serialized delusions


Thursday 2 June 2016

Converting RSA public keys from OpenSSH into GPG

All snippets are for Python 2.

Extracting parameters from SSH key.

The format is blessedly simple, so we can do this without additional libraries. For anything beyond that, paramiko probably has it.

import base64
import struct
import binascii

def parsersakey(data):
    """:param data: RSA ssh pubkey string in rfc4253 ssh-rsa format
    :returns tuple exponent,modulus,comment. """
    data = data.encode('ascii').split(b' ',2)
    x = base64.b64decode(data[1])
    res = []
    start = 0
    # the blob is a sequence of fields: 4-byte big-endian length, then payload
    while(start < len(x)-4):
        l = struct.unpack('>L',x[start:start+4])[0]
        # struct raises if the payload is shorter than the declared length
        r = struct.unpack('%ds' % l, x[start+4:start+4+l])[0]
        res.append(r)
        start = start+4+l
    if(len(res) != 3):
        raise Exception("unexpected # of pieces: %d" % len(res))
    if(start != len(x)):
        print("len got: %d expected: %d" % (len(x),start))
    if res[0] != b"ssh-rsa":
        raise Exception("not rsa key: %s" % binascii.hexlify(res[0]))
    # fields 1 and 2 are big-endian integers: public exponent, then modulus
    e = 0
    for i in res[1]:
        e = (e<<8) + ord(i)
    N = 0
    for i in res[2]:
        N = (N<<8) + ord(i)
    return (e,N,data[2] if len(data) == 3 else '')
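
A stricter Python 3 take on the same parsing, added here as an example (not the post's code): it bounds-checks every length prefix, rejects negative mpints, trailing bytes and short moduli, and returns the SHA256 fingerprint in the form printed by ssh-keygen -lf, so the key can be compared before it is converted. The function names, the 2048-bit floor and the sample line (built from a constructed integer, not a real RSA modulus) are assumptions.

```python
import base64
import hashlib
import struct

def read_string(buf, off):
    """Read one RFC 4251 string (uint32 length + bytes), bounds-checked."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("field overruns blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def mpint(raw):
    """Decode an RFC 4251 mpint; RSA parameters must be positive."""
    if not raw or raw[0] & 0x80:
        raise ValueError("zero or negative mpint")
    return int.from_bytes(raw, "big")

def parse_ssh_rsa(line, min_bits=2048):
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    off, fields = 0, []
    for _ in range(3):
        field, off = read_string(blob, off)
        fields.append(field)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    if fields[0] != b"ssh-rsa" or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e, n = mpint(fields[1]), mpint(fields[2])
    if n.bit_length() < min_bits or e < 3 or e % 2 == 0:
        raise ValueError("weak or malformed RSA parameters")
    # Same form as ssh-keygen -lf: unpadded base64 of SHA-256 over the blob.
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return e, n, parts[2] if len(parts) == 3 else "", fp

def make_line(e, n, comment):
    """Build a constructed test line; n here is NOT a real RSA modulus."""
    def enc(i):
        raw = i.to_bytes(i.bit_length() // 8 + 1, "big")  # extra 0x00 only if top bit set
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + enc(e) + enc(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

SAMPLE = make_line(65537, (1 << 2047) | 1, "demo@example")
```
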

Creating a PGP pubkey from the parameters

Uses PGPy 0.4.0. There is no API for creating keys from known RSA parameters, so the classes need some massaging. YMMV using other PGPy versions.

The resulting key can be converted to rfc4880 form just by applying str() on it.

import pgpy
from pgpy.packet.fields import RSAPub,MPI
from pgpy.packet.packets import PubKeyV4
from pgpy.constants import PubKeyAlgorithm

def custRSAPub(n,e):
    res = RSAPub()
    res.n = MPI(n)
    res.e = MPI(e)
    return res

def custPubKeyV4(custkey):
    res = PubKeyV4()
    res.pkalg = PubKeyAlgorithm.RSAEncryptOrSign
    res.keymaterial = custkey
    return res

def rsatogpg(e,N,name,**idargs):
    """
    :param e,N: RSA parameters as Python integers or longints
    :param name: Identity name
    :param idargs: PGP Identity parameters, such as comment,email
    :return: PGPy pubkey object
    """
    # wrap the raw parameters in a v4 public key packet
    rsakey = custPubKeyV4(custRSAPub(N,e))
    pgpkey = pgpy.PGPKey()
    pgpkey._key = rsakey

    # PGPUID.new takes the name plus optional comment and email keywords
    uid = pgpy.PGPUID.new(name, **idargs)
    uid._parent = pgpkey
    return pgpkey
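
What the converted key looks like on the wire, as an added Python 3 example that does not use PGPy and is not the post's code: it builds the RFC 4880 version 4 public-key packet body from e and N and derives the fingerprint and key ID. The creation time is part of the hashed data, so the same SSH key converted with two different timestamps gets two different OpenPGP fingerprints. The function names and the sample values are assumptions.

```python
import hashlib
import struct

def pgp_mpi(i):
    """RFC 4880 MPI: 2-byte bit count, then the minimal big-endian bytes.
    (The SSH mpint instead uses a 4-byte byte count and sign padding.)"""
    return struct.pack(">H", i.bit_length()) + i.to_bytes((i.bit_length() + 7) // 8, "big")

def pubkey_body(e, n, created):
    """Body of a version 4 public-key packet: version, creation time,
    algorithm 1 (RSA encrypt or sign), then MPI n and MPI e."""
    return struct.pack(">BIB", 4, created, 1) + pgp_mpi(n) + pgp_mpi(e)

def v4_fingerprint(e, n, created):
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, 12.2)."""
    body = pubkey_body(e, n, created)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint):
    """The v4 key ID is the low-order 64 bits of the fingerprint."""
    return fingerprint[-16:]

# Constructed sample values: DEMO_N is not a real RSA modulus.
DEMO_E, DEMO_N, DEMO_CREATED = 65537, (1 << 2047) | 1, 1464825600
DEMO_FP = v4_fingerprint(DEMO_E, DEMO_N, DEMO_CREATED)
```
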

Sunday 10 April 2016

Scripting the web

This blog, as any blog, attracts plenty of comment spam. But so far there's not much traffic and I was filtering it manually. There is a lot of repeated spam, which should be easy to filter automatically.

Continue reading...

Wednesday 2 March 2016

Wget malignant featuritis

I had problems finding stuff in the deedbot archive, so I decided to make a mirror to be able to grep things in it. Such a simple website would be an ideal job for wget, no?

Continue reading...

Tuesday 1 March 2016

F.MPIF 2015 trading statements

The trading was not very eventful, so I ceased to blog the report every month and they were published only via deedbot. But having some TOC for them is in order.

Continue reading...

Monday 29 February 2016

Embedded Common Lisp for Eulora

I have not commented on Eulora here yet, afraid it would come out as rambling and swearing. Mostly due to the need for repetitive tasks and the barely adequate bots in existence. I play it quite a lot anyway, and even became an official dealer of game currency.

Continue reading...

Wednesday 2 December 2015

Tragedy of web security

I have found myself in the middle of a depressing discussion about XSS. A security company released a scary video of how it is used in practice to hijack an admin session. And the reactions? As usual.

"This won't happen with $magicunicornframework, ain't no shitty PHP."

"Easy, just tie it to user's browser version, system version, IP address, geo location, shoe size...."

"That's banal bug, we only need proper sanitation of user input."

As happens to me more and more often recently, such situations ring my "let's invent us a profitable hard problem" sense. In this case... is there really no way for application A running on computer AA to uniquely authenticate to application B running on server BB? I thought this was a solved problem in crypto: we have Diffie-Hellman, PKI, ...

But it's impossible when A may run rogue code and access these secrets! We can't do much about it!

Oh really, then why do you have that shit code manage secrets?


I can't believe no one ever thought of a way for the browser to authenticate a session without giving out secrets to anyone, including javascript. It would be a really worthwhile addition to the HTTP protocol... but let's instead do compression and pipelining and whatnot. Actually it goes way back to the beginning, when HTTP login authentication went largely unused because browser vendors forgot to include a logout button. Just sad.

Update: got a reply from security company owner, and it's really symptomatic:

Nonsense. We have so much work that we'd like to solve interesting problems and not trivial bullshit. And there are many more areas that need better security. Our goal is a better internet and I don't know any pentester who has fun submitting the same bugs over and over. We also want new challenges and to move on, so I believe such bugs will soon really be solved with frameworks, better session management and proper separation of contexts (text, html, javascript, data, css, data from user, data from server, ...)

Sunday 2 August 2015

F.MPIF July 2015 trading statement

GPG signed statement

Continue reading...

Wednesday 1 July 2015

F.MPIF June 2015 trading statement

GPG signed statement

Continue reading...

Friday 5 June 2015

Eulora 0.1.0 for Windows

My fateful involvement with #bitcoin-assets was today sealed with another achievement.

Continue reading...

Monday 1 June 2015

F.MPIF May 2015 trading statement

GPG signed statement

Continue reading...

Saturday 2 May 2015

F.MPIF April 2015 trading statement

GPG signed statement

Continue reading...

Wednesday 1 April 2015

F.MPIF March 2015 trading statement

GPG signed statement

Continue reading...

Sunday 1 March 2015

F.MPIF February 2015 trading statement

GPG signed statement

Continue reading...

Monday 2 February 2015

F.MPIF January 2015 trading statement

GPG signed statement - January

December statement was originally published only on #bitcoin-assets: GPG signed statement - December

Continue reading...

Tuesday 2 December 2014

The Bitcoin Foundation November 2014 Statement

GPG signed statement

Continue reading...

F.MPIF November 2014 trading statement

GPG signed statement

Continue reading...

Sunday 2 November 2014

F.MPIF October 2014 trading statement

GPG signed statement

Continue reading...

Wednesday 29 October 2014

A dangerous idea

Somebody, someday, got the dangerous idea to procure a bound hardcopy of the Satoshi source code. As there is a printer in chan, discussion soon ensued about which version and which files to include. The particular somebody was very insistent that the font be legible and the volume properly bound. Inquiries about human skin binding and art illuminations aside, the main question was what to exclude to preserve minimal working code. Also, the book ought not to be too thick to handle.

Continue reading...

Wednesday 1 October 2014

F.MPIF September 2014 trading statement

GPG signed statement

Continue reading...

Monday 1 September 2014

F.MPIF August 2014 trading statement

GPG signed statement

Continue reading...
