irosh 0.2.0

SSH sessions over Iroh peer-to-peer transport
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

//! Identity key bootstrapping and management.

use std::fmt;
use std::fs;
use std::str::FromStr;

use iroh::SecretKey;
use russh::keys::ssh_key::PrivateKey;
use russh::keys::ssh_key::private::Ed25519Keypair;
use tokio::task;

use crate::config::StateConfig;
use crate::error::{Result, StorageError};

/// Ensures the key storage directory exists.
fn ensure_key_dir(state: &StateConfig) -> Result<()> {
    let path = state.root().join("keys");
    if !path.exists() {
        fs::create_dir_all(&path).map_err(|source| StorageError::DirectoryCreate {
            path: path.clone(),
            source,
        })?;
    }
    Ok(())
}

/// Holds the unified cryptographic identity for both Iroh and SSH layers.
///
/// The same seed material is used to derive both the Iroh node identity and
/// the SSH host/client key used by the library.
pub struct NodeIdentity {
    /// The Iroh networking secret key.
    pub secret_key: SecretKey,
    /// The SSH protocol private key.
    pub ssh_key: PrivateKey,
}

impl fmt::Debug for NodeIdentity {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("NodeIdentity")
            .field("node_id", &self.node_id())
            .field("secret_key", &"<redacted>")
            .field("ssh_key", &"<redacted>")
            .finish()
    }
}

impl NodeIdentity {
    /// Returns the public Node ID for this identity.
    pub fn node_id(&self) -> String {
        self.secret_key.public().to_string()
    }
}

const SECRET_KEY_FILE: &str = "keys/node.secret";

/// Loads the local identity from storage, or generates a new one if none exists.
///
/// This ensures that the Iroh node ID and the SSH host key are derived from the
/// same secret seed for self-authenticating connections.
///
/// # Errors
///
/// Returns an error if the key directory cannot be created, if the persisted
/// secret cannot be read or parsed, or if a generated secret cannot be written.
pub async fn load_or_generate_identity(state: &StateConfig) -> Result<NodeIdentity> {
    let state = state.clone();
    task::spawn_blocking(move || load_or_generate_identity_blocking(&state))
        .await
        .map_err(|source| StorageError::BlockingTaskFailed {
            operation: "loading or generating identity",
            source,
        })?
}

/// Loads the local Iroh secret key from storage.
///
/// Unlike `load_or_generate_identity`, this will NOT generate a new key if it's missing.
///
/// # Errors
///
/// Returns an error if the secret file does not exist or is invalid.
pub fn load_secret_key(state: &StateConfig) -> Result<SecretKey> {
    let path = state.root().join(SECRET_KEY_FILE);
    if !path.exists() {
        return Err(StorageError::FileRead {
            path,
            source: std::io::Error::new(std::io::ErrorKind::NotFound, "node secret not found"),
        }
        .into());
    }

    let raw = fs::read_to_string(&path).map_err(|source| StorageError::FileRead {
        path: path.clone(),
        source,
    })?;
    let key = SecretKey::from_str(raw.trim()).map_err(|e| StorageError::NodeSecretInvalid {
        path: path.clone(),
        details: e.to_string(),
        source: Box::new(e),
    })?;
    Ok(key)
}

fn load_or_generate_identity_blocking(state: &StateConfig) -> Result<NodeIdentity> {
    ensure_key_dir(state)?;

    let path = state.root().join(SECRET_KEY_FILE);

    let secret_key = if path.exists() {
        let raw = fs::read_to_string(&path).map_err(|source| StorageError::FileRead {
            path: path.clone(),
            source,
        })?;
        SecretKey::from_str(raw.trim()).map_err(|e| StorageError::NodeSecretInvalid {
            path: path.clone(),
            details: e.to_string(),
            source: Box::new(e),
        })?
    } else {
        let secret_key = SecretKey::generate(&mut rand::rng());
        let hex = secret_key
            .to_bytes()
            .iter()
            .map(|b| format!("{:02x}", b))
            .collect::<String>();
        fs::write(&path, hex).map_err(|source| StorageError::FileWrite {
            path: path.clone(),
            source,
        })?;
        secret_key
    };

    // Derive SSH key from Iroh secret bytes.
    let seed = secret_key.to_bytes();
    let keypair = Ed25519Keypair::from_seed(&seed);
    let ssh_key = PrivateKey::from(keypair);

    Ok(NodeIdentity {
        secret_key,
        ssh_key,
    })
}
/// Deletes the local secret key from storage.
///
/// This is used to "rotate" the node identity. Returns `true` if a file was deleted,
/// `false` if it didn't exist.
pub fn delete_secret_key(state: &StateConfig) -> Result<bool> {
    let path = state.root().join(SECRET_KEY_FILE);
    if path.exists() {
        std::fs::remove_file(&path).map_err(|source| StorageError::FileWrite {
            path: path.clone(),
            source,
        })?;
        Ok(true)
    } else {
        Ok(false)
    }
}

/// Saves the local Iroh secret key to storage.
pub fn save_secret_key(state: &StateConfig, key: &SecretKey) -> Result<()> {
    ensure_key_dir(state)?;
    let path = state.root().join(SECRET_KEY_FILE);
    let hex = key
        .to_bytes()
        .iter()
        .map(|b| format!("{:02x}", b))
        .collect::<String>();
    fs::write(&path, hex)
        .map_err(|source| StorageError::FileWrite { path, source })
        .map_err(Into::into)
}