From 344602edb64abd1c3c7c7263cdeac27e87826fae Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:37:53 -0700
Subject: [PATCH 1/9] actually the challenge code decrypts y for us to get r

---
 client-webserver/client.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index d8a9367d8..6fa1afe5c 100644
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
@@ -57,9 +57,9 @@ sni_todo = []
 for chall in r.challenge:
 print chall
 if chall.type == r.DomainValidateSNI:
- key = M2Crypto.RSA.load_key_string(open("key.pem").read())
 dvsni_nonce, dvsni_y, dvsni_ext = chall.data
- dvsni_r = key.private_decrypt(dvsni_y, M2Crypto.RSA.pkcs1_oaep_padding)
- sni_todo.append( (chall.name, dvsni_nonce, dvsni_r) )
+# key = M2Crypto.RSA.load_key_string(open("key.pem").read())
+# dvsni_r = key.private_decrypt(dvsni_y, M2Crypto.RSA.pkcs1_oaep_padding)
+ sni_todo.append( (chall.name, dvsni_y, dvsni_nonce, dvsni_ext) )
 
 print sni_todo

From 7bef1f50b9fe6d4693fbd20e502dd7c0d8e2b4d1 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:38:33 -0700
Subject: [PATCH 2/9] actually do the challenge and wait for the results

---
 client-webserver/client.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index 6fa1afe5c..ef155cdbc 100644
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
@@ -63,3 +63,16 @@ for chall in r.challenge:
 sni_todo.append( (chall.name, dvsni_y, dvsni_nonce, dvsni_ext) )
 
 print sni_todo
+import sni_challenge
+
+sni_challenge.perform_sni_cert_challenge(sni_todo, "req.pem", "key.pem")
+
+r=decode(do(k))
+print r
+while r.challenge or r.proceed.IsInitialized():
+ print "waiting", 5
+ time.sleep(5)
+ k.session = r.session
+ r = decode(do(k))
+ print r
+

From 7699bf8583af7abd9e3e3153954a4f0e635b739f Mon Sep 17 00:00:00 2001
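Review bot: The two commented-out lines (`+# key = M2Crypto.RSA.load_key_string(...)`, `+# dvsni_r = key.private_decrypt(...)`) should be deleted rather than parked as comments; the history is in git, and dead code that loads the private key and decrypts with it invites someone to re-enable it later without re-checking the protocol. The tuple appended to `sni_todo` also changes both arity and order to `(chall.name, dvsni_y, dvsni_nonce, dvsni_ext)`, so every consumer has to move in lock-step (the next patch passes the list to `sni_challenge.perform_sni_cert_challenge`); a one-line comment above the append naming the layout, `# (name, y, nonce, ext) as expected by sni_challenge.perform_sni_cert_challenge`, would save the next reader a grep. `chall.data` is server-supplied, and the bare unpack `dvsni_nonce, dvsni_y, dvsni_ext = chall.data` raises a context-free ValueError if the server sends a different number of items; an explicit `if len(chall.data) != 3:` with a message naming the challenge would make that failure diagnosable.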
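Review bot: The polling loop `while r.challenge or r.proceed.IsInitialized():` has no upper bound, so a server that keeps answering with `proceed` (or keeps re-issuing challenges) pins the client forever; bound it with `for attempt in range(MAX_POLLS):` around the same body and a `for ... else:` branch that does `sys.exit("gave up waiting for the server")` (`sys` is already imported at the top of client.py). Nothing inside the loop looks at `r.failure`, so a failure reported mid-poll is only noticed once the loop happens to exit. `import sni_challenge` lands in the middle of the script; it belongs with the other imports at the top. The call passes bare relative names `"req.pem"` / `"key.pem"`, while the following patch makes sni_challenge resolve the key against `CHOC_DIR` — worth a comment stating which directory each file is expected in, since the two modules appear to disagree.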
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:43:07 -0700
Subject: [PATCH 3/9] key is also in CHOC_DIR

---
 client-webserver/sni_challenge.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client-webserver/sni_challenge.py b/client-webserver/sni_challenge.py
index 5191a8ecd..567cad51b 100644
--- a/client-webserver/sni_challenge.py
+++ b/client-webserver/sni_challenge.py
@@ -41,7 +41,7 @@ LimitRequestBody 1048576 \n \
 \n \
 Include " + OPTIONS_SSL_CONF + " \n \
 SSLCertificateFile " + getChocCertFile(nonce) + " \n \
-SSLCertificateKeyFile " + key + " \n \
+SSLCertificateKeyFile " + CHOC_DIR + key + " \n \
 \n \
 DocumentRoot " + CHOC_DIR + "challenge_page/ \n \
 \n\n "

From f40f372b88a2e475d8a9a7b6711a9210051bd457 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:44:44 -0700
Subject: [PATCH 4/9] I really like this looking from /etc better because it's faster (I realize that on some systems httpd.conf is somewhere other than /etc!)

---
 client-webserver/sni_challenge.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/client-webserver/sni_challenge.py b/client-webserver/sni_challenge.py
index 567cad51b..a5c95b78d 100644
--- a/client-webserver/sni_challenge.py
+++ b/client-webserver/sni_challenge.py
@@ -21,8 +21,9 @@ def getChocCertFile(nonce):
 
 def findApacheConfigFile():
 #This needs to be fixed to account for multiple httpd.conf files
+ # TODO: reliably and quickly find the httpd.conf anywher on the system?
 try:
- p = subprocess.check_output(["sudo", "find", "/", "-name", "httpd.conf"], stderr=open("/dev/null"))
+ p = subprocess.check_output(["sudo", "find", "/etc", "-name", "httpd.conf"], stderr=open("/dev/null"))
 p = p[:len(p)-1]
 print "Apache Config: ", p
 return p

From 30622a436a7dd0a16ad59852768bbe0e981969c0 Mon Sep 17 00:00:00 2001
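Review bot: `CHOC_DIR + key` joins two strings with no separator, so it only works if `CHOC_DIR` happens to end in a slash (the `DocumentRoot` context line relies on the same convention) and silently produces a nonsense path if a caller ever passes an absolute key path; `os.path.join(CHOC_DIR, key)` handles both. The result is then interpolated into the generated Apache config unquoted, so a key filename containing whitespace changes the meaning of the directive — quote it, `SSLCertificateKeyFile \"" + os.path.join(CHOC_DIR, key) + "\" \n \`. Whether `os` is already imported in sni_challenge.py is not visible from this hunk. The string-building function this line belongs to starts and ends outside the hunk.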
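Review bot: `find` exits 0 whether it matched zero, one or several files, so the `try` around `subprocess.check_output` never fires for "not found": with no match `p` is `""`, `p[:len(p)-1]` hands back `""` as the config path, and with several matches the newline-joined list is returned as a single path (the new TODO acknowledges multiple files, but the code still does not handle them). Split the output, fail loudly on zero hits and warn on more than one. `stderr=open("/dev/null")` opens the device read-only and leaks the descriptor; open it for writing inside a `with`. The command is `sudo find` with a fixed argument list — keep it fixed, no caller-controlled strings should ever reach it. The `except` clause of `findApacheConfigFile` is outside this hunk, so the failure path below should be matched to whatever it and the callers expect.

```python
def findApacheConfigFile():
    # … unchanged: leading comments …
    try:
        with open("/dev/null", "w") as devnull:
            out = subprocess.check_output(["sudo", "find", "/etc", "-name", "httpd.conf"], stderr=devnull)
        candidates = out.splitlines()
        if not candidates:
            # find exits 0 even with no match; never return "" as a path
            raise IOError("no httpd.conf found under /etc")
        if len(candidates) > 1:
            print "Warning: several httpd.conf files found, using the first:", candidates
        p = candidates[0]
        print "Apache Config: ", p
        return p
    # … unchanged: except clause (outside this hunk) …
```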
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:45:41 -0700
Subject: [PATCH 5/9] fix indentation

---
 client-webserver/client.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index ef155cdbc..ac1792fea 100644
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
@@ -70,9 +70,8 @@ sni_challenge.perform_sni_cert_challenge(sni_todo, "req.pem", "key.pem")
 r=decode(do(k))
 print r
 while r.challenge or r.proceed.IsInitialized():
- print "waiting", 5
- time.sleep(5)
- k.session = r.session
- r = decode(do(k))
- print r
-
+ print "waiting", 5
+ time.sleep(5)
+ k.session = r.session
+ r = decode(do(k))
+ print r

From 34b61f68fa4b33fcf4e328392b5e9680cd01f3d9 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:47:40 -0700
Subject: [PATCH 6/9] save certificate after it gets issued

---
 client-webserver/client.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index ac1792fea..dd3373a13 100644
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
@@ -75,3 +75,7 @@ while r.challenge or r.proceed.IsInitialized():
 k.session = r.session
 r = decode(do(k))
 print r
+
+if r.success.IsInitialized():
+ open("cert.pem", "w").write(r.success.certificate)
+ print "Served issued certificate; certificate written to cert.pem"

From dd2dc32a96277918fcc08efda01e1d809429a523 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:48:20 -0700
Subject: [PATCH 7/9] report failure after attempted issuance

---
 client-webserver/client.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index dd3373a13..c7e5c6a9e 100644
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
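Review bot: `open("cert.pem", "w").write(r.success.certificate)` stores whatever bytes the server returned without checking that they parse as a certificate, let alone one for the key this client built its CSR from; a malformed response or a certificate for some other key would be written out and later handed to Apache. Parse the blob and compare its public key with `key.pem` before writing (M2Crypto is already imported in client.py), and close the file explicitly instead of leaving the handle dangling. The exact M2Crypto accessors below are from memory and should be checked against the installed version.

```python
if r.success.IsInitialized():
    # Don't trust the returned blob blindly: it must parse as an X.509
    # certificate and carry the public key of key.pem (the key in our CSR).
    cert = M2Crypto.X509.load_cert_string(r.success.certificate)
    our_key = M2Crypto.RSA.load_key("key.pem")
    if cert.get_pubkey().get_rsa().pub() != our_key.pub():
        sys.exit("server returned a certificate for a different key")
    with open("cert.pem", "w") as f:
        f.write(r.success.certificate)
    # … unchanged: success message …
```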
@@ -78,4 +78,6 @@ while r.challenge or r.proceed.IsInitialized():
 
 if r.success.IsInitialized():
 open("cert.pem", "w").write(r.success.certificate)
- print "Served issued certificate; certificate written to cert.pem"
+ print "Server issued certificate; certificate written to cert.pem"
+elif r.failure.IsInitialized():
+ print "Server failed."

From e12d7f8feabaede3fc090b29da29a2fcb27b96da Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:49:19 -0700
Subject: [PATCH 8/9] report failures

---
 client-webserver/client.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index c7e5c6a9e..029b3c9f2 100644
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
@@ -53,6 +53,10 @@ while r.proceed.IsInitialized():
 r = decode(do(k))
 print r
 
+if r.failure.IsInitialized():
+ print "Server reported failure."
+ sys.exit(1)
+
 sni_todo = []
 for chall in r.challenge:
 print chall
@@ -80,4 +84,5 @@ if r.success.IsInitialized():
 open("cert.pem", "w").write(r.success.certificate)
 print "Server issued certificate; certificate written to cert.pem"
 elif r.failure.IsInitialized():
- print "Server failed."
+ print "Server reported failure."
+ sys.exit(1)

From 5407be4df6120e305a305eec59aa2a91ad11bef9 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Thu, 12 Jul 2012 16:49:28 -0700
Subject: [PATCH 9/9] exit when failures are reported

---
 client-webserver/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index 029b3c9f2..5ac8205a8 100644
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
@@ -3,7 +3,7 @@ from chocolate_protocol_pb2 import chocolatemessage
 from Crypto.Hash import SHA256
 import M2Crypto
-import urllib2, os, sys, time, random, CSR
+import urllib2, os, sys, time, random, CSR, sys
 def sha256(m):
 return SHA256.new(m).hexdigest()
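Review bot: The new early exit prints `"Server reported failure."` to stdout and surfaces nothing from the message itself; diagnostics belong on stderr, `print >>sys.stderr, "Server reported failure."`, and if the `failure` submessage carries a reason or error-code field (its schema is not visible here) that should be printed too, so a rejected CSR can be told apart from a protocol error. The identical two lines are repeated at the bottom of the script in the second hunk; a tiny `def fail(msg): print >>sys.stderr, msg; sys.exit(1)` helper near the top would keep the two exits in step.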
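Review bot: The `if r.success.IsInitialized(): … elif r.failure.IsInitialized(): …` chain still has no `else`, so when the polling loop above exits with neither `success` nor `failure` set (an empty or unexpected final response) the script prints nothing and exits 0, which any wrapper or cron job will read as a successful issuance. Add `else: print >>sys.stderr, "Unexpected server response:", r` followed by `sys.exit(1)` so the only zero exit is the one that actually wrote `cert.pem`.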
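Review bot: The replaced line now imports `sys` twice (`import urllib2, os, sys, time, random, CSR, sys`); `sys` was already in the list, so the commit's purpose was already served by the existing import and the trailing `, sys` should be dropped. One import per line (`import os`, `import sys`, …) is the PEP 8 form and would have made the duplicate obvious at a glance. `random` is imported here as well; its uses are outside this hunk, but anything nonce- or key-related in this client should come from `os.urandom` or `random.SystemRandom` rather than the default Mersenne Twister.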