feat(age): add Identity::from_secret_bytes

RyderFreeman4Logos · RyderFreeman4Logos · commit effb1b1a2a3e · 2025-12-04T01:40:55.000-08:00
diff --git a/age/src/x25519.rs b/age/src/x25519.rs
@@ -62,6 +62,19 @@ impl Identity {
         Identity(StaticSecret::random_from_rng(rng))
     }
 
+    /// Deserializes this secret key from a 32-byte array.
+    ///
+    /// # Security
+    ///
+    /// The `bytes` argument **must** be a high-entropy value, such as a key generated by a CSPRNG
+    /// or derived from a high-entropy seed (e.g. using BIP39 or scrypt).
+    ///
+    /// **Do not** use this method with low-entropy input (like a simple string cast to bytes),
+    /// as this will result in a weak key that is trivial to crack.
+    pub fn from_secret_bytes(bytes: [u8; 32]) -> Self {
+        Identity(StaticSecret::from(bytes))
+    }
+
     /// Serializes this secret key as a string.
     pub fn to_string(&self) -> SecretString {
         let mut sk_bytes = self.0.to_bytes();
@@ -263,6 +276,14 @@ pub(crate) mod tests {
         assert_eq!(key.to_public().to_string(), TEST_PK);
     }
 
+    #[test]
+    fn identity_from_secret_bytes() {
+        let (_, bytes) = crate::util::parse_bech32(TEST_SK).expect("TEST_SK is valid Bech32");
+        let bytes: [u8; 32] = bytes.try_into().expect("TEST_SK is 32 bytes");
+        let key = Identity::from_secret_bytes(bytes);
+        assert_eq!(key.to_string().expose_secret(), TEST_SK);
+    }
+
     proptest! {
         #[test]
         fn wrap_and_unwrap(sk_bytes in proptest::collection::vec(any::<u8>(), ..=32)) {
