fix: SSH key double-base64 encoding — PEM was corrupted during storage

Root cause: frontend btoa() encoded the PEM before sending to Go []byte parameter. Wails already base64-encodes []byte over JSON bridge, so the vault stored base64(base64(pem)) — garbage. Fix: Go method now accepts string, frontend sends raw PEM. Keys must be re-added after this update. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 11:39:24 -04:00 · 2026-03-17 11:39:24 -04:00 · 901d9c257d
commit 901d9c257d
parent 163af456b4
2 changed files with 5 additions and 8 deletions
--- a/frontend/src/components/connections/ConnectionEditDialog.vue
+++ b/frontend/src/components/connections/ConnectionEditDialog.vue
@ -447,14 +447,12 @@ async function saveNewCredential(): Promise<void> {
        "",  // domain — not collected in this form
      ) as Credential;
    } else {
-      // SSH Key: CreateSSHKeyCredential(name, username string, privateKeyPEM []byte, passphrase string)
-      // Wails serialises []byte as base64. We encode the raw PEM string with btoa().
-      const pemBase64 = btoa(newCred.value.privateKeyPEM.trim());
+      // SSH Key: CreateSSHKeyCredential(name, username, privateKeyPEM string, passphrase string)
      created = await Call.ByName(
        `${APP}.CreateSSHKeyCredential`,
        newCred.value.name.trim(),
        newCred.value.username.trim(),
-        pemBase64,
+        newCred.value.privateKeyPEM.trim(),
        newCred.value.passphrase,
      ) as Credential;
    }
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -490,13 +490,12 @@ func (a *WraithApp) CreatePassword(name, username, password, domain string) (*cr
 }

 // CreateSSHKeyCredential imports an SSH private key and creates a Credential
-// record referencing it. privateKeyPEM is the raw PEM bytes (Wails serialises
-// []byte as base64 over the JSON bridge, so the frontend passes btoa(pem)).
-func (a *WraithApp) CreateSSHKeyCredential(name, username string, privateKeyPEM []byte, passphrase string) (*credentials.Credential, error) {
+// record referencing it. privateKeyPEM is the raw PEM string (NOT base64 encoded).
+func (a *WraithApp) CreateSSHKeyCredential(name, username string, privateKeyPEM string, passphrase string) (*credentials.Credential, error) {
 	if a.Credentials == nil {
 		return nil, fmt.Errorf("vault is locked")
 	}
-	return a.Credentials.CreateSSHKeyCredential(name, username, privateKeyPEM, passphrase)
+	return a.Credentials.CreateSSHKeyCredential(name, username, []byte(privateKeyPEM), passphrase)
 }

 // DeleteCredential removes a credential by ID.