diff options
| author | Paul Buetow <paul@buetow.org> | 2026-03-19 22:58:27 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-03-19 22:58:27 +0200 |
| commit | fb0791d88f32f25f23021493a26067c9aff22053 (patch) | |
| tree | d6c48e88eae15d335e53045aae4933c12bb1243f | |
| parent | aa7f4a97b6a02484eacbdf9047bd4c570784df7a (diff) | |
task 256: support passphrase-protected key loading
| -rw-r--r-- | internal/ssh/ssh.go | 16 | ||||
| -rw-r--r-- | internal/ssh/ssh_test.go | 113 |
2 files changed, 128 insertions, 1 deletions
diff --git a/internal/ssh/ssh.go b/internal/ssh/ssh.go index a191fd5..25b9d28 100644 --- a/internal/ssh/ssh.go +++ b/internal/ssh/ssh.go @@ -6,6 +6,7 @@ import ( "crypto/rsa" "crypto/x509" "encoding/pem" + "errors" "fmt" "net" "os" @@ -121,7 +122,20 @@ func PrivateKeySigner(keyFile string) (gossh.Signer, error) { } key, err := gossh.ParsePrivateKey(buffer) if err != nil { - return nil, err + var passphraseMissingErr *gossh.PassphraseMissingError + if !errors.As(err, &passphraseMissingErr) { + return nil, err + } + + passphrase := os.Getenv("DTAIL_KEY_PASSPHRASE") + if passphrase == "" { + return nil, err + } + + key, err = gossh.ParsePrivateKeyWithPassphrase(buffer, []byte(passphrase)) + if err != nil { + return nil, err + } } return key, nil } diff --git a/internal/ssh/ssh_test.go b/internal/ssh/ssh_test.go new file mode 100644 index 0000000..f413145 --- /dev/null +++ b/internal/ssh/ssh_test.go @@ -0,0 +1,113 @@ +package ssh + +import ( + "crypto/rand" + "crypto/rsa" + "encoding/pem" + "errors" + "os" + "path/filepath" + "testing" + + gossh "golang.org/x/crypto/ssh" +) + +func TestPrivateKeySignerLoadsUnencryptedKey(t *testing.T) { + keyFile := filepath.Join(t.TempDir(), "id_rsa") + privateKey, err := rsa.GenerateKey(rand.Reader, 1024) + if err != nil { + t.Fatalf("GenerateKey failed: %v", err) + } + + if err := os.WriteFile(keyFile, EncodePrivateKeyToPEM(privateKey), 0o600); err != nil { + t.Fatalf("WriteFile failed: %v", err) + } + + signer, err := PrivateKeySigner(keyFile) + if err != nil { + t.Fatalf("PrivateKeySigner failed: %v", err) + } + if signer == nil { + t.Fatalf("PrivateKeySigner returned nil signer") + } +} + +func TestPrivateKeySignerLoadsEncryptedKeyWithEnvPassphrase(t *testing.T) { + keyFile := filepath.Join(t.TempDir(), "id_rsa") + privateKey, err := rsa.GenerateKey(rand.Reader, 1024) + if err != nil { + t.Fatalf("GenerateKey failed: %v", err) + } + + block, err := gossh.MarshalPrivateKeyWithPassphrase(privateKey, "", []byte("secret-passphrase")) + if err != nil { + t.Fatalf("MarshalPrivateKeyWithPassphrase failed: %v", err) + } + if err := os.WriteFile(keyFile, pem.EncodeToMemory(block), 0o600); err != nil { + t.Fatalf("WriteFile failed: %v", err) + } + + t.Setenv("DTAIL_KEY_PASSPHRASE", "secret-passphrase") + + signer, err := PrivateKeySigner(keyFile) + if err != nil { + t.Fatalf("PrivateKeySigner failed: %v", err) + } + if signer == nil { + t.Fatalf("PrivateKeySigner returned nil signer") + } +} + +func TestPrivateKeySignerReturnsPassphraseMissingWithoutEnv(t *testing.T) { + keyFile := filepath.Join(t.TempDir(), "id_rsa") + privateKey, err := rsa.GenerateKey(rand.Reader, 1024) + if err != nil { + t.Fatalf("GenerateKey failed: %v", err) + } + + block, err := gossh.MarshalPrivateKeyWithPassphrase(privateKey, "", []byte("secret-passphrase")) + if err != nil { + t.Fatalf("MarshalPrivateKeyWithPassphrase failed: %v", err) + } + if err := os.WriteFile(keyFile, pem.EncodeToMemory(block), 0o600); err != nil { + t.Fatalf("WriteFile failed: %v", err) + } + + _, err = PrivateKeySigner(keyFile) + if err == nil { + t.Fatalf("PrivateKeySigner succeeded without passphrase env") + } + + var passphraseMissingErr *gossh.PassphraseMissingError + if !errors.As(err, &passphraseMissingErr) { + t.Fatalf("PrivateKeySigner returned %T, want PassphraseMissingError", err) + } +} + +func TestPrivateKeySignerRejectsIncorrectEnvPassphrase(t *testing.T) { + keyFile := filepath.Join(t.TempDir(), "id_rsa") + privateKey, err := rsa.GenerateKey(rand.Reader, 1024) + if err != nil { + t.Fatalf("GenerateKey failed: %v", err) + } + + block, err := gossh.MarshalPrivateKeyWithPassphrase(privateKey, "", []byte("secret-passphrase")) + if err != nil { + t.Fatalf("MarshalPrivateKeyWithPassphrase failed: %v", err) + } + if err := os.WriteFile(keyFile, pem.EncodeToMemory(block), 0o600); err != nil { + t.Fatalf("WriteFile failed: %v", err) + } + + t.Setenv("DTAIL_KEY_PASSPHRASE", "wrong-passphrase") + + _, err = PrivateKeySigner(keyFile) + if err == nil { + t.Fatalf("PrivateKeySigner succeeded with wrong passphrase env") + } + + var passphraseMissingErr *gossh.PassphraseMissingError + if errors.As(err, &passphraseMissingErr) { + t.Fatalf("PrivateKeySigner returned PassphraseMissingError instead of parse failure") + } +} |