persistence for ssh keys

src-tauri/Cargo.lock

@@ -1204,6 +1204,7 @@ dependencies = [
  "aws-sdk-sts",
  "aws-smithy-types",
  "aws-types",
+ "base64 0.22.1",
  "chacha20poly1305",
  "clap",
  "dirs 5.0.1",

src-tauri/Cargo.toml

@@ -65,5 +65,8 @@ default = ["custom-protocol"]
 # DO NOT remove this
 custom-protocol = ["tauri/custom-protocol"]
 
+[dev-dependencies]
+base64 = "0.22.1"
+
 # [profile.dev.build-override]
 # opt-level = 3

src-tauri/migrations/20240617142724_credential_split.sql

@@ -69,8 +69,10 @@ DROP TABLE aws_tmp;
 
 
 -- SSH keys are the new hotness
-CREATE TABLE ssh_keys (
+CREATE TABLE ssh_credentials (
-    name TEXT UNIQUE NOT NULL,
+    id BLOB UNIQUE NOT NULL,
+    algorithm TEXT NOT NULL,
+    comment TEXT NOT NULL,
     public_key BLOB NOT NULL,
     private_key_enc BLOB NOT NULL,
     nonce BLOB NOT NULL

src-tauri/src/credentials/fixtures/ssh_credentials.sql

@@ -0,0 +1,34 @@
+INSERT INTO ssh_credentials (id, algorithm, comment, public_key, private_key_enc, nonce)
+VALUES
+    (
+        X'11111111111111111111111111111111',
+        'ssh-rsa',
+        'hello world',
+        X'000000077373682D727361000000030100010000018100C4ABCE6D69400912EBAD527733401E30EBF3DC9433B79C8E343D7AFBE19A9F309934822577D9807346B48D4FB0604D022DA826E5624635E4CE19851AA5D30DFD2007DE99B04AE4C2F00823DFFC3C8DDE62F074831C1F8903067C83DCCD7D9CEE8643C93C5291F6B5047F53646A37C84098934FFDE5882B5DD7696CDDC4421C39E2894768CFD6650CE585E35A3F739B015650AA469ABDEFC6987E55DAFEC7D40B4388654ED3205D18528D881927C42CBE210CCF6F49A90619AD6E6ACBF1768D7EC52FF9CB85BE607B9414961566292016875164C1C1D1FBD4C3569D4424A7F19D043ABCDEE50573DFC4FC7F2C2718AA76528FA226C0DD5530DC705C30901E1BDE88FE5CC35CAE5AB8826D1E7F970DBED0A0F7E9833CFC7323A1F1323528D5CC3C00AEB98165D677CAF64BD69729132264D971B5C491D0AEAF53AAD22D03756B2E43754502E84488117EEBB962CCDF5DF59682C1E9BA472D5AB9B83DB2862E7EA380E8FD20DE9368CABCBBC5C95C233A52DE5DFE5E91CB59019D00B529C70C4305',
+        X'DB9B6A3B97FBAE6AC12BDAF9DA57DBEE4DDF6A92DD682958AF147FF5EF64C18255D2A1714D543F2D16BEFD7ED4C419C7A0E9C18754C4CAA251BCFA5AA46508B006CDB08A7C0DB63D8A7FE27F99CCC2F351203B36D2BC3D02302318ECC741574CEF70D956C5CCA41E538F2CA29B20E04778A596B0C3E5CD991A423443B01E3F811E004E2547C5D3DDAEBCFBFB68CDB03D0C16538224BBAA0A80767D64D8F3D2840975DD12B4F648F81B4D4B541CB500BAA99F9808F450A02688D583A924B8AE2B0BE777BC35CE808FD53B5DB8C0838D24A6CE31C3973880CF3174E63E3404F2E77783140A62DDBA06F9CD89ADE448A54FBCBD6C0EC8C0641724CDDEF2A8126EC0D0F5BDF89EB8112366D7EB6D3CE3565DF9E4036EAF3109E50BED5D7BD3558FFF69AD823F6522C5701CE26BCAFCC03D27D87547728A3C700719FF564EAEC961FA209252B113B404D75AD67CA4E40C5DAA36E9B0FB4ECDD6E5F853C81682123E8DF311A3C495F61A2CEE6A2B04C7FD3D0906583B9C724BC0D00D71106B7167983D6A0FBD3EA7361EE063A0B05E5A6B5CD82D0F795820BFC90E4F422E7CE2BDEBEAEE9493F5408F38732EB41741F15632185131CD6160433DD286869DF38679F6797A268EDE8ED0F442C4394FF52EFDE82EBEC5871A087288F7A12964615DA5AA02149FB661B0F76551CD53771B0DD180837A9D52A2BDF4757C4CF56DCD90B968F32B9F9EE5EE09EF5B791DB0366A4E6CCBBF0AF7D9CB5B7760BABAF4DE16BCC971DC95DCBD068A92DB8E8C709C0FBE9E2AB5B770EDFBCC6FB5045B706FB31DDEB6C52647618CD3B222CEF2DFD8D08ABAE6333A2E3C8768B8DB970BFF1777B75AE6DCE54DA7063F76846EFBDB92E55192A031DBA889D9DEDB0BF0FAA2FA6B4A0B0151B6F03D142D6B140EBB874CAF0A44D67AAD121127946DA90A14176EBB7B6C03DD2034987A100855E23F440CF6A404DEE46617B52581C7A248B7393FF56D8652855B23D19C35E1B535E5EC5EE87F3FF455458A740A55CDCB806053D4BCF44CDC2D76A1998418A60E11728BBC69F12C7E52A539E3834362C47A3E1863D265B3A7C2A41FA1953BB0FC64508679BB5F068DAF84C394A1497D564A3D6023B90D9A1C50E30FDC3E1C9B925EB0C19F960E7377B0678D662362129677E4B9AA515D2E4408A17A260D862F3C5D4291841855B91FE6EEA11C8E8EC19449CD9C31E6505BA364A45E7E3B89C5FA1C55708AF521F97440CED0ED0FAF06B7930E6A6F3A2B547E33EF73163D4C2E75B1AFA24BEB3129FFA978BC4EC43D0919ED262C0BE29AB78A87A57EAA55D51BE479A9E4015F9C3F2381745808AECF3783DEF5AB82E37C6EF68B97485CD36F7018B59C37E0EB93EAA32385E5E8CB95A5A3818B70F4CBE6102FC197946AAAAAABAD8B93750031CAC73C3F1B6B2F825B29435F2426B6AFABE35B1F8468E5A1CF73CC78E2FBB639AEFC171B7AD5D1728A536AB384B3F4AE924D5CEFA3F5EE5412094AE97303B8E728C7ACBCD9F9FB7C4FE7893145A55D96B7EDC1DD6257368C03AAC98B4F23D9AF15EF730BFD3FF09C2A11747035C8FD58EF97003503F568090C02A63117F3304989CFBAF20A281A729C8A8A4470524B3FDD2B4183E78BDE58BBB0B58B16D1E81702E58E225F7EED1A8E7F3920870FC9EE44D1433EEB39248A38108000EC1E151A26399A3F36CC41F6D272B3441198E8B56616E9A6C5A16303E562A62B4E6C27D16E9FADAF7E5A4AC7EFBD912883474302D5C9BB7D35C671DDECE68482A9472DAFA56B9AFF4E811A5BE7462FA6A988FED04178786DDB490A2010B8C178BD5601C23BBF5E3B1D13E86BB9980892B9999A6511FE2ECDAC681123745F676C155BB4627EFFAA65B1110B590A7FEE6D3359AED898D73C1B51AC8D534E94731934CCA9514F89E74C2BE5A799D8072C52399A7A647AF8F37F2D536C1B29D64214C490FE00565D912772256BF5E68F888E02FB704017F4D9FDD22E1C007A5FB4FCB51BC7A101DCAA56529231A59ACE14368268B7820C7C2BFBB0F5F78625E442C6EA83C88A9DEE318B2323AF0F3687ACF7B2B791D0B42B0576F0FF73E046DE1A56A5C2CBF6731E8D9485A02E9AD67D7752EBDBF3EBE703A760264363650CB9639B75985A9D00D210FFEBC93894E8E4BEAE7053FB6619BA9A8F0ECC4F822CF27606A6E58A8D5DAF55B519E7729B65A83FB859A3A028477BFBB7C8C01ABBE38EEDAAE11AA10ECC75868A281281792FA8D4EBDCC47DEB03868779A84D992D56612A8F46CAFADF65C5B32CFEA2974ECE34E4EDE9AF0AB4365C55D1A95FE551453BCFA5DF28CAF5AFA025CD5BD1CF86FB19AEB581135BFE2CBAA78643F209DE6A4D58206B0B236ADDD5A9122E8A21630907D0C5F23E86C151B8BFD8EA874DFF37DA7DE49D520DDAB7D074B37A726883211A788684A74D4E13A80CBC7655D8BBFF901CC44EF0A0368A3A69200695E277857AD620F2872D83224405A4DDD1E34AF68B72145AA442278C02DB7453AA8C184893AEBBCD4E15252CB8AF5972C49E047318362322CFAE99C38C5989A76C57E9D997BAACF6E13C19F66FCD618878D218DE7846C3D042E7E631B9AC126935AD6A3E15A659A3C4B9B5E521545A5A9B8A3CDFD21EADC2A5A74DBFA0769D63EC4F758D',
+        X'1A44F10CBD2579B378EF1ECE61005DBD0ED6189512B41293'
+    ),
+    (
+        X'22222222222222222222222222222222',
+        'ssh-rsa',
+        'hello world',
+        X'000000077373682D727361000000030100010000018100B021E0FE494231E75D4CFC9CED6DF524122F0E86717710BB066236D1ABF001CB4C7CB58964E998E5385836912300129A1334E549A7EF5E0EC4115D97E099038ACFBBA0AD2FE5D574F7F3FF122A97B59F75D8B62DCD921FF1A5BBFDCB55D77779A41ABD46528AEF8B2C0DA96370FCEC79387EED6AC1C0CED041AE979CBB880BEC6C17917711143F1C4D035548D273773D01E3F643463811B7339D9F4B3FC8D1FECF761C8878C135E2E600D9D230F11A3AD8E0415D1A923A398D108E9043F630A9B7BB1310927CA8A46455096E1A272BA56B6F06FEE5764E3C8AC85EA5DE408AED8EC549BE749FB231C1A2CC95DA0035DB009A9DFB2C622833A54CFCCB9FFB173159065F3335C6DDAFBB52A82CD5C327198C496C2A4404F1A544D82175F915954492A4488954B37C78C1F81B467A05F96CCC26146CDF517AF71674046947B11CE80B0E277B2ABA23915AF11E9A9F9D05717E1F0ED70341F470085569F88D8F5CBB8179605A0BF88537A57893329D15F1F8CA3582BE3612410F06568533F801602F',
+        X'AD54C319103CFBA088A4B70AEC743CDED7B0A3EE3DDE370BBD14AA4FA4EACBDD1BBE2FCEF499BB4EC4DDEA9D472F27BBF93453C612BF1689B714C9718212E78C0E1B2133AEB0E7C954413F6EBFC4155CC975A252962AB7C1BBEAE8DA8C6F990B9DE96313F0158AA8DD7896000AE2A4406080B81C37605B3986E463D5DEC01AC0BC4981A74BAF6413DF99119F65A337692885E9C5FBA9B483AA83783823981A0E66105083EB6CDB07AB93714AAF6AAF9A6239D256D8C9C56992AC846CF104E2B1B9DF96D0E67DF2EC9258E914EDFAA5AC36ABE3E9D5D641C92C6188D90D9B083DC3AFA9409B7809718279B52399145FE3173DA8E8A7E5C21715E0B140B22BFF8A0116E102B55C9BCB19B5B4FCCA88FBC5A2844E7E2AEC84ACA303BE8AC9448F93BB35366DFC2E38CEE31C66748847DA11CBB8A31F2CA4DD905362A8C513B6B8E3040EFCEC5BCFEB2E52902F33BF6DFEF911E56A00E51274C1548546DCA62261F94F580DCBAF7357F0C8F5058D2D1D5C91E0AAAB396A305E79350FC0F9879CAFD33316DB77586C36A8246F4D5A14EEC495CFCFA108B70A00008CE64ABC2EBC656DFE760612194B526BC1AE8C08325E3FE76999E6341D6C2BA35BA87CB9FB30A269891A0013E989246E80D5CF7590A66D8494CA79D5E2FD6A8FF7ECA1169379C2D45F4108BA5A796309D4CBDBEE6F45A0F6536B45666E1CF977B26612BC8108FCF32FF0D9296C9C414812C221032B2E5107CFCE1E4FCC2E07C5D31F1A1492732D0ECEB3920E50DFBCAA89561CE52436D23DA40D8678CE901BDC57C3F80233BBAF7AE5CA432547EB51DFBABF5B8BC94C0F6EAE47C94649CECE192D6436D609EE040A3AC059529E7CAAFA45D1B2E331E0E73BAFB1C6E05F71EBF28E222D2B15E724D5EBB3B9C3A709F0F9BCD41C87DF158BDCD3C1FCA86A8D4B57B98F4386AA6956BC3DC6BC2AF6A479560C1598B866935795C29F22CB93072E9D8D4D110AAC2B0F22CD8662354BF5D509750068613C052E88629EFF9488BD1C0B3E6FFD010A5B739F943234AA456F998B4DC7FA7B877961DE1CC744760712337B70971EED7AA4B97121F26298DCFDC2282D721CAB90098585ACFD31EC776EEE2C0211AB711BE94F31ED0D2BA4A9D8EFFC155FC68AB02EA1DC380A1525EF2BD14B55CC71210B54E5F55A8C3C876A6667EFA271095B1280B9ED6FAE9E73601A698FE2732756780BF453F927FD171F497F9C1FA6ADE7DC8187FEDA309E807E2E7895E1763DE1758E50035CE24D54A814745F05446FFD91F8E27770577384BBDC6E11E435658404533D32C461A0DB1CC6AE0847ABB744FB61C524CF9162E3660941CA3DA96F56EA5C036BF5E633C6CA0F033335AB5B623D08A024E87235FF8324B284FB981A9998DD0028A0DE54B4D6BE04C51E8D71DD09B3563C84E5C43826418365FB7912DFABDC5BB25BDE2C558DAC14AEED79F705F34E2D04F17829515C725675571EE1E4BDD21D8EBAA9C6075DE48EF8F2ED7814E20836A2721E46B5C71EE365CFE996A07ADABD84FE5B1E25EF5D9CC66B945084A4207004372AA792BA1BE97B67397635EA7DCC2F99C6AD5C394A8F4C0B7CBC87C38DE52F120993E6DC6BEA27D5B90D90E1C8F7626C860386121E53BE3D4F7B4005A69EB0334E118E70B7207CEDFCEE1EC2A30C789174AAA6531EAAD2E0BED7400CA44911E896E4C82DCA85ADBA92CA01B2CE75924AE81FE286C4CBD8073B7546313A75E52CA1882D8935D2F6058FECEBA4626B4445FCED2E9986632F9F5597C7BBD44F375027727D51B0033B87D23395EEC26EE06378B247B0C1469286F868828C942FCE2BF1BFFDC07CAEC1E214D37ADE737A7DFF082972C6E8411591BEE4B54BED231A7F856C022B26887ADD115A252807D3C58DCD8FB5D7D71DC3766C288438DB3D9D98FC8A22FEC92A7E6E3855ACD36BBEA79C5F98C7ABD9CCECB37C18C3315E5CC7B3BFF699FD201419F8EA402E422EFE62A25D4A76B2CCA0F6D43313BA7DF6537619FD2AE8ACF55B17F709961228076DBBB3592B6B7A1C3C271D54C06403902B0384492AE486E931DD63F68E739769E174D97EA46E7D780D03529EA21B418E0A68E44ED15AB9471B5F139E29EA25C7AE881E216A2863D6E908790002B0B1CC23B1DB3266CEACA2771BD661941AEDEE196316E8D8D7CE361C23E7C1BFFBFD0467329E948CD936B54C7313DC053F96BAFD139500ACB0CCDCA7C0AFBFEC02CFD31FECF4193C1E13F8E59378959BE3360C3B57BD325E5D87CA3D9CE08EFD00980200004D01EE4C6D4450C545A82BE0E1A527AE3432AD6500AF6C8B4400095D9CA7DAA0AA956DC8CD6A4336B876988128119997DB4847AFEFDF2CB8E3F88D5B66CC1E5A32229F79324063584C95C775C5D8D3B05956F0BC8432B9FB28D006247F1DF22C431515BDB4234C91B10CA20B5C05924CAAF82094C8C49123776F1C7170218FEC6C1D2D94F242277765EB9A6C48BE8751D92FFC4C3314155C7685940CA07BB70722D0B65585BC50253A9A6F793CD7A3269657B234C72EC8F2DD4F3B61A7260B3028FFB2B866A311E027C3D8D56592AB4795AA22452CBE37AEE68D7952EE473BB67CE6839E0F5DAA7C9B09F26CBF99CF5BF1181A41B683B9EA939A1823C3733B1EE8066614D3A692C99E5F9EA22231',
+        X'B9DF74AE34E4E7E17EA2EABECE5FD85B14ADB53EDB5BF27C'
+    ),
+    (
+        X'33333333333333333333333333333333',
+        'ssh-ed25519',
+        'hello world',
+        X'0000000B7373682D6564323535313900000020BBB05846908A7F4819CA69BE50E94658FD6F51D24FFECED678566D43E1DD6BF2',
+        X'7E3719254AB02100F159D971C17322CF51ECB60AC9E2CDA511EDFD88E75D9828A5A308F1F6A7D6919ED080FD0E6D3FAB64583A946334EE8870006AB7EDC57E6D7BCD145485D1F2A06D946B4DB69591467F289A5CD3BBF922FAAF5B54275F56CF81CC450DE4C8C0F24078C395BA02E8C646731FA6A50480392B13784FD2A85D094DDB8E73C56120936C02C3F94E910C23787FC307369239E264600BBE799EA851CE16FD653BE71D024AA73A582AACC390DD1F341C095788ECE6F4CC37D045A2BFFEC9F14AEBE73E43C6E78E00A9645C6A46D03F2847355DBCD33DA09C76148089A0FC1B3793AB5DA577B879D25EF7B8A8661387F19F392522CFD2886F6FEB65584841',
+        x'58E67EEE49A11FFDD9D32F63ED99053008091B415F87F1BA'
+    ),
+    (
+        X'44444444444444444444444444444444',
+        'ssh-ed25519',
+        'hello world',
+        X'0000000B7373682D65643235353139000000200491C64AD1D7E9C20D989937677C32EBE5FB35BCBA77422550A8FAA54C023923',
+        X'6BA994C263935729D807579173B377323F6353A88F660143EA92DE1E1A92F00682B8A1FAD838F0D211BD69855E8E34AE84D5A7B3C23F23A822B2AFF6E861BC81D89AFDDEB0DED063C84644B3EFEF2612DA1DA9C3C12EDAEFCBEA3542EA0ED1903FC1922E5F56E19FAD8CC75A2A30D64C83BF27ADE00E66BCCFE1CA67E95A00819F7BF91DDD22C4A1FB419E91B5D61544175D8D69EB5B416E6547DFD55CD386B62293B778322FB840D1F4DBBDCE2364A6FE4A7B090425031E7DB347314CEBD9BA09F85CC45CF3B4D02FE78B7F365D5C7E95331AA7A6F91A619E8A8663B77A31BAF639652D72B4FD11C8D430C8A1C5542C69DF4ACA74BAB7608B7E9ADD15BAF4674AFB',
+        X'46F31DCF22250039168D80F26D50C129C9AFDA166682C89A'
+    );

src-tauri/src/credentials/fixtures/ssh_ed25519_plain.json

@@ -1 +1 @@
-{"path":"./src/credentials/fixtures/ssh_ed25519_plain","algorithm":"ssh-ed25519","comment":"hello world","public_key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world","private_key":"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI\nBwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g\nAAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9\nb1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=\n-----END OPENSSH PRIVATE KEY-----\n"}
+{"algorithm":"ssh-ed25519","comment":"hello world","public_key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world","private_key":"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI\nBwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g\nAAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9\nb1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=\n-----END OPENSSH PRIVATE KEY-----\n"}

src-tauri/src/credentials/mod.rs

@@ -32,6 +32,7 @@ pub use ssh::SshKey;
 pub enum Credential {
     AwsBase(AwsBaseCredential),
     AwsSession(AwsSessionCredential),
+    Ssh(SshKey),
 }
 
 

src-tauri/src/credentials/record.rs

@@ -260,7 +260,7 @@ mod tests {
 
 
     #[sqlx::test]
-    async fn test_save_load(pool: SqlitePool) {
+    async fn test_save_load_aws(pool: SqlitePool) {
         let crypt = Crypto::random();
         let mut record = aws_record();
         record.id = random_uuid();

src-tauri/src/credentials/ssh.rs

@@ -1,11 +1,25 @@
+use std::fmt::{self, Formatter};
 use std::path::PathBuf;
 
+use chacha20poly1305::XNonce;
 use serde::{
     Deserialize,
+    Deserializer,
     Serialize,
     Serializer,
-    ser::Error,
+};
-    ser::SerializeStruct,
+use serde::ser::{
+    self,
+    Error as SerError,
+    SerializeStruct,
+};
+use serde::de::{self, Visitor};
+use sqlx::{
+    FromRow,
+    Sqlite,
+    SqlitePool,
+    Transaction,
+    types::Uuid,
 };
 use ssh_key::{
     Algorithm,
@@ -15,19 +29,37 @@ use ssh_key::{
 };
 
 use crate::errors::*;
+use super::{
+    Credential,
+    Crypto,
+    PersistentCredential,
+};
 
 
-#[derive(Debug, Clone, Eq, PartialEq)]
+#[derive(Debug, Clone, FromRow)]
+pub struct SshRow {
+    id: Uuid,
+    algorithm: String,
+    comment: String,
+    public_key: Vec<u8>,
+    private_key_enc: Vec<u8>,
+    nonce: Vec<u8>,
+}
+
+
+#[derive(Debug, Clone, Eq, PartialEq, Deserialize)]
 pub struct SshKey {
-    pub path: String,
+    #[serde(deserialize_with = "deserialize_algorithm")]
     pub algorithm: Algorithm,
     pub comment: String,
+    #[serde(deserialize_with = "deserialize_pubkey")]
     pub public_key: PublicKey,
+    #[serde(deserialize_with = "deserialize_privkey")]
     pub private_key: PrivateKey,
 }
 
 impl SshKey {
-    pub fn from_file(path: String, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+    pub fn from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
         let mut privkey = PrivateKey::read_openssh_file(path.as_ref())?;
         if privkey.is_encrypted() {
             privkey = privkey.decrypt(passphrase)
@@ -35,7 +67,6 @@ impl SshKey {
         }
 
         Ok(SshKey {
-            path,
             algorithm: privkey.algorithm(),
             comment: privkey.comment().into(),
             public_key: privkey.public_key().clone(),
@@ -45,10 +76,63 @@ impl SshKey {
 }
 
 
+impl PersistentCredential for SshKey {
+    type Row = SshRow;
+
+    fn type_name() -> &'static str { "ssh" }
+
+    fn into_credential(self) -> Credential { Credential::Ssh(self) }
+
+    fn row_id(row: &SshRow) -> Uuid { row.id }
+
+    fn from_row(row: SshRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
+        let nonce = XNonce::clone_from_slice(&row.nonce);
+        let privkey_bytes = crypto.decrypt(&nonce, &row.private_key_enc)?;
+
+        
+        let algorithm = Algorithm::new(&row.algorithm)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+        let public_key = PublicKey::from_bytes(&row.public_key)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+        let private_key = PrivateKey::from_bytes(&privkey_bytes)
+            .map_err(|_| LoadCredentialsError::InvalidData)?;
+
+        Ok(SshKey {
+            algorithm,
+            comment: row.comment,
+            public_key,
+            private_key,
+        })
+    }
+
+    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
+        let alg = self.algorithm.as_str();
+        let pubkey_bytes = self.public_key.to_bytes()?;
+        let privkey_bytes = self.private_key.to_bytes()?;
+        let (nonce, ciphertext) = crypto.encrypt(privkey_bytes.as_ref())?;
+        let nonce_bytes = nonce.as_slice();
+
+        sqlx::query!(
+            "INSERT OR REPLACE INTO ssh_credentials (
+                id,
+                algorithm,
+                comment,
+                public_key,
+                private_key_enc,
+                nonce
+            )
+            VALUES (?, ?, ?, ?, ?, ?)",
+            id, alg, self.comment, pubkey_bytes, ciphertext, nonce_bytes,
+        ).execute(&mut **txn).await?;
+
+        Ok(())
+    }
+}
+
+
 impl Serialize for SshKey {
     fn serialize<S: Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
         let mut key = s.serialize_struct("SshKey", 5)?;
-        key.serialize_field("path", &self.path)?;
         key.serialize_field("algorithm", self.algorithm.as_str())?;
         key.serialize_field("comment", &self.comment)?;
 
@@ -65,45 +149,183 @@ impl Serialize for SshKey {
 }
 
 
+struct PubkeyVisitor;
+
+impl<'de> Visitor<'de> for PubkeyVisitor {
+    type Value = PublicKey;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an OpenSSH-encoded public key, e.g. `ssh-rsa ...`")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        PublicKey::from_openssh(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_pubkey<'de, D>(deserializer: D) -> Result<PublicKey, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(PubkeyVisitor)
+}
+
+
+struct PrivkeyVisitor;
+
+impl<'de> Visitor<'de> for PrivkeyVisitor {
+    type Value = PrivateKey;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an OpenSSH-encoded private key")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        PrivateKey::from_openssh(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_privkey<'de, D>(deserializer: D) -> Result<PrivateKey, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(PrivkeyVisitor)
+}
+
+
+struct AlgorithmVisitor;
+
+impl<'de> Visitor<'de> for AlgorithmVisitor {
+    type Value = Algorithm;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an SSH key algorithm identifier, e.g. `ssh-rsa`")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
+        Algorithm::new(v)
+            .map_err(|e| E::custom(format!("{e}")))
+    }
+}
+
+fn deserialize_algorithm<'de, D>(deserializer: D) -> Result<Algorithm, D::Error>
+    where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(AlgorithmVisitor)
+}
+
+
+
 #[cfg(test)]
 mod tests {
+    use std::fs::{self, File};
+    use ssh_key::Fingerprint;
+    use sqlx::types::uuid::uuid;
     use super::*;
-    use std::fs;
 
     fn path(name: &str) -> String {
         format!("./src/credentials/fixtures/{name}")
     }
 
+    fn random_uuid() -> Uuid {
+        let bytes = Crypto::salt();
+        Uuid::from_slice(&bytes[..16]).unwrap()
+    }
 
-    #[test]
+    fn rsa_plain() -> SshKey {
-    fn test_load_rsa_plain() {
+        SshKey::from_file(&path("ssh_rsa_plain"), "")
-        let k = SshKey::from_file(path("ssh_rsa_plain"), "")
+            .expect("Failed to load SSH key")
-            .expect("Failed to load SSH key");
+    }
+
+    fn rsa_enc() -> SshKey {
+        SshKey::from_file(
+            &path("ssh_rsa_enc"),
+            "correct horse battery staple"
+        ).expect("Failed to load SSH key")
+    }
+
+    fn ed25519_plain() -> SshKey {
+        SshKey::from_file(&path("ssh_ed25519_plain"), "")
+            .expect("Failed to load SSH key")
+    }
+
+    fn ed25519_enc() -> SshKey {
+        SshKey::from_file(
+            &path("ssh_ed25519_enc"),
+            "correct horse battery staple"
+        ).expect("Failed to load SSH key")
     }
 
 
     #[test]
-    fn test_load_rsa_enc() {
+    fn test_from_file_rsa_plain() {
-        let k = SshKey::from_file(
+        let k = rsa_plain();
-            path("ssh_rsa_enc"),
+        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
-            "correct horse battery staple",
+        assert_eq!(&k.comment, "hello world");
-        ).expect("Failed to load SSH key");
+        
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [90,162,92,235,160,164,88,179,144,234,84,135,1,249,9,206,
+            201,172,233,129,82,11,145,191,186,144,209,43,81,119,197,18],
+        );
     }
 
 
     #[test]
-    fn test_load_ed25519_plain() {
+    fn test_from_file_rsa_enc() {
-        let k = SshKey::from_file(path("ssh_ed25519_plain"), "")
+        let k = rsa_enc();
-            .expect("Failed to load SSH key");
+        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
+        assert_eq!(&k.comment, "hello world");
+        
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [254,147,219,185,96,234,125,190,195,128,37,243,214,193,8,162,
+            34,237,126,199,241,91,195,251,232,84,144,120,25,63,224,157],
+        );
     }
 
 
     #[test]
-    fn test_load_ed25519_enc() {
+    fn test_from_file_ed25519_plain() {
-        let k = SshKey::from_file(
+        let k = ed25519_plain();
-            path("ssh_ed25519_enc"),
+        assert_eq!(k.algorithm.as_str(),"ssh-ed25519");
-            "correct horse battery staple",
+        assert_eq!(&k.comment, "hello world");
-        ).expect("Failed to load SSH key");
+        
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [29,30,193,72,239,167,35,89,1,206,126,186,123,112,78,187,
+            240,59,1,15,107,189,72,30,44,64,114,216,32,195,22,201],
+        );
+    }
+
+
+    #[test]
+    fn test_from_file_ed25519_enc() {
+        let k = ed25519_enc();
+        assert_eq!(k.algorithm.as_str(), "ssh-ed25519");
+        assert_eq!(&k.comment, "hello world");
+        
+        assert_eq!(
+            k.public_key.fingerprint(Default::default()),
+            k.private_key.fingerprint(Default::default()),
+        );
+        assert_eq!(
+            k.private_key.fingerprint(Default::default()).as_bytes(),
+            [87,233,161,170,18,47,245,116,30,177,120,211,248,54,65,255,
+            41,45,113,107,182,221,189,167,110,9,245,254,44,6,118,141],
+        );
     }
 
 
@@ -111,10 +333,61 @@ mod tests {
     fn test_serialize() {
         let expected = fs::read_to_string(path("ssh_ed25519_plain.json")).unwrap();
 
-        let k = SshKey::from_file(path("ssh_ed25519_plain"), "").unwrap();
+        let k = ed25519_plain();
         let computed = serde_json::to_string(&k)
             .expect("Failed to serialize SshKey");
 
         assert_eq!(expected, computed);
     }
+
+
+    #[test]
+    fn test_deserialize() {
+        let expected = ed25519_plain();
+
+        let json_file = File::open(path("ssh_ed25519_plain.json")).unwrap();
+        let computed = serde_json::from_reader(json_file)
+            .expect("Failed to deserialize json file");
+
+        assert_eq!(expected, computed);
+    }
+
+
+    #[sqlx::test]
+    async fn test_save_db(pool: SqlitePool) {
+        let crypto = Crypto::random();
+        let k = rsa_plain();
+        let mut txn = pool.begin().await.unwrap();
+        k.save_details(&random_uuid(), &crypto, &mut txn).await
+            .expect("Failed to save SSH key to database");
+        txn.commit().await.expect("Failed to finalize transaction");
+    }
+
+
+    #[sqlx::test(fixtures("ssh_credentials"))]
+    async fn test_load_db(pool: SqlitePool) {
+        let crypto = Crypto::fixed();
+        let id = uuid!("11111111-1111-1111-1111-111111111111");
+        let k = SshKey::load(&id, &crypto, &pool).await
+            .expect("Failed to load SSH key from database");
+    }
+
+
+    #[sqlx::test]
+    async fn test_save_load_db(pool: SqlitePool) {
+        let crypto = Crypto::random();
+        let id = uuid!("7bc994dd-113a-4841-bcf7-b47c2fffdd25");
+        let known = ed25519_plain();
+        let mut txn = pool.begin().await.unwrap();
+        known.save_details(&id, &crypto, &mut txn).await.unwrap();
+        txn.commit().await.unwrap();
+
+        let loaded = SshKey::load(&id, &crypto, &pool).await.unwrap();
+
+        assert_eq!(known.algorithm, loaded.algorithm);
+        assert_eq!(known.comment, loaded.comment);
+        // comment gets stripped by saving as bytes, so we just compare raw key data
+        assert_eq!(known.public_key.key_data(), loaded.public_key.key_data());
+        assert_eq!(known.private_key, loaded.private_key);
+    }
 }

src-tauri/src/errors.rs

@@ -277,6 +277,8 @@ pub enum SaveCredentialsError {
     NotPersistent,
     #[error("A credential with that name already exists")]
     Duplicate,
+    #[error("Failed to save credentials: {0}")]
+    Encode(#[from] ssh_key::Error),
     // rekeying is fundamentally a save operation,
     // but involves loading in order to re-save
     #[error(transparent)]

src-tauri/src/ipc.rs

@@ -136,7 +136,7 @@ pub async fn list_credentials(app_state: State<'_, AppState>) -> Result<Vec<Cred
 
 
 #[tauri::command]
-pub async fn sshkey_from_file(path: String, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
+pub async fn sshkey_from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
     SshKey::from_file(path, passphrase)
 }