From 5de8b5d736af4062f015e94d35636fa3b5f6fb4f Mon Sep 17 00:00:00 2001
From: disqualifier <dev@disqualifier.me>
Date: Mon, 29 Jun 2026 01:39:21 -0400
Subject: [PATCH] fix: OpenSSH private-key fingerprint fallback + clean error
 on missing password
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

get_rsa_key_fingerprint(is_private=True) only loaded PEM private keys, so an OpenSSH-format private key raised — unlike decrypt_aes_key_with_rsa, which already had the fallback. mirrored it: on a PEM load failure, an OPENSSH-marked key is loaded via load_ssh_private_key. also normalized the encrypted-key-without-password case: cryptography raises TypeError there, which now becomes a clear ValueError('private key is encrypted but no password was provided') in both methods instead of leaking the raw TypeError.

Signed-off-by: disqualifier <dev@disqualifier.me>
---
 README.md                              |  4 ++--
 pyproject.toml                         |  2 +-
 src/envelope_crypto/envelope_crypto.py | 33 ++++++++++++++++++--------
 3 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 8f91801..290a425 100644
--- a/README.md
+++ b/README.md
@@ -11,13 +11,13 @@ and storage-agnostic.
 `requirements.txt`:
 
 ```
-envelope_crypto @ git+ssh://git@git.rethinkstudios.io/rethink-public/envelope_crypto.git@v0.1.1
+envelope_crypto @ git+ssh://git@git.rethinkstudios.io/rethink-public/envelope_crypto.git@v0.1.2
 ```
 
 Direct:
 
 ```bash
-pip install "envelope_crypto @ git+ssh://git@git.rethinkstudios.io/rethink-public/envelope_crypto.git@v0.1.1"
+pip install "envelope_crypto @ git+ssh://git@git.rethinkstudios.io/rethink-public/envelope_crypto.git@v0.1.2"
 ```
 
 Requires `cryptography` (pulled transitively).
diff --git a/pyproject.toml b/pyproject.toml
index dea367e..611f95f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "envelope_crypto"
-version = "0.1.1"
+version = "0.1.2"
 description = "Envelope encryption (RSA-OAEP wrapped AES-256-GCM) for dict records — config-free, storage-agnostic, installable."
 requires-python = ">=3.10"
 dependencies = [
diff --git a/src/envelope_crypto/envelope_crypto.py b/src/envelope_crypto/envelope_crypto.py
index f323526..34ddf1c 100644
--- a/src/envelope_crypto/envelope_crypto.py
+++ b/src/envelope_crypto/envelope_crypto.py
@@ -155,7 +155,10 @@ class EnvelopeCrypto:
 
         for an encrypted private key (is_private=True), pass its `password`; an
         unencrypted key ignores it. fingerprinting always uses the public half, so a
-        private and its public key produce the same fingerprint.
+        private and its public key produce the same fingerprint. PEM and OpenSSH
+        private-key formats are both accepted (mirrors decrypt_aes_key_with_rsa). an
+        encrypted key with no/wrong password raises ValueError with a clear message
+        (cryptography raises TypeError for the missing-password case — normalized here).
         """
         if is_file:
             with open(key_path_or_data, "rb") as key_file:
@@ -168,9 +171,18 @@ class EnvelopeCrypto:
             )
 
         if is_private:
-            private_key = serialization.load_pem_private_key(
-                key_data, password=password.encode() if password else None
-            )
+            pw = password.encode() if password else None
+            try:
+                private_key = serialization.load_pem_private_key(key_data, password=pw)
+            except ValueError as error:
+                if b"BEGIN OPENSSH PRIVATE KEY" in key_data:
+                    private_key = serialization.load_ssh_private_key(key_data, password=pw)
+                else:
+                    raise error
+            except TypeError as error:
+                raise ValueError(
+                    "private key is encrypted but no password was provided"
+                ) from error
             public_key = private_key.public_key()
         else:
             try:
@@ -223,17 +235,18 @@ class EnvelopeCrypto:
         """unwrap an AES key with an RSA private key"""
         with open(rsa_private_key_path, "rb") as key_file:
             key_data = key_file.read()
+        pw = password.encode() if password else None
         try:
-            private_key = serialization.load_pem_private_key(
-                key_data, password=password.encode() if password else None
-            )
+            private_key = serialization.load_pem_private_key(key_data, password=pw)
         except ValueError as error:
             if b"BEGIN OPENSSH PRIVATE KEY" in key_data:
-                private_key = serialization.load_ssh_private_key(
-                    key_data, password=password.encode() if password else None
-                )
+                private_key = serialization.load_ssh_private_key(key_data, password=pw)
             else:
                 raise error
+        except TypeError as error:
+            raise ValueError(
+                "private key is encrypted but no password was provided"
+            ) from error
 
         wrapped = base64.b64decode(encrypted_key_base64)
         aes_key = private_key.decrypt(