Home Explore Help
Sign In
fphammerle
/
gpg-shadow-key-from-x509-cert-req
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 68b7e9db27
Branches Tags
gpg-shadow-key-...
/
create-gpg-shadow-key-from-x509-cert-req.py

create-gpg-shadow-key-from-x509-cert-req.py 2.4 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. #!/usr/bin/env python3
    2. 

  2. 

  3. import cryptography.hazmat.backends
    4. 

  4. import cryptography.hazmat.primitives.serialization
    5. 

  5. import cryptography.x509
    6. 

  6. import math
    7. 

  7. 

  8. DEFAULT_KEY_OUTPUT_PATH = 'gpg-key.sexp'
    9. 

  9. DEFAULT_SMARTCARD_APP_ID_HEX = 'D2760001240102010001234567890000'
    10. 

  10. 

  11. 

  12. def convert_to_sexp(data):
    13. 

  13.     if isinstance(data, int):
    14. 

  14.         return convert_to_sexp(data.to_bytes(
    15. 

  15.             math.ceil(data.bit_length() / 8),
    16. 

  16.             'big',
    17. 

  17.         ))
    18. 

  18.     elif isinstance(data, str):
    19. 

  19.         return convert_to_sexp(data.encode())
    20. 

  20.     elif isinstance(data, bytes):
    21. 

  21.         return str(len(data)).encode() + b':' + data
    22. 

  22.     else:
    23. 

  23.         return b'(' + b''.join(convert_to_sexp(i) for i in data) + b')'
    24. 

  24. 

  25. 

  26. def create_gpg_key(input_path, gpg_key_output_path, smartcard_app_id_hex):
    27. 

  27.     backend = cryptography.hazmat.backends.default_backend()
    28. 

  28.     with open(input_path, 'rb') as f:
    29. 

  29.         req = cryptography.x509.load_pem_x509_csr(f.read(), backend)
    30. 

  30.     assert req.is_signature_valid
    31. 

  31.     pubnums = req.public_key().public_numbers()
    32. 

  32.     key_data = ['shadowed-private-key', [
    33. 

  33.         'rsa',
    34. 

  34.         ['n', pubnums.n],
    35. 

  35.         ['e', pubnums.e],
    36. 

  36.         ['shadowed', 't1-v1', [int(smartcard_app_id_hex, 16), 'OPENPGP.1']],
    37. 

  37.     ]]
    38. 

  38.     key = convert_to_sexp(key_data)
    39. 

  39.     with open(gpg_key_output_path, 'wb') as f:
    40. 

  40.         f.write(key)
    41. 

  41. 

  42. 

  43. def _init_argparser():
    44. 

  44.     import argparse
    45. 

  45.     argparser = argparse.ArgumentParser(
    46. 

  46.         description='create a shadowed-private-key in sexp format for gnupg\'s private-keys-v1.d folder'
    47. 

  47.             + ' containing the public key of a PEM-encoded X.509 certificate signing request (CSR)',
    48. 

  48.     )
    49. 

  49.     argparser.add_argument(
    50. 

  50.         'input_path',
    51. 

  51.         help='path to PEM-encoded X.509 signing request',
    52. 

  52.     )
    53. 

  53.     argparser.add_argument(
    54. 

  54.         '--gpg-key-output-path',
    55. 

  55.         dest='gpg_key_output_path',
    56. 

  56.         default=DEFAULT_KEY_OUTPUT_PATH,
    57. 

  57.         help='path to sexp-encoded shadowed-private-key to be created (default: "%(default)s")',
    58. 

  58.     )
    59. 

  59.     argparser.add_argument(
    60. 

  60.         '--smartcard-app-id',
    61. 

  61.         dest='smartcard_app_id_hex',
    62. 

  62.         metavar='hex-string',
    63. 

  63.         default=DEFAULT_SMARTCARD_APP_ID_HEX,
    64. 

  64.         help='default: %(default)s',
    65. 

  65.     )
    66. 

  66.     return argparser
    67. 

  67. 

  68. 

  69. def main(argv):
    70. 

  70.     argparser = _init_argparser()
    71. 

  71.     args = argparser.parse_args(argv[1:])
    72. 

  72.     create_gpg_key(**vars(args))
    73. 

  73.     return 0
    74. 

  74. 

  75. if __name__ == '__main__':
    76. 

  76.     import sys
    77. 

  77.     sys.exit(main(sys.argv))
    78.