From ebb6956b8201b41e9ef7e3eaa3a67e012d4a2868 Mon Sep 17 00:00:00 2001
From: Eugene
Date: Tue, 16 Jul 2024 22:01:07 +0200
Subject: [PATCH] re-save ed25519 keys to fix the encoding error
---
 Cargo.lock | 17 +++++++++++++----
 warpgate-admin/Cargo.toml | 2 +-
 warpgate-protocol-ssh/Cargo.toml | 4 ++--
 warpgate-protocol-ssh/src/keys.rs | 22 ++++++++++++++++++----
 warpgate-protocol-ssh/src/lib.rs | 2 +-
 5 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index ec4161a..0059f5e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -552,6 +552,12 @@ dependencies = [
  "shlex",
 ]
 
+[[package]]
+name = "bit-vec"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -3723,9 +3729,9 @@ dependencies = [
 
 [[package]]
 name = "russh"
-version = "0.44.0-beta.4"
+version = "0.44.0-beta.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c0c8b1a1213ee9cbae3c644c76f304ddfff8de66c1e7194626e511e9e5c91f7"
+checksum = "2f5827ad9882c902e17911af4db2995bf6247e333f6615668a39df31d94262cd"
 dependencies = [
  "aes",
  "aes-gcm",
@@ -3775,9 +3781,9 @@ dependencies = [
 
 [[package]]
 name = "russh-keys"
-version = "0.44.0-beta.4"
+version = "0.44.0-beta.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65d9d07bb169099e6e0ae7e30b64965f005d613170c6e019586cd30be596e2ee"
+checksum = "e86b69bb1b6a00b3ce02a6d4e9152a4bc39350847e9170c19caa9bc3e363a608"
 dependencies = [
  "aes",
  "async-trait",
@@ -3821,6 +3827,7 @@ dependencies = [
  "tokio",
  "tokio-stream",
  "typenum",
+ "yasna",
  "zeroize",
 ]
 
@@ -6234,6 +6241,8 @@ version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
 dependencies = [
+ "bit-vec",
+ "num-bigint",
  "time",
 ]
 
diff --git a/warpgate-admin/Cargo.toml b/warpgate-admin/Cargo.toml
index 6d291c4..132be87 100644
--- a/warpgate-admin/Cargo.toml
+++ b/warpgate-admin/Cargo.toml
@@ -24,7 +24,7 @@ poem-openapi = { version = "2.0", features = [
     "uuid",
     "static-files",
 ] }
-russh-keys = { version = "0.44.0-beta.4" }
+russh-keys = { version = "0.44.0-beta.5", features = ["legacy-ed25519-pkcs8-parser"] }
 # russh-keys = { version = "0.23.0-beta.1", path = "../../russh/russh-keys" }
 rust-embed = "8.3"
 sea-orm = { version = "0.12.2", features = [
diff --git a/warpgate-protocol-ssh/Cargo.toml b/warpgate-protocol-ssh/Cargo.toml
index de0c11f..85cc21d 100644
--- a/warpgate-protocol-ssh/Cargo.toml
+++ b/warpgate-protocol-ssh/Cargo.toml
@@ -14,9 +14,9 @@ dialoguer = "0.10"
 curve25519-dalek = "4.0.0" # pin due to build fail on x86
 ed25519-dalek = "2.0.0" # pin due to build fail on x86 in 2.1
 futures = "0.3"
-russh = { version = "0.44.0-beta.4" }
+russh = { version = "0.44.0-beta.5" }
 # russh = { version = "0.35.0-beta.6", path = "../../russh/russh"}
-russh-keys = { version = "0.44.0-beta.4" }
+russh-keys = { version = "0.44.0-beta.5", features = ["legacy-ed25519-pkcs8-parser"] }
 # russh-keys = { version = "0.23.0-beta.1", path = "../../russh/russh-keys" }
 sea-orm = { version = "0.12.2", features = [
     "runtime-tokio-rustls",
diff --git a/warpgate-protocol-ssh/src/keys.rs b/warpgate-protocol-ssh/src/keys.rs
index ba0e026..9f7dfa5 100644
--- a/warpgate-protocol-ssh/src/keys.rs
+++ b/warpgate-protocol-ssh/src/keys.rs
@@ -1,5 +1,5 @@
 use std::fs::{create_dir_all, File};
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 
 use anyhow::{Context, Result};
 use russh_keys::key::{KeyPair, SignatureHash};
@@ -46,7 +46,7 @@ pub fn load_host_keys(config: &WarpgateConfig) -> Result, russh_key
     let mut keys = Vec::new();
 
     let key_path = path.join("host-ed25519");
-    keys.push(load_secret_key(key_path, None)?);
+    keys.push(load_and_maybe_resave_ed25519_key(key_path)?);
 
     let key_path = path.join("host-rsa");
     let key = load_secret_key(key_path, None)?;
@@ -94,11 +94,25 @@ pub fn load_client_keys(config: &WarpgateConfig) -> Result, russh_k
     let path = get_keys_path(config);
     let mut keys = Vec::new();
 
-    let key_path = path.join("client-ed25519");
-    keys.push(load_secret_key(key_path, None)?);
+    let key_path: PathBuf = path.join("client-ed25519");
+    keys.push(load_and_maybe_resave_ed25519_key(key_path)?);
 
     let key_path = path.join("client-rsa");
     keys.push(load_secret_key(key_path, None)?);
 
     Ok(keys)
 }
+
+/// russh 0.43 has a bug that generates incorrect PKCS#8 encoding for Ed25519 keys
+/// This will preemptively try to correctly re-encode and save the key
+fn load_and_maybe_resave_ed25519_key>(p: P) -> Result {
+    let key = load_secret_key(&p, None)?;
+    if let KeyPair::Ed25519(_) = &key {
+        if let Ok(f) = File::create(p) {
+            if let Err(e) = encode_pkcs8_pem(&key, f) {
+                error!("Failed to re-save the Ed25519 key: {e:?}");
+            }
+        }
+    };
+    Ok(key)
+}
diff --git a/warpgate-protocol-ssh/src/lib.rs b/warpgate-protocol-ssh/src/lib.rs
index 68a2929..7538f6b 100644
--- a/warpgate-protocol-ssh/src/lib.rs
+++ b/warpgate-protocol-ssh/src/lib.rs
@@ -1,4 +1,4 @@
-#![feature(type_alias_impl_trait)]
+#![feature(type_alias_impl_trait, try_blocks)]
 mod client;
 mod common;
 mod compat;
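Review bot: In `load_and_maybe_resave_ed25519_key`, `File::create(p)` truncates the existing host/client private key file before `encode_pkcs8_pem` has written anything, so an encode failure, a full disk or a crash mid-write leaves the on-disk key empty or partial while the in-memory key is still returned — the process starts fine once and then cannot load its host key on the next restart. The error path only logs, so nothing would flag that the key file is now unusable. Write the re-encoded key to a sibling temporary file and `rename` it over the original only after the encode succeeded, and create that temporary with owner-only permissions (on unix, `OpenOptions` with `.mode(0o600)` via `std::os::unix::fs::OpenOptionsExt`), since a fresh `File::create` takes the process umask rather than the mode of the key file it replaces. The re-save also runs on every load regardless of whether the legacy parser was actually needed; that is acceptable as a one-off migration but deserves a comment, e.g. `// Rewrites the key on every load; remove once keys written by russh 0.43 are no longer expected`. The trailing `;` after the `if let` block is a leftover and can be dropped.
```rust
    let key = load_secret_key(&p, None)?;
    if let KeyPair::Ed25519(_) = &key {
        // Re-encode into a sibling temp file and swap it in atomically so a
        // failed encode never leaves a truncated private key on disk.
        let tmp_path = p.as_ref().with_extension("tmp");
        let resave: Result<()> = File::create(&tmp_path)
            .map_err(anyhow::Error::from)
            .and_then(|f| encode_pkcs8_pem(&key, f).map_err(Into::into))
            .and_then(|_| std::fs::rename(&tmp_path, p.as_ref()).map_err(Into::into));
        if let Err(e) = resave {
            let _ = std::fs::remove_file(&tmp_path);
            error!("Failed to re-save the Ed25519 key: {e:?}");
        }
    }
    Ok(key)
```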