wip

bin/deterministic_rsa_privkey

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+
+# https://stackoverflow.com/a/18266970
+
+from Crypto.PublicKey import RSA
+from struct import pack
+from hashlib import sha3_512
+from sys import argv
+from base64 import b64decode, b64encode
+
+
+class PRNG(object):
+    def __init__(self, seed):
+        self.index = 0
+        self.seed = sha3_512(seed).digest()
+        self.buffer = b""
+
+    def __call__(self, n):
+        while len(self.buffer) < n:
+            self.buffer += sha3_512(self.seed + pack("<d", self.index)).digest()
+            self.index += 1
+
+        result, self.buffer = self.buffer[:n], self.buffer[n:]
+        return result
+
+
+bits = int(argv[1])
+secret = b64decode(argv[2])
+key = RSA.generate(bits, randfunc=PRNG(secret))
+
+print(
+    b64encode(key.export_key('DER')).decode()
+)

bundles/opendkim/metadata.py

@@ -1,8 +1,5 @@
-from os.path import join, exists
 from re import sub
 from cryptography.hazmat.primitives import serialization as crypto_serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.hazmat.primitives.serialization import load_der_private_key
 from base64 import b64decode
 
 
@@ -27,6 +24,7 @@ def keys(metadata):
 
     for domain in metadata.get('mailserver/domains'):
         privkey = repo.libs.rsa.generate_deterministic_rsa_private_key(
+            repo.path,
             b64decode(str(repo.vault.random_bytes_as_base64_for('dkim' + domain)))
         )
         keys[domain] = {

libs/rsa.py

@@ -1,29 +1,21 @@
 # https://stackoverflow.com/a/18266970
 
-from Crypto.PublicKey import RSA
-from Crypto.Hash import HMAC
-from struct import pack
-from hashlib import sha3_512
+from base64 import b64decode, b64encode
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 from functools import cache
-
-
-class PRNG(object):
-    def __init__(self, seed):
-        self.index = 0
-        self.seed = sha3_512(seed).digest()
-        self.buffer = b""
-    def __call__(self, n):
-        while len(self.buffer) < n:
-            self.buffer += sha3_512(self.seed + pack("<d", self.index)).digest()
-            self.index += 1
-        result, self.buffer = self.buffer[:n], self.buffer[n:]
-        return result
+from subprocess import check_output
+from os.path import join
 
 
 @cache
-def generate_deterministic_rsa_private_key(secret_bytes):
+def generate_deterministic_rsa_private_key(repo_path, secret_bytes):
+    privkey_der = check_output([
+        join(repo_path, 'bin', 'deterministic_rsa_privkey'),
+        '2048',
+        b64encode(secret_bytes),
+    ])
+
     return load_der_private_key(
-        RSA.generate(2048, randfunc=PRNG(secret_bytes)).export_key('DER'),
+        b64decode(privkey_der),
         password=None,
     )