authorDaniel Roesler <diafygi@gmail.com>2015-12-05 14:40:03 -0800
committerDaniel Roesler <diafygi@gmail.com>2015-12-05 14:40:03 -0800
commitb08e3789c02ca3b4e50452df151f014241e815de (patch)
tree426888ee0b1988ac04c25e871f64a05589467da2 /sign_csr.py
parent28f03f0ba332d9c355cb63a7633be32147105992 (diff)
Fixed #40: updated string formatting to be backwards compatible with Python 2.6
Diffstat (limited to 'sign_csr.py')
-rw-r--r--sign_csr.py84
1 files changed, 42 insertions, 42 deletions
diff --git a/sign_csr.py b/sign_csr.py
index fed7807..3c80a95 100644
--- a/sign_csr.py
+++ b/sign_csr.py
@@ -23,7 +23,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
#CA = "https://acme-staging.api.letsencrypt.org"
CA = "https://acme-v01.api.letsencrypt.org"
TERMS = "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
- nonce_req = urllib2.Request("{}/directory".format(CA))
+ nonce_req = urllib2.Request("{0}/directory".format(CA))
nonce_req.get_method = lambda : 'HEAD'
def _b64(b):
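Review bot: The CA URL built on the changed `nonce_req` line is fetched with urllib2, and on the Python 2.6 interpreter this commit targets (and on 2.7 before 2.7.9) urllib2 does not verify the server's TLS certificate, so the nonce request and every later exchange with the CA (the urlopen calls in the register, new-authz, challenge-poll and new-cert hunks) go over HTTPS without checking who answered. The ACME requests themselves are signed, but the responses — challenge tokens, status and the issued certificate — are trusted exactly as received. A comment next to `CA = ...` would record this for operators, e.g. `# NOTE: urllib2 on Python < 2.7.9 does not validate the CA's TLS certificate`. sign_csr's body continues outside the hunk.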
@@ -36,7 +36,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
out, err = proc.communicate()
if proc.returncode != 0:
- raise IOError("Error loading {}".format(pubkey))
+ raise IOError("Error loading {0}".format(pubkey))
pub_hex, pub_exp = re.search(
"Modulus(?: \((?:2048|4096) bit\)|)\:\s+00:([a-f0-9\:\s]+?)Exponent\: ([0-9]+)",
out, re.MULTILINE|re.DOTALL).groups()
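Review bot: The modulus regex two lines below the changed `raise` is written as a plain (non-raw) string containing `\(`, `\:` and `\s`; Python 2 keeps unknown escapes verbatim so it happens to work, but it should be an `r"..."` literal so the pattern does not depend on that behaviour. Separately, `re.search(...).groups()` raises a bare AttributeError when openssl's output does not match (for example a key size other than 2048/4096 is labelled differently), which is harder to diagnose than the explicit `IOError("Error loading ...")` raised just above; binding the match first and raising the same IOError when it is None would keep the error handling consistent. sign_csr's body continues outside the hunk.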
@@ -44,7 +44,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
pub_mod64 = _b64(pub_mod)
pub_exp = int(pub_exp)
pub_exp = "{0:x}".format(pub_exp)
- pub_exp = "0{}".format(pub_exp) if len(pub_exp) % 2 else pub_exp
+ pub_exp = "0{0}".format(pub_exp) if len(pub_exp) % 2 else pub_exp
pub_exp = binascii.unhexlify(pub_exp)
pub_exp64 = _b64(pub_exp)
header = {
@@ -65,7 +65,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
out, err = proc.communicate()
if proc.returncode != 0:
- raise IOError("Error loading {}".format(csr))
+ raise IOError("Error loading {0}".format(csr))
domains = set([])
common_name = re.search("Subject:.*? CN=([^\s,;/]+)", out)
if common_name is not None:
@@ -75,14 +75,14 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
for san in subject_alt_names.group(1).split(", "):
if san.startswith("DNS:"):
domains.add(san[4:])
- sys.stderr.write("Found domains {}\n".format(", ".join(domains)))
+ sys.stderr.write("Found domains {0}\n".format(", ".join(domains)))
# Step 3: Ask user for contact email
if not email:
- default_email = "webmaster@{}".format(min(domains, key=len))
+ default_email = "webmaster@{0}".format(min(domains, key=len))
stdout = sys.stdout
sys.stdout = sys.stderr
- input_email = raw_input("STEP 1: What is your contact email? ({}) ".format(default_email))
+ input_email = raw_input("STEP 1: What is your contact email? ({0}) ".format(default_email))
email = input_email if input_email else default_email
sys.stdout = stdout
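Review bot: The `sys.stdout` swap around the changed `raw_input` line is not restored if the prompt raises (EOFError or KeyboardInterrupt on a closed or aborted stdin), leaving stdout pointed at stderr for the rest of the process; wrap the prompt in `try: input_email = raw_input(...)` / `finally: sys.stdout = stdout` so the restore always runs. The same swap-without-finally pattern appears in the STEP 2, STEP 3 and per-domain STEP hunks further down. The enclosing `if not email:` block and sign_csr's body continue outside the hunk.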
@@ -92,7 +92,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
reg_nonce = urllib2.urlopen(nonce_req).headers['Replay-Nonce']
reg_raw = json.dumps({
"resource": "new-reg",
- "contact": ["mailto:{}".format(email)],
+ "contact": ["mailto:{0}".format(email)],
"agreement": TERMS,
}, sort_keys=True, indent=4)
reg_b64 = _b64(reg_raw)
@@ -100,7 +100,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
reg_protected.update({"nonce": reg_nonce})
reg_protected64 = _b64(json.dumps(reg_protected, sort_keys=True, indent=4))
reg_file = tempfile.NamedTemporaryFile(dir=".", prefix="register_", suffix=".json")
- reg_file.write("{}.{}".format(reg_protected64, reg_b64))
+ reg_file.write("{0}.{1}".format(reg_protected64, reg_b64))
reg_file.flush()
reg_file_name = os.path.basename(reg_file.name)
reg_file_sig = tempfile.NamedTemporaryFile(dir=".", prefix="register_", suffix=".sig")
@@ -109,7 +109,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
# need signature for each domain identifiers
ids = []
for domain in domains:
- sys.stderr.write("Building request for {}...\n".format(domain))
+ sys.stderr.write("Building request for {0}...\n".format(domain))
id_nonce = urllib2.urlopen(nonce_req).headers['Replay-Nonce']
id_raw = json.dumps({
"resource": "new-authz",
@@ -123,7 +123,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
id_protected.update({"nonce": id_nonce})
id_protected64 = _b64(json.dumps(id_protected, sort_keys=True, indent=4))
id_file = tempfile.NamedTemporaryFile(dir=".", prefix="domain_", suffix=".json")
- id_file.write("{}.{}".format(id_protected64, id_b64))
+ id_file.write("{0}.{1}".format(id_protected64, id_b64))
id_file.flush()
id_file_name = os.path.basename(id_file.name)
id_file_sig = tempfile.NamedTemporaryFile(dir=".", prefix="domain_", suffix=".sig")
@@ -154,7 +154,7 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
csr_protected.update({"nonce": csr_nonce})
csr_protected64 = _b64(json.dumps(csr_protected, sort_keys=True, indent=4))
csr_file = tempfile.NamedTemporaryFile(dir=".", prefix="cert_", suffix=".json")
- csr_file.write("{}.{}".format(csr_protected64, csr_b64))
+ csr_file.write("{0}.{1}".format(csr_protected64, csr_b64))
csr_file.flush()
csr_file_name = os.path.basename(csr_file.name)
csr_file_sig = tempfile.NamedTemporaryFile(dir=".", prefix="cert_", suffix=".sig")
@@ -164,13 +164,13 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
sys.stderr.write("""\
STEP 2: You need to sign some files (replace 'user.key' with your user private key).
-openssl dgst -sha256 -sign user.key -out {} {}
-{}
-openssl dgst -sha256 -sign user.key -out {} {}
+openssl dgst -sha256 -sign user.key -out {0} {1}
+{2}
+openssl dgst -sha256 -sign user.key -out {3} {4}
""".format(
reg_file_sig_name, reg_file_name,
- "\n".join("openssl dgst -sha256 -sign user.key -out {} {}".format(i['sig_name'], i['file_name']) for i in ids),
+ "\n".join("openssl dgst -sha256 -sign user.key -out {0} {1}".format(i['sig_name'], i['file_name']) for i in ids),
csr_file_sig_name, csr_file_name))
stdout = sys.stdout
@@ -186,14 +186,14 @@ openssl dgst -sha256 -sign user.key -out {} {}
i['sig64'] = _b64(i['sig'].read())
# Step 7: Register the user
- sys.stderr.write("Registering {}...\n".format(email))
+ sys.stderr.write("Registering {0}...\n".format(email))
reg_data = json.dumps({
"header": header,
"protected": reg_protected64,
"payload": reg_b64,
"signature": reg_sig64,
}, sort_keys=True, indent=4)
- reg_url = "{}/acme/new-reg".format(CA)
+ reg_url = "{0}/acme/new-reg".format(CA)
try:
resp = urllib2.urlopen(reg_url, reg_data)
result = json.loads(resp.read())
@@ -204,7 +204,7 @@ openssl dgst -sha256 -sign user.key -out {} {}
sys.stderr.write("Already registered. Skipping...\n")
else:
sys.stderr.write("Error: reg_data:\n")
- sys.stderr.write("POST {}\n".format(reg_url))
+ sys.stderr.write("POST {0}\n".format(reg_url))
sys.stderr.write(reg_data)
sys.stderr.write("\n")
sys.stderr.write(err)
@@ -215,30 +215,30 @@ openssl dgst -sha256 -sign user.key -out {} {}
responses = []
tests = []
for n, i in enumerate(ids):
- sys.stderr.write("Requesting challenges for {}...\n".format(i['domain']))
+ sys.stderr.write("Requesting challenges for {0}...\n".format(i['domain']))
id_data = json.dumps({
"header": header,
"protected": i['protected64'],
"payload": i['data64'],
"signature": i['sig64'],
}, sort_keys=True, indent=4)
- id_url = "{}/acme/new-authz".format(CA)
+ id_url = "{0}/acme/new-authz".format(CA)
try:
resp = urllib2.urlopen(id_url, id_data)
result = json.loads(resp.read())
except urllib2.HTTPError as e:
sys.stderr.write("Error: id_data:\n")
- sys.stderr.write("POST {}\n".format(id_url))
+ sys.stderr.write("POST {0}\n".format(id_url))
sys.stderr.write(id_data)
sys.stderr.write("\n")
sys.stderr.write(e.read())
sys.stderr.write("\n")
raise
challenge = [c for c in result['challenges'] if c['type'] == "http-01"][0]
- keyauthorization = "{}.{}".format(challenge['token'], thumbprint)
+ keyauthorization = "{0}.{1}".format(challenge['token'], thumbprint)
# challenge request
- sys.stderr.write("Building challenge responses for {}...\n".format(i['domain']))
+ sys.stderr.write("Building challenge responses for {0}...\n".format(i['domain']))
test_nonce = urllib2.urlopen(nonce_req).headers['Replay-Nonce']
test_raw = json.dumps({
"resource": "challenge",
@@ -249,7 +249,7 @@ openssl dgst -sha256 -sign user.key -out {} {}
test_protected.update({"nonce": test_nonce})
test_protected64 = _b64(json.dumps(test_protected, sort_keys=True, indent=4))
test_file = tempfile.NamedTemporaryFile(dir=".", prefix="challenge_", suffix=".json")
- test_file.write("{}.{}".format(test_protected64, test_b64))
+ test_file.write("{0}.{1}".format(test_protected64, test_b64))
test_file.flush()
test_file_name = os.path.basename(test_file.name)
test_file_sig = tempfile.NamedTemporaryFile(dir=".", prefix="challenge_", suffix=".sig")
@@ -266,7 +266,7 @@ openssl dgst -sha256 -sign user.key -out {} {}
# challenge response for server
responses.append({
- "uri": ".well-known/acme-challenge/{}".format(challenge['token']),
+ "uri": ".well-known/acme-challenge/{0}".format(challenge['token']),
"data": keyauthorization,
})
@@ -274,10 +274,10 @@ openssl dgst -sha256 -sign user.key -out {} {}
sys.stderr.write("""\
STEP 3: You need to sign some more files (replace 'user.key' with your user private key).
-{}
+{0}
""".format(
- "\n".join("openssl dgst -sha256 -sign user.key -out {} {}".format(
+ "\n".join("openssl dgst -sha256 -sign user.key -out {0} {1}".format(
i['sig_name'], i['file_name']) for i in tests)))
stdout = sys.stdout
@@ -294,11 +294,11 @@ STEP 3: You need to sign some more files (replace 'user.key' with your user priv
for n, i in enumerate(ids):
if file_based:
sys.stderr.write("""\
-STEP {}: Please update your server to serve the following file at this URL:
+STEP {0}: Please update your server to serve the following file at this URL:
--------------
-URL: http://{}/{}
-File contents: \"{}\"
+URL: http://{1}/{2}
+File contents: \"{3}\"
--------------
Notes:
@@ -313,11 +313,11 @@ Notes:
sys.stdout = stdout
else:
sys.stderr.write("""\
-STEP {}: You need to run this command on {} (don't stop the python command until the next step).
+STEP {0}: You need to run this command on {1} (don't stop the python command until the next step).
sudo python -c "import BaseHTTPServer; \\
h = BaseHTTPServer.BaseHTTPRequestHandler; \\
- h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('{}'); \\
+ h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('{2}'); \\
s = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), h); \\
s.serve_forever()"
@@ -329,7 +329,7 @@ sudo python -c "import BaseHTTPServer; \\
sys.stdout = stdout
# Step 12: Let the CA know you're ready for the challenge
- sys.stderr.write("Requesting verification for {}...\n".format(i['domain']))
+ sys.stderr.write("Requesting verification for {0}...\n".format(i['domain']))
test_data = json.dumps({
"header": header,
"protected": tests[n]['protected64'],
@@ -342,7 +342,7 @@ sudo python -c "import BaseHTTPServer; \\
test_result = json.loads(resp.read())
except urllib2.HTTPError as e:
sys.stderr.write("Error: test_data:\n")
- sys.stderr.write("POST {}\n".format(test_url))
+ sys.stderr.write("POST {0}\n".format(test_url))
sys.stderr.write(test_data)
sys.stderr.write("\n")
sys.stderr.write(e.read())
@@ -350,14 +350,14 @@ sudo python -c "import BaseHTTPServer; \\
raise
# Step 13: Wait for CA to mark test as valid
- sys.stderr.write("Waiting for {} challenge to pass...\n".format(i['domain']))
+ sys.stderr.write("Waiting for {0} challenge to pass...\n".format(i['domain']))
while True:
try:
resp = urllib2.urlopen(test_url)
challenge_status = json.loads(resp.read())
except urllib2.HTTPError as e:
sys.stderr.write("Error: test_data:\n")
- sys.stderr.write("GET {}\n".format(test_url))
+ sys.stderr.write("GET {0}\n".format(test_url))
sys.stderr.write(test_data)
sys.stderr.write("\n")
sys.stderr.write(e.read())
@@ -366,10 +366,10 @@ sudo python -c "import BaseHTTPServer; \\
if challenge_status['status'] == "pending":
time.sleep(2)
elif challenge_status['status'] == "valid":
- sys.stderr.write("Passed {} challenge!\n".format(i['domain']))
+ sys.stderr.write("Passed {0} challenge!\n".format(i['domain']))
break
else:
- raise KeyError("'{}' challenge did not pass: {}".format(i['domain'], challenge_status))
+ raise KeyError("'{0}' challenge did not pass: {1}".format(i['domain'], challenge_status))
# Step 14: Get the certificate signed
sys.stderr.write("Requesting signature...\n")
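Review bot: The `"pending"` branch sleeps and loops back with no attempt limit, so the polling loop this hunk belongs to (its `while True:` is in the previous hunk) never terminates if the CA leaves the challenge pending indefinitely. Counting iterations and raising after a cap — e.g. increment a counter before `time.sleep(2)` and raise an IOError naming `i['domain']` once it exceeds a constant such as `MAX_POLLS` (value to be chosen) — keeps the script from hanging without changing the success path. The polling loop starts outside the hunk.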
@@ -381,13 +381,13 @@ sudo python -c "import BaseHTTPServer; \\
"payload": csr_b64,
"signature": csr_sig64,
}, sort_keys=True, indent=4)
- csr_url = "{}/acme/new-cert".format(CA)
+ csr_url = "{0}/acme/new-cert".format(CA)
try:
resp = urllib2.urlopen(csr_url, csr_data)
signed_der = resp.read()
except urllib2.HTTPError as e:
sys.stderr.write("Error: csr_data:\n")
- sys.stderr.write("POST {}\n".format(csr_url))
+ sys.stderr.write("POST {0}\n".format(csr_url))
sys.stderr.write(csr_data)
sys.stderr.write("\n")
sys.stderr.write(e.read())
@@ -400,7 +400,7 @@ sudo python -c "import BaseHTTPServer; \\
signed_der64 = base64.b64encode(signed_der)
signed_pem = """\
-----BEGIN CERTIFICATE-----
-{}
+{0}
-----END CERTIFICATE-----
""".format("\n".join(textwrap.wrap(signed_der64, 64)))