stavxyz/pubsshkey.py

## pubsshkey.py
"""This should work with python 2 & 3

Something curious: if private_bytes() is
called with a format other than
serialization.PrivateFormat.TraditionalOpenSSL,
the generated key will prompt for a password
when running `ssh-keygen -f test-key -e` even when
encryption is set to serialization.NoEncryption()

There's a hunch that this ^^ only occurs on mac os x.

"""

import base64
import functools
import operator
import os
import struct
import sys

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


if sys.version_info > (3,):
    long = int


def generate_private_key():
    return rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend()
    )


def multiple_precision(number):
    if number == 0:
        return b'\000' * 4
    assert number > 0
    bn = b''
    number = long(number)
    while number > 0:
        bn = struct.pack('>I', number & long('FFFFFFFF', base=16)) + bn
        #bn = struct.pack('>I', long(number)) + bn
        number = number >> 32
    # strip off leading zeros
    for i in range(len(bn)):
        if bn[i] != b'\000'[0]:
            break
    else:
        # only happens when n == 0
        bn = b'\000'
        i = 0
    bn = bn[i:]
    if ord(bn.decode('latin-1')[0]) & 128:
        bn = b'\000' + bn
    return struct.pack('>L', len(bn)) + bn


def blob(pubkey):

    assert isinstance(pubkey, rsa.RSAPublicKeyWithNumbers)
    numbers = pubkey.public_numbers()

    items = [
        struct.pack('!L', len('ssh-rsa')) + b'ssh-rsa',
        multiple_precision(numbers.e),
        multiple_precision(numbers.n),
    ]

    cat = functools.reduce(operator.add, items)
    return base64.standard_b64encode(cat)


if __name__ == '__main__':

    private = generate_private_key()
    serialized = private.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    )
    with open('test-key', 'wb+') as k:
        k.write(serialized)

    os.chmod(k.name, 0o600)

    pub = private.public_key()
    data = blob(pub)
    output = 'ssh-rsa {}'.format(data.decode('latin-1')).strip()
    with open('test-key.pub', 'w+') as k:
        k.write(output)

    # now read it back in
    with open('test-key.pub', 'rb') as p:
        pub = serialization.load_ssh_public_key(p.read(), default_backend())

    assert pub.public_numbers() == private.public_key().public_numbers()
    print('Good.')


## requirements.txt
cryptography==0.9.3
	"""This should work with python 2 & 3

	Something curious: if private_bytes() is
	called with a format other than
	serialization.PrivateFormat.TraditionalOpenSSL,
	the generated key will prompt for a password
	when running `ssh-keygen -f test-key -e` even when
	encryption is set to serialization.NoEncryption()

	There's a hunch that this ^^ only occurs on mac os x.

	"""

	import base64
	import functools
	import operator
	import os
	import struct
	import sys

	from cryptography.hazmat.backends import default_backend
	from cryptography.hazmat.primitives import serialization
	from cryptography.hazmat.primitives.asymmetric import rsa


	if sys.version_info > (3,):
	long = int


	def generate_private_key():
	return rsa.generate_private_key(
	public_exponent=65537,
	key_size=2048,
	backend=default_backend()
	)


	def multiple_precision(number):
	if number == 0:
	return b'\000' * 4
	assert number > 0
	bn = b''
	number = long(number)
	while number > 0:
	bn = struct.pack('>I', number & long('FFFFFFFF', base=16)) + bn
	#bn = struct.pack('>I', long(number)) + bn
	number = number >> 32
	# strip off leading zeros
	for i in range(len(bn)):
	if bn[i] != b'\000'[0]:
	break
	else:
	# only happens when n == 0
	bn = b'\000'
	i = 0
	bn = bn[i:]
	if ord(bn.decode('latin-1')[0]) & 128:
	bn = b'\000' + bn
	return struct.pack('>L', len(bn)) + bn


	def blob(pubkey):

	assert isinstance(pubkey, rsa.RSAPublicKeyWithNumbers)
	numbers = pubkey.public_numbers()

	items = [
	struct.pack('!L', len('ssh-rsa')) + b'ssh-rsa',
	multiple_precision(numbers.e),
	multiple_precision(numbers.n),
	]

	cat = functools.reduce(operator.add, items)
	return base64.standard_b64encode(cat)



	if __name__ == '__main__':

	private = generate_private_key()
	serialized = private.private_bytes(
	encoding=serialization.Encoding.PEM,
	format=serialization.PrivateFormat.TraditionalOpenSSL,
	encryption_algorithm=serialization.NoEncryption(),
	)
	with open('test-key', 'wb+') as k:
	k.write(serialized)

	os.chmod(k.name, 0o600)

	pub = private.public_key()
	data = blob(pub)
	output = 'ssh-rsa {}'.format(data.decode('latin-1')).strip()
	with open('test-key.pub', 'w+') as k:
	k.write(output)

	# now read it back in
	with open('test-key.pub', 'rb') as p:
	pub = serialization.load_ssh_public_key(p.read(), default_backend())

	assert pub.public_numbers() == private.public_key().public_numbers()
	print('Good.')