Add support for ssh keys

Hinton · Hinton · commit 0532353e4c3f · 2025-08-01T10:27:14.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/bitwarden-exporters/Cargo.toml b/crates/bitwarden-exporters/Cargo.toml
@@ -30,6 +30,7 @@ bitwarden-core = { workspace = true }
 bitwarden-crypto = { workspace = true }
 bitwarden-error = { workspace = true }
 bitwarden-fido = { workspace = true }
+bitwarden-ssh = { workspace = true }
 bitwarden-vault = { workspace = true }
 chrono = { workspace = true, features = ["std"] }
 credential-exchange-format = ">=0.1, <0.2"
diff --git a/crates/bitwarden-exporters/src/cxf/api_key.rs b/crates/bitwarden-exporters/src/cxf/api_key.rs
@@ -3,7 +3,7 @@ use credential_exchange_format::ApiKeyCredential;
 use crate::{cxf::editable_field::create_field, Field};
 
 /// Convert API key credentials to custom fields
-pub fn api_key_to_fields(api_key: &ApiKeyCredential) -> Vec<Field> {
+pub(super) fn api_key_to_fields(api_key: &ApiKeyCredential) -> Vec<Field> {
     [
         api_key.key.as_ref().map(|key| create_field("API Key", key)),
         api_key
diff --git a/crates/bitwarden-exporters/src/cxf/import.rs b/crates/bitwarden-exporters/src/cxf/import.rs
@@ -1,13 +1,14 @@
 use chrono::{DateTime, Utc};
 use credential_exchange_format::{
     Account as CxfAccount, ApiKeyCredential, BasicAuthCredential, Credential, CreditCardCredential,
-    Item, PasskeyCredential, WifiCredential,
+    Item, PasskeyCredential, SshKeyCredential, WifiCredential,
 };
 
 use crate::{
     cxf::{
         api_key::api_key_to_fields,
         login::{to_fields, to_login},
+        ssh::to_ssh,
         wifi::wifi_to_fields,
         CxfError,
     },
@@ -121,6 +122,24 @@ fn parse_item(value: Item) -> Vec<ImportingCipher> {
         })
     }
 
+    // SSH Key credentials
+    if let Some(ssh) = grouped.ssh.first() {
+        let (ssh_key, fields) = to_ssh(ssh);
+
+        output.push(ImportingCipher {
+            folder_id: None, // TODO: Handle folders
+            name: value.title.clone(),
+            notes: None,
+            r#type: CipherType::SshKey(Box::new(ssh_key)),
+            favorite: false,
+            reprompt: 0,
+            fields: [fields, scope.map(to_fields).unwrap_or_default()].concat(),
+            revision_date,
+            creation_date,
+            deleted_date: None,
+        })
+    }
+
     output
 }
 
@@ -150,12 +169,16 @@ fn group_credentials_by_type(credentials: Vec<Credential>) -> GroupedCredentials
             Credential::BasicAuth(basic_auth) => Some(basic_auth.as_ref()),
             _ => None,
         }),
+        credit_card: filter_credentials(&credentials, |c| match c {
+            Credential::CreditCard(credit_card) => Some(credit_card.as_ref()),
+            _ => None,
+        }),
         passkey: filter_credentials(&credentials, |c| match c {
             Credential::Passkey(passkey) => Some(passkey.as_ref()),
             _ => None,
         }),
-        credit_card: filter_credentials(&credentials, |c| match c {
-            Credential::CreditCard(credit_card) => Some(credit_card.as_ref()),
+        ssh: filter_credentials(&credentials, |c| match c {
+            Credential::SshKey(ssh) => Some(ssh.as_ref()),
             _ => None,
         }),
         wifi: filter_credentials(&credentials, |c| match c {
@@ -168,8 +191,9 @@ fn group_credentials_by_type(credentials: Vec<Credential>) -> GroupedCredentials
 struct GroupedCredentials {
     api_key: Vec<ApiKeyCredential>,
     basic_auth: Vec<BasicAuthCredential>,
-    passkey: Vec<PasskeyCredential>,
     credit_card: Vec<CreditCardCredential>,
+    passkey: Vec<PasskeyCredential>,
+    ssh: Vec<SshKeyCredential>,
     wifi: Vec<WifiCredential>,
 }
 
diff --git a/crates/bitwarden-exporters/src/cxf/mod.rs b/crates/bitwarden-exporters/src/cxf/mod.rs
@@ -16,4 +16,5 @@ mod api_key;
 mod card;
 mod editable_field;
 mod login;
+mod ssh;
 mod wifi;
diff --git a/crates/bitwarden-exporters/src/cxf/ssh.rs b/crates/bitwarden-exporters/src/cxf/ssh.rs
@@ -0,0 +1,96 @@
+use bitwarden_ssh::import::import_der_key;
+use bitwarden_vault::FieldType;
+use credential_exchange_format::SshKeyCredential;
+
+use crate::{cxf::editable_field::create_field, Field, SshKey};
+
+pub(super) fn to_ssh(credential: &SshKeyCredential) -> (SshKey, Vec<Field>) {
+    // Convert to OpenSSH format
+    let encoded_key: Vec<u8> = credential.private_key.as_ref().into();
+    let encoded_key = import_der_key(&encoded_key).expect("valid SSH key format");
+
+    let ssh = SshKey {
+        private_key: encoded_key.private_key,
+        public_key: encoded_key.public_key,
+        fingerprint: encoded_key.fingerprint,
+    };
+
+    let fields = [
+        credential.key_comment.as_ref().map(|comment| Field {
+            name: Some("Key Comment".into()),
+            value: Some(comment.into()),
+            r#type: FieldType::Text as u8,
+            linked_id: None,
+        }),
+        credential
+            .creation_date
+            .as_ref()
+            .map(|date| create_field("Creation Date", date)),
+        credential
+            .expiry_date
+            .as_ref()
+            .map(|date| create_field("Expiry Date", date)),
+        credential
+            .key_generation_source
+            .as_ref()
+            .map(|source| create_field("Key Generation Source", source)),
+    ]
+    .into_iter()
+    .flatten()
+    .collect();
+
+    (ssh, fields)
+}
+
+#[cfg(test)]
+mod tests {
+    use bitwarden_vault::FieldType;
+    use chrono::NaiveDate;
+    use credential_exchange_format::EditableFieldDate;
+
+    use super::*;
+
+    #[test]
+    fn test_to_ssh() {
+        let credential = SshKeyCredential {
+            key_type: "ssh-ed25519".into(),
+            private_key: "MC4CAQAwBQYDK2VwBCIEID-U9VakauO4Fsv4b_znpDHcdYg74U68siZjnWLPn7Q1"
+                .try_into()
+                .unwrap(),
+            key_comment: Some("Work SSH Key".into()),
+            creation_date: Some(
+                EditableFieldDate(NaiveDate::from_ymd_opt(2023, 1, 1).unwrap()).into(),
+            ),
+            expiry_date: Some(
+                EditableFieldDate(NaiveDate::from_ymd_opt(2025, 1, 1).unwrap()).into(),
+            ),
+            key_generation_source: Some("Generated using OpenSSH".to_owned().into()),
+        };
+
+        let (ssh, fields) = to_ssh(&credential);
+
+        assert_eq!(ssh.private_key, "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACDQiCIk4t4YPC6bOSb7CLzac/vC+ZudqhYqY00cxqr8zAAAAIilFVdupRVX\nbgAAAAtzc2gtZWQyNTUxOQAAACDQiCIk4t4YPC6bOSb7CLzac/vC+ZudqhYqY00cxqr8zA\nAAAEA/lPVWpGrjuBbL+G/856Qx3HWIO+FOvLImY51iz5+0NdCIIiTi3hg8Lps5JvsIvNpz\n+8L5m52qFipjTRzGqvzMAAAAAAECAwQF\n-----END OPENSSH PRIVATE KEY-----\n");
+        assert_eq!(
+            ssh.public_key,
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINCIIiTi3hg8Lps5JvsIvNpz+8L5m52qFipjTRzGqvzM"
+        );
+        assert_eq!(
+            ssh.fingerprint,
+            "SHA256:mZ0BOhUVicE81yPEpFJrv1rEXB2R3Y3t5nh/riicTvs"
+        );
+
+        assert_eq!(fields.len(), 4);
+        assert_eq!(
+            fields[0],
+            Field {
+                name: Some("Key Comment".to_string()),
+                value: Some("Work SSH Key".to_string()),
+                r#type: FieldType::Text as u8,
+                linked_id: None,
+            }
+        );
+        assert_eq!(fields[1].value.as_deref(), Some("2023-01-01"));
+        assert_eq!(fields[2].value.as_deref(), Some("2025-01-01"));
+        assert_eq!(fields[3].value.as_deref(), Some("Generated using OpenSSH"));
+    }
+}
diff --git a/crates/bitwarden-exporters/src/cxf/wifi.rs b/crates/bitwarden-exporters/src/cxf/wifi.rs
@@ -3,7 +3,7 @@ use credential_exchange_format::WifiCredential;
 use crate::{cxf::editable_field::create_field, Field};
 
 /// Convert WiFi credentials to custom fields following the CXF mapping convention
-pub fn wifi_to_fields(wifi: &WifiCredential) -> Vec<Field> {
+pub(super) fn wifi_to_fields(wifi: &WifiCredential) -> Vec<Field> {
     [
         // SSID: Text field
         wifi.ssid.as_ref().map(|ssid| create_field("SSID", ssid)),
diff --git a/crates/bitwarden-ssh/src/import.rs b/crates/bitwarden-ssh/src/import.rs
@@ -32,25 +32,11 @@ pub fn import_key(
     }
 }
 
-fn import_pkcs8_key(
-    encoded_key: String,
-    password: Option<String>,
-) -> Result<SshKeyView, SshKeyImportError> {
-    let doc = if let Some(password) = password {
-        SecretDocument::from_pkcs8_encrypted_pem(&encoded_key, password.as_bytes()).map_err(
-            |err| match err {
-                pkcs8::Error::EncryptedPrivateKey(pkcs5::Error::DecryptFailed) => {
-                    SshKeyImportError::WrongPassword
-                }
-                _ => SshKeyImportError::ParsingError,
-            },
-        )?
-    } else {
-        SecretDocument::from_pkcs8_pem(&encoded_key).map_err(|_| SshKeyImportError::ParsingError)?
-    };
-
+/// Import a DER encoded private key, and returns a decoded [SshKeyView]. This is primarily used for
+/// importing SSH keys from other Credential Managers through Credential Exchange.
+pub fn import_der_key(encoded_key: &[u8]) -> Result<SshKeyView, SshKeyImportError> {
     let private_key_info =
-        PrivateKeyInfo::from_der(doc.as_bytes()).map_err(|_| SshKeyImportError::ParsingError)?;
+        PrivateKeyInfo::from_der(encoded_key).map_err(|_| SshKeyImportError::ParsingError)?;
 
     let private_key = match private_key_info.algorithm.oid {
         ed25519::pkcs8::ALGORITHM_OID => {
@@ -75,6 +61,26 @@ fn import_pkcs8_key(
     ssh_private_key_to_view(private_key).map_err(|_| SshKeyImportError::ParsingError)
 }
 
+fn import_pkcs8_key(
+    encoded_key: String,
+    password: Option<String>,
+) -> Result<SshKeyView, SshKeyImportError> {
+    let doc = if let Some(password) = password {
+        SecretDocument::from_pkcs8_encrypted_pem(&encoded_key, password.as_bytes()).map_err(
+            |err| match err {
+                pkcs8::Error::EncryptedPrivateKey(pkcs5::Error::DecryptFailed) => {
+                    SshKeyImportError::WrongPassword
+                }
+                _ => SshKeyImportError::ParsingError,
+            },
+        )?
+    } else {
+        SecretDocument::from_pkcs8_pem(&encoded_key).map_err(|_| SshKeyImportError::ParsingError)?
+    };
+
+    import_der_key(doc.as_bytes())
+}
+
 fn import_openssh_key(
     encoded_key: String,
     password: Option<String>,

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ use credential_exchange_format::ApiKeyCredential;`
`3`	`3`	`use crate::{cxf::editable_field::create_field, Field};`
`4`	`4`
`5`	`5`	`/// Convert API key credentials to custom fields`
`6`		`-pub fn api_key_to_fields(api_key: &ApiKeyCredential) -> Vec<Field> {`
	`6`	`+pub(super) fn api_key_to_fields(api_key: &ApiKeyCredential) -> Vec<Field> {`
`7`	`7`	`[`
`8`	`8`	`api_key.key.as_ref().map(\|key\| create_field("API Key", key)),`
`9`	`9`	`api_key`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ use credential_exchange_format::WifiCredential;`
`3`	`3`	`use crate::{cxf::editable_field::create_field, Field};`
`4`	`4`
`5`	`5`	`/// Convert WiFi credentials to custom fields following the CXF mapping convention`
`6`		`-pub fn wifi_to_fields(wifi: &WifiCredential) -> Vec<Field> {`
	`6`	`+pub(super) fn wifi_to_fields(wifi: &WifiCredential) -> Vec<Field> {`
`7`	`7`	`[`
`8`	`8`	`// SSID: Text field`
`9`	`9`	`wifi.ssid.as_ref().map(\|ssid\| create_field("SSID", ssid)),`