ddebin · ddebin · Mar 29, 2026 · Mar 29, 2026
diff --git a/src/cli.ts b/src/cli.ts
@@ -2,6 +2,7 @@
 
 import { Argument, Option, program } from '@commander-js/extra-typings'
 import { createReadStream, createWriteStream } from 'node:fs'
+import { pipeline } from 'node:stream/promises'
 import { SSHAgentClient } from './lib/ssh_agent_client.js'
 
 program
@@ -23,13 +24,18 @@ program
       }
       const readable = options.input ? createReadStream(options.input) : process.stdin
       const writable = options.output ? createWriteStream(options.output) : process.stdout
-      const transform =
+      const getTransform =
         action === 'decrypt'
-          ? await agent.getDecryptTransform(key, options.seed, options.decryptEncoding)
-          : await agent.getEncryptTransform(key, options.seed, options.encryptEncoding)
-      readable.pipe(transform).pipe(writable)
+          ? agent.getDecryptTransform(key, options.seed, options.decryptEncoding)
+          : agent.getEncryptTransform(key, options.seed, options.encryptEncoding)
+      await getTransform.then(transform => pipeline(readable, transform, writable))
     } catch (err) {
-      program.error(`Error: ${(err as Error).message}`)
+      const error = err as Error
+      if ('code' in error && error.code === 'ERR_OSSL_BAD_DECRYPT') {
+        program.error("Bad secret or key, can't decrypt")
+      } else {
+        program.error(`Error: ${error.message}`)
+      }
     }
   })
 

diff --git a/src/lib/ssh_agent_client.ts b/src/lib/ssh_agent_client.ts
@@ -219,18 +219,7 @@ export class SSHAgentClient {
       const iv = buffer.subarray(0, ivLength)
       const encrypted = buffer.subarray(ivLength)
       const decipher = crypto.createDecipheriv(this.cipherAlgo, cipherKey, iv)
-      try {
-        return Buffer.concat([decipher.update(encrypted), decipher.final()])
-      } catch (err) {
-        const error = err as Error
-        if ('code' in error && error.code === 'ERR_OSSL_BAD_DECRYPT') {
-          throw new Error("Bad secret or key, can't decrypt", {
-            cause: err,
-          })
-        } else {
-          throw err
-        }
-      }
+      return Buffer.concat([decipher.update(encrypted), decipher.final()])
     })
   }
 

diff --git a/test/ssh_agent_cli.spec.ts b/test/ssh_agent_cli.spec.ts
@@ -48,4 +48,15 @@ describe('ssh-crypt cli tests', () => {
     )
     chai.assert.strictEqual(output, 'Lorem ipsum dolor')
   })
+  it('should exit with error', () => {
+    const data =
+      'ecfd6bb57f4891ba7226886e90d2eb848022a495b15ffd91ffe760bca5605f9062c305ee14226d9daf7faa58460c8f50'
+    chai
+      .expect(() =>
+        execSync(
+          `echo '${data}' | npm exec -- tsx src/cli.ts -k key_rsa -s wrong_secret --decryptEncoding hex decrypt`,
+        ),
+      )
+      .to.throw(/bad secret or key, can't decrypt/iu)
+  })
 })
diff --git a/test/ssh_agent_client.spec.ts b/test/ssh_agent_client.spec.ts
@@ -88,7 +88,7 @@ describe('SSHAgentClient tests', () => {
       'ecfd6bb57f4891ba7226886e90d2eb848022a495b15ffd91ffe760bca5605f9062c305ee14226d9daf7faa58460c8f50'
     return chai
       .expect(agent.decrypt(identity, 'wrong_secret', data))
-      .to.be.rejectedWith(Error, "Bad secret or key, can't decrypt")
+      .to.be.rejectedWith(Error, /bad decrypt/iu)
   })
   it('should throw if corrupted encrypted data', async () => {
     const agent = new SSHAgentClient()