2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -30,7 +30,7 @@ A seed is used to generate the secret, it's recommended you don't use the same s

## ⚠️ Limitations

- Can't use ecdsa/ed25519 keys, they always give different signatures
- Can't use ECDSA keys, they always give different signatures

## 💻 CLI usage

2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "ssh-agent-secrets",
"version": "0.3.0",
"version": "0.3.1",
"description": "Encrypt and decrypt secrets using an SSH agent",
"keywords": [
"ssh",
2 changes: 1 addition & 1 deletion src/lib/ssh_agent_client.ts
Expand Up @@ -256,7 +256,7 @@ export class SSHAgentClient {
key: SSHKey,
seed: string,
): Promise<{ cipherKey: crypto.KeyObject; ivLength: number }> {
if (key.type !== 'ssh-rsa') {
if (key.type !== 'ssh-rsa' && key.type !== 'ssh-ed25519') {
throw new Error(`${key.type} key is forbidden, it always gives different signatures!`)
}
// Use SSH signature as decryption key
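Review bot: The allow-list on the `if` at the top of the hunk is now two inline string literals with no statement of why exactly these two types are acceptable, which is the whole security argument of this method; the next person adding a type has nothing to check against. I would hoist it into a named module-level set with a why-comment, e.g. `// Only key types whose SSH signatures are deterministic may derive a cipher key: Ed25519 by construction (RFC 8032), RSA because ssh-agent signs with PKCS#1 v1.5 padding; OpenSSH's ECDSA signatures use a random nonce and differ on every call.` followed by `const DETERMINISTIC_SIGNATURE_KEY_TYPES: ReadonlySet<string> = new Set(['ssh-rsa', 'ssh-ed25519'])` and `if (!DETERMINISTIC_SIGNATURE_KEY_TYPES.has(key.type)) {`. The error message on the following line still reads correctly for every rejected type. The method's name and signature start above the hunk and its body continues below it.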
2 changes: 1 addition & 1 deletion test/ssh_agent_cli.spec.ts
Expand Up @@ -30,7 +30,7 @@ describe('ssh-crypt cli tests', () => {
})
it('should encrypt', () => {
const output = execSync(
`echo 'Lorem ipsum dolor' | npm exec -- tsx src/cli.ts -k key_rsa -s not_a_secret --encryptEncoding hex encrypt`,
`echo 'Lorem ipsum dolor' | npm exec -- tsx src/cli.ts -k key_ed25519 -s not_a_secret --encryptEncoding hex encrypt`,
{
encoding: 'ascii',
},
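Review bot: The changed `execSync` command swaps `key_rsa` for `key_ed25519`, so unless another case in this file still drives the CLI with the RSA fixture, the change trades RSA coverage for Ed25519 coverage rather than adding it. Since both key types are now accepted, I would run the case over both fixtures, e.g. `for (const keyFile of ['key_rsa', 'key_ed25519'] as const) {` wrapping `it(\`should encrypt with ${keyFile}\`, () => {` and substituting `-k ${keyFile}` into the command. The `it` callback and its assertions continue outside the hunk.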
Expand Up @@ -5,26 +5,39 @@ import { SSHAgentClient } from '../src/lib/ssh_agent_client.ts'

chai.use(chaiAsPromised)

describe('RSA key mandatory tests', () => {
it("doesn't give the same signature twice with an ECDSA key", async () => {
describe('SSH key type tests', () => {
it('does give the same signature twice with RSA key', async () => {
const agent = new SSHAgentClient()
const identity = await agent.getIdentity('key_ecdsa')
const identity = await agent.getIdentity('key_rsa')
if (!identity) {
throw new Error()
}
const signature1 = await agent.sign(identity, Buffer.from('hello', 'utf8'))
const signature2 = await agent.sign(identity, Buffer.from('hello', 'utf8'))
chai.assert.notEqual(signature1, signature2)
const buffer = Buffer.from('not_a_secret', 'utf8')
const signature1 = await agent.sign(identity, buffer)
const signature2 = await agent.sign(identity, buffer)
chai.assert.equal(signature1.signature, signature2.signature)
})
it("doesn't give the same signature twice with an ED25519 key", async () => {
it('does give the same signature twice with ED25519 key', async () => {
const agent = new SSHAgentClient()
const identity = await agent.getIdentity('key_ed25519')
if (!identity) {
throw new Error()
}
const signature1 = await agent.sign(identity, Buffer.from('hello', 'utf8'))
const signature2 = await agent.sign(identity, Buffer.from('hello', 'utf8'))
chai.assert.notEqual(signature1, signature2)
const buffer = Buffer.from('not_a_secret', 'utf8')
const signature1 = await agent.sign(identity, buffer)
const signature2 = await agent.sign(identity, buffer)
chai.assert.equal(signature1.signature, signature2.signature)
})
it("doesn't give the same signature twice with an ECDSA key", async () => {
const agent = new SSHAgentClient()
const identity = await agent.getIdentity('key_ecdsa')
if (!identity) {
throw new Error()
}
const buffer = Buffer.from('not_a_secret', 'utf8')
const signature1 = await agent.sign(identity, buffer)
const signature2 = await agent.sign(identity, buffer)
chai.assert.notEqual(signature1.signature, signature2.signature)
})
it('should throw if using ECDSA key for encrypting', async () => {
const agent = new SSHAgentClient()
Expand Down Expand Up @@ -52,24 +65,4 @@ describe('RSA key mandatory tests', () => {
'ecdsa-sha2-nistp256 key is forbidden, it always gives different signatures!',
)
})
it('should throw if using ED25519 key for encrypting', async () => {
const agent = new SSHAgentClient()
const identity = await agent.getIdentity('key_ed25519')
if (!identity) {
throw new Error()
}
return chai
.expect(agent.encrypt(identity, 'not_a_secret', Buffer.from('', 'utf8')))
.to.be.rejectedWith(Error, 'ssh-ed25519 key is forbidden, it always gives different signatures!')
})
it('should throw if using ED25519 key for decrypting', async () => {
const agent = new SSHAgentClient()
const identity = await agent.getIdentity('key_ed25519')
if (!identity) {
throw new Error()
}
return chai
.expect(agent.decrypt(identity, 'not_a_secret', ''))
.to.be.rejectedWith(Error, 'ssh-ed25519 key is forbidden, it always gives different signatures!')
})
})
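Review bot: The three determinism tests in the first hunk compare `signature1.signature` with `chai.assert.equal`/`notEqual`, which is loose `==`; if `sign()` returns the signature as a Buffer rather than a string, `equal` compares references so the RSA and Ed25519 tests can only fail, while the ECDSA `notEqual` passes even for byte-identical signatures and no longer demonstrates non-determinism. I cannot see the return type of `sign` from this hunk; if it is a Buffer, compare content instead, e.g. `chai.assert.deepEqual(signature1.signature, signature2.signature)` and `chai.assert.notDeepEqual(signature1.signature, signature2.signature)`, or compare `.toString('hex')`. The second hunk removes the two "ssh-ed25519 key is forbidden" tests, but I do not see an `encrypt`/`decrypt` round-trip with an Ed25519 identity in the visible lines; if it is not in the collapsed lines between the hunks, one should be added now that the type is allowed. The enclosing `describe` starts before the first hunk.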