From c980f2547e927a845f12d2bad9fa89c0b619563f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Janne=20He=C3=9F?= Date: Fri, 27 Aug 2021 20:17:39 +0200 Subject: [PATCH] Add sops-ssh-to-age tool --- default.nix | 1 + flake.nix | 2 +- pkgs/sops-ssh-to-age/default.nix | 19 ++++++++ pkgs/sops-ssh-to-age/main.go | 74 ++++++++++++++++++++++++++++++++ 4 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 pkgs/sops-ssh-to-age/default.nix create mode 100644 pkgs/sops-ssh-to-age/main.go diff --git a/default.nix b/default.nix index 150e371..60481c3 100644 --- a/default.nix +++ b/default.nix @@ -11,6 +11,7 @@ in rec { Also see https://github.com/Mic92/sops-nix/issues/98 '' pkgs.callPackage ./pkgs/sops-pgp-hook { }; sops-import-keys-hook = pkgs.callPackage ./pkgs/sops-import-keys-hook { }; + sops-ssh-to-age = pkgs.callPackage ./pkgs/sops-ssh-to-age { inherit vendorSha256; }; inherit sops-install-secrets; # backwards compatibility diff --git a/flake.nix b/flake.nix index 6ff768c..19a371c 100644 --- a/flake.nix +++ b/flake.nix @@ -17,7 +17,7 @@ let localPkgs = import ./default.nix { pkgs = final; }; in { - inherit (localPkgs) sops-install-secrets sops-init-gpg-key sops-pgp-hook sops-import-keys-hook; + inherit (localPkgs) sops-install-secrets sops-init-gpg-key sops-pgp-hook sops-import-keys-hook sops-ssh-to-age; # backward compatibility inherit (prev) ssh-to-pgp; }; diff --git a/pkgs/sops-ssh-to-age/default.nix b/pkgs/sops-ssh-to-age/default.nix new file mode 100644 index 0000000..32186a2 --- /dev/null +++ b/pkgs/sops-ssh-to-age/default.nix @@ -0,0 +1,19 @@ +{ stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }: +buildGoModule { + pname = "sops-ssh-to-age"; + version = "0.0.1"; + + src = ../..; + + subPackages = [ "pkgs/sops-ssh-to-age" ]; + + inherit vendorSha256; + + meta = with lib; { + description = "Converter that converts SSH public keys into age keys"; + homepage = "https://github.com/Mic92/sops-nix"; + license = licenses.mit; + maintainers = with maintainers; [ mic92 ]; + platforms = platforms.linux; + }; +} diff --git a/pkgs/sops-ssh-to-age/main.go b/pkgs/sops-ssh-to-age/main.go new file mode 100644 index 0000000..c725759 --- /dev/null +++ b/pkgs/sops-ssh-to-age/main.go @@ -0,0 +1,74 @@ +package main + +import ( + "bufio" + "crypto/ed25519" + "errors" + "fmt" + "os" + "strings" + + "filippo.io/edwards25519" + "github.com/Mic92/sops-nix/pkgs/bech32" + "golang.org/x/crypto/ssh" +) + +func ed25519PublicKeyToCurve25519(pk ed25519.PublicKey) ([]byte, error) { + // See https://blog.filippo.io/using-ed25519-keys-for-encryption and + // https://pkg.go.dev/filippo.io/edwards25519#Point.BytesMontgomery. + p, err := new(edwards25519.Point).SetBytes(pk) + if err != nil { + return nil, err + } + return p.BytesMontgomery(), nil +} + +func main() { + if len(os.Args) != 1 { + println("Usage: " + os.Args[0]) + println("Pipe a SSH public key or the output of ssh-keyscan into it") + os.Exit(1) + } + + scanner := bufio.NewScanner(os.Stdin) + for scanner.Scan() { + text := scanner.Text() + "\n" + var err error + var pk ssh.PublicKey + if strings.HasPrefix(text, "ssh-") { + pk, _, _, _, err = ssh.ParseAuthorizedKey([]byte(text)) + } else { + _, _, pk, _, _, err = ssh.ParseKnownHosts([]byte(text)) + } + if err != nil { + panic(err) + } + // We only care about ed25519 + if pk.Type() != ssh.KeyAlgoED25519 { + continue + } + // Get the bytes + cpk, ok := pk.(ssh.CryptoPublicKey) + if !ok { + panic(errors.New("pk does not implement ssh.CryptoPublicKey")) + } + epk, ok := cpk.CryptoPublicKey().(ed25519.PublicKey) + if !ok { + panic(errors.New("unexpected public key type")) + } + // Convert the key to curve ed25519 + mpk, err := ed25519PublicKeyToCurve25519(epk) + if err != nil { + panic(fmt.Errorf("invalid Ed25519 public key: %v", err)) + } + // Encode the key + s, err := bech32.Encode("age", mpk) + if err != nil { + panic(err) + } + fmt.Println(s) + } + if err := scanner.Err(); err != nil { + panic(err) + } +}