gpg-shadow-key-from-x509-cert-req/create-gpg-shadow-key-from-x509-cert-req.py

#!/usr/bin/env python3

import cryptography.hazmat.backends
import cryptography.hazmat.primitives.serialization
import cryptography.x509
import math
import sys

backend = cryptography.hazmat.backends.default_backend()

with open('smartcard-app-id.hex', 'r') as f:
    appid = int(f.read(), 16)

with open('cert-request.pem', 'rb') as f:
    req = cryptography.x509.load_pem_x509_csr(f.read(), backend)
assert req.is_signature_valid

pubnums = req.public_key().public_numbers()

key_data = ['shadowed-private-key', [
    'rsa',
    ['n', pubnums.n],
    ['e', pubnums.e],
    ['shadowed', 't1-v1', [appid, 'OPENPGP.1']],
]]

def convert(data):
    if isinstance(data, int):
        return convert(data.to_bytes(
            math.ceil(data.bit_length() / 8),
            'big',
        ))
    elif isinstance(data, str):
        return convert(data.encode())
    elif isinstance(data, bytes):
        return str(len(data)).encode() + b':' + data
    else:
        return b'(' + b''.join(convert(i) for i in data) + b')'

key = convert(key_data)

with open('gpg-key.sexp', 'wb') as f:
    f.write(key)