen(["openssl", "req", "-outform", "der"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) as openssl: | |
113 | openssl.stdin.write(self.data.encode("us-ascii")) | |
114 | openssl.stdin.close() | |
115 | resp = openssl.stdout.read() | |
116 | if openssl.wait() != 0: | |
117 | raise Exception("openssl error") | |
118 | return resp | |
119 | ||
120 | @classmethod | |
121 | def read(cls, fp): | |
122 | self = cls() | |
123 | self.data = fp.read() | |
124 | return self | |
125 | ||
126 | class jwkauth(object): | |
127 | def __init__(self, key): | |
128 | self.key = key | |
129 | ||
130 | def authdata(self): | |
131 | return {"jwk": {"kty": "RSA", "e": ebignum(self.key.e), "n": ebignum(self.key.n)}} | |
132 | ||
133 | def sign(self, data): | |
134 | dig = Crypto.Hash.SHA256.new() | |
135 | dig.update(data) | |
136 | return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig) | |
137 | ||
138 | class account(object): | |
139 | def __init__(self, uri, key): | |
140 | self.uri = uri | |
141 | self.key = key | |
142 | ||
143 | def authdata(self): | |
144 | return {"kid": self.uri} | |
145 | ||
146 | def sign(self, data): | |
147 | dig = Crypto.Hash.SHA256.new() | |
148 | dig.update(data) | |
149 | return Crypto.Signature.PKCS1_v1_5.new(self.key).sign(dig) | |
150 | ||
151 | def getinfo(self): | |
152 | data, headers = jreq(self.uri, None, self) | |
153 | return data | |
154 | ||
155 | def validate(self): | |
156 | data = self.getinfo() | |
157 | if data.get("status", "") != "valid": | |
158 | raise Exception("account is not valid: %s" % (data.get("status", "\"\""))) | |
159 | ||
160 | def write(self, out): | |
161 | out.write("%s\n" % (self.uri,)) | |
162 | out.write("%s\n" % (self.key.exportKey().decode("us-ascii"),)) | |
163 | ||
164 | @classmethod | |
165 | def read(cls, fp): | |
166 | uri = fp.readline() | |
167 | if uri == "": | |
168 | raise Exception("missing account URI") | |
169 | uri = uri.strip() | |
170 | key = Crypto.PublicKey.RSA.importKey(fp.read()) | |
171 | return cls(uri, key) | |
172 | ||
173 | class htconfig(object): | |
174 | def __init__(self): | |
175 | self.roots = {} | |
176 | ||
177 | @classmethod | |
178 | def read(cls, fp): | |
179 | self = cls() | |
180 | for ln in fp: | |
181 | words = ln.split() | |
182 | if len(words) < 1 or ln[0] == '#': | |
183 | continue | |
184 | if words[0] == "root": | |
185 | self.roots[words[1]] = words[2] | |
186 | else: | |
187 | sys.stderr.write("acmecert: warning: unknown htconfig directive: %s\n" % (words[0])) | |
188 | return self | |
189 | ||
190 | def register(keysize=4096): | |
191 | key = Crypto.PublicKey.RSA.generate(keysize, Crypto.Random.new().read) | |
192 | # jwk = {"kty": "RSA", "e": ebignum(key.e), "n": ebignum(key.n)} | |
193 | # cjwk = json.dumps(jwk, separators=(',', ':'), sort_keys=True) | |
194 | data, headers = jreq(directory()["newAccount"], {"termsOfServiceAgreed": True}, jwkauth(key)) | |
195 | return account(headers["Location"], key) | |
196 | ||
197 | def mkorder(acct, csr): | |
198 | data, headers = jreq(directory()["newOrder"], {"identifiers": [{"type": "dns", "value": dn} for dn in csr.domains()]}, acct) | |
199 | data["acmecert.location"] = headers["Location"] | |
200 | return data | |
201 | ||
202 | def httptoken(acct, ch): | |
203 | jwk = {"kty": "RSA", "e": ebignum(acct.key.e), "n": ebignum(acct.key.n)} | |
204 | dig = Crypto.Hash.SHA256.new() | |
205 | dig.update(json.dumps(jwk, separators=(',', ':'), sort_keys=True).encode("us-ascii")) | |
206 | khash = base64url(dig.digest()) | |
207 | return ch["token"], ("%s.%s" % (ch["token"], khash)) | |
208 | ||
209 | def authorder(acct, htconf, orderid): | |
210 | order, headers = jreq(orderid, None, acct) | |
211 | valid = False | |
212 | tries = 0 | |
213 | while not valid: | |
214 | valid = True | |
215 | tries += 1 | |
216 | if tries > 5: | |
217 | raise Exception("challenges refuse to become valid even after 5 retries") | |
218 | for authuri in order["authorizations"]: | |
219 | auth, headers = jreq(authuri, None, acct) | |
220 | if auth["status"] == "valid": | |
221 | continue | |
222 | elif auth["status"] == "pending": | |
223 | pass | |
224 | else: | |
225 | raise Exception("unknown authorization status: %s" % (auth["status"],)) | |
226 | valid = False | |
227 | if auth["identifier"]["type"] != "dns": | |
228 | raise Exception("unknown authorization type: %s" % (auth["identifier"]["type"],)) | |
229 | dn = auth["identifier"]["value"] | |
230 | if dn not in htconf.roots: | |
231 | raise Exception("no configured ht-root for domain name %s" % (dn,)) | |
232 | for ch in auth["challenges"]: | |
233 | if ch["type"] == "http-01": | |
234 | break | |
235 | else: | |
236 | raise Exception("no http-01 challenge for %s" % (dn,)) | |
237 | root = htconf.roots[dn] | |
238 | tokid, tokval = httptoken(acct, ch) | |
239 | tokpath = os.path.join(root, tokid); | |
240 | fp = open(tokpath, "w") | |
241 | try: | |
242 | with fp: | |
243 | fp.write(tokval) | |
244 | with req("http://%s/.well-known/acme-challenge/%s" % (dn, tokid)) as resp: | |
245 | if resp.read().decode("utf-8") != tokval: | |
246 | raise Exception("challenge from %s does not match written value" % (dn,)) | |
247 | for n in range(30): | |
248 | resp, headers = jreq(ch["url"], {}, acct) | |
249 | if resp["status"] == "processing": | |
250 | time.sleep(2) | |
251 | elif resp["status"] == "valid": | |
252 | break | |
253 | else: | |
254 | raise Exception("unexpected challenge status for %s when validating: %s" % (dn, resp["status"])) | |
255 | else: | |
256 | raise Exception("challenge processing timed out for %s" % (dn,)) | |
257 | finally: | |
258 | os.unlink(tokpath) | |
259 | ||
260 | def finalize(acct, csr, orderid): | |
261 | order, headers = jreq(orderid, None, acct) | |
262 | if order["status"] == "valid": | |
263 | pass | |
264 | elif order["status"] == "ready": | |
265 | jreq(order["finalize"], {"csr": base64url(csr.der())}, acct) | |
266 | for n in range(30): | |
267 | resp, headers = jreq(orderid, None, acct) | |
268 | if resp["status"] == "processing": | |
269 | time.sleep(2) | |
270 | elif resp["status"] == "valid": | |
271 | order = resp | |
272 | break | |
273 | else: | |
274 | raise Exception("unexpected order status when finalizing: %s" % resp["status"]) | |
275 | else: | |
276 | raise Exception("order finalization timed out") | |
277 | else: | |
278 | raise Exception("unexpected order state when finalizing: %s" % (order["status"],)) | |
279 | with req(order["certificate"]) as resp: | |
280 | return resp.read().decode("us-ascii") | |
281 | ||
cc8619b5 FT |
282 | class maybeopen(object): |
283 | def __init__(self, name, mode): | |
284 | if name == "-": | |
285 | self.opened = False | |
286 | if mode == "r": | |
287 | self.fp = sys.stdin | |
288 | elif mode == "w": | |
289 | self.fp = sys.stdout | |
290 | else: | |
291 | raise ValueError(mode) | |
292 | else: | |
293 | self.opened = True | |
294 | self.fp = open(name, mode) | |
295 | ||
296 | def __enter__(self): | |
297 | return self.fp | |
298 | ||
299 | def __exit__(self, *excinfo): | |
300 | if self.opened: | |
301 | self.fp.close() | |
302 | return False | |
303 | ||
304 | class usageerr(Exception): | |
305 | pass | |
306 | ||
307 | commands = {} | |
308 | ||
309 | def cmd_reg(args): | |
310 | "usage: acmecert reg [OUTPUT-FILE]" | |
311 | acct = register() | |
312 | with maybeopen(args[1] if len(args) > 1 else "-", "w") as fp: | |
313 | acct.write(fp) | |
314 | commands["reg"] = cmd_reg | |
315 | ||
316 | def cmd_validate_acct(args): | |
317 | "usage: acmecert validate-acct ACCOUNT-FILE" | |
318 | if len(args) < 2: raise usageerr() | |
319 | with maybeopen(args[1], "r") as fp: | |
320 | account.read(fp).valudate() | |
321 | commands["validate-acct"] = cmd_validate_acct | |
322 | ||
323 | def cmd_acct_info(args): | |
324 | "usage: acmecert acct-info ACCOUNT-FILE" | |
325 | if len(args) < 2: raise usageerr() | |
326 | with maybeopen(args[1], "r") as fp: | |
327 | pprint.pprint(account.read(fp).getinfo()) | |
328 | commands["acct-info"] = cmd_validate_acct | |
329 | ||
330 | def cmd_order(args): | |
331 | "usage: acmecert order ACCOUNT-FILE CSR [OUTPUT-FILE]" | |
332 | if len(args) < 4: raise usageerr() | |
333 | with maybeopen(args[1], "r") as fp: | |
334 | acct = account.read(fp) | |
335 | with maybeopen(args[2], "r") as fp: | |
336 | csr = signreq.read(fp) | |
337 | order = mkorder(acct, csr) | |
338 | with maybeopen(args[3] if len(args) > 3 else "-", "w") as fp: | |
339 | fp.write("%s\n" % (order["acmecert.location"])) | |
340 | commands["order"] = cmd_order | |
341 | ||
342 | def cmd_http_auth(args): | |
343 | "usage: acmecert http-auth ACCOUNT-FILE HTTP-CONFIG {ORDER-ID|ORDER-FILE}" | |
344 | if len(args) < 4: raise usageerr() | |
345 | with maybeopen(args[1], "r") as fp: | |
346 | acct = account.read(fp) | |
347 | with maybeopen(args[2], "r") as fp: | |
348 | htconf = htconfig.read(fp) | |
349 | if "://" in args[3]: | |
350 | orderid = args[3] | |
351 | else: | |
352 | with maybeopen(args[3], "r") as fp: | |
353 | orderid = fp.readline().strip() | |
354 | authorder(acct, htconf, orderid) | |
355 | commands["http-auth"] = cmd_http_auth | |
356 | ||
357 | def cmd_get(args): | |
358 | "usage: acmecert get ACCOUNT-FILE CSR {ORDER-ID|ORDER-FILE}" | |
359 | if len(args) < 4: raise usageerr() | |
360 | with maybeopen(args[1], "r") as fp: | |
361 | acct = account.read(fp) | |
362 | with maybeopen(args[2], "r") as fp: | |
363 | csr = signreq.read(fp) | |
364 | if "://" in args[3]: | |
365 | orderid = args[3] | |
366 | else: | |
367 | with maybeopen(args[3], "r") as fp: | |
368 | orderid = fp.readline().strip() | |
369 | sys.stdout.write(finalize(acct, csr, orderid)) | |
370 | commands["get"] = cmd_get | |
371 | ||
372 | def cmd_http_order(args): | |
373 | "usage: acmecert http-order ACCOUNT-FILE CSR HTTP-CONFIG [OUTPUT-FILE]" | |
374 | if len(args) < 4: raise usageerr() | |
375 | with maybeopen(args[1], "r") as fp: | |
376 | acct = account.read(fp) | |
377 | with maybeopen(args[2], "r") as fp: | |
378 | csr = signreq.read(fp) | |
379 | with maybeopen(args[3], "r") as fp: | |
380 | htconf = htconfig.read(fp) | |
381 | orderid = mkorder(acct, csr)["acmecert.location"] | |
382 | authorder(acct, htconf, orderid) | |
383 | with maybeopen(args[4] if len(args) > 4 else "-", "w") as fp: | |
384 | fp.write(finalize(acct, csr, orderid)) | |
385 | commands["http-order"] = cmd_http_order | |
386 | ||
387 | def cmd_check_cert(args): | |
388 | "usage: acmecert check-cert CERT-FILE TIME-SPEC" | |
389 | if len(args) < 3: raise usageerr() | |
390 | with maybeopen(args[1], "r") as fp: | |
391 | crt = certificate.read(fp) | |
392 | sys.exit(1 if crt.expiring(args[2]) else 0) | |
393 | commands["check-cert"] = cmd_check_cert | |
394 | ||
395 | def cmd_directory(args): | |
396 | "usage: acmecert directory" | |
397 | pprint.pprint(directory()) | |
398 | commands["directory"] = cmd_directory | |
399 | ||
61d08fc2 | 400 | def usage(out): |
cc8619b5 FT |
401 | out.write("usage: acmecert [-D SERVICE] COMMAND [ARGS...]\n") |
402 | out.write(" acmecert -h [COMMAND]\n") | |
403 | buf = " COMMAND is any of: " | |
404 | f = True | |
405 | for cmd in commands: | |
406 | if len(buf) + len(cmd) > 70: | |
407 | out.write("%s\n" % (buf,)) | |
408 | buf = " " | |
409 | f = True | |
410 | if not f: | |
411 | buf += ", " | |
412 | buf += cmd | |
413 | f = False | |
414 | if not f: | |
415 | out.write("%s\n" % (buf,)) | |
61d08fc2 FT |
416 | |
417 | def main(argv): | |
418 | global service | |
419 | opts, args = getopt.getopt(argv[1:], "hD:") | |
420 | for o, a in opts: | |
421 | if o == "-h": | |
cc8619b5 FT |
422 | if len(args) > 0: |
423 | cmd = commands.get(args[0]) | |
424 | if cmd is None: | |
425 | sys.stderr.write("acmecert: unknown command: %s\n" % (args[0],)) | |
426 | sys.exit(1) | |
427 | sys.stdout.write("%s\n" % (cmd.__doc__,)) | |
428 | else: | |
429 | usage(sys.stdout) | |
61d08fc2 FT |
430 | sys.exit(0) |
431 | elif o == "-D": | |
432 | service = a | |
433 | if len(args) < 1: | |
434 | usage(sys.stderr) | |
435 | sys.exit(1) | |
cc8619b5 FT |
436 | cmd = commands.get(args[0]) |
437 | if cmd is None: | |
61d08fc2 FT |
438 | sys.stderr.write("acmecert: unknown command: %s\n" % (args[0],)) |
439 | usage(sys.stderr) | |
440 | sys.exit(1) | |
cc8619b5 FT |
441 | try: |
442 | cmd(args) | |
443 | except usageerr: | |
444 | sys.stderr.write("%s\n" % (cmd.__doc__,)) | |
445 | sys.exit(1) | |
61d08fc2 FT |
446 | |
447 | if __name__ == "__main__": | |
448 | try: | |
449 | main(sys.argv) | |
450 | except KeyboardInterrupt: | |
451 | signal.signal(signal.SIGINT, signal.SIG_DFL) | |
452 | os.kill(os.getpid(), signal.SIGINT) |