mirror of
https://github.com/Mic92/sops-nix.git
synced 2025-12-26 14:14:58 +08:00
74 lines
1.7 KiB
Go
74 lines
1.7 KiB
Go
package main
|
|
|
|
import (
|
|
"bufio"
|
|
"crypto/ed25519"
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"strings"
|
|
|
|
"filippo.io/edwards25519"
|
|
"github.com/Mic92/sops-nix/pkgs/bech32"
|
|
"golang.org/x/crypto/ssh"
|
|
)
|
|
|
|
func ed25519PublicKeyToCurve25519(pk ed25519.PublicKey) ([]byte, error) {
|
|
// See https://blog.filippo.io/using-ed25519-keys-for-encryption and
|
|
// https://pkg.go.dev/filippo.io/edwards25519#Point.BytesMontgomery.
|
|
p, err := new(edwards25519.Point).SetBytes(pk)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return p.BytesMontgomery(), nil
|
|
}
|
|
|
|
func main() {
|
|
if len(os.Args) != 1 {
|
|
println("Usage: " + os.Args[0])
|
|
println("Pipe a SSH public key or the output of ssh-keyscan into it")
|
|
os.Exit(1)
|
|
}
|
|
|
|
scanner := bufio.NewScanner(os.Stdin)
|
|
for scanner.Scan() {
|
|
text := scanner.Text() + "\n"
|
|
var err error
|
|
var pk ssh.PublicKey
|
|
if strings.HasPrefix(text, "ssh-") {
|
|
pk, _, _, _, err = ssh.ParseAuthorizedKey([]byte(text))
|
|
} else {
|
|
_, _, pk, _, _, err = ssh.ParseKnownHosts([]byte(text))
|
|
}
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
// We only care about ed25519
|
|
if pk.Type() != ssh.KeyAlgoED25519 {
|
|
continue
|
|
}
|
|
// Get the bytes
|
|
cpk, ok := pk.(ssh.CryptoPublicKey)
|
|
if !ok {
|
|
panic(errors.New("pk does not implement ssh.CryptoPublicKey"))
|
|
}
|
|
epk, ok := cpk.CryptoPublicKey().(ed25519.PublicKey)
|
|
if !ok {
|
|
panic(errors.New("unexpected public key type"))
|
|
}
|
|
// Convert the key to curve ed25519
|
|
mpk, err := ed25519PublicKeyToCurve25519(epk)
|
|
if err != nil {
|
|
panic(fmt.Errorf("invalid Ed25519 public key: %v", err))
|
|
}
|
|
// Encode the key
|
|
s, err := bech32.Encode("age", mpk)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
fmt.Println(s)
|
|
}
|
|
if err := scanner.Err(); err != nil {
|
|
panic(err)
|
|
}
|
|
}
|