fix(se): route 15 decrypt_keypair callsites through SE-safe helpers and refactor rotation to dispatch on TypedSeed for P-256 identities

Author: bordumb

crates/auths-cli/src/commands/agent/mod.rs

@@ -541,6 +541,17 @@ fn unlock_agent(key_alias: &str) -> Result<()> {
 
     let keychain = auths_sdk::keychain::get_platform_keychain()
         .map_err(|e| anyhow!("Failed to get platform keychain: {}", e))?;
+
+    if keychain.is_hardware_backend() {
+        return Err(anyhow!(
+            "Agent-mode signing requires a software-backed key. Key '{}' is hardware-backed \
+             (Secure Enclave) and cannot export raw key material needed by the SSH agent. \
+             Use direct signing instead (which dispatches through the Secure Enclave), \
+             or initialize a separate software-backed identity for agent use.",
+            key_alias
+        ));
+    }
+
     let (_identity_did, _role, encrypted_data) = keychain
         .load_key(&auths_sdk::keychain::KeyAlias::new_unchecked(key_alias))
         .map_err(|e| anyhow!("Failed to load key '{}': {}", key_alias, e))?;

crates/auths-cli/src/commands/auth.rs

@@ -1,15 +1,9 @@
 use anyhow::{Context, Result, anyhow};
 use clap::{Parser, Subcommand};
 
-use auths_crypto::Pkcs8Der;
-use auths_sdk::crypto::decrypt_keypair;
-use auths_sdk::crypto::extract_seed_from_pkcs8;
-use auths_sdk::crypto::provider_bridge;
-use auths_sdk::keychain::KeyStorage;
 use auths_sdk::storage_layout::layout;
 
 use crate::factories::storage::build_auths_context;
-use auths_sdk::workflows::auth::sign_auth_challenge;
 
 use crate::commands::executable::ExecutableCommand;
 use crate::config::CliConfig;
@@ -76,33 +70,22 @@ fn handle_auth_challenge(nonce: &str, domain: &str, ctx: &CliConfig) -> Result<(
     let key_alias = auths_sdk::keychain::KeyAlias::new(&key_alias_str)
         .map_err(|e| anyhow!("Invalid key alias: {e}"))?;
 
-    let (_stored_did, _role, encrypted_key) = auths_ctx
-        .key_storage
-        .load_key(&key_alias)
-        .with_context(|| format!("Failed to load key '{}'", key_alias_str))?;
-
-    let passphrase =
-        passphrase_provider.get_passphrase(&format!("Enter passphrase for '{}':", key_alias))?;
-    let pkcs8_bytes = decrypt_keypair(&encrypted_key, &passphrase)
-        .context("Failed to decrypt key (invalid passphrase?)")?;
-
-    let pkcs8 = Pkcs8Der::new(&pkcs8_bytes[..]);
-    let seed =
-        extract_seed_from_pkcs8(&pkcs8).context("Failed to extract seed from key material")?;
-
-    // Derive public key from the seed instead of resolving via KEL
-    let public_key_bytes = provider_bridge::ed25519_public_key_from_seed_sync(&seed)
-        .context("Failed to derive public key from seed")?;
-    let public_key_hex = hex::encode(public_key_bytes);
-
-    let result = sign_auth_challenge(
-        nonce,
-        domain,
-        &seed,
-        &public_key_hex,
-        controller_did.as_str(),
+    let message = auths_sdk::workflows::auth::build_auth_challenge_message(nonce, domain)
+        .context("Failed to build auth challenge payload")?;
+
+    let (signature_bytes, public_key_bytes, _curve) = auths_sdk::keychain::sign_with_key(
+        auths_ctx.key_storage.as_ref(),
+        &key_alias,
+        passphrase_provider.as_ref(),
+        message.as_bytes(),
     )
-    .context("Failed to sign auth challenge")?;
+    .with_context(|| format!("Failed to sign auth challenge with key '{}'", key_alias))?;
+
+    let result = auths_sdk::workflows::auth::SignedAuthChallenge {
+        signature_hex: hex::encode(&signature_bytes),
+        public_key_hex: hex::encode(&public_key_bytes),
+        did: controller_did.to_string(),
+    };
 
     if is_json_mode() {
         JsonResponse::success(

crates/auths-cli/src/commands/id/identity.rs

@@ -1,6 +1,5 @@
 use anyhow::{Context, Result, anyhow};
 use clap::{ArgAction, Parser, Subcommand};
-use ring::signature::KeyPair;
 use serde::Serialize;
 use serde_json;
 use std::fs;
@@ -593,23 +592,19 @@ pub fn handle_id(
                 .load_all_attestations()
                 .unwrap_or_default();
 
-            // Load the public key from keychain
+            // Load the public key from keychain (handles SE and software keys)
             let keychain = get_platform_keychain()?;
-            let (_, _role, encrypted_key) = keychain
-                .load_key(&KeyAlias::new_unchecked(&alias))
-                .with_context(|| format!("Key '{}' not found in keychain", alias))?;
-
-            // Decrypt to get public key
-            let pass = passphrase_provider
-                .get_passphrase(&format!("Enter passphrase for key '{}':", alias))?;
-            let pkcs8_bytes = auths_sdk::crypto::decrypt_keypair(&encrypted_key, &pass)
-                .context("Failed to decrypt key")?;
-            let keypair = auths_sdk::identity::load_keypair_from_der_or_seed(&pkcs8_bytes)?;
+            let alias_typed = KeyAlias::new_unchecked(&alias);
+            let (public_key_bytes, _curve) = auths_sdk::keychain::extract_public_key_bytes(
+                keychain.as_ref(),
+                &alias_typed,
+                passphrase_provider.as_ref(),
+            )
+            .with_context(|| format!("Failed to extract public key for '{}'", alias))?;
             #[allow(clippy::disallowed_methods)]
-            // INVARIANT: hex::encode of Ed25519 pubkey always produces valid hex
-            let public_key_hex = auths_verifier::PublicKeyHex::new_unchecked(hex::encode(
-                keypair.public_key().as_ref(),
-            ));
+            // INVARIANT: hex::encode of pubkey bytes always produces valid hex
+            let public_key_hex =
+                auths_verifier::PublicKeyHex::new_unchecked(hex::encode(&public_key_bytes));
 
             // Create the bundle
             let bundle = IdentityBundle {

crates/auths-cli/src/commands/org.rs

@@ -1,7 +1,6 @@
 use anyhow::{Context, Result, anyhow};
 use auths_sdk::attestation::create_signed_attestation;
 use auths_sdk::attestation::create_signed_revocation;
-use auths_sdk::crypto::decrypt_keypair;
 use auths_sdk::identity::DidResolver;
 use auths_sdk::identity::initialize_registry_identity;
 use chrono::{DateTime, Utc};
@@ -439,7 +438,7 @@ pub fn handle_org(
                 serde_json::from_str(&payload_str).context("Invalid JSON in payload file")?;
 
             let key_storage = get_platform_keychain()?;
-            let (stored_did, _role, encrypted_key) = key_storage
+            let (stored_did, _role, _encrypted_key) = key_storage
                 .load_key(&signer_alias)
                 .with_context(|| format!("Failed to load signer key '{}'", signer_alias))?;
 
@@ -452,13 +451,6 @@ pub fn handle_org(
                 ));
             }
 
-            let passphrase = passphrase_provider.get_passphrase(&format!(
-                "Enter passphrase for org identity key '{}':",
-                signer_alias
-            ))?;
-            let _pkcs8_bytes = decrypt_keypair(&encrypted_key, &passphrase)
-                .context("Failed to decrypt signer key (invalid passphrase?)")?;
-
             #[allow(clippy::disallowed_methods)]
             // INVARIANT: subject_did accepts both did:key and did:keri
             let subject_device_did = DeviceDID::new_unchecked(subject_did.clone());
@@ -538,17 +530,6 @@ pub fn handle_org(
             let controller_did = managed_identity.controller_did;
             let rid = managed_identity.storage_id;
 
-            let encrypted_key = get_platform_keychain()?
-                .load_key(&signer_alias)
-                .context("Failed to load signer key")?
-                .2;
-            let pass = passphrase_provider.get_passphrase(&format!(
-                "Enter passphrase for identity key '{}':",
-                signer_alias
-            ))?;
-            let _pkcs8_bytes =
-                decrypt_keypair(&encrypted_key, &pass).context("Failed to decrypt identity key")?;
-
             #[allow(clippy::disallowed_methods)] // INVARIANT: accepts both did:key and did:keri
             let subject_device_did = DeviceDID::new_unchecked(subject_did.clone());
 
@@ -965,13 +946,30 @@ pub fn handle_org(
             Ok(())
         }
 
-        OrgSubcommand::Join { code, registry } => handle_join(&code, &registry),
+        OrgSubcommand::Join { code, registry } => {
+            handle_join(&code, &registry, passphrase_provider.as_ref())
+        }
     }
 }
 
 /// Handles the `org join` subcommand by looking up and accepting an invite
 /// via the registry HTTP API.
-fn handle_join(code: &str, registry: &str) -> Result<()> {
+///
+/// Args:
+/// * `code`: Invite code to redeem.
+/// * `registry`: Base URL of the registry HTTP API.
+/// * `passphrase_provider`: Injected provider used to unlock the signing key
+///   when producing the bearer token; respects SE-backed and P-256 keys.
+///
+/// Usage:
+/// ```ignore
+/// handle_join(&code, &registry, ctx.passphrase_provider.as_ref())?;
+/// ```
+fn handle_join(
+    code: &str,
+    registry: &str,
+    passphrase_provider: &dyn auths_sdk::signing::PassphraseProvider,
+) -> Result<()> {
     let rt = tokio::runtime::Runtime::new()?;
     let client = reqwest::Client::new();
     let base = registry.trim_end_matches('/');
@@ -1024,30 +1022,21 @@ fn handle_join(code: &str, registry: &str) -> Result<()> {
 
     let key_storage = get_platform_keychain()?;
     let primary_alias = KeyAlias::new_unchecked("main");
-    let (_stored_did, _role, encrypted_key) = key_storage
-        .load_key(&primary_alias)
-        .context("failed to load signing key — run `auths init` first")?;
-
-    let passphrase =
-        rpassword::prompt_password("Enter passphrase: ").context("failed to read passphrase")?;
-    let pkcs8_bytes = decrypt_keypair(&encrypted_key, &passphrase).context("wrong passphrase")?;
 
-    let pkcs8 = auths_crypto::Pkcs8Der::new(&pkcs8_bytes[..]);
-    let seed = auths_sdk::crypto::extract_seed_from_pkcs8(&pkcs8)
-        .context("failed to extract seed from key material")?;
-
-    // Create a signed bearer payload: { did, timestamp, signature }
     #[allow(clippy::disallowed_methods)] // CLI is the presentation boundary
     let timestamp = Utc::now().to_rfc3339();
     let message = format!("{}\n{}", did, timestamp);
-    let signature = {
-        use ring::signature::Ed25519KeyPair;
-        let kp = Ed25519KeyPair::from_seed_unchecked(seed.as_bytes())
-            .map_err(|e| anyhow!("invalid key: {e}"))?;
-        let sig = kp.sign(message.as_bytes());
-        use base64::Engine;
-        base64::engine::general_purpose::STANDARD.encode(sig.as_ref())
-    };
+
+    let (sig_bytes, _pubkey, _curve) = auths_sdk::keychain::sign_with_key(
+        key_storage.as_ref(),
+        &primary_alias,
+        passphrase_provider,
+        message.as_bytes(),
+    )
+    .context("failed to sign invite bearer token")?;
+
+    use base64::Engine;
+    let signature = base64::engine::general_purpose::STANDARD.encode(&sig_bytes);
 
     let bearer_payload = serde_json::json!({
         "did": did,

crates/auths-core/src/api/ffi.rs

@@ -582,6 +582,12 @@ pub unsafe extern "C" fn ffi_export_private_key_with_passphrase(
         };
         let alias = KeyAlias::new_unchecked(alias_str);
         let export_result = || -> Result<Vec<u8>, AgentError> {
+            if keychain.is_hardware_backend() {
+                return Err(AgentError::BackendUnavailable {
+                    backend: keychain.backend_name(),
+                    reason: "hardware-backed keys (e.g. Secure Enclave) cannot be exported via this FFI path".to_string(),
+                });
+            }
             let (_controller_did, _role, encrypted_bytes) = keychain.load_key(&alias)?;
             // Attempt decryption only to verify passphrase
             let _decrypted_pkcs8 = decrypt_keypair(&encrypted_bytes, pass_str)?;

crates/auths-core/src/api/runtime.rs

@@ -13,7 +13,7 @@ use crate::crypto::provider_bridge;
 use crate::crypto::signer::extract_seed_from_key_bytes;
 use crate::crypto::signer::{decrypt_keypair, encrypt_keypair};
 use crate::error::AgentError;
-use crate::signing::PassphraseProvider;
+use crate::signing::{PassphraseProvider, PrefilledPassphraseProvider};
 use crate::storage::keychain::{KeyAlias, KeyRole, KeyStorage};
 use log::{debug, error, info, warn};
 #[cfg(target_os = "macos")]
@@ -189,6 +189,11 @@ pub fn load_keys_into_agent_with_handle(
         };
 
         let load_result = || -> Result<Zeroizing<Vec<u8>>, AgentError> {
+            if keychain.is_hardware_backend() {
+                return Err(AgentError::HardwareKeyNotExportable {
+                    operation: "agent key load".to_string(),
+                });
+            }
             let (_controller_did, _role, encrypted_pkcs8) = keychain.load_key(&key_alias)?;
             let prompt = format!(
                 "Enter passphrase to unlock key '{}' for agent session:",
@@ -388,6 +393,11 @@ pub fn export_key_openssh_pem(
             "Alias cannot be empty".to_string(),
         ));
     }
+    if keychain.is_hardware_backend() {
+        return Err(AgentError::HardwareKeyNotExportable {
+            operation: "OpenSSH private key export".to_string(),
+        });
+    }
     // 1. Load encrypted key data
     let key_alias = KeyAlias::new_unchecked(alias);
     let (_controller_did, _role, encrypted_pkcs8) = keychain.load_key(&key_alias)?;
@@ -452,22 +462,14 @@ pub fn export_key_openssh_pub(
             "Alias cannot be empty".to_string(),
         ));
     }
-    // 1. Load encrypted key data
+    // 1. Obtain public key bytes (hardware-aware; SE returns pubkey without decryption)
     let key_alias = KeyAlias::new_unchecked(alias);
-    let (_controller_did, _role, encrypted_pkcs8) = keychain.load_key(&key_alias)?;
-
-    // 2. Decrypt key data
-    let pkcs8_bytes = decrypt_keypair(&encrypted_pkcs8, passphrase)?;
-
-    // 3. Extract seed and derive public key via CryptoProvider
-    let (seed, pubkey_bytes, _curve) = crate::crypto::signer::load_seed_and_pubkey(&pkcs8_bytes)
-        .map_err(|e| {
-            AgentError::CryptoError(format!(
-                "Failed to extract key for alias '{}': {}",
-                alias, e
-            ))
-        })?;
-    let _ = seed; // seed not needed for public key export
+    let passphrase_provider = PrefilledPassphraseProvider::new(passphrase);
+    let (pubkey_bytes, _curve) = crate::storage::keychain::extract_public_key_bytes(
+        keychain,
+        &key_alias,
+        &passphrase_provider,
+    )?;
     let ssh_ed25519_pubkey =
         SshEd25519PublicKey::try_from(pubkey_bytes.as_slice()).map_err(|e| {
             AgentError::CryptoError(format!(

crates/auths-core/src/error.rs

@@ -120,6 +120,16 @@ pub enum AgentError {
     /// HSM does not support the requested cryptographic mechanism.
     #[error("HSM does not support mechanism: {0}")]
     HsmUnsupportedMechanism(String),
+
+    /// Operation cannot be completed because the key is hardware-backed (SE/HSM)
+    /// and the operation requires raw key material.
+    #[error(
+        "Operation '{operation}' requires a software-backed key; hardware-backed keys (e.g. Secure Enclave) cannot export raw material"
+    )]
+    HardwareKeyNotExportable {
+        /// Name of the operation that requires raw key material.
+        operation: String,
+    },
 }
 
 impl AuthsErrorInfo for AgentError {
@@ -149,6 +159,7 @@ impl AuthsErrorInfo for AgentError {
             Self::HsmDeviceRemoved => "AUTHS-E3022",
             Self::HsmSessionExpired => "AUTHS-E3023",
             Self::HsmUnsupportedMechanism(_) => "AUTHS-E3024",
+            Self::HardwareKeyNotExportable { .. } => "AUTHS-E3025",
         }
     }
 
@@ -206,6 +217,9 @@ impl AuthsErrorInfo for AgentError {
             Self::HsmUnsupportedMechanism(_) => {
                 Some("Check that your HSM supports Ed25519 (CKM_EDDSA)")
             }
+            Self::HardwareKeyNotExportable { .. } => Some(
+                "Use a software-backed keychain backend for this operation, or re-initialize your identity without Secure Enclave",
+            ),
         }
     }
 }
@@ -276,3 +290,18 @@ impl From<AgentError> for ssh_agent_lib::error::AgentError {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn hardware_key_not_exportable_has_actionable_display() {
+        let err = AgentError::HardwareKeyNotExportable {
+            operation: "pairing".into(),
+        };
+        let msg = err.to_string();
+        assert!(msg.contains("hardware"), "msg={msg}");
+        assert!(msg.contains("pairing"), "msg={msg}");
+    }
+}