From 4a7c1d3e743a86f77a47402509bcf60a0c97b2cf Mon Sep 17 00:00:00 2001
From: Modestas Vainius
Date: Mon, 12 Jul 2021 00:08:01 +0300
Subject: [PATCH] Support encrypted openssh private keys (#50)

Currently ssh-vault does not appear to support encrypted openssh private keys, i.e. those which type is "OPENSSH PRIVATE KEY". While trying to view a file encrypted against such a key, user gets the following error:
could not parse private key: ssh: this private key is passphrase protected
This commit fixes the problem by trying to decrypt the key without password first and then handling missing password error appropriately.
---
 view.go | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/view.go b/view.go
index 1a48c26..b7c8568 100644
--- a/view.go
+++ b/view.go
@@ -4,7 +4,6 @@ import (
 "bufio"
 "bytes"
 "crypto/rsa"
- "crypto/x509"
 "encoding/base64"
 "encoding/pem"
 "fmt"
@@ -77,7 +76,8 @@ func (v *vault) View() ([]byte, error) {
 var privateKey interface{}
- if x509.IsEncryptedPEMBlock(block) {
+ privateKey, err = ssh.ParseRawPrivateKey(keyFile)
+ if err, ok := err.(*ssh.PassphraseMissingError); ok {
 keyPassword, err := v.GetPassword()
 if err != nil {
 return nil, fmt.Errorf("unable to get private key password, Decryption failed")
@@ -87,11 +87,8 @@ func (v *vault) View() ([]byte, error) {
 if err != nil {
 return nil, fmt.Errorf("could not parse private key: %v", err)
 }
- } else {
- privateKey, err = ssh.ParseRawPrivateKey(keyFile)
- if err != nil {
- return nil, fmt.Errorf("could not parse private key: %v", err)
- }
+ } else if err != nil {
+ return nil, fmt.Errorf("could not parse private key: %v", err)
 }
 ciphertext, err := base64.StdEncoding.DecodeString(payload[0])
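Review bot: The `} else if err != nil {` added in the third hunk can never be true, because the `err` it tests is the one declared by `if err, ok := err.(*ssh.PassphraseMissingError); ok {` in the second hunk, a `*ssh.PassphraseMissingError` that is a typed nil pointer whenever the assertion fails, so any parse failure other than a missing passphrase (a malformed or unsupported key, say) is silently dropped and, assuming ParseRawPrivateKey returns a nil key with its error, `privateKey` is left nil for the code that follows. Discarding the asserted value keeps the outer `err` in scope for the comparison: `if _, ok := err.(*ssh.PassphraseMissingError); ok {`. The inner `keyPassword, err := v.GetPassword()` shadows `err` a second time, which is harmless on its own but is the kind of nesting `go vet`'s shadow analyzer reports; the `_` form removes the first shadow. View's body starts and ends outside these hunks, so how a nil `privateKey` is consumed afterwards cannot be confirmed from the patch.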