mirrors/sops-nix
mirrors/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-03-16 21:48:15 +00:00
Code Activity

Add sops-ssh-to-age tool

Browse source
This commit is contained in:
Janne Heß 2021-08-27 20:17:39 +02:00
parent db8fcb50a3
commit c980f2547e
No known key found for this signature in database
GPG key ID: 69165158F05265DF
4 changed files with 95 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
default.nix
View file

@ -11,6 +11,7 @@ in rec {
Also see https://github.com/Mic92/sops-nix/issues/98 Also see https://github.com/Mic92/sops-nix/issues/98
'' pkgs.callPackage ./pkgs/sops-pgp-hook { }; '' pkgs.callPackage ./pkgs/sops-pgp-hook { };
sops-import-keys-hook = pkgs.callPackage ./pkgs/sops-import-keys-hook { }; sops-import-keys-hook = pkgs.callPackage ./pkgs/sops-import-keys-hook { };
sops-ssh-to-age = pkgs.callPackage ./pkgs/sops-ssh-to-age { inherit vendorSha256; };
inherit sops-install-secrets; inherit sops-install-secrets;
# backwards compatibility # backwards compatibility

2
flake.nix
View file

@ -17,7 +17,7 @@
let let
localPkgs = import ./default.nix { pkgs = final; }; localPkgs = import ./default.nix { pkgs = final; };
in { in {
inherit (localPkgs) sops-install-secrets sops-init-gpg-key sops-pgp-hook sops-import-keys-hook; inherit (localPkgs) sops-install-secrets sops-init-gpg-key sops-pgp-hook sops-import-keys-hook sops-ssh-to-age;
# backward compatibility # backward compatibility
inherit (prev) ssh-to-pgp; inherit (prev) ssh-to-pgp;
}; };

19
pkgs/sops-ssh-to-age/default.nix Normal file
View file

@ -0,0 +1,19 @@
{ stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }:
buildGoModule {
pname = "sops-ssh-to-age";
version = "0.0.1";
src = ../..;
subPackages = [ "pkgs/sops-ssh-to-age" ];
inherit vendorSha256;
meta = with lib; {
description = "Converter that converts SSH public keys into age keys";
homepage = "https://github.com/Mic92/sops-nix";
license = licenses.mit;
maintainers = with maintainers; [ mic92 ];
platforms = platforms.linux;
};
}

74
pkgs/sops-ssh-to-age/main.go Normal file
View file

@ -0,0 +1,74 @@
package main
import (
"bufio"
"crypto/ed25519"
"errors"
"fmt"
"os"
"strings"
"filippo.io/edwards25519"
"github.com/Mic92/sops-nix/pkgs/bech32"
"golang.org/x/crypto/ssh"
)
func ed25519PublicKeyToCurve25519(pk ed25519.PublicKey) ([]byte, error) {
// See https://blog.filippo.io/using-ed25519-keys-for-encryption and
// https://pkg.go.dev/filippo.io/edwards25519#Point.BytesMontgomery.
p, err := new(edwards25519.Point).SetBytes(pk)
if err != nil {
return nil, err
}
return p.BytesMontgomery(), nil
}
func main() {
if len(os.Args) != 1 {
println("Usage: " + os.Args[0])
println("Pipe a SSH public key or the output of ssh-keyscan into it")
os.Exit(1)
}
scanner := bufio.NewScanner(os.Stdin)
for scanner.Scan() {
text := scanner.Text() + "\n"
var err error
var pk ssh.PublicKey
if strings.HasPrefix(text, "ssh-") {
pk, _, _, _, err = ssh.ParseAuthorizedKey([]byte(text))
} else {
_, _, pk, _, _, err = ssh.ParseKnownHosts([]byte(text))
}
if err != nil {
panic(err)
}
// We only care about ed25519
if pk.Type() != ssh.KeyAlgoED25519 {
continue
}
// Get the bytes
cpk, ok := pk.(ssh.CryptoPublicKey)
if !ok {
panic(errors.New("pk does not implement ssh.CryptoPublicKey"))
}
epk, ok := cpk.CryptoPublicKey().(ed25519.PublicKey)
if !ok {
panic(errors.New("unexpected public key type"))
}
// Convert the key to curve ed25519
mpk, err := ed25519PublicKeyToCurve25519(epk)
if err != nil {
panic(fmt.Errorf("invalid Ed25519 public key: %v", err))
}
// Encode the key
s, err := bech32.Encode("age", mpk)
if err != nil {
panic(err)
}
fmt.Println(s)
}
if err := scanner.Err(); err != nil {
panic(err)
}
}