Add support for encrypted SSH key with new OpenSSH format

crypto/sshkeys/decrypt.go

@@ -10,9 +10,9 @@ import (
 	"fmt"
 	"strings"
 
-	"gopkg.in/errgo.v1"
-	"github.com/Scalingo/go-scalingo/debug"
 	"github.com/Scalingo/cli/term"
+	"github.com/Scalingo/go-scalingo/debug"
+	"gopkg.in/errgo.v1"
 )
 
 func (p *PrivateKey) Decrypt() error {
@@ -33,7 +33,7 @@ func (p *PrivateKey) Decrypt() error {
 		p.PasswordMethod = term.Password
 	}
 
-	password, err := p.PasswordMethod("Encrypted SSH Key, password: ")
+	password, err := p.PasswordMethod("Encrypted SSH key, password: ")
 	if err != nil {
 		return errgo.Mask(err)
 	}
@@ -43,13 +43,13 @@ func (p *PrivateKey) Decrypt() error {
 		key := genDES3Key(password, iv)
 		decryptedKey, err = decryptKey(p.Block.Bytes, iv, key, des.NewTripleDESCipher)
 		if err != nil {
-			return errgo.Newf("Key is tagged DES-ECE3-CBC, but is not: %v", err)
+			return errgo.Newf("key is tagged DES-ECE3-CBC, but is not: %v", err)
 		}
 	case "AES-128-CBC":
 		key := genAESKey(password, iv)
 		decryptedKey, err = decryptKey(p.Block.Bytes, iv, key, aes.NewCipher)
 		if err != nil {
-			return errgo.Newf("Key is tagged AES-128-CBC, but is not: %v", err)
+			return errgo.Newf("key is tagged AES-128-CBC, but is not: %v", err)
 		}
 	}
 	decryptedBlock := &pem.Block{}

crypto/sshkeys/private_key.go

@@ -2,6 +2,7 @@ package sshkeys
 
 import (
 	"encoding/pem"
+	"strings"
 
 	"golang.org/x/crypto/ssh"
 )
@@ -21,7 +22,7 @@ func (p *PrivateKey) Signer() (ssh.Signer, error) {
 }
 
 func (p *PrivateKey) IsEncrypted() bool {
-	return p.Block.Headers["Proc-Type"] == "4,ENCRYPTED"
+	return strings.Contains(p.Block.Headers["Proc-Type"], "ENCRYPTED")
 }
 
 func (p *PrivateKey) IsCipherImplemented(cipher string) bool {

crypto/sshkeys/read.go

@@ -3,6 +3,7 @@ package sshkeys
 import (
 	"encoding/asn1"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
@@ -20,39 +21,39 @@ var (
 func ReadPrivateKey(path string) (ssh.Signer, error) {
 	privateKeyContent, err := ioutil.ReadFile(path)
 	if err != nil {
-		return nil, errgo.Mask(err)
+		return nil, errgo.Notef(err, "fail to read the private key file")
 	}
-	return ReadPrivateKeyWithContent(path, privateKeyContent)
+	return readPrivateKeyWithContent(path, privateKeyContent)
 }
 
-func ReadPrivateKeyWithContent(path string, privateKeyContent []byte) (ssh.Signer, error) {
+func readPrivateKeyWithContent(path string, privateKeyContent []byte) (ssh.Signer, error) {
 	// We parse the private key on our own first so that we can
 	// show a nicer error if the private key has a password.
 	block, _ := pem.Decode(privateKeyContent)
 	if block == nil {
 		return nil, fmt.Errorf(
-			"Failed to read key '%s': is not in the PEM format", path)
+			"failed to read key '%s': is not in the PEM format", path)
 	}
 
 	privateKey := &PrivateKey{Block: block, Path: path}
 	if privateKey.IsEncrypted() {
 		err := privateKey.Decrypt()
 		if err != nil {
-			return nil, errgo.Mask(err)
+			return nil, errgo.Notef(err, "fail to decrypt the private key")
 		}
 	}
 
 	signer, err := privateKey.Signer()
 	if err != nil {
 		if err, ok := err.(asn1.StructuralError); ok && strings.HasPrefix(err.Msg, "tags don't match") || err.Msg == "length too large" {
-			return nil, errgo.Newf("Fail to decrypt SSH key, invalid password.")
+			return nil, errors.New("fail to decrypt SSH key, invalid password")
 		}
 		if err, ok := err.(asn1.SyntaxError); ok && err.Msg == "trailing data" {
-			return nil, errgo.Newf("The password was OK, but something went wrong.\n" +
+			return nil, errors.New("The password was OK, but something went wrong.\n" +
 				"Please re-run the command with the environment variable DEBUG=1 " +
 				"and create an issue with the command output: https://github.com/Scalingo/cli/issues")
 		}
-		return nil, errgo.Newf("Invalid SSH key or password: %v", err)
+		return nil, errgo.Notef(err, "invalid SSH key or password")
 	}
 
 	return signer, nil

crypto/sshkeys/read_test.go

@@ -21,7 +21,7 @@ var (
 )
 
 func TestInvalidKey(t *testing.T) {
-	_, err := ReadPrivateKeyWithContent("n/a", invalidKey)
+	_, err := readPrivateKeyWithContent("n/a", invalidKey)
 	if err == nil {
 		t.Error("expect error, got nil")
 	}
@@ -31,7 +31,7 @@ func TestInvalidKey(t *testing.T) {
 }
 
 func TestUnencryptedKey(t *testing.T) {
-	s, err := ReadPrivateKeyWithContent("n/a", unencryptedRSAKey)
+	s, err := readPrivateKeyWithContent("n/a", unencryptedRSAKey)
 	if err != nil {
 		t.Error("expect nil, got", err)
 	}

net/ssh/client.go

@@ -28,7 +28,7 @@ func Connect(opts ConnectOpts) (*ssh.Client, ssh.Signer, error) {
 		var agentConnection stdio.Closer
 		privateKeys, agentConnection, err = sshkeys.ReadPrivateKeysFromAgent()
 		if err != nil {
-			return nil, nil, errgo.Mask(err)
+			return nil, nil, errgo.Notef(err, "fail to read the private key from SSH agent")
 		}
 		defer agentConnection.Close()
 	}
@@ -39,7 +39,7 @@ func Connect(opts ConnectOpts) (*ssh.Client, ssh.Signer, error) {
 		}
 		privateKey, err := sshkeys.ReadPrivateKey(opts.Identity)
 		if err != nil {
-			return nil, nil, errgo.Mask(err)
+			return nil, nil, errgo.Notef(err, "fail to read the private key")
 		}
 		privateKeys = append(privateKeys, privateKey)
 	}