Add encrypted private key support

.github/workflows/rust.yml

@@ -18,7 +18,7 @@ jobs:
     - name: Build
       run: cargo build --features="yubikey" --examples --verbose
     - name: Run tests
-      run: cargo test --verbose
+      run: cargo test --features="encrypted-keys" --verbose
 
   ubuntu-build-test-no-yubikey:
     runs-on: ubuntu-latest
@@ -28,4 +28,4 @@ jobs:
     - name: Build
       run: cargo build --examples --verbose
     - name: Run tests
-      run: cargo test --verbose
+      run: cargo test --features="encrypted-keys" --verbose

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sshcerts"
-version = "0.5.0"
+version = "0.6.0"
 authors = ["Mitchell Grenier <[email protected]>"]
 edition = "2018"
 license-file = "LICENSE"
@@ -13,10 +13,11 @@ categories = ["authentication"]
 [features]
 default = ["rsa-signing"]
 
-all = ["yubikey", "rsa-signing"]
+all = ["encrypted-keys", "rsa-signing", "yubikey"]
 
 yubikey = ["yubikey-piv", "log"]
 rsa-signing = ["simple_asn1", "num-bigint"]
+encrypted-keys = ["aes", "bcrypt-pbkdf", "ctr"]
 
 [dependencies]
 base64 = "0.13"
@@ -31,6 +32,11 @@ log = {version = "0.4", optional = true}
 yubikey-piv = {version = "0.1.0", features = ["untested"], optional = true}
 lexical-core = {version = ">0.7.4", optional = true}
 
+# Dependencies for encrypted keys
+aes = {version = "0.7", features = ["ctr"], optional = true}
+bcrypt-pbkdf = {version = "0.6", optional = true}
+ctr = {version = "0.8", optional = true}
+
 [dev-dependencies]
 env_logger = "0.8.2"
 hex = "0.4.2"
@@ -49,3 +55,12 @@ required-features = ["yubikey"]
 [[example]]
 name = "yk-provision"
 required-features = ["yubikey"]
+
+[[example]]
+name = "ssh-pkey-info"
+required-features = ["encrypted-keys"]
+
+[[test]]
+name = "privkey-encrypted"
+path = "tests/privkey_encrypted.rs"
+required-features = ["encrypted-keys"]

examples/ssh-pkey-info.rs

@@ -0,0 +1,35 @@
+use std::env;
+
+use sshcerts::ssh::PrivateKey;
+
+fn help() {
+    println!("An SSH Private Key reader based on the sshcerts library");
+    println!("Usage: ssh-pkey-info <path to file>");
+}
+
+fn main() -> Result<(), String> {
+    let args: Vec<String> = env::args().collect();
+
+    if args.len() < 2 {
+        help();
+        return Ok(());
+    }
+
+    let path = &args[1];
+
+    let passphrase = if args.len() == 3 {
+        Some(args[2].clone())
+    } else {
+        None
+    };
+
+    match PrivateKey::from_path_with_passphrase(path, passphrase) {
+        Ok(c) => {
+            println!("{:#}", c);
+            Ok(())
+        },
+        Err(e) => {
+            Err(format!("{}: Private key at {} not valid", e, &args[1]))
+        }
+    }
+}

src/error.rs

@@ -23,7 +23,9 @@ pub enum Error {
     CertificateInvalidSignature,
     /// A cryptographic operation failed.
     SigningError,
-    /// An encrypted private key was supplied and is not supported
+    /// An encrypted private key was provided with no decryption key
+    EncryptedPrivateKey,
+    /// An encrypted private key was supplied but the encryption method is not supported
     EncryptedPrivateKeyNotSupported,
     /// The key type is unknown
     UnknownKeyType(String),
@@ -47,7 +49,8 @@ impl fmt::Display for Error {
             Error::KeyTypeMismatch => write!(f, "Key type mismatch"),
             Error::CertificateInvalidSignature => write!(f, "Certificate is improperly signed"),
             Error::SigningError => write!(f, "Could not sign data"),
-            Error::EncryptedPrivateKeyNotSupported => write!(f, "Encrypted private keys are not supported"),
+            Error::EncryptedPrivateKey => write!(f, "Encountered encrypted private key with no decryption key"),
+            Error::EncryptedPrivateKeyNotSupported => write!(f, "This method of private key encryption is not supported or sshcerts was not compiled with encrypted private key support"),
             Error::UnknownKeyType(ref v) => write!(f, "Unknown key type {}", v),
             Error::UnknownCurve(ref v) => write!(f, "Unknown curve {}", v),
             #[cfg(feature = "yubikey")]