From de7c1fb5658455345ff279b0b82118d961b0e48c Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Wed, 29 Jun 2022 11:46:34 +0200
Subject: [PATCH] agessh: support PKCS#8-encoded Ed25519 private keys

OpenSSH never generated them (unencrypted, and golang.org/x/crypto/ssh doesn't support encrypted PKCS#8 for now, so the encrypted_keys.go change is technically superfluous) but there are other systems that produce them (for example, 1Password). Unfortunately, ParseRawPrivateKey returns a value type for PKCS#8 and a pointer type for the OpenSSH format (golang/go#51974), so we need to handle both.
Fixes #429
---
 agessh/agessh.go | 3 +++
 agessh/encrypted_keys.go | 4 ++++
 cmd/age/testdata/pkcs8.txt | 12 ++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 cmd/age/testdata/pkcs8.txt
diff --git a/agessh/agessh.go b/agessh/agessh.go
index 27b463d..ec2ccdd 100644
--- a/agessh/agessh.go
+++ b/agessh/agessh.go
@@ -274,6 +274,9 @@ func ParseIdentity(pemBytes []byte) (age.Identity, error) {
 switch k := k.(type) {
 case *ed25519.PrivateKey:
 return NewEd25519Identity(*k)
+ // ParseRawPrivateKey returns inconsistent types. See Issue 429.
+ case ed25519.PrivateKey:
+ return NewEd25519Identity(k)
 case *rsa.PrivateKey:
 return NewRSAIdentity(k)
 }
diff --git a/agessh/encrypted_keys.go b/agessh/encrypted_keys.go
index e4b648f..9414bcf 100644
--- a/agessh/encrypted_keys.go
+++ b/agessh/encrypted_keys.go
@@ -113,6 +113,10 @@ func (i *EncryptedSSHIdentity) Unwrap(stanzas []*age.Stanza) (fileKey []byte, er
 case *ed25519.PrivateKey:
 i.decrypted, err = NewEd25519Identity(*k)
 pubKey = k.Public().(ed25519.PublicKey)
+ // ParseRawPrivateKey returns inconsistent types. See Issue 429.
+ case ed25519.PrivateKey:
+ i.decrypted, err = NewEd25519Identity(k)
+ pubKey = k.Public().(ed25519.PublicKey)
 case *rsa.PrivateKey:
 i.decrypted, err = NewRSAIdentity(k)
 pubKey = &k.PublicKey
diff --git a/cmd/age/testdata/pkcs8.txt b/cmd/age/testdata/pkcs8.txt
new file mode 100644
index 0000000..5ade753
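Review bot: The comment above the new `case ed25519.PrivateKey:` arm in ParseIdentity says only "inconsistent types" and cites "Issue 429", which is this project's report rather than the upstream bug named in the commit message (golang/go#51974). A reader cannot tell from it which encoding yields which type, or when the arm can be dropped. I would write `// ParseRawPrivateKey returns a value for PKCS#8 and a pointer for the OpenSSH format (golang/go#51974).` The identical comment in the Unwrap hunk of agessh/encrypted_keys.go should get the same wording. The switch's default and the rest of ParseIdentity lie outside the hunk.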
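Review bot: The new `case ed25519.PrivateKey:` arm in Unwrap is not exercised by any test, and per the commit message it cannot be reached while golang.org/x/crypto/ssh rejects encrypted PKCS#8. The `pubKey` it sets is presumably checked against the identity's stored public key further down, outside the hunk, so an arm that only starts running after a dependency upgrade deserves a marker. I would add `// Not reachable until x/crypto/ssh parses encrypted PKCS#8; kept in step with ParseIdentity.` above the case, and add an encrypted PKCS#8 fixture once the parser supports it.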
--- /dev/null
+++ b/cmd/age/testdata/pkcs8.txt
@@ -0,0 +1,12 @@
+# https://github.com/FiloSottile/age/discussions/428
+# encrypt and decrypt a file with an Ed25519 key encoded with PKCS#8
+age -e -i key.pem -o test.age input
+age -d -i key.pem test.age
+stdout test
+
+-- input --
+test
+-- key.pem --
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIJT4Wpo+YG11yybKL/bYXQW7ekz4PAsmV/4tfmY1vU7x
+-----END PRIVATE KEY-----
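Review bot: The script encrypts and decrypts with the same `key.pem`, so it shows the PKCS#8 identity is self-consistent but not that it derives the same recipient as the OpenSSH encoding of that key. A second step that encrypts to the matching `ssh-ed25519` public key and decrypts with `key.pem` would pin interoperability between the two encodings. If the embedded key was generated only for this fixture, a header line such as `# key.pem is a throwaway key generated for this test` would tell readers and secret scanners that it protects nothing.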