v0.5.0

finish SSH key support
fix compiler warnings
2024-07-03 14:56:35 -04:00 · 2024-07-03 14:54:10 -04:00 · 2024-07-03 06:47:25 -04:00 · 2024-07-03 06:33:58 -04:00 · 2024-07-02 09:57:02 -04:00 · 2024-07-01 13:27:20 -04:00
50 changed files with 1575 additions and 839 deletions
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "creddy",
-  "version": "0.4.9",
+  "version": "0.5.0",
  "scripts": {
    "dev": "vite",
    "build": "vite build",
--- a/src-tauri/Cargo.lock
+++ b/src-tauri/Cargo.lock
@ -1204,9 +1204,11 @@ dependencies = [
 "aws-sdk-sts",
 "aws-smithy-types",
 "aws-types",
 "base64 0.22.1",
 "chacha20poly1305",
 "clap",
 "dirs 5.0.1",
 "futures",
 "is-terminal",
 "once_cell",
 "rfd 0.13.0",
@ -1230,6 +1232,7 @@ dependencies = [
 "time",
 "tokio",
 "tokio-stream",
 "tokio-util",
 "which",
 "windows 0.51.1",
 ]
--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "creddy"
-version = "0.4.9"
+version = "0.5.0"
 description = "A friendly AWS credentials manager"
 authors = ["Joseph Montanaro"]
 license = ""
@ -56,6 +56,8 @@ ssh-key = { version = "0.6.6", features = ["rsa", "ed25519", "encryption"] }
 signature = "2.2.0"
 tokio-stream = "0.1.15"
 sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "uuid"] }
 tokio-util = { version = "0.7.11", features = ["codec"] }
 futures = "0.3.30"
 [features]
 # by default Tauri runs in production mode
@ -65,5 +67,8 @@ default = ["custom-protocol"]
 # DO NOT remove this
 custom-protocol = ["tauri/custom-protocol"]
 [dev-dependencies]
 base64 = "0.22.1"
 # [profile.dev.build-override]
 # opt-level = 3
--- a/src-tauri/migrations/20240617142724_credential_split.sql
+++ b/src-tauri/migrations/20240617142724_credential_split.sql
@ -69,9 +69,12 @@ DROP TABLE aws_tmp;
 -- SSH keys are the new hotness
-CREATE TABLE ssh_keys (
+CREATE TABLE ssh_credentials (
-    name TEXT UNIQUE NOT NULL,
+    id BLOB UNIQUE NOT NULL,
    algorithm TEXT NOT NULL,
    comment TEXT NOT NULL,
    public_key BLOB NOT NULL,
    private_key_enc BLOB NOT NULL,
-    nonce BLOB NOT NULL
+    nonce BLOB NOT NULL,
    FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE
 );
--- a/src-tauri/src/_credentials.rs
+++ b/src-tauri/src/_credentials.rs
@ -1,350 +0,0 @@
 use std::fmt::{self, Formatter};
 use std::time::{SystemTime, UNIX_EPOCH};
 use aws_smithy_types::date_time::{DateTime, Format};
 use argon2::{
    Argon2,
    Algorithm,
    Version,
    ParamsBuilder,
    password_hash::rand_core::{RngCore, OsRng},
 };
 use chacha20poly1305::{
    XChaCha20Poly1305,
    XNonce,
    aead::{
        Aead,
        AeadCore,
        KeyInit,
        Error as AeadError,
        generic_array::GenericArray,
    },
 };
 use serde::{
    Serialize,
    Deserialize,
    Serializer,
    Deserializer,
 };
 use serde::de::{self, Visitor};
 use sqlx::SqlitePool;
 use crate::errors::*;
 #[derive(Clone, Debug)]
 pub enum Session {
    Unlocked{
        base: BaseCredentials,
        session: SessionCredentials,
    },
    Locked(LockedCredentials),
    Empty,
 }
 impl Session {
    pub async fn load(pool: &SqlitePool) -> Result<Self, SetupError> {
        let res = sqlx::query!("SELECT * FROM credentials ORDER BY created_at desc")
            .fetch_optional(pool)
            .await?;
        let row = match res {
            Some(r) => r,
            None => {return Ok(Session::Empty);}
        };
        let salt: [u8; 32] = row.salt
            .try_into()
            .map_err(|_e| SetupError::InvalidRecord)?;
        let nonce = XNonce::from_exact_iter(row.nonce.into_iter())
            .ok_or(SetupError::InvalidRecord)?;
        let creds = LockedCredentials {
            access_key_id: row.access_key_id,
            secret_key_enc: row.secret_key_enc,
            salt,
            nonce,
        };
        Ok(Session::Locked(creds))
    }
    pub async fn renew_if_expired(&mut self) -> Result<bool, GetSessionError> {
        match self {
            Session::Unlocked{ref base, ref mut session} => {
                if !session.is_expired() {
                    return Ok(false);
                }
                *session = SessionCredentials::from_base(base).await?;
                Ok(true)
            },
            Session::Locked(_) => Err(GetSessionError::CredentialsLocked),
            Session::Empty => Err(GetSessionError::CredentialsEmpty),
        }
    }
    pub fn try_get(
        &self
    ) -> Result<(&BaseCredentials, &SessionCredentials), GetCredentialsError> {
        match self {
            Self::Empty => Err(GetCredentialsError::Empty),
            Self::Locked(_) => Err(GetCredentialsError::Locked),
            Self::Unlocked{ ref base, ref session } => Ok((base, session))
        }
    }
 }
 #[derive(Clone, Debug)]
 pub struct LockedCredentials {
    pub access_key_id: String,
    pub secret_key_enc: Vec<u8>,
    pub salt: [u8; 32],
    pub nonce: XNonce,
 }
 impl LockedCredentials {
    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::Error> {
        sqlx::query(
            "INSERT INTO credentials (access_key_id, secret_key_enc, salt, nonce, created_at)
            VALUES (?, ?, ?, ?, strftime('%s'))"
        )
            .bind(&self.access_key_id)
            .bind(&self.secret_key_enc)
            .bind(&self.salt[..])
            .bind(&self.nonce[..])
            .execute(pool)
            .await?;
        Ok(())
    }
    pub fn decrypt(&self, passphrase: &str) -> Result<BaseCredentials, UnlockError> {
        let crypto = Crypto::new(passphrase, &self.salt)
            .map_err(|e| CryptoError::Argon2(e))?;
        let decrypted = crypto.decrypt(&self.nonce, &self.secret_key_enc)
            .map_err(|e| CryptoError::Aead(e))?;
        let secret_access_key = String::from_utf8(decrypted)
            .map_err(|_| UnlockError::InvalidUtf8)?;
        let creds = BaseCredentials::new(
            self.access_key_id.clone(),
            secret_access_key,
        );
        Ok(creds)
    }
 }
 fn default_credentials_version() -> usize { 1 }
 #[derive(Clone, Debug, Serialize, Deserialize)]
 #[serde(rename_all = "PascalCase")]
 pub struct BaseCredentials {
    #[serde(default = "default_credentials_version")]
    pub version: usize,
    pub access_key_id: String,
    pub secret_access_key: String,
 }
 impl BaseCredentials {
    pub fn new(access_key_id: String, secret_access_key: String) -> Self {
        Self {version: 1, access_key_id, secret_access_key}
    }
    pub fn encrypt(&self, passphrase: &str) -> Result<LockedCredentials, CryptoError> {
        let salt = Crypto::salt();
        let crypto = Crypto::new(passphrase, &salt)?;
        let (nonce, secret_key_enc) = crypto.encrypt(self.secret_access_key.as_bytes())?;
        let locked = LockedCredentials {
            access_key_id: self.access_key_id.clone(),
            secret_key_enc,
            salt,
            nonce,
        };
        Ok(locked)
    }
 }
 #[derive(Clone, Debug, Serialize, Deserialize)]
 #[serde(rename_all = "PascalCase")]
 pub struct SessionCredentials {
    #[serde(default = "default_credentials_version")]
    pub version: usize,
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: String,
    #[serde(serialize_with = "serialize_expiration")]
    #[serde(deserialize_with = "deserialize_expiration")]
    pub expiration: DateTime,
 }
 impl SessionCredentials {
    pub async fn from_base(base: &BaseCredentials) -> Result<Self, GetSessionError> {
        let req_creds = aws_sdk_sts::Credentials::new(
            &base.access_key_id,
            &base.secret_access_key,
            None, // token
            None, //expiration
            "Creddy", // "provider name" apparently
        );
        let config = aws_config::from_env()
            .credentials_provider(req_creds)
            .load()
            .await;
        let client = aws_sdk_sts::Client::new(&config);
        let resp = client.get_session_token()
            .duration_seconds(43_200)
            .send()
            .await?;
        let aws_session = resp.credentials().ok_or(GetSessionError::EmptyResponse)?;
        let access_key_id = aws_session.access_key_id()
            .ok_or(GetSessionError::EmptyResponse)?
            .to_string();
        let secret_access_key = aws_session.secret_access_key()
            .ok_or(GetSessionError::EmptyResponse)?
            .to_string();
        let session_token = aws_session.session_token()
            .ok_or(GetSessionError::EmptyResponse)?
            .to_string();
        let expiration = aws_session.expiration()
            .ok_or(GetSessionError::EmptyResponse)?
            .clone();
        let session_creds = SessionCredentials {
            version: 1,
            access_key_id,
            secret_access_key,
            session_token,
            expiration,
        };
        #[cfg(debug_assertions)]
        println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap());
        Ok(session_creds)
    }
    pub fn is_expired(&self) -> bool {
        let current_ts = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap() // doesn't panic because UNIX_EPOCH won't be later than now()
            .as_secs();
        let expire_ts = self.expiration.secs();
        let remaining = expire_ts - (current_ts as i64);
        remaining < 60
    }
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub enum Credentials {
    Base(BaseCredentials),
    Session(SessionCredentials),
 }
 fn serialize_expiration<S>(exp: &DateTime, serializer: S) -> Result<S::Ok, S::Error>
 where S: Serializer
 {
    // this only fails if the d/t is out of range, which it can't be for this format
    let time_str = exp.fmt(Format::DateTime).unwrap();
    serializer.serialize_str(&time_str)
 }
 struct DateTimeVisitor;
 impl<'de> Visitor<'de> for DateTimeVisitor {
    type Value = DateTime;
    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
        write!(formatter, "an RFC 3339 UTC string, e.g. \"2014-01-05T10:17:34Z\"")
    }
    fn visit_str<E: de::Error>(self, v: &str) -> Result<DateTime, E> {
        DateTime::from_str(v, Format::DateTime)
            .map_err(|_| E::custom(format!("Invalid date/time: {v}")))
    }
 }
 fn deserialize_expiration<'de, D>(deserializer: D) -> Result<DateTime, D::Error>
 where D: Deserializer<'de>
 {
    deserializer.deserialize_str(DateTimeVisitor)
 }
 struct Crypto {
    cipher: XChaCha20Poly1305,
 }
 impl Crypto {
    /// Argon2 params rationale:
    ///
    /// m_cost is measured in KiB, so 128 * 1024 gives us 128MiB.
    /// This should roughly double the memory usage of the application
    /// while deriving the key.
    ///
    /// p_cost is irrelevant since (at present) there isn't any parallelism
    /// implemented, so we leave it at 1.
    ///
    /// With the above m_cost, t_cost = 8 results in about 800ms to derive
    /// a key on my (somewhat older) CPU. This is probably overkill, but
    /// given that it should only have to happen ~once a day for most 
    /// usage, it should be acceptable.
    #[cfg(not(debug_assertions))]
    const MEM_COST: u32 = 128 * 1024;
    #[cfg(not(debug_assertions))]
    const TIME_COST: u32 = 8;
    /// But since this takes a million years without optimizations,
    /// we turn it way down in debug builds.
    #[cfg(debug_assertions)]
    const MEM_COST: u32 = 48 * 1024;
    #[cfg(debug_assertions)]
    const TIME_COST: u32 = 1;
    fn new(passphrase: &str, salt: &[u8]) -> argon2::Result<Crypto> {
        let params = ParamsBuilder::new()
            .m_cost(Self::MEM_COST)
            .p_cost(1)
            .t_cost(Self::TIME_COST)
            .build()
            .unwrap(); // only errors if the given params are invalid
        let hasher = Argon2::new(
            Algorithm::Argon2id,
            Version::V0x13,
            params,
        );
        let mut key = [0; 32];
        hasher.hash_password_into(passphrase.as_bytes(), &salt, &mut key)?;
        let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key));
        Ok(Crypto { cipher })
    }
    fn salt() -> [u8; 32] {
        let mut salt = [0; 32];
        OsRng.fill_bytes(&mut salt);
        salt
    }
    fn encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), AeadError> {
        let nonce = XChaCha20Poly1305::generate_nonce(&mut OsRng);
        let ciphertext = self.cipher.encrypt(&nonce, data)?;
        Ok((nonce, ciphertext))
    }
    fn decrypt(&self, nonce: &XNonce, data: &[u8]) -> Result<Vec<u8>, AeadError> {
        self.cipher.decrypt(nonce, data)
    }
 }
--- a/src-tauri/src/app.rs
+++ b/src-tauri/src/app.rs
@ -2,10 +2,6 @@ use std::error::Error;
 use std::time::Duration;
 use once_cell::sync::OnceCell;
 use rfd::{
    MessageDialog,
    MessageLevel,
 };
 use sqlx::{
    SqlitePool,
    sqlite::SqlitePoolOptions,
@ -25,7 +21,7 @@ use crate::{
    config::{self, AppConfig},
    credentials::AppSession,
    ipc,
-    server::Server,
+    srv::{creddy_server, agent},
    errors::*,
    shortcuts,
    state::AppState,
@ -56,6 +52,7 @@ pub fn run() -> tauri::Result<()> {
            ipc::save_credential,
            ipc::delete_credential,
            ipc::list_credentials,
            ipc::sshkey_from_file,
            ipc::get_config,
            ipc::save_config,
            ipc::launch_terminal,
@ -108,7 +105,8 @@ async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
    };
    let app_session = AppSession::load(&pool).await?;
-    Server::start(app.handle().clone())?;
+    creddy_server::serve(app.handle().clone())?;
    agent::serve(app.handle().clone())?;
    config::set_auto_launch(conf.start_on_login)?;
    if let Err(_e) = config::set_auto_launch(conf.start_on_login) {
--- a/src-tauri/src/bin/agent.rs
+++ b/src-tauri/src/bin/agent.rs
@ -1,7 +0,0 @@
 use creddy::server::ssh_agent;
 #[tokio::main]
 async fn main() {
    ssh_agent::run().await;
 }
--- a/src-tauri/src/bin/key.rs
+++ b/src-tauri/src/bin/key.rs
@ -1,13 +0,0 @@
 use ssh_key::private::PrivateKey;
 fn main() {
    // let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap();
    let p = AsRef::<std::path::Path>::as_ref("/home/joe/.ssh/test");
    let privkey = PrivateKey::read_openssh_file(p)
        .unwrap();
        // .decrypt(passphrase.as_bytes())
        // .unwrap();
    dbg!(String::from_utf8_lossy(&privkey.to_bytes().unwrap()));
 }
--- a/src-tauri/src/cli.rs
+++ b/src-tauri/src/cli.rs
@ -13,7 +13,11 @@ use clap::{
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use crate::errors::*;
-use crate::server::{Request, Response};
+use crate::srv::{
    self,
    Request,
    Response
 };
 use crate::shortcuts::ShortcutAction;
 #[cfg(unix)]
@ -47,6 +51,10 @@ pub fn parser() -> Command<'static> {
                        .action(ArgAction::SetTrue)
                        .help("Use base credentials instead of session credentials")
                )
                .arg(
                    Arg::new("name")
                        .help("If unspecified, use default credentials")
                )
        )
        .subcommand(
            Command::new("exec")
@ -59,6 +67,12 @@ pub fn parser() -> Command<'static> {
                        .action(ArgAction::SetTrue)
                        .help("Use base credentials instead of session credentials")
                )
                .arg(
                    Arg::new("name")
                        .short('n')
                        .long("name")
                        .help("If unspecified, use default credentials")
                )
                .arg(
                    Arg::new("command")
                        .multiple_values(true)
@ -78,8 +92,10 @@ pub fn parser() -> Command<'static> {
 pub fn get(args: &ArgMatches) -> Result<(), CliError> {
-    let base = args.get_one("base").unwrap_or(&false);
+    let name = args.get_one("name").cloned();
-    let output = match make_request(&Request::GetAwsCredentials { base: *base })? {
+    let base = *args.get_one("base").unwrap_or(&false);
    let output = match make_request(&Request::GetAwsCredentials { name, base })? {
        Response::AwsBase(creds) => serde_json::to_string(&creds).unwrap(),
        Response::AwsSession(creds) => serde_json::to_string(&creds).unwrap(),
        r => return Err(RequestError::Unexpected(r).into()),
@ -90,6 +106,7 @@ pub fn get(args: &ArgMatches) -> Result<(), CliError> {
 pub fn exec(args: &ArgMatches) -> Result<(), CliError> {
    let name = args.get_one("name").cloned();
    let base = *args.get_one("base").unwrap_or(&false);
    let mut cmd_line = args.get_many("command")
        .ok_or(ExecError::NoCommand)?;
@ -98,7 +115,7 @@ pub fn exec(args: &ArgMatches) -> Result<(), CliError> {
    let mut cmd = ChildCommand::new(cmd_name);
    cmd.args(cmd_line);
-    match make_request(&Request::GetAwsCredentials { base })? {
+    match make_request(&Request::GetAwsCredentials { name, base })? {
        Response::AwsBase(creds) => {
            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
@ -178,7 +195,8 @@ async fn make_request(req: &Request) -> Result<Response, RequestError> {
 async fn connect() -> Result<NamedPipeClient, std::io::Error> {
    // apparently attempting to connect can fail if there's already a client connected
    loop {
-        match ClientOptions::new().open(r"\\.\pipe\creddy-requests") {
+        let addr = srv::addr("creddy-server");
        match ClientOptions::new().open(&addr) {
            Ok(stream) => return Ok(stream),
            Err(e) if e.raw_os_error() == Some(ERROR_PIPE_BUSY.0 as i32) => (),
            Err(e) => return Err(e),
@ -190,5 +208,6 @@ async fn connect() -> Result<NamedPipeClient, std::io::Error> {
 #[cfg(unix)]
 async fn connect() -> Result<UnixStream, std::io::Error> {
-    UnixStream::connect("/tmp/creddy.sock").await
+    let path = srv::addr("creddy-server");
    UnixStream::connect(&path).await
 }
--- a/src-tauri/src/clientinfo.rs
+++ b/src-tauri/src/clientinfo.rs
@ -1,6 +1,12 @@
 use std::path::{Path, PathBuf};
-use sysinfo::{System, SystemExt, Pid, PidExt, ProcessExt};
+use sysinfo::{
    System,
    SystemExt,
    Pid,
    PidExt,
    ProcessExt
 };
 use serde::{Serialize, Deserialize};
 use crate::errors::*;
@ -13,23 +19,25 @@ pub struct Client {
 }
-pub fn get_process_parent_info(pid: u32) -> Result<Client, ClientInfoError> {
+pub fn get_client(pid: u32, parent: bool) -> Result<Client, ClientInfoError> {
    let sys_pid = Pid::from_u32(pid);
    let mut sys = System::new();   
    sys.refresh_process(sys_pid);
-    let proc = sys.process(sys_pid)
+    let mut proc = sys.process(sys_pid)
        .ok_or(ClientInfoError::ProcessNotFound)?;
    if parent {
        let parent_pid_sys = proc.parent()
            .ok_or(ClientInfoError::ParentPidNotFound)?;
        sys.refresh_process(parent_pid_sys);
-    let parent = sys.process(parent_pid_sys)
+        proc = sys.process(parent_pid_sys)
            .ok_or(ClientInfoError::ParentProcessNotFound)?;
    }
-    let exe = match parent.exe() {
+    let exe = match proc.exe() {
        p if p == Path::new("") => None,
        p => Some(PathBuf::from(p)),
    };
-    Ok(Client { pid: parent_pid_sys.as_u32(), exe })
+    Ok(Client { pid: proc.pid().as_u32(), exe })
 }
--- a/src-tauri/src/credentials/fixtures/ssh_credentials.sql
+++ b/src-tauri/src/credentials/fixtures/ssh_credentials.sql
@ -0,0 +1,34 @@
 INSERT INTO ssh_credentials (id, algorithm, comment, public_key, private_key_enc, nonce)
 VALUES
    (
        X'11111111111111111111111111111111',
        'ssh-rsa',
        'hello world',
        X'000000077373682D727361000000030100010000018100C4ABCE6D69400912EBAD527733401E30EBF3DC9433B79C8E343D7AFBE19A9F309934822577D9807346B48D4FB0604D022DA826E5624635E4CE19851AA5D30DFD2007DE99B04AE4C2F00823DFFC3C8DDE62F074831C1F8903067C83DCCD7D9CEE8643C93C5291F6B5047F53646A37C84098934FFDE5882B5DD7696CDDC4421C39E2894768CFD6650CE585E35A3F739B015650AA469ABDEFC6987E55DAFEC7D40B4388654ED3205D18528D881927C42CBE210CCF6F49A90619AD6E6ACBF1768D7EC52FF9CB85BE607B9414961566292016875164C1C1D1FBD4C3569D4424A7F19D043ABCDEE50573DFC4FC7F2C2718AA76528FA226C0DD5530DC705C30901E1BDE88FE5CC35CAE5AB8826D1E7F970DBED0A0F7E9833CFC7323A1F1323528D5CC3C00AEB98165D677CAF64BD69729132264D971B5C491D0AEAF53AAD22D03756B2E43754502E84488117EEBB962CCDF5DF59682C1E9BA472D5AB9B83DB2862E7EA380E8FD20DE9368CABCBBC5C95C233A52DE5DFE5E91CB59019D00B529C70C4305',
        X'DB9B6A3B97FBAE6AC12BDAF9DA57DBEE4DDF6A92DD682958AF147FF5EF64C18255D2A1714D543F2D16BEFD7ED4C419C7A0E9C18754C4CAA251BCFA5AA46508B006CDB08A7C0DB63D8A7FE27F99CCC2F351203B36D2BC3D02302318ECC741574CEF70D956C5CCA41E538F2CA29B20E04778A596B0C3E5CD991A423443B01E3F811E004E2547C5D3DDAEBCFBFB68CDB03D0C16538224BBAA0A80767D64D8F3D2840975DD12B4F648F81B4D4B541CB500BAA99F9808F450A02688D583A924B8AE2B0BE777BC35CE808FD53B5DB8C0838D24A6CE31C3973880CF3174E63E3404F2E77783140A62DDBA06F9CD89ADE448A54FBCBD6C0EC8C0641724CDDEF2A8126EC0D0F5BDF89EB8112366D7EB6D3CE3565DF9E4036EAF3109E50BED5D7BD3558FFF69AD823F6522C5701CE26BCAFCC03D27D87547728A3C700719FF564EAEC961FA209252B113B404D75AD67CA4E40C5DAA36E9B0FB4ECDD6E5F853C81682123E8DF311A3C495F61A2CEE6A2B04C7FD3D0906583B9C724BC0D00D71106B7167983D6A0FBD3EA7361EE063A0B05E5A6B5CD82D0F795820BFC90E4F422E7CE2BDEBEAEE9493F5408F38732EB41741F15632185131CD6160433DD286869DF38679F6797A268EDE8ED0F442C4394FF52EFDE82EBEC5871A087288F7A12964615DA5AA02149FB661B0F76551CD53771B0DD180837A9D52A2BDF4757C4CF56DCD90B968F32B9F9EE5EE09EF5B791DB0366A4E6CCBBF0AF7D9CB5B7760BABAF4DE16BCC971DC95DCBD068A92DB8E8C709C0FBE9E2AB5B770EDFBCC6FB5045B706FB31DDEB6C52647618CD3B222CEF2DFD8D08ABAE6333A2E3C8768B8DB970BFF1777B75AE6DCE54DA7063F76846EFBDB92E55192A031DBA889D9DEDB0BF0FAA2FA6B4A0B0151B6F03D142D6B140EBB874CAF0A44D67AAD121127946DA90A14176EBB7B6C03DD2034987A100855E23F440CF6A404DEE46617B52581C7A248B7393FF56D8652855B23D19C35E1B535E5EC5EE87F3FF455458A740A55CDCB806053D4BCF44CDC2D76A1998418A60E11728BBC69F12C7E52A539E3834362C47A3E1863D265B3A7C2A41FA1953BB0FC64508679BB5F068DAF84C394A1497D564A3D6023B90D9A1C50E30FDC3E1C9B925EB0C19F960E7377B0678D662362129677E4B9AA515D2E4408A17A260D862F3C5D4291841855B91FE6EEA11C8E8EC19449CD9C31E6505BA364A45E7E3B89C5FA1C55708AF521F97440CED0ED0FAF06B7930E6A6F3A2B547E33EF73163D4C2E75B1AFA24BEB3129FFA978BC4EC43D0919ED262C0BE29AB78A87A57EAA55D51BE479A9E4015F9C3F2381745808AECF3783DEF5AB82E37C6EF68B97485CD36F7018B59C37E0EB93EAA32385E5E8CB95A5A3818B70F4CBE6102FC197946AAAAAABAD8B93750031CAC73C3F1B6B2F825B29435F2426B6AFABE35B1F8468E5A1CF73CC78E2FBB639AEFC171B7AD5D1728A536AB384B3F4AE924D5CEFA3F5EE5412094AE97303B8E728C7ACBCD9F9FB7C4FE7893145A55D96B7EDC1DD6257368C03AAC98B4F23D9AF15EF730BFD3FF09C2A11747035C8FD58EF97003503F568090C02A63117F3304989CFBAF20A281A729C8A8A4470524B3FDD2B4183E78BDE58BBB0B58B16D1E81702E58E225F7EED1A8E7F3920870FC9EE44D1433EEB39248A38108000EC1E151A26399A3F36CC41F6D272B3441198E8B56616E9A6C5A16303E562A62B4E6C27D16E9FADAF7E5A4AC7EFBD912883474302D5C9BB7D35C671DDECE68482A9472DAFA56B9AFF4E811A5BE7462FA6A988FED04178786DDB490A2010B8C178BD5601C23BBF5E3B1D13E86BB9980892B9999A6511FE2ECDAC681123745F676C155BB4627EFFAA65B1110B590A7FEE6D3359AED898D73C1B51AC8D534E94731934CCA9514F89E74C2BE5A799D8072C52399A7A647AF8F37F2D536C1B29D64214C490FE00565D912772256BF5E68F888E02FB704017F4D9FDD22E1C007A5FB4FCB51BC7A101DCAA56529231A59ACE14368268B7820C7C2BFBB0F5F78625E442C6EA83C88A9DEE318B2323AF0F3687ACF7B2B791D0B42B0576F0FF73E046DE1A56A5C2CBF6731E8D9485A02E9AD67D7752EBDBF3EBE703A760264363650CB9639B75985A9D00D210FFEBC93894E8E4BEAE7053FB6619BA9A8F0ECC4F822CF27606A6E58A8D5DAF55B519E7729B65A83FB859A3A028477BFBB7C8C01ABBE38EEDAAE11AA10ECC75868A281281792FA8D4EBDCC47DEB03868779A84D992D56612A8F46CAFADF65C5B32CFEA2974ECE34E4EDE9AF0AB4365C55D1A95FE551453BCFA5DF28CAF5AFA025CD5BD1CF86FB19AEB581135BFE2CBAA78643F209DE6A4D58206B0B236ADDD5A9122E8A21630907D0C5F23E86C151B8BFD8EA874DFF37DA7DE49D520DDAB7D074B37A726883211A788684A74D4E13A80CBC7655D8BBFF901CC44EF0A0368A3A69200695E277857AD620F2872D83224405A4DDD1E34AF68B72145AA442278C02DB7453AA8C184893AEBBCD4E15252CB8AF5972C49E047318362322CFAE99C38C5989A76C57E9D997BAACF6E13C19F66FCD618878D218DE7846C3D042E7E631B9AC126935AD6A3E15A659A3C4B9B5E521545A5A9B8A3CDFD21EADC2A5A74DBFA0769D63EC4F758D',
        X'1A44F10CBD2579B378EF1ECE61005DBD0ED6189512B41293'
    ),
    (
        X'22222222222222222222222222222222',
        'ssh-rsa',
        'hello world',
        X'000000077373682D727361000000030100010000018100B021E0FE494231E75D4CFC9CED6DF524122F0E86717710BB066236D1ABF001CB4C7CB58964E998E5385836912300129A1334E549A7EF5E0EC4115D97E099038ACFBBA0AD2FE5D574F7F3FF122A97B59F75D8B62DCD921FF1A5BBFDCB55D77779A41ABD46528AEF8B2C0DA96370FCEC79387EED6AC1C0CED041AE979CBB880BEC6C17917711143F1C4D035548D273773D01E3F643463811B7339D9F4B3FC8D1FECF761C8878C135E2E600D9D230F11A3AD8E0415D1A923A398D108E9043F630A9B7BB1310927CA8A46455096E1A272BA56B6F06FEE5764E3C8AC85EA5DE408AED8EC549BE749FB231C1A2CC95DA0035DB009A9DFB2C622833A54CFCCB9FFB173159065F3335C6DDAFBB52A82CD5C327198C496C2A4404F1A544D82175F915954492A4488954B37C78C1F81B467A05F96CCC26146CDF517AF71674046947B11CE80B0E277B2ABA23915AF11E9A9F9D05717E1F0ED70341F470085569F88D8F5CBB8179605A0BF88537A57893329D15F1F8CA3582BE3612410F06568533F801602F',
        X'AD54C319103CFBA088A4B70AEC743CDED7B0A3EE3DDE370BBD14AA4FA4EACBDD1BBE2FCEF499BB4EC4DDEA9D472F27BBF93453C612BF1689B714C9718212E78C0E1B2133AEB0E7C954413F6EBFC4155CC975A252962AB7C1BBEAE8DA8C6F990B9DE96313F0158AA8DD7896000AE2A4406080B81C37605B3986E463D5DEC01AC0BC4981A74BAF6413DF99119F65A337692885E9C5FBA9B483AA83783823981A0E66105083EB6CDB07AB93714AAF6AAF9A6239D256D8C9C56992AC846CF104E2B1B9DF96D0E67DF2EC9258E914EDFAA5AC36ABE3E9D5D641C92C6188D90D9B083DC3AFA9409B7809718279B52399145FE3173DA8E8A7E5C21715E0B140B22BFF8A0116E102B55C9BCB19B5B4FCCA88FBC5A2844E7E2AEC84ACA303BE8AC9448F93BB35366DFC2E38CEE31C66748847DA11CBB8A31F2CA4DD905362A8C513B6B8E3040EFCEC5BCFEB2E52902F33BF6DFEF911E56A00E51274C1548546DCA62261F94F580DCBAF7357F0C8F5058D2D1D5C91E0AAAB396A305E79350FC0F9879CAFD33316DB77586C36A8246F4D5A14EEC495CFCFA108B70A00008CE64ABC2EBC656DFE760612194B526BC1AE8C08325E3FE76999E6341D6C2BA35BA87CB9FB30A269891A0013E989246E80D5CF7590A66D8494CA79D5E2FD6A8FF7ECA1169379C2D45F4108BA5A796309D4CBDBEE6F45A0F6536B45666E1CF977B26612BC8108FCF32FF0D9296C9C414812C221032B2E5107CFCE1E4FCC2E07C5D31F1A1492732D0ECEB3920E50DFBCAA89561CE52436D23DA40D8678CE901BDC57C3F80233BBAF7AE5CA432547EB51DFBABF5B8BC94C0F6EAE47C94649CECE192D6436D609EE040A3AC059529E7CAAFA45D1B2E331E0E73BAFB1C6E05F71EBF28E222D2B15E724D5EBB3B9C3A709F0F9BCD41C87DF158BDCD3C1FCA86A8D4B57B98F4386AA6956BC3DC6BC2AF6A479560C1598B866935795C29F22CB93072E9D8D4D110AAC2B0F22CD8662354BF5D509750068613C052E88629EFF9488BD1C0B3E6FFD010A5B739F943234AA456F998B4DC7FA7B877961DE1CC744760712337B70971EED7AA4B97121F26298DCFDC2282D721CAB90098585ACFD31EC776EEE2C0211AB711BE94F31ED0D2BA4A9D8EFFC155FC68AB02EA1DC380A1525EF2BD14B55CC71210B54E5F55A8C3C876A6667EFA271095B1280B9ED6FAE9E73601A698FE2732756780BF453F927FD171F497F9C1FA6ADE7DC8187FEDA309E807E2E7895E1763DE1758E50035CE24D54A814745F05446FFD91F8E27770577384BBDC6E11E435658404533D32C461A0DB1CC6AE0847ABB744FB61C524CF9162E3660941CA3DA96F56EA5C036BF5E633C6CA0F033335AB5B623D08A024E87235FF8324B284FB981A9998DD0028A0DE54B4D6BE04C51E8D71DD09B3563C84E5C43826418365FB7912DFABDC5BB25BDE2C558DAC14AEED79F705F34E2D04F17829515C725675571EE1E4BDD21D8EBAA9C6075DE48EF8F2ED7814E20836A2721E46B5C71EE365CFE996A07ADABD84FE5B1E25EF5D9CC66B945084A4207004372AA792BA1BE97B67397635EA7DCC2F99C6AD5C394A8F4C0B7CBC87C38DE52F120993E6DC6BEA27D5B90D90E1C8F7626C860386121E53BE3D4F7B4005A69EB0334E118E70B7207CEDFCEE1EC2A30C789174AAA6531EAAD2E0BED7400CA44911E896E4C82DCA85ADBA92CA01B2CE75924AE81FE286C4CBD8073B7546313A75E52CA1882D8935D2F6058FECEBA4626B4445FCED2E9986632F9F5597C7BBD44F375027727D51B0033B87D23395EEC26EE06378B247B0C1469286F868828C942FCE2BF1BFFDC07CAEC1E214D37ADE737A7DFF082972C6E8411591BEE4B54BED231A7F856C022B26887ADD115A252807D3C58DCD8FB5D7D71DC3766C288438DB3D9D98FC8A22FEC92A7E6E3855ACD36BBEA79C5F98C7ABD9CCECB37C18C3315E5CC7B3BFF699FD201419F8EA402E422EFE62A25D4A76B2CCA0F6D43313BA7DF6537619FD2AE8ACF55B17F709961228076DBBB3592B6B7A1C3C271D54C06403902B0384492AE486E931DD63F68E739769E174D97EA46E7D780D03529EA21B418E0A68E44ED15AB9471B5F139E29EA25C7AE881E216A2863D6E908790002B0B1CC23B1DB3266CEACA2771BD661941AEDEE196316E8D8D7CE361C23E7C1BFFBFD0467329E948CD936B54C7313DC053F96BAFD139500ACB0CCDCA7C0AFBFEC02CFD31FECF4193C1E13F8E59378959BE3360C3B57BD325E5D87CA3D9CE08EFD00980200004D01EE4C6D4450C545A82BE0E1A527AE3432AD6500AF6C8B4400095D9CA7DAA0AA956DC8CD6A4336B876988128119997DB4847AFEFDF2CB8E3F88D5B66CC1E5A32229F79324063584C95C775C5D8D3B05956F0BC8432B9FB28D006247F1DF22C431515BDB4234C91B10CA20B5C05924CAAF82094C8C49123776F1C7170218FEC6C1D2D94F242277765EB9A6C48BE8751D92FFC4C3314155C7685940CA07BB70722D0B65585BC50253A9A6F793CD7A3269657B234C72EC8F2DD4F3B61A7260B3028FFB2B866A311E027C3D8D56592AB4795AA22452CBE37AEE68D7952EE473BB67CE6839E0F5DAA7C9B09F26CBF99CF5BF1181A41B683B9EA939A1823C3733B1EE8066614D3A692C99E5F9EA22231',
        X'B9DF74AE34E4E7E17EA2EABECE5FD85B14ADB53EDB5BF27C'
    ),
    (
        X'33333333333333333333333333333333',
        'ssh-ed25519',
        'hello world',
        X'0000000B7373682D6564323535313900000020BBB05846908A7F4819CA69BE50E94658FD6F51D24FFECED678566D43E1DD6BF2',
        X'7E3719254AB02100F159D971C17322CF51ECB60AC9E2CDA511EDFD88E75D9828A5A308F1F6A7D6919ED080FD0E6D3FAB64583A946334EE8870006AB7EDC57E6D7BCD145485D1F2A06D946B4DB69591467F289A5CD3BBF922FAAF5B54275F56CF81CC450DE4C8C0F24078C395BA02E8C646731FA6A50480392B13784FD2A85D094DDB8E73C56120936C02C3F94E910C23787FC307369239E264600BBE799EA851CE16FD653BE71D024AA73A582AACC390DD1F341C095788ECE6F4CC37D045A2BFFEC9F14AEBE73E43C6E78E00A9645C6A46D03F2847355DBCD33DA09C76148089A0FC1B3793AB5DA577B879D25EF7B8A8661387F19F392522CFD2886F6FEB65584841',
        x'58E67EEE49A11FFDD9D32F63ED99053008091B415F87F1BA'
    ),
    (
        X'44444444444444444444444444444444',
        'ssh-ed25519',
        'hello world',
        X'0000000B7373682D65643235353139000000200491C64AD1D7E9C20D989937677C32EBE5FB35BCBA77422550A8FAA54C023923',
        X'6BA994C263935729D807579173B377323F6353A88F660143EA92DE1E1A92F00682B8A1FAD838F0D211BD69855E8E34AE84D5A7B3C23F23A822B2AFF6E861BC81D89AFDDEB0DED063C84644B3EFEF2612DA1DA9C3C12EDAEFCBEA3542EA0ED1903FC1922E5F56E19FAD8CC75A2A30D64C83BF27ADE00E66BCCFE1CA67E95A00819F7BF91DDD22C4A1FB419E91B5D61544175D8D69EB5B416E6547DFD55CD386B62293B778322FB840D1F4DBBDCE2364A6FE4A7B090425031E7DB347314CEBD9BA09F85CC45CF3B4D02FE78B7F365D5C7E95331AA7A6F91A619E8A8663B77A31BAF639652D72B4FD11C8D430C8A1C5542C69DF4ACA74BAB7608B7E9ADD15BAF4674AFB',
        X'46F31DCF22250039168D80F26D50C129C9AFDA166682C89A'
    );
--- a/src-tauri/src/credentials/fixtures/ssh_ed25519_enc
+++ b/src-tauri/src/credentials/fixtures/ssh_ed25519_enc
@ -0,0 +1,8 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAWtYanP1
 TBKT8lBL4IzKpYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZ
 N2d8Muvl+zW8undCJVCo+qVMAjkjAAAAkI021XFPzB9VnO8uGAQ8f3bwP/ki5fDVuWD7Fc
 crN+yfT8Ugjhc7IL2dIt/xj9iJIa9fJDw0pg1Y8issqp9C8HVhasyWpf2iwJIalUHTOekn
 WdoxA+/OQBstRBKSv43sI801+9OC8dXCMNM2QzpiGNs0QxdLJpcJQhHEvqq/yDIODF0p7M
 h3e9eYGVPOR0CjlQ==
 -----END OPENSSH PRIVATE KEY-----
--- a/src-tauri/src/credentials/fixtures/ssh_ed25519_enc.pub
+++ b/src-tauri/src/credentials/fixtures/ssh_ed25519_enc.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZN2d8Muvl+zW8undCJVCo+qVMAjkj hello world
--- a/src-tauri/src/credentials/fixtures/ssh_ed25519_plain
+++ b/src-tauri/src/credentials/fixtures/ssh_ed25519_plain
@ -0,0 +1,7 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
 QyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI
 BwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g
 AAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9
 b1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=
 -----END OPENSSH PRIVATE KEY-----
--- a/src-tauri/src/credentials/fixtures/ssh_ed25519_plain.json
+++ b/src-tauri/src/credentials/fixtures/ssh_ed25519_plain.json
@ -0,0 +1 @@
 {"algorithm":"ssh-ed25519","comment":"hello world","public_key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world","private_key":"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI\nBwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g\nAAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9\nb1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=\n-----END OPENSSH PRIVATE KEY-----\n"}
--- a/src-tauri/src/credentials/fixtures/ssh_ed25519_plain.pub
+++ b/src-tauri/src/credentials/fixtures/ssh_ed25519_plain.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world
--- a/src-tauri/src/credentials/fixtures/ssh_rsa_enc
+++ b/src-tauri/src/credentials/fixtures/ssh_rsa_enc
@ -0,0 +1,39 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAanK91R1
 FN66oOcvNyslkhAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx
 511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZ
 fgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5
 OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciH
 jBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyK
 yF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1c
 MnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsO
 J3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42Ek
 EPBlaFM/gBYC8AAAWQf6woBjAp1r47e3HsH4DyTDNF+u98eyCXLb86Lf8G9IFzOACMx4Bh
 auNdB2dZ/Re2FZ6bdzb+h9snQf0PY4y4zJ7bmJ5VbRcYAM/XnVcKP+Q2254te15DLAsKXA
 rzGVdEB8vshTloEHZTBVGiWRSFvn/rzPTNRhw5X/OMX21EAFR2yFXFHSxKwuPTWRCTTan3
 PA7BqJX8k6XtzwafPo9as0ui3jds/aL9VBlxlQB3x5uWfo7Kw73qReDzaIS94VVsm667tI
 KIN/0/e3mDpfXmWLH2Xc7BLZcs5eSHztwakYDPc5VzFTdAfb4juVdVmiLUs0ttj+aXnJo9
 6p/kX5ISSs5gzAaL2yGmPjNeeEXgV38ysYnNUB0fIoceuda54oM8kYAeZnQGpgV0Rh6ku+
 KNWajrJF22cH6QQ61VO4ymoDrw+oxyTog/M5n7IhCROGAJOQV4CRYKELHwMIt6niiihDfI
 +YbIs7Qs0ap4mHeVKbLS3WsSK7mZI70yCeLzT+ilNaqW28RLHxAEM86lRfuH1vmABKdy8D
 3e1K0WivbY5zmGvFGP1DIl3NXr6M7ZaFg5bgohssOXzMucAOR9mZpzMg20jF4SOt7IC9SU
 pWg+OIIP7pVfS2FjATMrh25xgeqD2BcDSoJWEH4xrlviyBS1wVA9W35npHiJSQptppn8cj
 EhwuS916OMhWOsXHPssqHFA+DrLByCZKcORD/mFPpsnI4/3TvA4PL6pqv2Kup0YBDqkyko
 wIyZQMjr4DjR6xYR3W0Mjzn2UG0Grn96QGrjnj1l/LAXAw00NeYktI4m5YX4wIIdhP/RT8
 RL9d4SE0YicneoDPtcLaaa4TTIvcbHJsP8aUP723reUzyxvw9Bdo9wC2bzE1xlOhm/WCmF
 0SNvEl6H/kivTjQkI2HQuGVq037eIAB5rToT6cVD3TiNmN6UuOX7Ec+8kw4JPGgLA/l+AB
 w3gCsyK7MyZoeWNw2+b1utkjMcqG0bjju0yTdjSho6KazGtoBQ4P+Jx9KIwiJT13Nr1WMz
 KBW98YojZCfCxPeNx6RPsp6PzM673R9DVRNXSs3yYhEZDXJEHCS7jDptR8r8uScogIIUEx
 YShJU0/WSVHgHZ4Ef2S7MDX1RLU4WGoUtbwxnTEQ26iNLjskYzV9/O88PajJSc2Wcz5vES
 I4BFROg2px+ViLlWqiegXIZc5NnN2HSJQ7ucTObSL0+oT5SzQiRfHy2TLa4w+c5hgO1VNx
 Xmq0doKjMW9DmU2ygwzFgnaQp9S8NlIIA/4mKkAODbCgWFqXz99gMgfL+dnUhwo4WHN3lU
 D/uVxRxwTKWWNp39z/p5hBYLKpqJbDCp+ysM9VpyllAkjk9aDihUq5dQVzpA1iTFH2DdbM
 TrclBWaXr9QQiH+F73mZvJPhP2//gT9qped6XumkSpuNXFrXoZ/P49xKgQ/51rg8Ri5ZJ7
 cIiofoppfat5ex20oBqAnumrM0JrhUrVxzhSd5tPPH5JGeZYml3sK1rM4pV7K7bnugXg9f
 C6HVxe/l2klAOvg0U9yJAvR35mS0+F0dpwvjRrFS/+JxG6RzzAAunDJHjADNne5FhKFNLB
 WRzsXHTCT+wGp497Nq8uS/0sgZAMHsy2KMK6n5h8V6kHL9t5VgsD18g0neu9ytwYrjvAuM
 AoDdwpuUkCJVNOiMHumxPvivGRNhSHwW7fTDHX+yI6/j1i/Wl1unjCxNgNCbgCMRCg1+dN
 wRw/wqs4mQyGf70AUA5JIVx/W7gAxlt3YWCFHfTRiK5A/BHa0qs+RPMzVlIJhAx0TGAOze
 BBJIg2kH26rWLV2aosOx8FFH/rZVj6gyYLw0JlsoTCva383SkifvlfiLY3DxfU+bwvJ9p0
 bnzyMMiKRuZb16OucNli84FIAuI=
 -----END OPENSSH PRIVATE KEY-----
--- a/src-tauri/src/credentials/fixtures/ssh_rsa_enc.pub
+++ b/src-tauri/src/credentials/fixtures/ssh_rsa_enc.pub
@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZfgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciHjBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyKyF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1cMnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsOJ3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42EkEPBlaFM/gBYC8= hello world
--- a/src-tauri/src/credentials/fixtures/ssh_rsa_plain
+++ b/src-tauri/src/credentials/fixtures/ssh_rsa_plain
@ -0,0 +1,38 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAxKvObWlACRLrrVJ3M0AeMOvz3JQzt5yOND16++GanzCZNIIld9mA
 c0a0jU+wYE0CLagm5WJGNeTOGYUapdMN/SAH3pmwSuTC8Agj3/w8jd5i8HSDHB+JAwZ8g9
 zNfZzuhkPJPFKR9rUEf1NkajfIQJiTT/3liCtd12ls3cRCHDniiUdoz9ZlDOWF41o/c5sB
 VlCqRpq978aYflXa/sfUC0OIZU7TIF0YUo2IGSfELL4hDM9vSakGGa1uasvxdo1+xS/5y4
 W+YHuUFJYVZikgFodRZMHB0fvUw1adRCSn8Z0EOrze5QVz38T8fywnGKp2Uo+iJsDdVTDc
 cFwwkB4b3oj+XMNcrlq4gm0ef5cNvtCg9+mDPPxzI6HxMjUo1cw8AK65gWXWd8r2S9aXKR
 MiZNlxtcSR0K6vU6rSLQN1ay5DdUUC6ESIEX7ruWLM3131loLB6bpHLVq5uD2yhi5+o4Do
 /SDek2jKvLvFyVwjOlLeXf5ekctZAZ0AtSnHDEMFAAAFgMFqGjPBahozAAAAB3NzaC1yc2
 EAAAGBAMSrzm1pQAkS661SdzNAHjDr89yUM7ecjjQ9evvhmp8wmTSCJXfZgHNGtI1PsGBN
 Ai2oJuViRjXkzhmFGqXTDf0gB96ZsErkwvAII9/8PI3eYvB0gxwfiQMGfIPczX2c7oZDyT
 xSkfa1BH9TZGo3yECYk0/95YgrXddpbN3EQhw54olHaM/WZQzlheNaP3ObAVZQqkaave/G
 mH5V2v7H1AtDiGVO0yBdGFKNiBknxCy+IQzPb0mpBhmtbmrL8XaNfsUv+cuFvmB7lBSWFW
 YpIBaHUWTBwdH71MNWnUQkp/GdBDq83uUFc9/E/H8sJxiqdlKPoibA3VUw3HBcMJAeG96I
 /lzDXK5auIJtHn+XDb7QoPfpgzz8cyOh8TI1KNXMPACuuYFl1nfK9kvWlykTImTZcbXEkd
 Cur1Oq0i0DdWsuQ3VFAuhEiBF+67lizN9d9ZaCwem6Ry1aubg9soYufqOA6P0g3pNoyry7
 xclcIzpS3l3+XpHLWQGdALUpxwxDBQAAAAMBAAEAAAGABsfTnKMR0Z5E4Ntkf7BYuiAQbs
 zvQYfUwUlTWabMEWv4BD7ucsTdcFwCMpMKRi+xgQh4mtT6DbafQnL72ba+lzkI/Gw5D0P2
 0pa9QeYs4klGCPtDX+9YZnHNTjCJJykHcjqZEAravHI+PvONlTnqHgwEnC/pP3obSKd6WO
 UA0H9QZ6I+I1hFcJ3jMVT1thMkhyjNzhRcsw0aSdTE8Z7LGT5RUAjZL5b2FTaK+C8OTOqb
 MhlewV/h9XWsxmLUpt0277I8ShvjJbJg6TEPJh6D7FRTU+tY4rjGK12DP9lVq6M7Md4ULV
 JW3aW350xVV2p9031HLDUfWs7dqZ5ufoD3EopOVZGvfGAE3C4aHvJB5D6K7wG7ptWsPgte
 EcCz84DpsoJ7KICTs8QoXt5bl68qnW3YvzCcqZc7DjLdKNh/wzjdMdzx8AMS4yBF2ceOSE
 I7Og9UZZtmGzZ0g4Dhg3jMUyWBA++sUayJUqg0izzA/htt+tVd9ABMkJOufcCpnuPRAAAA
 wCdCy66KXCLx5HCMIsd2/TdbGAZnuirYCn9ee3T5xhJyZjmwIfmZEXUuENKq8e+vYldwey
 EjdnevM+OCTc8xo77yowgYRBzguDa2R9UH3bg9cWZIpQGzXmnL35Dux4nZPUKs69WMht92
 bpRh9roPs2M5tSAcSpmfohFYhMwRxqVooSeSg+kGE4dCXnVqK1tURExnqKy8CkoDW4fhbH
 HNmPsBnbdTNtfAlg8MO1v1Hk+/+6mpNhiJ7bKF4au9lm+QHgAAAMEA11frEHqordrzlTRg
 kmqGq9qaORev2g/7n719DlXb2HjGfy5gK9iUCxsgGN6GiFF0mUD7hMY6UMIVfsC/Rm07aE
 700u7OJAm8AcnFkEANlZ3ucWltnumVtxyMBlKq7PxkcIG5X+nJ6N8oVw3zZTsjaYCMe1s1
 806oE5D3GZk10pnfVIrY9DFZBtT3+mBpF2uQZk0ZSwh8Hh9xGFGxsm6blkgpcip7v+26PR
 hqA88WlXAPMnvFpXthr0mny+cy7Q59AAAAwQDpzWi1Prhi3JtVolyac/ygvzje4lhuz5ei
 3pC7b1cepdFoQCS33tixwfzqKCp6RfHrtrKzZMqREaX5sor1Hha7S+Vo+KLtZWkFUONTHR
 987wmXIu8ziRWKBeuk6g9OSXI5w8hyLwn4XLEeVri4fAUIUwpi4B0Eazp4P/9AUf1188xz
 a4ACWXDYkUFoLQo9J07HWDhKbEKFZVlIznyfmLVXc8JEzwrPThW+viGK1AFi9FxeLB4QmK
 PkAC2GY5AmhSkAAAALaGVsbG8gd29ybGQ=
 -----END OPENSSH PRIVATE KEY-----
--- a/src-tauri/src/credentials/fixtures/ssh_rsa_plain.pub
+++ b/src-tauri/src/credentials/fixtures/ssh_rsa_plain.pub
@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEq85taUAJEuutUnczQB4w6/PclDO3nI40PXr74ZqfMJk0giV32YBzRrSNT7BgTQItqCblYkY15M4ZhRql0w39IAfembBK5MLwCCPf/DyN3mLwdIMcH4kDBnyD3M19nO6GQ8k8UpH2tQR/U2RqN8hAmJNP/eWIK13XaWzdxEIcOeKJR2jP1mUM5YXjWj9zmwFWUKpGmr3vxph+Vdr+x9QLQ4hlTtMgXRhSjYgZJ8QsviEMz29JqQYZrW5qy/F2jX7FL/nLhb5ge5QUlhVmKSAWh1FkwcHR+9TDVp1EJKfxnQQ6vN7lBXPfxPx/LCcYqnZSj6ImwN1VMNxwXDCQHhveiP5cw1yuWriCbR5/lw2+0KD36YM8/HMjofEyNSjVzDwArrmBZdZ3yvZL1pcpEyJk2XG1xJHQrq9TqtItA3VrLkN1RQLoRIgRfuu5YszfXfWWgsHpukctWrm4PbKGLn6jgOj9IN6TaMq8u8XJXCM6Ut5d/l6Ry1kBnQC1KccMQwU= hello world
--- a/src-tauri/src/credentials/mod.rs
+++ b/src-tauri/src/credentials/mod.rs
@ -14,14 +14,17 @@ use crate::errors::*;
 mod aws;
 pub use aws::{AwsBaseCredential, AwsSessionCredential};
 mod crypto;
 pub use crypto::Crypto;
 mod record;
 pub use record::CredentialRecord;
 mod session;
 pub use session::AppSession;
-mod crypto;
+mod ssh;
-pub use crypto::Crypto;
+pub use ssh::SshKey;
 #[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)]
@ -29,6 +32,7 @@ pub use crypto::Crypto;
 pub enum Credential {
    AwsBase(AwsBaseCredential),
    AwsSession(AwsSessionCredential),
    Ssh(SshKey),
 }
--- a/src-tauri/src/credentials/record.rs
+++ b/src-tauri/src/credentials/record.rs
@ -21,10 +21,12 @@ use super::{
    Credential,
    Crypto,
    PersistentCredential,
    SshKey,
 };
 #[derive(Debug, Clone, FromRow)]
 #[allow(dead_code)]
 struct CredentialRow {
    id: Uuid,
    name: String,
@ -48,6 +50,7 @@ impl CredentialRecord {
    pub async fn save(&self, crypto: &Crypto, pool: &SqlitePool) -> Result<(), SaveCredentialsError> {
        let type_name = match &self.credential {
            Credential::AwsBase(_) => AwsBaseCredential::type_name(),
            Credential::Ssh(_) => SshKey::type_name(),
            _ => return Err(SaveCredentialsError::NotPersistent),
        };
@ -82,6 +85,7 @@ impl CredentialRecord {
        // save credential details to child table
        match &self.credential {
            Credential::AwsBase(b) => b.save_details(&self.id, crypto, &mut txn).await,
            Credential::Ssh(s) => s.save_details(&self.id, crypto, &mut txn).await,
            _ => Err(SaveCredentialsError::NotPersistent),
        }?;
@ -108,9 +112,19 @@ impl CredentialRecord {
        Ok(Self::from_parts(row, credential))
    }
-    pub async fn load(id: &Uuid, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
+    // pub async fn load(id: &Uuid, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
-        let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE id = ?")
+    //     let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE id = ?")
-            .bind(id)
+    //         .bind(id)
    //         .fetch_optional(pool)
    //         .await?
    //         .ok_or(LoadCredentialsError::NoCredentials)?;
    //     Self::load_credential(row, crypto, pool).await
    // }
    pub async fn load_by_name(name: &str, crypto: &Crypto, pool: &SqlitePool) -> Result<Self, LoadCredentialsError> {
        let row: CredentialRow = sqlx::query_as("SELECT * FROM credentials WHERE name = ?")
            .bind(name)
            .fetch_optional(pool)
            .await?
            .ok_or(LoadCredentialsError::NoCredentials)?;
@ -147,6 +161,11 @@ impl CredentialRecord {
                .ok_or(LoadCredentialsError::InvalidData)?;
            records.push(Self::from_parts(parent, credential));
        }
        for (id, credential) in SshKey::list(crypto, pool).await? {
            let parent = parent_map.remove(&id)
                .ok_or(LoadCredentialsError::InvalidData)?;
            records.push(Self::from_parts(parent, credential));
        }
        Ok(records)
    }
@ -260,7 +279,7 @@ mod tests {
    #[sqlx::test]
-    async fn test_save_load(pool: SqlitePool) {
+    async fn test_save_load_aws(pool: SqlitePool) {
        let crypt = Crypto::random();
        let mut record = aws_record();
        record.id = random_uuid();
--- a/src-tauri/src/credentials/session.rs
+++ b/src-tauri/src/credentials/session.rs
@ -97,24 +97,4 @@ impl AppSession {
            Self::Unlocked {crypto, ..} => Ok(crypto),
        }
    }
    pub fn try_encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), GetCredentialsError> {
        let crypto = match self {
            Self::Empty => return Err(GetCredentialsError::Empty),
            Self::Locked {..} => return Err(GetCredentialsError::Locked),
            Self::Unlocked {crypto, ..} => crypto,
        };
        let res = crypto.encrypt(data)?;
        Ok(res)
    }
    pub fn try_decrypt(&self, nonce: XNonce, data: &[u8]) -> Result<Vec<u8>, GetCredentialsError> {
        let crypto = match self {
            Self::Empty => return Err(GetCredentialsError::Empty),
            Self::Locked {..} => return Err(GetCredentialsError::Locked),
            Self::Unlocked {crypto, ..} => crypto,
        };
        let res = crypto.decrypt(&nonce, data)?;
        Ok(res)
    }
 }
--- a/src-tauri/src/credentials/ssh.rs
+++ b/src-tauri/src/credentials/ssh.rs
@ -0,0 +1,424 @@
 use std::fmt::{self, Formatter};
 use chacha20poly1305::XNonce;
 use serde::{
    Deserialize,
    Deserializer,
    Serialize,
    Serializer,
 };
 use serde::ser::{
    Error as SerError,
    SerializeStruct,
 };
 use serde::de::{self, Visitor};
 use sqlx::{
    FromRow,
    Sqlite,
    SqlitePool,
    Transaction,
    types::Uuid,
 };
 use ssh_agent_lib::proto::message::Identity;
 use ssh_key::{
    Algorithm,
    LineEnding,
    private::PrivateKey,
    public::PublicKey,
 };
 use tokio_stream::StreamExt;
 use crate::errors::*;
 use super::{
    Credential,
    Crypto,
    PersistentCredential,
 };
 #[derive(Debug, Clone, FromRow)]
 pub struct SshRow {
    id: Uuid,
    algorithm: String,
    comment: String,
    public_key: Vec<u8>,
    private_key_enc: Vec<u8>,
    nonce: Vec<u8>,
 }
 #[derive(Debug, Clone, Eq, PartialEq, Deserialize)]
 pub struct SshKey {
    #[serde(deserialize_with = "deserialize_algorithm")]
    pub algorithm: Algorithm,
    pub comment: String,
    #[serde(deserialize_with = "deserialize_pubkey")]
    pub public_key: PublicKey,
    #[serde(deserialize_with = "deserialize_privkey")]
    pub private_key: PrivateKey,
 }
 impl SshKey {
    pub fn from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
        let mut privkey = PrivateKey::read_openssh_file(path.as_ref())?;
        if privkey.is_encrypted() {
            privkey = privkey.decrypt(passphrase)
                .map_err(|_| LoadSshKeyError::InvalidPassphrase)?;
        }
        Ok(SshKey {
            algorithm: privkey.algorithm(),
            comment: privkey.comment().into(),
            public_key: privkey.public_key().clone(),
            private_key: privkey,
        })
    }
    pub async fn name_from_pubkey(pubkey: &[u8], pool: &SqlitePool) -> Result<String, LoadCredentialsError> {
        let row = sqlx::query!(
            "SELECT c.name
            FROM credentials c
            JOIN ssh_credentials s 
                ON s.id = c.id
            WHERE s.public_key = ?",
            pubkey
        ).fetch_optional(pool)
            .await?
            .ok_or(LoadCredentialsError::NoCredentials)?;
        Ok(row.name)
    }
    pub async fn list_identities(pool: &SqlitePool) -> Result<Vec<Identity>, LoadCredentialsError> {
        let mut rows = sqlx::query!(
            "SELECT public_key, comment FROM ssh_credentials"
        ).fetch(pool);
        let mut identities = Vec::new();
        while let Some(row) = rows.try_next().await? {
            identities.push(Identity {
                pubkey_blob: row.public_key,
                comment: row.comment,
            });
        }
        Ok(identities)
    }
 }
 impl PersistentCredential for SshKey {
    type Row = SshRow;
    fn type_name() -> &'static str { "ssh" }
    fn into_credential(self) -> Credential { Credential::Ssh(self) }
    fn row_id(row: &SshRow) -> Uuid { row.id }
    fn from_row(row: SshRow, crypto: &Crypto) -> Result<Self, LoadCredentialsError> {
        let nonce = XNonce::clone_from_slice(&row.nonce);
        let privkey_bytes = crypto.decrypt(&nonce, &row.private_key_enc)?;
        let algorithm = Algorithm::new(&row.algorithm)
            .map_err(|_| LoadCredentialsError::InvalidData)?;
        let public_key = PublicKey::from_bytes(&row.public_key)
            .map_err(|_| LoadCredentialsError::InvalidData)?;
        let private_key = PrivateKey::from_bytes(&privkey_bytes)
            .map_err(|_| LoadCredentialsError::InvalidData)?;
        Ok(SshKey {
            algorithm,
            comment: row.comment,
            public_key,
            private_key,
        })
    }
    async fn save_details(&self, id: &Uuid, crypto: &Crypto, txn: &mut Transaction<'_, Sqlite>) -> Result<(), SaveCredentialsError> {
        let alg = self.algorithm.as_str();
        let pubkey_bytes = self.public_key.to_bytes()?;
        let privkey_bytes = self.private_key.to_bytes()?;
        let (nonce, ciphertext) = crypto.encrypt(privkey_bytes.as_ref())?;
        let nonce_bytes = nonce.as_slice();
        sqlx::query!(
            "INSERT OR REPLACE INTO ssh_credentials (
                id,
                algorithm,
                comment,
                public_key,
                private_key_enc,
                nonce
            )
            VALUES (?, ?, ?, ?, ?, ?)",
            id, alg, self.comment, pubkey_bytes, ciphertext, nonce_bytes,
        ).execute(&mut **txn).await?;
        Ok(())
    }
 }
 impl Serialize for SshKey {
    fn serialize<S: Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
        let mut key = s.serialize_struct("SshKey", 5)?;
        key.serialize_field("algorithm", self.algorithm.as_str())?;
        key.serialize_field("comment", &self.comment)?;
        let pubkey_str = self.public_key.to_openssh()
            .map_err(|e| S::Error::custom(format!("Failed to encode SSH public key: {e}")))?;
        key.serialize_field("public_key", &pubkey_str)?;
        let privkey_str = self.private_key.to_openssh(LineEnding::LF)
            .map_err(|e| S::Error::custom(format!("Failed to encode SSH private key: {e}")))?;
        key.serialize_field::<str>("private_key", privkey_str.as_ref())?;
        key.end()
    }
 }
 struct PubkeyVisitor;
 impl<'de> Visitor<'de> for PubkeyVisitor {
    type Value = PublicKey;
    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
        write!(formatter, "an OpenSSH-encoded public key, e.g. `ssh-rsa ...`")
    }
    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
        PublicKey::from_openssh(v)
            .map_err(|e| E::custom(format!("{e}")))
    }
 }
 fn deserialize_pubkey<'de, D>(deserializer: D) -> Result<PublicKey, D::Error>
    where D: Deserializer<'de>
 {
    deserializer.deserialize_str(PubkeyVisitor)
 }
 struct PrivkeyVisitor;
 impl<'de> Visitor<'de> for PrivkeyVisitor {
    type Value = PrivateKey;
    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
        write!(formatter, "an OpenSSH-encoded private key")
    }
    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
        PrivateKey::from_openssh(v)
            .map_err(|e| E::custom(format!("{e}")))
    }
 }
 fn deserialize_privkey<'de, D>(deserializer: D) -> Result<PrivateKey, D::Error>
    where D: Deserializer<'de>
 {
    deserializer.deserialize_str(PrivkeyVisitor)
 }
 struct AlgorithmVisitor;
 impl<'de> Visitor<'de> for AlgorithmVisitor {
    type Value = Algorithm;
    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
        write!(formatter, "an SSH key algorithm identifier, e.g. `ssh-rsa`")
    }
    fn visit_str<E: de::Error>(self, v: &str) -> Result<Self::Value, E> {
        Algorithm::new(v)
            .map_err(|e| E::custom(format!("{e}")))
    }
 }
 fn deserialize_algorithm<'de, D>(deserializer: D) -> Result<Algorithm, D::Error>
    where D: Deserializer<'de>
 {
    deserializer.deserialize_str(AlgorithmVisitor)
 }
 #[cfg(test)]
 mod tests {
    use std::fs::{self, File};
    use ssh_key::Fingerprint;
    use sqlx::types::uuid::uuid;
    use super::*;
    fn path(name: &str) -> String {
        format!("./src/credentials/fixtures/{name}")
    }
    fn random_uuid() -> Uuid {
        let bytes = Crypto::salt();
        Uuid::from_slice(&bytes[..16]).unwrap()
    }
    fn rsa_plain() -> SshKey {
        SshKey::from_file(&path("ssh_rsa_plain"), "")
            .expect("Failed to load SSH key")
    }
    fn rsa_enc() -> SshKey {
        SshKey::from_file(
            &path("ssh_rsa_enc"),
            "correct horse battery staple"
        ).expect("Failed to load SSH key")
    }
    fn ed25519_plain() -> SshKey {
        SshKey::from_file(&path("ssh_ed25519_plain"), "")
            .expect("Failed to load SSH key")
    }
    fn ed25519_enc() -> SshKey {
        SshKey::from_file(
            &path("ssh_ed25519_enc"),
            "correct horse battery staple"
        ).expect("Failed to load SSH key")
    }
    #[test]
    fn test_from_file_rsa_plain() {
        let k = rsa_plain();
        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
        assert_eq!(&k.comment, "hello world");
        assert_eq!(
            k.public_key.fingerprint(Default::default()),
            k.private_key.fingerprint(Default::default()),
        );
        assert_eq!(
            k.private_key.fingerprint(Default::default()).as_bytes(),
            [90,162,92,235,160,164,88,179,144,234,84,135,1,249,9,206,
            201,172,233,129,82,11,145,191,186,144,209,43,81,119,197,18],
        );
    }
    #[test]
    fn test_from_file_rsa_enc() {
        let k = rsa_enc();
        assert_eq!(k.algorithm.as_str(), "ssh-rsa");
        assert_eq!(&k.comment, "hello world");
        assert_eq!(
            k.public_key.fingerprint(Default::default()),
            k.private_key.fingerprint(Default::default()),
        );
        assert_eq!(
            k.private_key.fingerprint(Default::default()).as_bytes(),
            [254,147,219,185,96,234,125,190,195,128,37,243,214,193,8,162,
            34,237,126,199,241,91,195,251,232,84,144,120,25,63,224,157],
        );
    }
    #[test]
    fn test_from_file_ed25519_plain() {
        let k = ed25519_plain();
        assert_eq!(k.algorithm.as_str(),"ssh-ed25519");
        assert_eq!(&k.comment, "hello world");
        assert_eq!(
            k.public_key.fingerprint(Default::default()),
            k.private_key.fingerprint(Default::default()),
        );
        assert_eq!(
            k.private_key.fingerprint(Default::default()).as_bytes(),
            [29,30,193,72,239,167,35,89,1,206,126,186,123,112,78,187,
            240,59,1,15,107,189,72,30,44,64,114,216,32,195,22,201],
        );
    }
    #[test]
    fn test_from_file_ed25519_enc() {
        let k = ed25519_enc();
        assert_eq!(k.algorithm.as_str(), "ssh-ed25519");
        assert_eq!(&k.comment, "hello world");
        assert_eq!(
            k.public_key.fingerprint(Default::default()),
            k.private_key.fingerprint(Default::default()),
        );
        assert_eq!(
            k.private_key.fingerprint(Default::default()).as_bytes(),
            [87,233,161,170,18,47,245,116,30,177,120,211,248,54,65,255,
            41,45,113,107,182,221,189,167,110,9,245,254,44,6,118,141],
        );
    }
    #[test]
    fn test_serialize() {
        let expected = fs::read_to_string(path("ssh_ed25519_plain.json")).unwrap();
        let k = ed25519_plain();
        let computed = serde_json::to_string(&k)
            .expect("Failed to serialize SshKey");
        assert_eq!(expected, computed);
    }
    #[test]
    fn test_deserialize() {
        let expected = ed25519_plain();
        let json_file = File::open(path("ssh_ed25519_plain.json")).unwrap();
        let computed = serde_json::from_reader(json_file)
            .expect("Failed to deserialize json file");
        assert_eq!(expected, computed);
    }
    #[sqlx::test]
    async fn test_save_db(pool: SqlitePool) {
        let crypto = Crypto::random();
        let k = rsa_plain();
        let mut txn = pool.begin().await.unwrap();
        k.save_details(&random_uuid(), &crypto, &mut txn).await
            .expect("Failed to save SSH key to database");
        txn.commit().await.expect("Failed to finalize transaction");
    }
    #[sqlx::test(fixtures("ssh_credentials"))]
    async fn test_load_db(pool: SqlitePool) {
        let crypto = Crypto::fixed();
        let id = uuid!("11111111-1111-1111-1111-111111111111");
        let k = SshKey::load(&id, &crypto, &pool).await
            .expect("Failed to load SSH key from database");
    }
    #[sqlx::test]
    async fn test_save_load_db(pool: SqlitePool) {
        let crypto = Crypto::random();
        let id = uuid!("7bc994dd-113a-4841-bcf7-b47c2fffdd25");
        let known = ed25519_plain();
        let mut txn = pool.begin().await.unwrap();
        known.save_details(&id, &crypto, &mut txn).await.unwrap();
        txn.commit().await.unwrap();
        let loaded = SshKey::load(&id, &crypto, &pool).await.unwrap();
        assert_eq!(known.algorithm, loaded.algorithm);
        assert_eq!(known.comment, loaded.comment);
        // comment gets stripped by saving as bytes, so we just compare raw key data
        assert_eq!(known.public_key.key_data(), loaded.public_key.key_data());
        assert_eq!(known.private_key, loaded.private_key);
    }
 }
--- a/src-tauri/src/errors.rs
+++ b/src-tauri/src/errors.rs
@ -191,6 +191,10 @@ pub enum HandlerError {
    NoMainWindow,
    #[error("Request was denied")]
    Denied,
    #[error(transparent)]
    SshAgent(#[from] ssh_agent_lib::error::AgentError),
    #[error(transparent)]
    SshKey(#[from] ssh_key::Error),
 }
@ -277,6 +281,8 @@ pub enum SaveCredentialsError {
    NotPersistent,
    #[error("A credential with that name already exists")]
    Duplicate,
    #[error("Failed to save credentials: {0}")]
    Encode(#[from] ssh_key::Error),
    // rekeying is fundamentally a save operation,
    // but involves loading in order to re-save
    #[error(transparent)]
@ -332,6 +338,8 @@ pub enum ClientInfoError {
    #[cfg(windows)]
    #[error("Could not determine PID of connected client")]
    WindowsError(#[from] windows::core::Error),
    #[error("Could not determine PID of connected client")]
    PidNotFound,
    #[error(transparent)]
    Io(#[from] std::io::Error),
 }
@ -358,7 +366,7 @@ pub enum RequestError {
    #[error("Error response from server: {0}")]
    Server(ServerError),
    #[error("Unexpected response from server")]
-    Unexpected(crate::server::Response),
+    Unexpected(crate::srv::Response),
    #[error("The server did not respond with valid JSON")]
    InvalidJson(#[from] serde_json::Error),
    #[error("Error reading/writing stream: {0}")]
@ -410,6 +418,17 @@ pub enum LaunchTerminalError {
 }
 #[derive(Debug, ThisError, AsRefStr)]
 pub enum LoadSshKeyError {
    #[error("Passphrase is invalid")]
    InvalidPassphrase,
    #[error("Could not parse SSH private key data")]
    InvalidData(#[from] ssh_key::Error),
    #[error(transparent)]
    Io(#[from] std::io::Error),
 }
 // =========================
 // Serialize implementations
 // =========================
@ -436,6 +455,7 @@ impl_serialize_basic!(WindowError);
 impl_serialize_basic!(LockError);
 impl_serialize_basic!(SaveCredentialsError);
 impl_serialize_basic!(LoadCredentialsError);
 impl_serialize_basic!(LoadSshKeyError);
 impl Serialize for HandlerError {
--- a/src-tauri/src/ipc.rs
+++ b/src-tauri/src/ipc.rs
@ -5,7 +5,8 @@ use tauri::{AppHandle, State};
 use crate::config::AppConfig;
 use crate::credentials::{
    AppSession,
-    CredentialRecord
+    CredentialRecord,
    SshKey,
 };
 use crate::errors::*;
 use crate::clientinfo::Client;
@ -17,6 +18,7 @@ use crate::terminal;
 pub struct AwsRequestNotification {
    pub id: u64,
    pub client: Client,
    pub name: Option<String>,
    pub base: bool,
 }
@ -37,8 +39,8 @@ pub enum RequestNotification {
 }
 impl RequestNotification {
-    pub fn new_aws(id: u64, client: Client, base: bool) -> Self {
+    pub fn new_aws(id: u64, client: Client, name: Option<String>, base: bool) -> Self {
-        Self::Aws(AwsRequestNotification {id, client, base})
+        Self::Aws(AwsRequestNotification {id, client, name, base})
    }
    pub fn new_ssh(id: u64, client: Client, key_name: String) -> Self {
@ -134,6 +136,12 @@ pub async fn list_credentials(app_state: State<'_, AppState>) -> Result<Vec<Cred
 }
 #[tauri::command]
 pub async fn sshkey_from_file(path: &str, passphrase: &str) -> Result<SshKey, LoadSshKeyError> {
    SshKey::from_file(path, passphrase)
 }
 #[tauri::command]
 pub async fn get_config(app_state: State<'_, AppState>) -> Result<AppConfig, ()> {
    let config = app_state.config.read().await;
--- a/src-tauri/src/kv.rs
+++ b/src-tauri/src/kv.rs
@ -44,12 +44,12 @@ pub async fn load_bytes(pool: &SqlitePool, name: &str) -> Result<Option<Vec<u8>>
 }
-pub async fn delete(pool: &SqlitePool, name: &str) -> Result<(), sqlx::Error> {
+// pub async fn delete(pool: &SqlitePool, name: &str) -> Result<(), sqlx::Error> {
-    sqlx::query!("DELETE FROM kv WHERE name = ?", name)
+//     sqlx::query!("DELETE FROM kv WHERE name = ?", name)
-        .execute(pool)
+//         .execute(pool)
-        .await?;
+//         .await?;
-    Ok(())
+//     Ok(())
-}
+// }
 pub async fn delete_multi(pool: &SqlitePool, names: &[&str]) -> Result<(), sqlx::Error> {    
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@ -7,7 +7,7 @@ mod clientinfo;
 mod ipc;
 mod kv;
 mod state;
-pub mod server;
+mod srv;
 mod shortcuts;
 mod terminal;
 mod tray;
--- a/src-tauri/src/server/server_unix.rs
+++ b/src-tauri/src/server/server_unix.rs
@ -1,58 +0,0 @@
 use std::io::ErrorKind;
 use tokio::net::{UnixListener, UnixStream};
 use tauri::{
    AppHandle,
    async_runtime as rt,
 };
 use crate::errors::*;
 pub type Stream = UnixStream;
 pub struct Server {
    listener: UnixListener,
    app_handle: AppHandle,
 }
 impl Server {
    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
        match std::fs::remove_file("/tmp/creddy.sock") {
            Ok(_) => (),
            Err(e) if e.kind() == ErrorKind::NotFound => (),
            Err(e) => return Err(e),
        }
        let listener = UnixListener::bind("/tmp/creddy.sock")?;
        let srv = Server { listener, app_handle };
        rt::spawn(srv.serve());
        Ok(())
    }
    async fn serve(self) {
        loop {
            self.try_serve()
                .await
                .error_print_prefix("Error accepting request: ");
        }
    }
    async fn try_serve(&self) -> Result<(), HandlerError> {
        let (stream, _addr) = self.listener.accept().await?;
        let new_handle = self.app_handle.clone();
        let client_pid = get_client_pid(&stream)?;
        rt::spawn(async move {
            super::handle(stream, new_handle, client_pid)
                .await
                .error_print_prefix("Error responding to request: ");
        });
        Ok(())
    }
 }
 fn get_client_pid(stream: &UnixStream) -> std::io::Result<u32> {
    let cred = stream.peer_cred()?;
    Ok(cred.pid().unwrap() as u32)
 }
--- a/src-tauri/src/server/server_win.rs
+++ b/src-tauri/src/server/server_win.rs
@ -1,74 +0,0 @@
 use tokio::net::windows::named_pipe::{
    NamedPipeServer,
    ServerOptions,
 };
 use tauri::{AppHandle, Manager};
 use windows::Win32:: {
    Foundation::HANDLE,
    System::Pipes::GetNamedPipeClientProcessId,
 };
 use std::os::windows::io::AsRawHandle;
 use tauri::async_runtime as rt;
 use crate::errors::*;
 // used by parent module
 pub type Stream = NamedPipeServer;
 pub struct Server {
    listener: NamedPipeServer,
    app_handle: AppHandle,
 }
 impl Server {
    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
        let listener = ServerOptions::new()
            .first_pipe_instance(true)
            .create(r"\\.\pipe\creddy-requests")?;
        let srv = Server {listener, app_handle};
        rt::spawn(srv.serve());
        Ok(())
    }
    async fn serve(mut self) {
        loop {
            if let Err(e) = self.try_serve().await {
                eprintln!("Error accepting connection: {e}");
            }
        }
    }
    async fn try_serve(&mut self) -> Result<(), HandlerError> {
        // connect() just waits for a client to connect, it doesn't return anything
        self.listener.connect().await?;
        // create a new pipe instance to listen for the next client, and swap it in
        let new_listener = ServerOptions::new().create(r"\\.\pipe\creddy-requests")?;
        let stream = std::mem::replace(&mut self.listener, new_listener);
        let new_handle = self.app_handle.clone();
        let client_pid = get_client_pid(&stream)?;
        rt::spawn(async move {
            super::handle(stream, new_handle, client_pid)
                .await
                .error_print_prefix("Error responding to request: ");
        });
        Ok(())
    }
 }
 fn get_client_pid(pipe: &NamedPipeServer) -> Result<u32, ClientInfoError> {
    let raw_handle = pipe.as_raw_handle();
    let mut pid = 0u32;
    let handle = HANDLE(raw_handle as _);
    unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
    Ok(pid)
 }
--- a/src-tauri/src/server/ssh_agent.rs
+++ b/src-tauri/src/server/ssh_agent.rs
@ -1,77 +0,0 @@
 use signature::Signer;
 use ssh_agent_lib::agent::{Agent, Session};
 use ssh_agent_lib::proto::message::Message;
 use ssh_key::public::PublicKey;
 use ssh_key::private::PrivateKey;
 use tokio::net::UnixListener;
 struct SshAgent;
 impl std::default::Default for SshAgent {
    fn default() -> Self {
        SshAgent {}
    }
 }
 #[ssh_agent_lib::async_trait]
 impl Session for SshAgent {
    async fn handle(&mut self, message: Message) -> Result<Message, Box<dyn std::error::Error>> {
        println!("Received message");
        match message {
            Message::RequestIdentities => {
                let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519.pub");
                let pubkey = PublicKey::read_openssh_file(&p).unwrap();
                let id = ssh_agent_lib::proto::message::Identity {
                    pubkey_blob: pubkey.to_bytes().unwrap(),
                    comment: pubkey.comment().to_owned(),
                };
                Ok(Message::IdentitiesAnswer(vec![id]))
            },
            Message::SignRequest(req) => {
                println!("Received sign request");
                let mut req_bytes = vec![13];
                encode_string(&mut req_bytes, &req.pubkey_blob);
                encode_string(&mut req_bytes, &req.data);
                req_bytes.extend(req.flags.to_be_bytes());
                std::fs::File::create("/tmp/signreq").unwrap().write(&req_bytes).unwrap();
                let p = std::path::PathBuf::from("/home/joe/.ssh/id_ed25519");
                let passphrase = std::env::var("PRIVKEY_PASSPHRASE").unwrap();
                let privkey = PrivateKey::read_openssh_file(&p)
                    .unwrap()
                    .decrypt(passphrase.as_bytes())
                    .unwrap();
                let sig = Signer::sign(&privkey, &req.data);
                use std::io::Write;
                std::fs::File::create("/tmp/sig").unwrap().write(sig.as_bytes()).unwrap();
                let mut payload = Vec::with_capacity(128);
                encode_string(&mut payload, "ssh-ed25519".as_bytes());
                encode_string(&mut payload, sig.as_bytes());
                println!("Payload length: {}", payload.len());
                std::fs::File::create("/tmp/payload").unwrap().write(&payload).unwrap();
                Ok(Message::SignResponse(payload))
            },
            _ => Ok(Message::Failure),
        }
    }
 }
 fn encode_string(buf: &mut Vec<u8>, s: &[u8]) {
    let len = s.len() as u32;
    buf.extend(len.to_be_bytes());
    buf.extend(s);
 }
 pub async fn run() {
    let socket = "/tmp/creddy-agent.sock";
    let _ = std::fs::remove_file(socket);
    let listener = UnixListener::bind(socket).unwrap();
    SshAgent.listen(listener).await.unwrap();
 }
--- a/src-tauri/src/srv/agent.rs
+++ b/src-tauri/src/srv/agent.rs
@ -0,0 +1,121 @@
 use futures::SinkExt;
 use signature::Signer;
 use ssh_agent_lib::agent::MessageCodec;
 use ssh_agent_lib::proto::message::{
    Message,
    SignRequest,
 };
 use tauri::{AppHandle, Manager};
 use tokio_stream::StreamExt;
 use tokio::sync::oneshot;
 use tokio_util::codec::Framed;
 use crate::clientinfo;
 use crate::errors::*;
 use crate::ipc::{Approval, RequestNotification};
 use crate::state::AppState;
 use super::{CloseWaiter, Stream};
 pub fn serve(app_handle: AppHandle) -> std::io::Result<()> {
    super::serve("creddy-agent", app_handle, handle)
 }
 async fn handle(
    stream: Stream,
    app_handle: AppHandle,
    client_pid: u32
 ) -> Result<(), HandlerError> {
    let mut adapter = Framed::new(stream, MessageCodec);
    while let Some(message) = adapter.try_next().await? {
        match message {
            Message::RequestIdentities => {
                let resp = list_identities(app_handle.clone()).await?;
                adapter.send(resp).await?;
            },
            Message::SignRequest(req) => {
                // CloseWaiter could corrupt the framing, but this doesn't matter
                // since we don't plan to pull any more frames out of the stream
                let waiter = CloseWaiter { stream: adapter.get_mut() };
                let resp = sign_request(req, app_handle.clone(), client_pid, waiter).await?;
                adapter.send(resp).await?;
                break;
            },
            _ => adapter.send(Message::Failure).await?,
        };
    }
    Ok(())
 }
 async fn list_identities(app_handle: AppHandle) -> Result<Message, HandlerError> {
    let state = app_handle.state::<AppState>();
    let identities = state.list_ssh_identities().await?;
    Ok(Message::IdentitiesAnswer(identities))
 }
 async fn sign_request(
    req: SignRequest,
    app_handle: AppHandle,
    client_pid: u32,
    mut waiter: CloseWaiter<'_>,
 ) -> Result<Message, HandlerError> {
    let state = app_handle.state::<AppState>();
        let rehide_ms = {
        let config = state.config.read().await;
        config.rehide_ms
    };
    let client = clientinfo::get_client(client_pid, false)?;
    let lease = state.acquire_visibility_lease(rehide_ms).await
        .map_err(|_e| HandlerError::NoMainWindow)?;
    let (chan_send, chan_recv) = oneshot::channel();
    let request_id = state.register_request(chan_send).await;
    let proceed = async {
        let key_name = state.ssh_name_from_pubkey(&req.pubkey_blob).await?;
        let notification = RequestNotification::new_ssh(request_id, client, key_name.clone());
        app_handle.emit("credential-request", &notification)?;
        let response = tokio::select! {
            r = chan_recv => r?,
            _ = waiter.wait_for_close() => {
                app_handle.emit("request-cancelled", request_id)?;
                return Err(HandlerError::Abandoned);
            },
        };
        if let Approval::Denied = response.approval {
            return Ok(Message::Failure);
        }
        let key = state.sshkey_by_name(&key_name).await?;
        let sig = Signer::sign(&key.private_key, &req.data);
        let key_type = key.algorithm.as_str().as_bytes();
        let payload_len = key_type.len() + sig.as_bytes().len() + 8;
        let mut payload = Vec::with_capacity(payload_len);
        encode_string(&mut payload, key.algorithm.as_str().as_bytes());
        encode_string(&mut payload, sig.as_bytes());
        Ok(Message::SignResponse(payload))
    };
    let res = proceed.await;
    if let Err(_) = &res {
        state.unregister_request(request_id).await;
    }
    lease.release();
    res
 }
 fn encode_string(buf: &mut Vec<u8>, s: &[u8]) {
    let len = s.len() as u32;
    buf.extend(len.to_be_bytes());
    buf.extend(s);
 }
--- a/src-tauri/src/srv/creddy_server.rs
+++ b/src-tauri/src/srv/creddy_server.rs
@ -1,74 +1,30 @@
 use tauri::{AppHandle, Manager};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::sync::oneshot;
 use serde::{Serialize, Deserialize};
 use tauri::{AppHandle, Manager};
 use crate::errors::*;
 use crate::clientinfo::{self, Client};
-use crate::credentials::{
+use crate::errors::*;
    AwsBaseCredential,
    AwsSessionCredential,
 };
 use crate::ipc::{Approval, RequestNotification};
 use crate::state::AppState;
 use crate::shortcuts::{self, ShortcutAction};
-
+use crate::state::AppState;
-#[cfg(windows)]
+use super::{
-mod server_win;
+    CloseWaiter,
-#[cfg(windows)]
+    Request,
-pub use server_win::Server;
+    Response,
-#[cfg(windows)]
+    Stream,
-use server_win::Stream;
+};
 #[cfg(unix)]
 mod server_unix;
 #[cfg(unix)]
 pub use server_unix::Server;
 #[cfg(unix)]
 use server_unix::Stream;
 pub mod ssh_agent;
-#[derive(Serialize, Deserialize)]
+pub fn serve(app_handle: AppHandle) -> std::io::Result<()> {
-pub enum Request {
+    super::serve("creddy-server", app_handle, handle)
    GetAwsCredentials{ 
        base: bool,
    },
    InvokeShortcut(ShortcutAction),
 }
-#[derive(Debug, Serialize, Deserialize)]
+async fn handle(
-pub enum Response {
+    mut stream: Stream,
-    AwsBase(AwsBaseCredential),
+    app_handle: AppHandle,
-    AwsSession(AwsSessionCredential),
+    client_pid: u32
-    Empty,
+) -> Result<(), HandlerError> {
 }
 struct CloseWaiter<'s> {
    stream: &'s mut Stream,
 }
 impl<'s> CloseWaiter<'s> {
    async fn wait_for_close(&mut self) -> std::io::Result<()> {
        let mut buf = [0u8; 8];
        loop {
            match self.stream.read(&mut buf).await {
                Ok(0) => break Ok(()),
                Ok(_) => (),
                Err(e) => break Err(e),
            }
        }
    }
 }
 async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> Result<(), HandlerError> 
 {
    // read from stream until delimiter is reached
    let mut buf: Vec<u8> = Vec::with_capacity(1024); // requests are small, 1KiB is more than enough
    let mut n = 0;
@ -77,20 +33,23 @@ async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> R
        if let Some(&b'\n') = buf.last() {
            break;
        }
-        else if n >= 1024 {
+        // sanity check, no request should ever be within a mile of 1MB
        else if n >= (1024 * 1024) {
            return Err(HandlerError::RequestTooLarge);
        }
    }
-    let client = clientinfo::get_process_parent_info(client_pid)?;
+    let client = clientinfo::get_client(client_pid, true)?;
    let waiter = CloseWaiter { stream: &mut stream };
    let req: Request = serde_json::from_slice(&buf)?;
    let res = match req {
-        Request::GetAwsCredentials{ base } => get_aws_credentials(
+        Request::GetAwsCredentials { name, base } => get_aws_credentials(
-            base, client, app_handle, waiter
+            name, base, client, app_handle, waiter
        ).await,
        Request::InvokeShortcut(action) => invoke_shortcut(action).await,
        Request::GetSshSignature(_) => return Err(HandlerError::Denied),
    };
    // doesn't make sense to send the error to the client if the client has already left
@ -111,6 +70,7 @@ async fn invoke_shortcut(action: ShortcutAction) -> Result<Response, HandlerErro
 async fn get_aws_credentials(
    name: Option<String>,
    base: bool,
    client: Client,
    app_handle: AppHandle,
@ -131,7 +91,9 @@ async fn get_aws_credentials(
    // but ? returns immediately, and we want to unregister the request before returning
    // so we bundle it all up in an async block and return a Result so we can handle errors
    let proceed = async {
-        let notification = RequestNotification::new_aws(request_id, client, base);
+        let notification = RequestNotification::new_aws(
            request_id, client, name.clone(), base
        );
        app_handle.emit("credential-request", &notification)?;
        let response = tokio::select! {
@ -145,11 +107,11 @@ async fn get_aws_credentials(
        match response.approval {
            Approval::Approved => {
                if response.base {
-                    let creds = state.get_aws_default().await?;
+                    let creds = state.get_aws_base(name).await?;
                    Ok(Response::AwsBase(creds))
                }
                else {
-                    let creds = state.get_aws_default_session().await?;
+                    let creds = state.get_aws_session(name).await?;
                    Ok(Response::AwsSession(creds.clone()))
                }
            },
@ -162,7 +124,7 @@ async fn get_aws_credentials(
        Err(e) => {
            state.unregister_request(request_id).await;
            Err(e)
-        }
+        },
    };
    lease.release();
--- a/src-tauri/src/srv/mod.rs
+++ b/src-tauri/src/srv/mod.rs
@ -0,0 +1,170 @@
 use std::future::Future;
 use tauri::{
    AppHandle,
    async_runtime as rt,
 };
 use tokio::io::AsyncReadExt;
 use serde::{Serialize, Deserialize};
 use ssh_agent_lib::proto::message::SignRequest;
 use crate::credentials::{AwsBaseCredential, AwsSessionCredential};
 use crate::errors::*;
 use crate::shortcuts::ShortcutAction;
 pub mod creddy_server;
 pub mod agent;
 use platform::Stream;
 pub use platform::addr;
 #[derive(Debug, Serialize, Deserialize)]
 pub enum Request {
    GetAwsCredentials { 
        name: Option<String>,
        base: bool,
    },
    GetSshSignature(SignRequest),
    InvokeShortcut(ShortcutAction),
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub enum Response {
    AwsBase(AwsBaseCredential),
    AwsSession(AwsSessionCredential),
    Empty,
 }
 struct CloseWaiter<'s> {
    stream: &'s mut Stream,
 }
 impl<'s> CloseWaiter<'s> {
    async fn wait_for_close(&mut self) -> std::io::Result<()> {
        let mut buf = [0u8; 8];
        loop {
            match self.stream.read(&mut buf).await {
                Ok(0) => break Ok(()),
                Ok(_) => (),
                Err(e) => break Err(e),
            }
        }
    }
 }
 fn serve<H, F>(sock_name: &str, app_handle: AppHandle, handler: H) -> std::io::Result<()>
    where H: Copy + Send + Fn(Stream, AppHandle, u32) -> F + 'static,
          F: Send + Future<Output = Result<(), HandlerError>>,
 {
    let (mut listener, addr) = platform::bind(sock_name)?;
    rt::spawn(async move {
        loop {
            let (stream, client_pid) = match platform::accept(&mut listener, &addr).await {
                Ok((s, c)) => (s, c),
                Err(e) => {
                    eprintln!("Error accepting request: {e}");
                    continue;
                },
            };
            let new_handle = app_handle.clone();
            rt::spawn(async move {
                handler(stream, new_handle, client_pid)
                    .await
                    .error_print_prefix("Error responding to request: ");
            });
        }
    });
    Ok(())
 }
 #[cfg(unix)]
 mod platform {
    use std::io::ErrorKind;
    use std::path::PathBuf;
    use tokio::net::{UnixListener, UnixStream};
    use super::*;
    pub type Stream = UnixStream;
    pub fn bind(sock_name: &str) -> std::io::Result<(UnixListener, PathBuf)> {
        let path = addr(sock_name);
        match std::fs::remove_file(&path) {
            Ok(_) => (),
            Err(e) if e.kind() == ErrorKind::NotFound => (),
            Err(e) => return Err(e),
        }
        let listener = UnixListener::bind(&path)?;
        Ok((listener, path))
    }
    pub async fn accept(listener: &mut UnixListener, _addr: &PathBuf) -> Result<(UnixStream, u32), HandlerError> {
        let (stream, _addr) = listener.accept().await?;
        let pid = stream.peer_cred()?
            .pid()
            .ok_or(ClientInfoError::PidNotFound)?
            as u32;
        Ok((stream, pid))
    }
    pub fn addr(sock_name: &str) -> PathBuf {
        let mut path = dirs::runtime_dir()
            .unwrap_or_else(|| PathBuf::from("/tmp"));
        path.push(format!("{sock_name}.sock"));
        path
    }
 }
 #[cfg(windows)]
 mod platform {
    use std::os::windows::io::AsRawHandle;
    use tokio::net::windows::named_pipe::{
        NamedPipeServer,
        ServerOptions,
    };
    use windows::Win32::{
        Foundation::HANDLE,
        System::Pipes::GetNamedPipeClientProcessId,
    };
    use super::*;
    pub type Stream = NamedPipeServer;
    pub fn bind(sock_name: &str) -> std::io::Result<(String, NamedPipeServer)> {
        let addr = addr(sock_name);
        let listener = ServerOptions::new()
            .first_pipe_instance(true)
            .create(&addr)?;
        Ok((listener, addr))
    }
    pub async fn accept(listener: &mut NamedPipeServer, addr: &String) -> Result<(NamedPipeServer, u32), HandlerError> {
        // connect() just waits for a client to connect, it doesn't return anything
        listener.connect().await?;
        // unlike Unix sockets, a Windows NamedPipeServer *becomes* the open stream
        // once a client connects. If we want to keep listening, we have to construct
        // a new server and swap it in.
        let new_listener = ServerOptions::new().create(addr)?;
        let stream = std::mem::replace(listener, new_listener);
        let raw_handle = stream.as_raw_handle();
        let mut pid = 0u32;
        let handle = HANDLE(raw_handle as _);
        unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
        Ok((stream, pid))
    }
    pub fn addr(sock_name: &str) -> String {
        format!(r"\\.\pipe\{sock_name}")
    }
 }
--- a/src-tauri/src/state.rs
+++ b/src-tauri/src/state.rs
@ -7,6 +7,7 @@ use tokio::{
    sync::{RwLock, RwLockReadGuard},
    sync::oneshot::{self, Sender},
 };
 use ssh_agent_lib::proto::message::Identity;
 use sqlx::SqlitePool;
 use sqlx::types::Uuid;
 use tauri::{
@ -18,6 +19,7 @@ use crate::app;
 use crate::credentials::{
    AppSession,
    AwsSessionCredential,
    SshKey,
 };
 use crate::{config, config::AppConfig};
 use crate::credentials::{
@ -165,6 +167,10 @@ impl AppState {
        Ok(list)
    }
    pub async fn list_ssh_identities(&self) -> Result<Vec<Identity>, GetCredentialsError> {
        Ok(SshKey::list_identities(&self.pool).await?)
    }
    pub async fn set_passphrase(&self, passphrase: &str) -> Result<(), SaveCredentialsError> {
        let mut cur_session = self.app_session.write().await;
        if let AppSession::Locked {..} = *cur_session {
@ -264,21 +270,23 @@ impl AppState {
        Ok(())
    }
-    pub async fn get_aws_default(&self) -> Result<AwsBaseCredential, GetCredentialsError> {
+    pub async fn get_aws_base(&self, name: Option<String>) -> Result<AwsBaseCredential, GetCredentialsError> {
        let app_session = self.app_session.read().await;
        let crypto = app_session.try_get_crypto()?;
-        let record = CredentialRecord::load_default("aws", crypto, &self.pool).await?;
+        let creds = match name {
-        let creds = match record.credential {
+            Some(n) => AwsBaseCredential::load_by_name(&n, crypto, &self.pool).await?,
-            Credential::AwsBase(b) => Ok(b),
+            None => AwsBaseCredential::load_default(crypto, &self.pool).await?,
-            _ => Err(LoadCredentialsError::NoCredentials)
+        };
        }?;
        Ok(creds)
    }
-    pub async fn get_aws_default_session(&self) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> {
+    pub async fn get_aws_session(&self, name: Option<String>) -> Result<RwLockReadGuard<'_, AwsSessionCredential>, GetCredentialsError> {
        let app_session = self.app_session.read().await;
        let crypto = app_session.try_get_crypto()?;
-        let record = CredentialRecord::load_default("aws", crypto, &self.pool).await?;
+        let record = match name {
            Some(n) => CredentialRecord::load_by_name(&n, crypto, &self.pool).await?,
            None => CredentialRecord::load_default("aws", crypto, &self.pool).await?,
        };
        let base = match &record.credential {
            Credential::AwsBase(b) => Ok(b),
            _ => Err(LoadCredentialsError::NoCredentials)
@ -302,6 +310,18 @@ impl AppState {
        Ok(s)
    }
    pub async fn ssh_name_from_pubkey(&self, pubkey: &[u8]) -> Result<String, GetCredentialsError> {
        let k = SshKey::name_from_pubkey(pubkey, &self.pool).await?;
        Ok(k)
    }
    pub async fn sshkey_by_name(&self, name: &str) -> Result<SshKey, GetCredentialsError> {
        let app_session = self.app_session.read().await;
        let crypto = app_session.try_get_crypto()?;
        let k = SshKey::load_by_name(name, crypto, &self.pool).await?;
        Ok(k)
    }
    pub async fn signal_activity(&self) {
        let mut last_activity = self.last_activity.write().await;
        *last_activity = OffsetDateTime::now_utc();
--- a/src-tauri/src/terminal.rs
+++ b/src-tauri/src/terminal.rs
@ -63,12 +63,12 @@ async fn do_launch(app: &AppHandle, use_base: bool) -> Result<(), LaunchTerminal
    // (i.e. lies about unlocking) we could end up here with a locked session
    // this will result in an error popup to the user (see main hotkey handler)
    if use_base {
-        let base_creds = state.get_aws_default().await?;
+        let base_creds = state.get_aws_base(None).await?;
        cmd.env("AWS_ACCESS_KEY_ID", &base_creds.access_key_id);
        cmd.env("AWS_SECRET_ACCESS_KEY", &base_creds.secret_access_key);
    }
    else {
-        let session_creds = state.get_aws_default_session().await?;
+        let session_creds = state.get_aws_session(None).await?;
        cmd.env("AWS_ACCESS_KEY_ID", &session_creds.access_key_id);
        cmd.env("AWS_SECRET_ACCESS_KEY", &session_creds.secret_access_key);
        cmd.env("AWS_SESSION_TOKEN", &session_creds.session_token);
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@ -50,7 +50,7 @@
    }
  },
  "productName": "creddy",
-  "version": "0.4.9",
+  "version": "0.5.0",
  "identifier": "creddy",
  "plugins": {},
  "app": {
--- a/src/lib/errors.js
+++ b/src/lib/errors.js
@ -6,3 +6,12 @@ export function getRootCause(error) {
        return error;
    }
 }
 export function fullMessage(error) {
    let msg = error?.msg ? error.msg : error;
    if (error.source) {
        msg = `${msg}: ${fullMessage(error.source)}`;
    }
    return msg
 }
--- a/src/ui/ErrorAlert.svelte
+++ b/src/ui/ErrorAlert.svelte
@ -2,6 +2,9 @@
    import { onMount } from 'svelte';
    import { slide } from 'svelte/transition';
    import { fullMessage } from '../lib/errors.js';
    let extraClasses = "";
    export {extraClasses as class};
    export let slideDuration = 150;
@ -78,7 +81,7 @@
    <div transition:slide="{{duration: slideDuration}}" class="alert alert-error shadow-lg {animationClass} {extraClasses}">
        <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
        <span>
-            <slot {error}>{error.msg || error}</slot>
+            <slot {error}>{fullMessage(error)}</slot>
        </span>
        {#if $$slots.buttons}
--- a/src/ui/FileInput.svelte
+++ b/src/ui/FileInput.svelte
@ -0,0 +1,53 @@
 <script>
    // import { listen } from '@tauri-apps/api/event';
    import { open } from '@tauri-apps/plugin-dialog';
    import { sep } from '@tauri-apps/api/path';
    import { createEventDispatcher } from 'svelte';
    import Icon from './Icon.svelte';
    export let value = {};
    export let params = {};
    let displayValue = value?.name || '';
    const dispatch = createEventDispatcher();
    async function chooseFile() {
        let file = await open(params);
        if (file) {
            value = file;
            displayValue = file.name;
            dispatch('update', value);
        }
    }
    function handleInput(evt) {
        const segments = evt.target.value.split(sep());
        const name = segments[segments.length - 1];
        value = {name, path: evt.target.value};
    }
    // some day, figure out drag-and-drop
    // let drag = null;
    // listen('tauri://drag', e => drag = e);
    // listen('tauri://drop', e => console.log(e));
    // listen('tauri://drag-cancelled', e => console.log(e));
    // listen('tauri://drop-over', e => console.log(e));
 </script>
 <div class="relative flex join has-[:focus]:outline outline-2 outline-offset-2 outline-base-content/20">
    <button type="button" class="btn btn-neutral join-item" on:click={chooseFile}>
        Choose file
    </button>
    <input 
        type="text"
        class="join-item grow input input-bordered border-l-0 bg-transparent focus:outline-none"
        value={displayValue}
        on:input={handleInput}
        on:change={() => dispatch('update', value)}
        on:focus on:blur
    >
 </div>
--- a/src/ui/PassphraseInput.svelte
+++ b/src/ui/PassphraseInput.svelte
@ -8,6 +8,11 @@
    export {classes as class};
    let show = false;
    let input;
    export function focus() {
        input.focus();
    }
 </script>
@ -19,13 +24,14 @@
 </style>
-<div class="join w-full">
+<div class="join w-full has-[:focus]:outline outline-2 outline-offset-2 outline-base-content/20">
    <input
        bind:this={input}
        type={show ? 'text' : 'password'}
        {value} {placeholder} {autofocus}
        on:input={e => value = e.target.value}
        on:input on:change on:focus on:blur
-        class="input input-bordered flex-grow join-item placeholder:text-gray-500 {classes}"
+        class="input input-bordered flex-grow join-item placeholder:text-gray-500 focus:outline-none {classes}"
    />
    <button
--- a/src/views/Home.svelte
+++ b/src/views/Home.svelte
@ -36,37 +36,41 @@
 <div class="flex flex-col h-screen items-center justify-center p-4 space-y-4">
    <div class="grid grid-cols-2 gap-6">
-        <Link target="ManageCredentials">
+        <button
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-primary hover:bg-base-200 transition-colors">
+            on:click={() => navigate('ManageCredentials')}
            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-primary hover:bg-base-200 transition-transform active:scale-[.98] transition-transform"
        >
            <Icon name="key" class="size-12 stroke-1 stroke-primary" />
            <h3 class="text-lg font-bold">Credentials</h3>
-                <p class="text-sm">Add, remove, and change defaults credentials.</p>
+            <p class="text-sm">Add, remove, and change default credentials.</p>
-            </div>
+        </button>
        </Link>
-        <Link target={launchTerminal}>
+        <button 
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-secondary hover:bg-base-200 transition-colors">
+            on:click={launchTerminal}
            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-secondary hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
        >
            <Icon name="command-line" class="size-12 stroke-1 stroke-secondary" />
            <h3 class="text-lg font-bold">Terminal</h3>
            <p class="text-sm">Launch a terminal pre-configured with AWS credentials.</p>
-            </div>
+        </button>
        </Link>
-        <Link target={lock}>
+        <button 
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-warning hover:bg-base-200 transition-colors">
+            on:click={lock}
            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-warning hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
        >
            <Icon name="shield-check" class="size-12 stroke-1 stroke-warning" />
            <h3 class="text-lg font-bold">Lock</h3>
            <p class="text-sm">Lock Creddy.</p>
-            </div>
+        </button>
        </Link>
-        <Link target={() => invoke('exit')}>
+        <button 
-            <div class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-accent hover:bg-base-200 transition-colors">
+            on:click={() => invoke('exit')}
            class="flex flex-col items-center gap-4 h-full max-w-56 rounded-box p-4 border border-accent hover:bg-base-200 transition-colors active:scale-[.98] transition-transform"
        >
            <Icon name="arrow-right-start-on-rectangle" class="size-12 stroke-1 stroke-accent" />
            <h3 class="text-lg font-bold">Exit</h3>
            <p class="text-sm">Close Creddy.</p>
-            </div>
+        </button>
        </Link>
    </div>
 </div>
--- a/src/views/ManageCredentials.svelte
+++ b/src/views/ManageCredentials.svelte
@ -5,12 +5,18 @@
    import { invoke } from '@tauri-apps/api/core';
    import AwsCredential from './credentials/AwsCredential.svelte';
    import ConfirmDelete from './credentials/ConfirmDelete.svelte';
    import SshKey from './credentials/SshKey.svelte';
    // import NewSshKey from './credentials/NewSshKey.svelte';
    // import EditSshKey from './credentials/EditSshKey.svelte';
    import Icon from '../ui/Icon.svelte';
    import Nav from '../ui/Nav.svelte';
    let show = false;
-    let records = []
+    let records = null
    $: awsRecords = (records || []).filter(r => r.credential.type === 'AwsBase');
    $: sshRecords = (records || []).filter(r => r.credential.type === 'Ssh');
    let defaults = writable({});
    async function loadCreds() {
        records = await invoke('list_credentials');
@ -24,11 +30,33 @@
            id: crypto.randomUUID(),
            name: null,
            is_default: false,
-            credential: {type: 'AwsBase', AccessKeyId: null, SecretAccessKey: null},
+            credential: {type: 'AwsBase', AccessKeyId: '', SecretAccessKey: ''},
            isNew: true,
        });
        records = records;
    }
    function newSsh() {
        records.push({
            id: crypto.randomUUID(),
            name: null,
            is_default: false,
            credential: {type: 'Ssh', algorithm: '', comment: '', private_key: '', public_key: '',},
            isNew: true,
        });
        records = records;
    }
    let confirmDelete;
    function handleDelete(evt) {
        const record = evt.detail;
        if (record.isNew) {
            records = records.filter(r => r.id !== record.id);
        }
        else {
            confirmDelete.confirm(record);
        }
    }
 </script>
@ -36,20 +64,25 @@
    <h1 slot="title" class="text-2xl font-bold">Credentials</h1>
 </Nav>
-<div class="max-w-xl mx-auto mb-12 flex flex-col gap-y-4 justify-center">
+<div class="max-w-xl mx-auto mb-12 flex flex-col gap-y-12 justify-center">
    <div class="flex flex-col gap-y-4">
        <div class="divider">
            <h2 class="text-xl font-bold">AWS Access Keys</h2>
        </div>
-    {#if records.length > 0}
+        {#if awsRecords.length > 0}
-        {#each records as record (record.id)}
+            {#each awsRecords as record (record.id)}
-            <AwsCredential {record} {defaults} on:update={loadCreds} />
+                <AwsCredential
                    {record} {defaults}
                    on:update={loadCreds}
                    on:delete={handleDelete}
                />
            {/each}
            <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
                <Icon name="plus-circle-mini" class="size-5" />
                Add
            </button>
-    {:else}
+        {:else if records !== null}
            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
                <div>You have no saved AWS credentials.</div>
                <button class="btn btn-primary btn-wide mx-auto" on:click={newAws}>
@ -58,5 +91,32 @@
                </button>
            </div>
        {/if}
    </div>
    <div class="flex flex-col gap-y-4">
        <div class="divider">
            <h2 class="text-xl font-bold">SSH Keys</h2>
        </div>
        {#if sshRecords.length > 0}
            {#each sshRecords as record (record.id)}
                <SshKey {record} on:save={loadCreds} on:delete={handleDelete} />
            {/each}
            <button class="btn btn-primary btn-wide mx-auto" on:click={newSsh}>
                <Icon name="plus-circle-mini" class="size-5" />
                Add
            </button>
        {:else if records !== null}
            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
                <div>You have no saved SSH keys.</div>
                <button class="btn btn-primary btn-wide mx-auto" on:click={newSsh}>
                    <Icon name="plus-circle-mini" class="size-5" />
                    Add
                </button>
            </div>
        {/if}
    </div>
 </div>
 <ConfirmDelete bind:this={confirmDelete} on:confirm={loadCreds} />
--- a/src/views/Unlock.svelte
+++ b/src/views/Unlock.svelte
@ -34,6 +34,9 @@
        }
    }
    let input;
    onMount(() => input.focus());
 </script>
@ -52,7 +55,11 @@
        <ErrorAlert bind:this="{alert}" />
        <!-- svelte-ignore a11y-autofocus -->
-        <PassphraseInput autofocus="true" bind:value={passphrase} placeholder="correct horse battery staple" />
+        <PassphraseInput
            bind:this={input}
            bind:value={passphrase}
            placeholder="correct horse battery staple"
        />
    </label>
    <button type="submit" class="btn btn-primary">
--- a/src/views/approve/CollectResponse.svelte
+++ b/src/views/approve/CollectResponse.svelte
@ -42,7 +42,17 @@
 {/if}
 <div class="space-y-1 mb-4">
-    <h2 class="text-xl font-bold">{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.</h2>
+    <h2 class="text-xl font-bold">
        {#if $appState.currentRequest.type === 'Aws'}
            {#if $appState.currentRequest.name}
                {appName ? `"${appName}"` : 'An appplication'} would like to access your AWS access key "{$appState.currentRequest.name}".
            {:else}
                {appName ? `"${appName}"` : 'An appplication'} would like to access your default AWS access key
            {/if}
        {:else if $appState.currentRequest.type === 'Ssh'}
            {appName ? `"${appName}"` : 'An application'} would like to use your SSH key "{$appState.currentRequest.key_name}".
        {/if}
    </h2>
    <div class="grid grid-cols-[auto_1fr] gap-x-3">
        <div class="text-right">Path:</div>
@ -56,7 +66,11 @@
        <!-- Don't display the option to approve with session credentials if base was specifically requested -->
        {#if !$appState.currentRequest?.base}
            <h3 class="font-semibold">
                {#if $appState.currentRequest.type === 'Aws'}
                    Approve with session credentials
                {:else}
                    Approve
                {/if}
            </h3>
            <Link target={() => setResponse('Approved', false)} hotkey="Enter" shift={true}>
                <button class="w-full btn btn-success">
@ -65,6 +79,7 @@
            </Link>
        {/if}
        {#if $appState.currentRequest.type === 'Aws'}
            <h3 class="font-semibold">
                <span class="mr-2">
                    {#if $appState.currentRequest?.base}
@ -79,6 +94,7 @@
                    <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} />
                </button>
            </Link>
        {/if}
        <h3 class="font-semibold">
            <span class="mr-2">Deny</span>
--- a/src/views/credentials/AwsCredential.svelte
+++ b/src/views/credentials/AwsCredential.svelte
@ -16,7 +16,6 @@
    let showDetails = record.isNew ? true : false;
    let localName = name;
    let local = JSON.parse(JSON.stringify(record));
    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
@ -32,38 +31,19 @@
        showDetails = false;
    }
    let deleteModal;
    function conditionalDelete() {
        if (!record.isNew) {
            deleteModal.showModal();
        }
        else {
            deleteCredential();
        }
    }
    async function deleteCredential() {
        try {
            if (!record.isNew) {
                await invoke('delete_credential', {id: record.id});
            }
            dispatch('update');
        }
        catch (e) {
            showDetails = true;
            // wait for showDetails to take effect and the alert to be rendered
            window.setTimeout(() => alert.setError(e), 0);
        }
    }
 </script>
-<div 
+<div class="rounded-box space-y-4 bg-base-200 {record.is_default ? 'border border-accent' : ''}">
    transition:slide|local={{duration: record.isNew ? 300 : 0}}
    class="rounded-box space-y-4 bg-base-200 {record.is_default ? 'border border-accent' : ''}"
 >
    <div class="flex items-center px-6 py-4 gap-x-4">
-        <h3 class="text-lg font-bold">{record.name || ''}</h3>
+        <h3 class="text-lg font-bold">
            {#if !record?.isNew && showDetails}
                <input type="text" class="input input-bordered bg-transparent" bind:value={local.name}>
            {:else}
                {record.name || ''}
            {/if}
        </h3>
        {#if record.is_default}
            <span class="badge badge-accent">Default</span>
@ -80,7 +60,7 @@
            <button
                type="button"
                class="btn btn-outline btn-error join-item"
-                on:click={conditionalDelete}
+                on:click={() => dispatch('delete', record)}
            >
                <Icon name="trash" class="size-6" />
            </button>
@ -136,20 +116,4 @@
            </div>
        </form>
    {/if}
    <dialog bind:this={deleteModal} class="modal">
        <div class="modal-box">
            <h3 class="text-lg font-bold">Delete AWS credential "{record.name}"?</h3>
            <div class="modal-action">
                <form method="dialog" class="flex gap-x-4">
                    <button class="btn btn-outline">Cancel</button>
                    <button 
                        autofocus
                        class="btn btn-error"
                        on:click={deleteCredential}
                    >Delete</button>
                </form>
            </div>
        </div>
    </dialog>
 </div>
--- a/src/views/credentials/ConfirmDelete.svelte
+++ b/src/views/credentials/ConfirmDelete.svelte
@ -0,0 +1,62 @@
 <script>
    import { invoke } from '@tauri-apps/api/core';
    import { createEventDispatcher } from 'svelte';
    import ErrorAlert from '../../ui/ErrorAlert.svelte';
    let record;
    let modal;
    let alert;
    const dispatch = createEventDispatcher();
    export function confirm(r) {
        record = r;
        modal.showModal();
    }
    async function deleteCredential() {
        await invoke('delete_credential', {id: record.id})
        // closing the modal is dependent on the previous step succeeding
        modal.close();
        dispatch('confirm');
    }
    function credentialDescription(record) {
        if (record.credential.type === 'AwsBase') {
            return 'AWS credential';
        }
        if (record.credential.type === 'Ssh') {
            return 'SSH key';
        }
    }
 </script>
 <dialog bind:this={modal} class="modal">
    <div class="modal-box space-y-6">
        <ErrorAlert bind:this={alert} />
        <h3 class="text-lg font-bold">
            {#if record}
                Delete {credentialDescription(record)} "{record.name}"?
            {/if}
        </h3>
        <div class="modal-action">
            <form method="dialog" class="flex gap-x-4">
                <button
                    class="btn btn-outline"
                    on:click={() => alert.setError(null)}
                >
                    Cancel
                </button>
                <button
                    autofocus
                    class="btn btn-error"
                    on:click|preventDefault={() => alert.run(deleteCredential)}
                >
                    Delete
                </button>
            </form>
        </div>
    </div>
 </dialog>
--- a/src/views/credentials/EditSshKey.svelte
+++ b/src/views/credentials/EditSshKey.svelte
@ -0,0 +1,85 @@
 <script>
    import { invoke } from '@tauri-apps/api/core';
    import { createEventDispatcher } from 'svelte';
    import { fade } from 'svelte/transition';
    import ErrorAlert from '../../ui/ErrorAlert.svelte';
    export let local;
    export let isModified;
    const dispatch = createEventDispatcher();
    let alert;
    async function saveCredential() {
        await invoke('save_credential', {record: local});
        dispatch('save', local);
        showDetails = false;
    }
    async function copyText(evt) {
        const tooltip = event.currentTarget;
        await navigator.clipboard.writeText(tooltip.dataset.copyText);
        const prevText = tooltip.dataset.tip;
        tooltip.dataset.tip = 'Copied!';
        window.setTimeout(() => tooltip.dataset.tip = prevText, 2000);
    }
 </script>
 <style>
    .grid {
        grid-template-columns: auto minmax(0, 1fr);
    }
 </style>
 <form class="space-y-4" on:submit|preventDefault={() => alert.run(saveCredential)}>
    <ErrorAlert bind:this={alert} />
    <div class="grid items-baseline gap-4">
        <span class="justify-self-end">Comment</span>
        <input
            type="text"
            class="input input-bordered bg-transparent"
            bind:value={local.credential.comment}
        >
        <span class="justify-self-end">Public key</span>
        <div
            class="tooltip tooltip-right"
            data-tip="Click to copy"
            data-copy-text={local.credential.public_key}
            on:click={copyText}
        >
            <div class="cursor-pointer text-left textarea textarea-bordered bg-transparent font-mono break-all">
                {local.credential.public_key}
            </div>
        </div>
        <span class="justify-self-end">Private key</span>
        <div
            class="tooltip tooltip-right"
            data-tip="Click to copy"
            data-copy-text={local.credential.private_key}
            on:click={copyText}
        >
            <div class="cursor-pointer text-left textarea textarea-bordered bg-transparent font-mono whitespace-pre overflow-x-auto">
                {local.credential.private_key}
            </div>
        </div>
    </div>
    <div class="flex justify-end">
        {#if isModified}
            <button
                transition:fade={{duration: 100}}
                type="submit"
                class="btn btn-primary"
            >
                Save
            </button>
        {/if}
    </div>
 </form>
--- a/src/views/credentials/NewSshKey.svelte
+++ b/src/views/credentials/NewSshKey.svelte
@ -0,0 +1,80 @@
 <script>
    import { createEventDispatcher } from 'svelte';
    import { invoke } from '@tauri-apps/api/core';
    import { homeDir } from '@tauri-apps/api/path';
    import { fade } from 'svelte/transition';
    import ErrorAlert from '../../ui/ErrorAlert.svelte';
    import FileInput from '../../ui/FileInput.svelte';
    import PassphraseInput from '../../ui/PassphraseInput.svelte';
    import Spinner from '../../ui/Spinner.svelte';
    export let record;
    let name;
    let file;
    let passphrase = '';
    let showDetails = true;
    const dispatch = createEventDispatcher();
    let defaultPath = null;
    homeDir().then(d => defaultPath = `${d}/.ssh`);
    let alert;
    let saving = false;
    async function saveCredential() {
        saving = true;
        try {
            let key = await invoke('sshkey_from_file', {path: file.path, passphrase});
            const payload = {
                id: record.id,
                name,
                is_default: false, // ssh keys don't care about defaults
                credential: {type: 'Ssh', ...key},
            };
            await invoke('save_credential', {record: payload});
            dispatch('save', payload);
        }
        finally {
            saving = false;
        }
    }
 </script>
 <form class="space-y-4" on:submit|preventDefault={alert.run(saveCredential)}>
    <ErrorAlert bind:this={alert} />
    <div class="grid grid-cols-[auto_1fr] items-center gap-4">
        <span class="justify-self-end">Name</span>
        <input
            type="text"
            class="input input-bordered bg-transparent"
            bind:value={name}
        >
        <span class="justify-self-end">File</span>
        <FileInput params={{defaultPath}} bind:value={file} on:update={() => name = file.name} />
        <span class="justify-self-end">Passphrase</span>
        <PassphraseInput class="bg-transparent" bind:value={passphrase} />
    </div>
    <div class="flex justify-end">
        {#if file?.path}
            <button
                transition:fade={{duration: 100}}
                type="submit"
                class="btn btn-primary"
            >
                {#if saving}
                    <Spinner class="size-5 min-w-16" thickness="12" />
                {:else}
                    <span class="min-w-16">Save</span>
                {/if}
            </button>
        {/if}
    </div>
 </form>
--- a/src/views/credentials/SshKey.svelte
+++ b/src/views/credentials/SshKey.svelte
@ -0,0 +1,71 @@
 <script>
    import { createEventDispatcher } from 'svelte';
    import { slide } from 'svelte/transition';
    import NewSshKey from './NewSshKey.svelte';
    import EditSshKey from './EditSshKey.svelte';
    import Icon from '../../ui/Icon.svelte';
    export let record;
    const dispatch = createEventDispatcher();
    function copy(obj) {
        return JSON.parse(JSON.stringify(obj));
    }
    let local = copy(record);
    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
    let showDetails = record?.isNew;
    function handleSave(evt) {
        local = copy(evt.detail);
        showDetails = false;
    }
 </script>
 <div class="rounded-box space-y-4 bg-base-200">
    <div class="flex items-center px-6 py-4 gap-x-4">
        {#if !record.isNew}
            {#if showDetails}
                <input 
                    type="text"
                    class="input input-bordered bg-transparent text-lg font-bold"
                    bind:value={local.name}
                >
            {:else}
                <h3 class="text-lg font-bold">
                    {record.name}
                </h3>
            {/if}
        {/if}
        <div class="join ml-auto">
            <button
                type="button"
                class="btn btn-outline join-item"
                on:click={() => showDetails = !showDetails}
            >
                <Icon name="pencil" class="size-6" />
            </button>
            <button
                type="button"
                class="btn btn-outline btn-error join-item"
                on:click={() => dispatch('delete', record)}
            >
                <Icon name="trash" class="size-6" />
            </button>
        </div>
    </div>
    {#if record && showDetails}
        <div transition:slide|local={{duration: 200}} class="px-6 pb-4 space-y-4">
            {#if record.isNew}
                <NewSshKey {record} on:save on:save={handleSave} />
            {:else}
                <EditSshKey bind:local={local} {isModified} on:save />
            {/if}
        </div>
    {/if}
 </div>
Author	SHA1	Message	Date
Joseph Montanaro	ae93a57aab	v0.5.0	2024-07-03 14:56:35 -04:00
Joseph Montanaro	9fd355b68e	finish SSH key support	2024-07-03 14:54:10 -04:00
Joseph Montanaro	00089d7efb	fix compiler warnings	2024-07-03 06:47:25 -04:00
Joseph Montanaro	0124f77f7b	initial working implementation of ssh agent	2024-07-03 06:33:58 -04:00
Joseph Montanaro	6711ce2c43	finish manage ui for ssh keys	2024-07-02 09:57:02 -04:00
Joseph Montanaro	a3a11897c2	persistence for ssh keys	2024-07-01 13:27:20 -04:00
Joseph Montanaro	5e6542d08e	initial ssh key model and creation ui	2024-07-01 06:38:46 -04:00
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASRxkrR1+nCDZiZN2d8Muvl+zW8undCJVCo+qVMAjkj hello world`
		`@ -0,0 +1 @@`
							{"algorithm":"ssh-ed25519","comment":"hello world","public_key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world","private_key":"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8gAAAJAwEcgHMBHI\nBwAAAAtzc2gtZWQyNTUxOQAAACC7sFhGkIp/SBnKab5Q6UZY/W9R0k/+ztZ4Vm1D4d1r8g\nAAAEB9VXgjePmpl6Q3Y1t2a4DZhsdRf+183vWAJWAonDOneLuwWEaQin9IGcppvlDpRlj9\nb1HST/7O1nhWbUPh3WvyAAAAC2hlbGxvIHdvcmxkAQI=\n-----END OPENSSH PRIVATE KEY-----\n"}
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuwWEaQin9IGcppvlDpRlj9b1HST/7O1nhWbUPh3Wvy hello world`
		`@ -0,0 +1 @@`
							ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwIeD+SUIx511M/JztbfUkEi8OhnF3ELsGYjbRq/ABy0x8tYlk6ZjlOFg2kSMAEpoTNOVJp+9eDsQRXZfgmQOKz7ugrS/l1XT38/8SKpe1n3XYti3Nkh/xpbv9y1XXd3mkGr1GUorviywNqWNw/Ox5OH7tasHAztBBrpecu4gL7GwXkXcRFD8cTQNVSNJzdz0B4/ZDRjgRtzOdn0s/yNH+z3YciHjBNeLmANnSMPEaOtjgQV0akjo5jRCOkEP2MKm3uxMQknyopGRVCW4aJyula28G/uV2TjyKyF6l3kCK7Y7FSb50n7IxwaLMldoANdsAmp37LGIoM6VM/Muf+xcxWQZfMzXG3a+7Uqgs1cMnGYxJbCpEBPGlRNghdfkVlUSSpEiJVLN8eMH4G0Z6BflszCYUbN9RevcWdARpR7Ec6AsOJ3squiORWvEemp+dBXF+Hw7XA0H0cAhVafiNj1y7gXlgWgv4hTeleJMynRXx+Mo1gr42EkEPBlaFM/gBYC8= hello world
		`@ -0,0 +1 @@`
							ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEq85taUAJEuutUnczQB4w6/PclDO3nI40PXr74ZqfMJk0giV32YBzRrSNT7BgTQItqCblYkY15M4ZhRql0w39IAfembBK5MLwCCPf/DyN3mLwdIMcH4kDBnyD3M19nO6GQ8k8UpH2tQR/U2RqN8hAmJNP/eWIK13XaWzdxEIcOeKJR2jP1mUM5YXjWj9zmwFWUKpGmr3vxph+Vdr+x9QLQ4hlTtMgXRhSjYgZJ8QsviEMz29JqQYZrW5qy/F2jX7FL/nLhb5ge5QUlhVmKSAWh1FkwcHR+9TDVp1EJKfxnQQ6vN7lBXPfxPx/LCcYqnZSj6ImwN1VMNxwXDCQHhveiP5cw1yuWriCbR5/lw2+0KD36YM8/HMjofEyNSjVzDwArrmBZdZ3yvZL1pcpEyJk2XG1xJHQrq9TqtItA3VrLkN1RQLoRIgRfuu5YszfXfWWgsHpukctWrm4PbKGLn6jgOj9IN6TaMq8u8XJXCM6Ut5d/l6Ry1kBnQC1KccMQwU= hello world