enable use of ed25519 keys

Author: ddebin

README.md

@@ -30,7 +30,7 @@ A seed is used to generate the secret, it's recommended you don't use the same s
 
 ## ⚠️ Limitations
 
-- Can't use ecdsa/ed25519 keys, they always give different signatures
+- Can't use ECDSA keys, they always give different signatures
 
 ## 💻 CLI usage
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ssh-agent-secrets",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "Encrypt and decrypt secrets using an SSH agent",
   "keywords": [
     "ssh",

src/lib/ssh_agent_client.ts

@@ -256,7 +256,7 @@ export class SSHAgentClient {
     key: SSHKey,
     seed: string,
   ): Promise<{ cipherKey: crypto.KeyObject; ivLength: number }> {
-    if (key.type !== 'ssh-rsa') {
+    if (key.type !== 'ssh-rsa' && key.type !== 'ssh-ed25519') {
       throw new Error(`${key.type} key is forbidden, it always gives different signatures!`)
     }
     // Use SSH signature as decryption key

test/ssh_agent_cli.spec.ts

@@ -30,7 +30,7 @@ describe('ssh-crypt cli tests', () => {
   })
   it('should encrypt', () => {
     const output = execSync(
-      `echo 'Lorem ipsum dolor' | npm exec -- tsx src/cli.ts -k key_rsa -s not_a_secret --encryptEncoding hex encrypt`,
+      `echo 'Lorem ipsum dolor' | npm exec -- tsx src/cli.ts -k key_ed25519 -s not_a_secret --encryptEncoding hex encrypt`,
       {
         encoding: 'ascii',
       },

test/ssh_agent_mandatory_rsa.spec.ts test/ssh_agent_mandatory_key_type.spec.tstest/ssh_agent_mandatory_rsa.spec.ts renamed to test/ssh_agent_mandatory_key_type.spec.ts

@@ -5,26 +5,39 @@ import { SSHAgentClient } from '../src/lib/ssh_agent_client.ts'
 
 chai.use(chaiAsPromised)
 
-describe('RSA key mandatory tests', () => {
-  it("doesn't give the same signature twice with an ECDSA key", async () => {
+describe('SSH key type tests', () => {
+  it('does give the same signature twice with RSA key', async () => {
     const agent = new SSHAgentClient()
-    const identity = await agent.getIdentity('key_ecdsa')
+    const identity = await agent.getIdentity('key_rsa')
     if (!identity) {
       throw new Error()
     }
-    const signature1 = await agent.sign(identity, Buffer.from('hello', 'utf8'))
-    const signature2 = await agent.sign(identity, Buffer.from('hello', 'utf8'))
-    chai.assert.notEqual(signature1, signature2)
+    const buffer = Buffer.from('not_a_secret', 'utf8')
+    const signature1 = await agent.sign(identity, buffer)
+    const signature2 = await agent.sign(identity, buffer)
+    chai.assert.equal(signature1.signature, signature2.signature)
   })
-  it("doesn't give the same signature twice with an ED25519 key", async () => {
+  it('does give the same signature twice with ED25519 key', async () => {
     const agent = new SSHAgentClient()
     const identity = await agent.getIdentity('key_ed25519')
     if (!identity) {
       throw new Error()
     }
-    const signature1 = await agent.sign(identity, Buffer.from('hello', 'utf8'))
-    const signature2 = await agent.sign(identity, Buffer.from('hello', 'utf8'))
-    chai.assert.notEqual(signature1, signature2)
+    const buffer = Buffer.from('not_a_secret', 'utf8')
+    const signature1 = await agent.sign(identity, buffer)
+    const signature2 = await agent.sign(identity, buffer)
+    chai.assert.equal(signature1.signature, signature2.signature)
+  })
+  it("doesn't give the same signature twice with an ECDSA key", async () => {
+    const agent = new SSHAgentClient()
+    const identity = await agent.getIdentity('key_ecdsa')
+    if (!identity) {
+      throw new Error()
+    }
+    const buffer = Buffer.from('not_a_secret', 'utf8')
+    const signature1 = await agent.sign(identity, buffer)
+    const signature2 = await agent.sign(identity, buffer)
+    chai.assert.notEqual(signature1.signature, signature2.signature)
   })
   it('should throw if using ECDSA key for encrypting', async () => {
     const agent = new SSHAgentClient()
@@ -52,24 +65,4 @@ describe('RSA key mandatory tests', () => {
         'ecdsa-sha2-nistp256 key is forbidden, it always gives different signatures!',
       )
   })
-  it('should throw if using ED25519 key for encrypting', async () => {
-    const agent = new SSHAgentClient()
-    const identity = await agent.getIdentity('key_ed25519')
-    if (!identity) {
-      throw new Error()
-    }
-    return chai
-      .expect(agent.encrypt(identity, 'not_a_secret', Buffer.from('', 'utf8')))
-      .to.be.rejectedWith(Error, 'ssh-ed25519 key is forbidden, it always gives different signatures!')
-  })
-  it('should throw if using ED25519 key for decrypting', async () => {
-    const agent = new SSHAgentClient()
-    const identity = await agent.getIdentity('key_ed25519')
-    if (!identity) {
-      throw new Error()
-    }
-    return chai
-      .expect(agent.decrypt(identity, 'not_a_secret', ''))
-      .to.be.rejectedWith(Error, 'ssh-ed25519 key is forbidden, it always gives different signatures!')
-  })
 })