Support more formats in NewPublicKeys SSH helper

By switching to `ParsePrivateKey` and `ParsePrivateKeyWithPassphrase` from `crypto/ssh`, which has support for RSA (PKCS#1), PKCS#8, DSA (OpenSSL), and ECDSA private keys. Signed-off-by: Hidde Beydals <hello@hidde.co>
go-git · Apr 16, 2021 · 022cc6c · 022cc6c
1 parent 832d390
commit 022cc6c
Showing 1 changed file with 4 additions and 18 deletions.
diff --git a/plumbing/transport/ssh/auth_method.go b/plumbing/transport/ssh/auth_method.go
@@ -1,8 +1,6 @@
 package ssh
 
 import (
-	"crypto/x509"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -121,27 +119,15 @@ type PublicKeys struct {
 // NewPublicKeys returns a PublicKeys from a PEM encoded private key. An
 // encryption password should be given if the pemBytes contains a password
 // encrypted PEM block otherwise password should be empty. It supports RSA
-// (PKCS#1), DSA (OpenSSL), and ECDSA private keys.
+// (PKCS#1), PKCS#8, DSA (OpenSSL), and ECDSA private keys.
 func NewPublicKeys(user string, pemBytes []byte, password string) (*PublicKeys, error) {
-	block, _ := pem.Decode(pemBytes)
-	if block == nil {
-		return nil, errors.New("invalid PEM data")
-	}
-	if x509.IsEncryptedPEMBlock(block) {
-		key, err := x509.DecryptPEMBlock(block, []byte(password))
-		if err != nil {
-			return nil, err
-		}
-
-		block = &pem.Block{Type: block.Type, Bytes: key}
-		pemBytes = pem.EncodeToMemory(block)
-	}
-
 	signer, err := ssh.ParsePrivateKey(pemBytes)
+	if _, ok := err.(*ssh.PassphraseMissingError); ok {
+		signer, err = ssh.ParsePrivateKeyWithPassphrase(pemBytes, []byte(password))
+	}
 	if err != nil {
 		return nil, err
 	}
-
 	return &PublicKeys{User: user, Signer: signer}, nil
 }