def wildcard_revoke(cert_pem,account):
#Check if registrar exists
if account not in os.listdir(REG_DIRECTORY):
print "This account does not exists, register it first with new_account.py"
sys.exit(1)
#Load files from disk
with open(REG_DIRECTORY + "/" + account + "/private.key", "rb") as key_file:
privkey = serialization.load_pem_private_key(
key_file.read(),
password=None,
backend=default_backend()
)
with open(REG_DIRECTORY + "/" + account + "/reguri.txt", "r") as reguri_file:
reg_uri = reguri_file.read()
#Compose registration resource (regr)
key = jose.JWKRSA(key=privkey)
regr = messages.RegistrationResource(
body=messages.Registration(
key=key.public_key()),
uri = reg_uri)
#Init ACME
net = ClientNetwork(key)
directory = net.get(DIRECTORY_URL).json()
acme = client.ClientV2(directory, net)
#Check if registration is valid
if acme.query_registration(regr).body.status == u'valid':
print "Registration valid"
else:
print "Registration invalid"
sys.exit(1)
#Deserialize key from variable
cert = jose.ComparableX509(OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_pem))
#Try to revoke cert, return false on error or revoked-already state
try:
revokation = acme.revoke(cert,1)
except messages.Error,acme_exc:
if str(acme_exc) == str("urn:ietf:params:acme:error:alreadyRevoked :: Certificate already revoked"):
return ["Certificate already revoked",False]
else:
return [acme_exc, False]
def create_registration():
global privkey, regr
privkey = rsa.generate_private_key(public_exponent=65537,
key_size=BITS,
backend=default_backend())
key = jose.JWKRSA(key=privkey)
net = ClientNetwork(key)
directory = net.get(DIRECTORY_URL).json()
acme = client.ClientV2(directory, net)
regbody = dict(
messages.Registration(contact=('mailto:[email protected]', ),
terms_of_service_agreed=True,
key=key.public_key()))
#NEED TO SAVE REGBODY VARIABLE TO FILE
regr = acme.new_account(messages.NewRegistration(**regbody))
class ClientNetworkWithMockedResponseTest(unittest.TestCase):
"""Tests for acme.client.ClientNetwork which mock out response."""
# pylint: disable=too-many-instance-attributes
def setUp(self):
from acme.client import ClientNetwork
self.net = ClientNetwork(key=None, alg=None)
self.response = mock.MagicMock(ok=True, status_code=http_client.OK)
self.response.headers = {}
self.response.links = {}
self.checked_response = mock.MagicMock()
self.obj = mock.MagicMock()
self.wrapped_obj = mock.MagicMock()
self.content_type = mock.sentinel.content_type
self.all_nonces = [
jose.b64encode(b'Nonce'),
jose.b64encode(b'Nonce2'),
jose.b64encode(b'Nonce3')
]
self.available_nonces = self.all_nonces[:]
def send_request(*args, **kwargs):
# pylint: disable=unused-argument,missing-docstring
if self.available_nonces:
self.response.headers = {
self.net.REPLAY_NONCE_HEADER:
self.available_nonces.pop().decode()
}
else:
self.response.headers = {}
return self.response
# pylint: disable=protected-access
self.net._send_request = self.send_request = mock.MagicMock(
side_effect=send_request)
self.net._check_response = self.check_response
self.net._wrap_in_jws = mock.MagicMock(return_value=self.wrapped_obj)
def check_response(self, response, content_type):
# pylint: disable=missing-docstring
self.assertEqual(self.response, response)
self.assertEqual(self.content_type, content_type)
return self.checked_response
def test_head(self):
self.assertEqual(
self.response,
self.net.head('http://example.com/', 'foo', bar='baz'))
self.send_request.assert_called_once_with('HEAD',
'http://example.com/',
'foo',
bar='baz')
def test_get(self):
self.assertEqual(
self.checked_response,
self.net.get('http://example.com/',
content_type=self.content_type,
bar='baz'))
self.send_request.assert_called_once_with('GET',
'http://example.com/',
bar='baz')
def test_post_no_content_type(self):
self.content_type = self.net.JOSE_CONTENT_TYPE
self.assertEqual(self.checked_response, self.net.post('uri', self.obj))
def test_post(self):
# pylint: disable=protected-access
self.assertEqual(
self.checked_response,
self.net.post('uri', self.obj, content_type=self.content_type))
self.net._wrap_in_jws.assert_called_once_with(
self.obj, jose.b64decode(self.all_nonces.pop()))
self.available_nonces = []
self.assertRaises(errors.MissingNonce,
self.net.post,
'uri',
self.obj,
content_type=self.content_type)
self.net._wrap_in_jws.assert_called_with(
self.obj, jose.b64decode(self.all_nonces.pop()))
def test_post_wrong_initial_nonce(self): # HEAD
self.available_nonces = [b'f', jose.b64encode(b'good')]
self.assertRaises(errors.BadNonce,
self.net.post,
'uri',
self.obj,
content_type=self.content_type)
def test_post_wrong_post_response_nonce(self):
self.available_nonces = [jose.b64encode(b'good'), b'f']
self.assertRaises(errors.BadNonce,
self.net.post,
'uri',
self.obj,
content_type=self.content_type)
def test_post_failed_retry(self):
check_response = mock.MagicMock()
check_response.side_effect = messages.Error.with_code('badNonce')
# pylint: disable=protected-access
self.net._check_response = check_response
self.assertRaises(messages.Error,
self.net.post,
'uri',
self.obj,
content_type=self.content_type)
def test_post_not_retried(self):
check_response = mock.MagicMock()
check_response.side_effect = [
messages.Error.with_code('malformed'), self.checked_response
]
# pylint: disable=protected-access
self.net._check_response = check_response
self.assertRaises(messages.Error,
self.net.post,
'uri',
self.obj,
content_type=self.content_type)
def test_post_successful_retry(self):
check_response = mock.MagicMock()
check_response.side_effect = [
messages.Error.with_code('badNonce'), self.checked_response
]
# pylint: disable=protected-access
self.net._check_response = check_response
self.assertEqual(
self.checked_response,
self.net.post('uri', self.obj, content_type=self.content_type))
def test_head_get_post_error_passthrough(self):
self.send_request.side_effect = requests.exceptions.RequestException
for method in self.net.head, self.net.get:
self.assertRaises(requests.exceptions.RequestException, method,
'GET', 'uri')
self.assertRaises(requests.exceptions.RequestException,
self.net.post,
'uri',
obj=self.obj)
class ClientNetworkWithMockedResponseTest(unittest.TestCase):
"""Tests for acme.client.ClientNetwork which mock out response."""
# pylint: disable=too-many-instance-attributes
def setUp(self):
from acme.client import ClientNetwork
self.net = ClientNetwork(key=None, alg=None)
self.response = mock.MagicMock(ok=True, status_code=http_client.OK)
self.response.headers = {}
self.response.links = {}
self.checked_response = mock.MagicMock()
self.obj = mock.MagicMock()
self.wrapped_obj = mock.MagicMock()
self.content_type = mock.sentinel.content_type
self.all_nonces = [jose.b64encode(b'Nonce'), jose.b64encode(b'Nonce2')]
self.available_nonces = self.all_nonces[:]
def send_request(*args, **kwargs):
# pylint: disable=unused-argument,missing-docstring
if self.available_nonces:
self.response.headers = {
self.net.REPLAY_NONCE_HEADER:
self.available_nonces.pop().decode()}
else:
self.response.headers = {}
return self.response
# pylint: disable=protected-access
self.net._send_request = self.send_request = mock.MagicMock(
side_effect=send_request)
self.net._check_response = self.check_response
self.net._wrap_in_jws = mock.MagicMock(return_value=self.wrapped_obj)
def check_response(self, response, content_type):
# pylint: disable=missing-docstring
self.assertEqual(self.response, response)
self.assertEqual(self.content_type, content_type)
return self.checked_response
def test_head(self):
self.assertEqual(self.response, self.net.head('url', 'foo', bar='baz'))
self.send_request.assert_called_once_with(
'HEAD', 'url', 'foo', bar='baz')
def test_get(self):
self.assertEqual(self.checked_response, self.net.get(
'url', content_type=self.content_type, bar='baz'))
self.send_request.assert_called_once_with('GET', 'url', bar='baz')
def test_post(self):
# pylint: disable=protected-access
self.assertEqual(self.checked_response, self.net.post(
'uri', self.obj, content_type=self.content_type))
self.net._wrap_in_jws.assert_called_once_with(
self.obj, jose.b64decode(self.all_nonces.pop()))
assert not self.available_nonces
self.assertRaises(errors.MissingNonce, self.net.post,
'uri', self.obj, content_type=self.content_type)
self.net._wrap_in_jws.assert_called_with(
self.obj, jose.b64decode(self.all_nonces.pop()))
def test_post_wrong_initial_nonce(self): # HEAD
self.available_nonces = [b'f', jose.b64encode(b'good')]
self.assertRaises(errors.BadNonce, self.net.post, 'uri',
self.obj, content_type=self.content_type)
def test_post_wrong_post_response_nonce(self):
self.available_nonces = [jose.b64encode(b'good'), b'f']
self.assertRaises(errors.BadNonce, self.net.post, 'uri',
self.obj, content_type=self.content_type)
def test_head_get_post_error_passthrough(self):
self.send_request.side_effect = requests.exceptions.RequestException
for method in self.net.head, self.net.get:
self.assertRaises(
requests.exceptions.RequestException, method, 'GET', 'uri')
self.assertRaises(requests.exceptions.RequestException,
self.net.post, 'uri', obj=self.obj)
def wildcard_request(cn, account):
def dns_check_ns1():
recieved_data_dup = []
recieved_data = []
ns1_resolver = dns.resolver.Resolver()
#ns1_resolver.nameservers = ['130.193.8.82','2a03:b780::1:1']
ns1_resolver.nameservers = ['173.245.58.51']
for data in validation_data:
domainname = data[1]
#challenge = data[0]
answers = ns1_resolver.query(domainname, 'txt')
for rdata in answers:
recieved_data_dup.append(
[str(rdata).replace('"', ''), domainname])
#Deduplication of ns records (in case of more cnames)
for i in recieved_data_dup:
if i not in recieved_data:
recieved_data.append(i)
# print sorted(recieved_data)
# print sorted(validation_data)
if sorted(validation_data) == sorted(recieved_data):
return True
else:
return False
#Check if CN is valid domain
domain_regex = re.compile(
"^([a-zA-Z0-9]([\-a-zA-Z0-9]{0,61}[a-zA-Z0-9])?\.)*([a-zA-Z0-9]([\-a-zA-Z0-9]{0,61}[a-zA-Z0-9])+\.)([a-zA-Z0-9]+([\-a-zA-Z0-9]{0,61}[a-zA-Z])+)$"
)
if not domain_regex.match(cn):
print 'First argument is not valid CN'
sys.exit(1)
#Check if registrar exists
if account not in os.listdir(REG_DIRECTORY):
print "This account does not exists, register it first with new_account.py"
sys.exit(1)
#Load files from disk
with open(REG_DIRECTORY + "/" + account + "/private.key",
"rb") as key_file:
privkey = serialization.load_pem_private_key(key_file.read(),
password=None,
backend=default_backend())
with open(REG_DIRECTORY + "/" + account + "/reguri.txt",
"r") as reguri_file:
reg_uri = reguri_file.read()
#Compose regr
key = jose.JWKRSA(key=privkey)
regr = messages.RegistrationResource(
body=messages.Registration(key=key.public_key()), uri=reg_uri)
#Init ACME
net = ClientNetwork(key)
directory = net.get(DIRECTORY_URL).json()
acme = client.ClientV2(directory, net)
#Check if registration is valid
if acme.query_registration(regr).body.status == u'valid':
print "Registration valid"
else:
print "Registration invalid"
sys.exit(1)
#Generate private key for certificate
pkey = OpenSSL.crypto.PKey()
pkey.generate_key(OpenSSL.crypto.TYPE_RSA, BITS)
#Serialize key for output
pkey_printable = OpenSSL.crypto.dump_privatekey(
OpenSSL.crypto.FILETYPE_PEM, pkey, cipher=None, passphrase=None)
#Compose request for acme
req = crypto_util.make_csr(
OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, pkey),
[cn, '*.' + cn])
#begin order
orderr = acme.new_order(req)
validation_data = []
for authr in orderr.authorizations:
for chalr in authr.body.challenges:
if type(chalr.chall) == type(challenges.DNS01()):
validation_data.append([
str(chalr.chall.validation(key)),
chalr.chall.validation_domain_name(cn)
])
#print validation_data
#Now, call DNS writing function to apply challenges
dns_apply(cn, validation_data)
#Check if DNS is valid on our server
sys.stdin.readline() #DEBUG: wait for manual DNS input
limiter = 2
while not dns_check_ns1():
if limiter != 0:
print "DNS records are not correct, trying again in few seconds"
limiter = limiter - 1
time.sleep(5)
else:
print "DNS are not correct even after several tries. Aborting"
sys.exit(1)
for authr in orderr.authorizations:
for chalr in authr.body.challenges:
if type(chalr.chall) == type(challenges.DNS01()):
try:
acme.answer_challenge(chalr, challenges.DNS01Response())
except:
print chalr.chall.encode(
'token'
) + " already answered (challenge failed, you have to generate new one)"
#After filling DNS and waiting for propagation, finalize order
try:
res = acme.poll_and_finalize(orderr)
finally:
dns_remove(cn)
#logging.info(res)
cert = x509.load_pem_x509_certificate(str(res.fullchain_pem),
default_backend())
output_data = {
'wildcard': {
'cn': cn,
'private_key': str(pkey_printable),
'certificate': str(res.fullchain_pem),
'expiration': cert.not_valid_after.strftime(
"%x %X"
) #Locale-specific time+date representation. Edit to your need
}
}
print json.dumps(output_data)
def build_sync(cls, directory_url, account_key, **kw):
net = ClientNetwork(account_key, user_agent=USER_AGENT, **kw)
directory = Directory.from_json(net.get(directory_url).json())
return cls(_ClientV2PlusPlus(directory, net=net))
