velzend/reolinkRotateCertificate.py

## reolinkRotateCertificate.py
#!/usr/bin/env python3
"""
I wanted to replace the self-signed certificate with one signed by Let's Encrypt, and
did not want to perform this action manually.

I asked Reolink technical support, but they answered there is no API to manage certificates.

So I did some research and found the Reolink doorbell camera and probably other models
do support to upload your own certificates.

In developer tools I checked the API and found the annoying client side AES encryption
implementation where the key is generated/ rotated in the script during login.

To reveal the key and iv, I simply set a breakpoint on the login logic and have the `e` and `t` values.

To decrypt the JSON payload I wrote the script below:

--------------------------------------------------------------------------------
#!/usr/bin/env python3

from crypto.Cipher import AES
import base64

#e = "B642D317BD521D58", t = "0D6A4261FCD46185"
key = b"B642D317BD521D58"
iv = b"0D6A4261FCD46185"

encrypted_payload = "Plha/2eKtaMXwqNXZAlawvZB88qw3KdkRpLrMRol2nh1EmKPQJN****"

decipher = AES.new(key, AES.MODE_CFB, IV=iv, segment_size=128)

decrypted_payload = decipher.decrypt(base64.b64decode(encrypted_payload))

print(decrypted_payload.decode("UTF-8"))

--------------------------------------------------------------------------------

Now I know the endpoints and payload of API requests.

Important notes:
The webservice in the doorbell camera only supports RSA certificates and not EC (Elliptic Curve, ec256 for example).
If you use this script the certificate and key filenames are hardcoded to `server.crt` and `server.key`,
but during testing I found using filenames that contains the FQDN the API fails.

Next, you need a certificate and key.

I use Cloudflare as DNS provider, and prefer Lego as ACME client.

To request the certificate from Let's Encrypt I used the Lego container image below:

docker run \
    -v "$(pwd)/.lego:/.lego" \
    -e "CF_DNS_API_TOKEN=***" \
    goacme/lego \
    --key-type="rsa4096" \
    --accept-tos \
    --email="***" \
    --domains="***" \
    --dns="cloudflare" \
    run

Next step is to update some values in the script below, schedule this
script to run periodically after the docker run above and
enjoy automatic certificate updates/ rotation.

"""

import requests
import os
import base64
import time
import ssl
import sys

os.environ['no_proxy'] = '*'

base_url = "https://***"
username = "admin"
password = "****"

certificate_path = ".lego/***.crt"
key_path = ".lego/***.key"

class Reolink(object):
    def __init__(self, **kwargs):
        self.base_url = kwargs.pop('base_url', None)
        self.username = kwargs.pop('username', None)
        self.password = kwargs.pop('password', None)
        self.token = None

    def login(self):
        login_req = [{"cmd":"Login",
                    "param": {"User": {"userName": self.username,
                                        "password": self.password}
                                        }
                                }
                    ]

        url = f'{self.base_url}/cgi-bin/api.cgi?cmd=Login'

        login_resp = requests.post(url=url, json=login_req, verify=False)
        login_data = login_resp.json()

        self.token = login_data[0]['value']['Token']['name']

        print(f"Login was succesfull, got token: {self.token}")
        return self.token

    def verify_ssl_certificate(self):
        try:
            response = requests.get(self.base_url)
            response.raise_for_status()
            print(f"Certificate for {self.base_url} is valid.")
            return True
        except ssl.SSLCertVerificationError as err:
            print(f"Certificate verification failed for {self.base_url}, error: {err}", file=sys.stderr)
            return False

    def clear_certs(self):

        url = f"{self.base_url}/cgi-bin/api.cgi?cmd=CertificateClear&token={self.token}"
        clear_req = [{
            "cmd": "CertificateClear",
            "action": 0,
            "param": {}
        }]

        clear_certs_resp = requests.post(url=url, json=clear_req, verify=False)
        clear_certs_data = clear_certs_resp.json

        return clear_certs_data


    def update_certs(self, certificate_path, key_path):
        crtfile_stats = os.stat(certificate_path)
        crt_filesize = crtfile_stats.st_size

        with open(certificate_path, "rb") as crt_file:
            b64_crt = base64.b64encode(crt_file.read())

        keyfile_stats = os.stat(key_path)
        key_filesize = keyfile_stats.st_size

        with open(key_path, "rb") as key_file:
            b64_key = base64.b64encode(key_file.read())

        cert_req = [{
                    "cmd": "ImportCertificate",
                    "action": 0,
                    "param": {
                        "importCertificate": {
                            "crt": {
                                "size": crt_filesize,
                                "name": "server.crt",
                                "content": b64_crt.decode("UTF-8")
                            },
                            "key": {
                                "size": key_filesize,
                                "name": "server.key",
                                "content": b64_key.decode("UTF-8")
                            }
                        }
                    }
                    }
                    ]

        url = f"{self.base_url}/cgi-bin/api.cgi?cmd=ImportCertificate&token={self.token}"
        update_certs_resp = requests.post(url=url, json=cert_req, verify=False)
        update_certs_data = update_certs_resp.json

        return update_certs_data

    def logout(self):

        url = f"{self.base_url}/cgi-bin/api.cgi?cmd=Logout&token={self.token}"
        logout_resp = requests.get(url=url, verify=False)
        logout_data = logout_resp.json

        print(f"Logout was succesfull, got response: {logout_data}")
        return logout_data

def main():
    reolink = Reolink(base_url=base_url,
                      username=username,
                      password=password)

    reolink.login()

    reolink.clear_certs()

    # the doorbell will restart the internal web daemon
    time.sleep(5)

    reolink.update_certs(certificate_path=certificate_path,
                         key_path=key_path)

    # the doorbell will restart the internal web daemon
    time.sleep(5)

    reolink.logout()

    if not reolink.verify_ssl_certificate():
        exit(1)

if __name__ == "__main__":
    main()
	#!/usr/bin/env python3
	"""
	I wanted to replace the self-signed certificate with one signed by Let's Encrypt, and
	did not want to perform this action manually.

	I asked Reolink technical support, but they answered there is no API to manage certificates.

	So I did some research and found the Reolink doorbell camera and probably other models
	do support to upload your own certificates.

	In developer tools I checked the API and found the annoying client side AES encryption
	implementation where the key is generated/ rotated in the script during login.

	To reveal the key and iv, I simply set a breakpoint on the login logic and have the `e` and `t` values.

	To decrypt the JSON payload I wrote the script below:

	--------------------------------------------------------------------------------
	#!/usr/bin/env python3

	from crypto.Cipher import AES
	import base64

	#e = "B642D317BD521D58", t = "0D6A4261FCD46185"
	key = b"B642D317BD521D58"
	iv = b"0D6A4261FCD46185"

	encrypted_payload = "Plha/2eKtaMXwqNXZAlawvZB88qw3KdkRpLrMRol2nh1EmKPQJN****"

	decipher = AES.new(key, AES.MODE_CFB, IV=iv, segment_size=128)

	decrypted_payload = decipher.decrypt(base64.b64decode(encrypted_payload))

	print(decrypted_payload.decode("UTF-8"))

	--------------------------------------------------------------------------------

	Now I know the endpoints and payload of API requests.

	Important notes:
	The webservice in the doorbell camera only supports RSA certificates and not EC (Elliptic Curve, ec256 for example).
	If you use this script the certificate and key filenames are hardcoded to `server.crt` and `server.key`,
	but during testing I found using filenames that contains the FQDN the API fails.

	Next, you need a certificate and key.

	I use Cloudflare as DNS provider, and prefer Lego as ACME client.

	To request the certificate from Let's Encrypt I used the Lego container image below:

	docker run \
	-v "$(pwd)/.lego:/.lego" \
	-e "CF_DNS_API_TOKEN=***" \
	goacme/lego \
	--key-type="rsa4096" \
	--accept-tos \
	--email="***" \
	--domains="***" \
	--dns="cloudflare" \
	run

	Next step is to update some values in the script below, schedule this
	script to run periodically after the docker run above and
	enjoy automatic certificate updates/ rotation.

	"""

	import requests
	import os
	import base64
	import time
	import ssl
	import sys

	os.environ['no_proxy'] = '*'

	base_url = "https://***"
	username = "admin"
	password = "****"

	certificate_path = ".lego/***.crt"
	key_path = ".lego/***.key"

	class Reolink(object):
	def __init__(self, **kwargs):
	self.base_url = kwargs.pop('base_url', None)
	self.username = kwargs.pop('username', None)
	self.password = kwargs.pop('password', None)
	self.token = None

	def login(self):
	login_req = [{"cmd":"Login",
	"param": {"User": {"userName": self.username,
	"password": self.password}
	}
	}
	]

	url = f'{self.base_url}/cgi-bin/api.cgi?cmd=Login'

	login_resp = requests.post(url=url, json=login_req, verify=False)
	login_data = login_resp.json()

	self.token = login_data[0]['value']['Token']['name']

	print(f"Login was succesfull, got token: {self.token}")
	return self.token

	def verify_ssl_certificate(self):
	try:
	response = requests.get(self.base_url)
	response.raise_for_status()
	print(f"Certificate for {self.base_url} is valid.")
	return True
	except ssl.SSLCertVerificationError as err:
	print(f"Certificate verification failed for {self.base_url}, error: {err}", file=sys.stderr)
	return False

	def clear_certs(self):

	url = f"{self.base_url}/cgi-bin/api.cgi?cmd=CertificateClear&token={self.token}"
	clear_req = [{
	"cmd": "CertificateClear",
	"action": 0,
	"param": {}
	}]

	clear_certs_resp = requests.post(url=url, json=clear_req, verify=False)
	clear_certs_data = clear_certs_resp.json

	return clear_certs_data


	def update_certs(self, certificate_path, key_path):
	crtfile_stats = os.stat(certificate_path)
	crt_filesize = crtfile_stats.st_size

	with open(certificate_path, "rb") as crt_file:
	b64_crt = base64.b64encode(crt_file.read())

	keyfile_stats = os.stat(key_path)
	key_filesize = keyfile_stats.st_size

	with open(key_path, "rb") as key_file:
	b64_key = base64.b64encode(key_file.read())

	cert_req = [{
	"cmd": "ImportCertificate",
	"action": 0,
	"param": {
	"importCertificate": {
	"crt": {
	"size": crt_filesize,
	"name": "server.crt",
	"content": b64_crt.decode("UTF-8")
	},
	"key": {
	"size": key_filesize,
	"name": "server.key",
	"content": b64_key.decode("UTF-8")
	}
	}
	}
	}
	]

	url = f"{self.base_url}/cgi-bin/api.cgi?cmd=ImportCertificate&token={self.token}"
	update_certs_resp = requests.post(url=url, json=cert_req, verify=False)
	update_certs_data = update_certs_resp.json

	return update_certs_data

	def logout(self):

	url = f"{self.base_url}/cgi-bin/api.cgi?cmd=Logout&token={self.token}"
	logout_resp = requests.get(url=url, verify=False)
	logout_data = logout_resp.json

	print(f"Logout was succesfull, got response: {logout_data}")
	return logout_data

	def main():
	reolink = Reolink(base_url=base_url,
	username=username,
	password=password)

	reolink.login()

	reolink.clear_certs()

	# the doorbell will restart the internal web daemon
	time.sleep(5)

	reolink.update_certs(certificate_path=certificate_path,
	key_path=key_path)

	# the doorbell will restart the internal web daemon
	time.sleep(5)

	reolink.logout()

	if not reolink.verify_ssl_certificate():
	exit(1)

	if __name__ == "__main__":
	main()