Only show the name part of keys

edolstra · edolstra · commit c8a2a3552e3d · 2026-05-20T20:47:51.000+02:00
diff --git a/src/libutil/signature/local-keys.cc b/src/libutil/signature/local-keys.cc
@@ -20,6 +20,12 @@ using AutoEVP_PKEY_CTX = std::unique_ptr<EVP_PKEY_CTX, Deleter<EVP_PKEY_CTX_free
 using AutoEVP_MD_CTX = std::unique_ptr<EVP_MD_CTX, Deleter<EVP_MD_CTX_free>>;
 using AutoBIO = std::unique_ptr<BIO, Deleter<BIO_free>>;
 
+std::string_view keyNamePart(std::string_view s)
+{
+    auto colon = s.find(':');
+    return colon == std::string_view::npos ? std::string_view{} : s.substr(0, colon);
+}
+
 /**
  * Parse a colon-separated string where the second part is Base64-encoded.
  *
@@ -487,8 +493,7 @@ std::unique_ptr<SecretKey> SecretKey::parse(std::string_view s)
             throw Error("secret key is not valid");
 
     } catch (Error & e) {
-        // Don't show the entire key for security.
-        e.addTrace({}, "while decoding key '%s…'", s.substr(0, 32));
+        e.addTrace({}, "while decoding key '%s'", keyNamePart(s));
         throw;
     }
 }
@@ -526,8 +531,7 @@ std::unique_ptr<PublicKey> PublicKey::parse(std::string_view s)
         } else
             throw Error("public key is not valid");
     } catch (Error & e) {
-        // Don't show the entire key for security.
-        e.addTrace({}, "while decoding key '%s'", s);
+        e.addTrace({}, "while decoding key '%s'", keyNamePart(s));
         throw;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,12 @@ using AutoEVP_PKEY_CTX = std::unique_ptr<EVP_PKEY_CTX, Deleter<EVP_PKEY_CTX_free`
`20`	`20`	`using AutoEVP_MD_CTX = std::unique_ptr<EVP_MD_CTX, Deleter<EVP_MD_CTX_free>>;`
`21`	`21`	`using AutoBIO = std::unique_ptr<BIO, Deleter<BIO_free>>;`
`22`	`22`
	`23`	`+std::string_view keyNamePart(std::string_view s)`
	`24`	`+{`
	`25`	`+ auto colon = s.find(':');`
	`26`	`+ return colon == std::string_view::npos ? std::string_view{} : s.substr(0, colon);`
	`27`	`+}`
	`28`	`+`
`23`	`29`	`/**`
`24`	`30`	`* Parse a colon-separated string where the second part is Base64-encoded.`
`25`	`31`	`*`
`@@ -487,8 +493,7 @@ std::unique_ptr<SecretKey> SecretKey::parse(std::string_view s)`
`487`	`493`	`throw Error("secret key is not valid");`
`488`	`494`
`489`	`495`	`} catch (Error & e) {`
`490`		`- // Don't show the entire key for security.`
`491`		`- e.addTrace({}, "while decoding key '%s…'", s.substr(0, 32));`
	`496`	`+ e.addTrace({}, "while decoding key '%s'", keyNamePart(s));`
`492`	`497`	`throw;`
`493`	`498`	`}`
`494`	`499`	`}`
`@@ -526,8 +531,7 @@ std::unique_ptr<PublicKey> PublicKey::parse(std::string_view s)`
`526`	`531`	`} else`
`527`	`532`	`throw Error("public key is not valid");`
`528`	`533`	`} catch (Error & e) {`
`529`		`- // Don't show the entire key for security.`
`530`		`- e.addTrace({}, "while decoding key '%s'", s);`
	`534`	`+ e.addTrace({}, "while decoding key '%s'", keyNamePart(s));`
`531`	`535`	`throw;`
`532`	`536`	`}`
`533`	`537`	`}`