alkdev/wraith
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eb032c87f16514bcffba3d8833448b31e144c311
wraith/tasks/auth/key-loading.md

2.3 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
auth/key-loading Implement SSH key material loading (file paths and in-memory data) pending
auth/error-types
setup/project-init
narrow low component implementation

Description

Implement key material loading that accepts both file paths and in-memory data per the programmatic-first API (ADR-011). Key inputs (--identity, --authorized-keys, --cert-authority, --key) accept either:

  • File path: load from filesystem
  • In-memory data: raw key bytes provided programmatically

All keys must be in OpenSSH key format (not PEM/PKCS#1/PKCS#8). This module handles:

  • Loading private keys (OpenSSH format: -----BEGIN OPENSSH PRIVATE KEY-----)
  • Loading public keys (OpenSSH format: ssh-ed25519 AAAA... user@host)
  • Loading authorized_keys files (standard OpenSSH format)
  • Parsing cert-authority entries in authorized_keys

Acceptance Criteria

  • crates/wraith-core/src/auth/keys.rs exports key loading functions
  • KeySource enum: File(PathBuf) and Memory(Vec<u8>) for unified key input handling
  • load_private_key(source: KeySource) -> Result<russh::key::KeyPair> — loads OpenSSH private key from file or memory
  • load_public_keys(source: KeySource) -> Result<Vec<russh::key::PublicKey>> — loads one or more public keys from authorized_keys format
  • Parses standard authorized_keys format including options (e.g., cert-authority,permit-port-forwarding ssh-ed25519 AAAA...)
  • CertAuthorityEntry struct: public_key: PublicKey, options: Vec<String> parsed from authorized_keys cert-authority lines
  • Returns ConfigError::KeyFileNotFound for missing file paths
  • Returns ConfigError::InvalidFlag with clear message for PEM-encoded (non-OpenSSH) keys
  • Unit tests: load Ed25519 key from file, load from memory, parse authorized_keys with multiple entries, reject PEM format

References

  • docs/architecture/client.md — Key Material Format section
  • docs/architecture/server.md — Key Material Format section
  • docs/architecture/decisions/012-auth-ed25519-and-cert-authority.md — authorized_keys format with cert-authority
  • docs/architecture/decisions/011-no-ssh-config-programmatic-api.md — programmatic-first, file paths or in-memory

Notes

To be filled by implementation agent

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink