Add support for SSH Key with a passphrase (#40)

* Added passphrase handling
* Improved field parsing
* Refactor error handling.

---------

Co-authored-by: Ricky White <[email protected]>

Author: idimov-keeper

cmd/ssh-sign/main.go

@@ -91,7 +91,7 @@ func main() {
 		}
 		fileMode := fileinfo.Mode()
 
-		sig, err := sign.SignCommit(keyPair.PrivateKey, file)
+		sig, err := sign.SignCommit(keyPair.PrivateKey, keyPair.Passphrase, file)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)

internal/sign/sign.go

@@ -4,12 +4,13 @@ import (
 	"crypto/rand"
 	"crypto/sha512"
 	"encoding/pem"
-	"golang.org/x/crypto/ssh"
 	"io"
+
+	"golang.org/x/crypto/ssh"
 )
 
-/* 
-	The code in this module is heavily based on the great work done by the 
+/*
+	The code in this module is heavily based on the great work done by the
 	sigstore/rekor project: https://github.com/sigstore/rekor/
 */
 
@@ -89,8 +90,14 @@ func NewSignature(signer ssh.AlgorithmSigner, data io.Reader) (*ssh.Signature, e
 }
 
 // Sign a commit(data) using the given private key.
-func SignCommit(sshPrivateKey string, data io.Reader) ([]byte, error) {
-	s, err := ssh.ParsePrivateKey([]byte(sshPrivateKey))
+func SignCommit(sshPrivateKey string, passphrase string, data io.Reader) ([]byte, error) {
+	var err error
+	var s ssh.Signer
+	if passphrase != "" {
+		s, err = ssh.ParsePrivateKeyWithPassphrase([]byte(sshPrivateKey), []byte(passphrase))
+	} else {
+		s, err = ssh.ParsePrivateKey([]byte(sshPrivateKey))
+	}
 	if err != nil {
 		return nil, err
 	}

internal/sign/sign_test.go

@@ -87,12 +87,11 @@ func TestSignCommit(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := SignCommit(tt.key, data)
+			_, err := SignCommit(tt.key, "", data)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("TestSignCommit expected: %v, got: %v", tt.wantErr, err)
 				return
 			}
 		})
 	}
 }
-

internal/vault/vault.go

@@ -16,6 +16,7 @@ type ConfigOptions struct {
 type KeyPair struct {
 	PrivateKey string
 	PublicKey  string
+	Passphrase string
 }
 
 // Build the config options based on the given options.
@@ -71,8 +72,29 @@ func FetchKeys(uid string) (*KeyPair, error) {
 	// "keyPair".
 	keys := records[0].GetFieldsByType("keyPair")[0]["value"].([]interface{})[0]
 
+	privateKey, ok := keys.(map[string]interface{})["privateKey"].(string)
+	if !ok || (privateKey == "") {
+		return nil, fmt.Errorf("no private key found for UID: %s", uid)
+	}
+
+	publicKey, ok := keys.(map[string]interface{})["publicKey"].(string)
+	if !ok || (publicKey == ""){
+		return nil, fmt.Errorf("no public key found for UID: %s", uid)
+	}
+
+	// If a passphrase is set, it is stored in the password field of the
+	// SSH template. If no passphrase is set, passPhrase is set to an empty 
+	// string.
+	passPhrase := ""
+	if passArr, ok := records[0].GetFieldsByType("password")[0]["value"].([]interface{}); ok && len(passArr) > 0 {
+		if passStr, ok := passArr[0].(string); ok {
+			passPhrase = passStr
+		}
+	}
+
 	return &KeyPair{
-		PrivateKey: keys.(map[string]interface{})["privateKey"].(string),
-		PublicKey:  keys.(map[string]interface{})["publicKey"].(string),
+		PrivateKey: privateKey,
+		PublicKey:  publicKey,
+		Passphrase: passPhrase,
 	}, nil
 }