feat: add exporting/importing of non rsa keys in libp2p-key format (#179)

* feat: add exporting/importing of ed25519 keys in libp2p-key format * feat: add libp2p-key export/import support for rsa and secp keys * chore: dep bumps * chore: update aegir * refactor: import and export base64 strings * refactor: simplify api for now * chore: fix lint * refactor: remove extraneous param * refactor: clean up * fix: review patches
2025-03-15 11:51:07 +00:00 · 2020-08-05 17:14:12 +02:00 · 2020-08-05 17:14:12 +02:00 · 7273739f04
commit 7273739f04
parent 609297be65
16 changed files with 415 additions and 46 deletions
--- a/README.md
+++ b/README.md
@ -262,14 +262,23 @@ Returns `Promise<RsaPrivateKey|Ed25519PrivateKey|Secp256k1PrivateKey>`

 Converts a protobuf serialized private key into its representative object.

-### `crypto.keys.import(pem, password)`
+### `crypto.keys.import(encryptedKey, password)`

- `pem: string`
+- `encryptedKey: string`
 - `password: string`

-Returns `Promise<RsaPrivateKey>`
+Returns `Promise<PrivateKey>`

-Converts a PEM password protected private key into its representative object.
+Converts an exported private key into its representative object. Supported formats are 'pem' (RSA only) and 'libp2p-key'.
+
+### `privateKey.export(password, format)`
+
+- `password: string`
+- `format: string` the format to export to: 'pem' (rsa only), 'libp2p-key'
+
+Returns `string`
+
+Exports the password protected `PrivateKey`. RSA keys will be exported as password protected PEM by default. Ed25519 and Secp256k1 keys will be exported as password protected AES-GCM base64 encoded strings ('libp2p-key' format).

 ### `crypto.randomBytes(number)`

--- a/package.json
+++ b/package.json
@ -6,9 +6,10 @@
  "types": "src/index.d.ts",
  "leadMaintainer": "Jacob Heun <jacobheun@gmail.com>",
  "browser": {
+    "./src/aes/ciphers.js": "./src/aes/ciphers-browser.js",
+    "./src/ciphers/aes-gcm.js": "./src/ciphers/aes-gcm.browser.js",
    "./src/hmac/index.js": "./src/hmac/index-browser.js",
    "./src/keys/ecdh.js": "./src/keys/ecdh-browser.js",
-    "./src/aes/ciphers.js": "./src/aes/ciphers-browser.js",
    "./src/keys/rsa.js": "./src/keys/rsa-browser.js"
  },
  "files": [
@ -43,21 +44,22 @@
    "is-typedarray": "^1.0.0",
    "iso-random-stream": "^1.1.0",
    "keypair": "^1.0.1",
-    "multibase": "^0.7.0",
+    "multibase": "^1.0.1",
+    "multicodec": "^1.0.4",
    "multihashing-async": "^0.8.1",
    "node-forge": "^0.9.1",
    "pem-jwk": "^2.0.0",
-    "protons": "^1.0.1",
+    "protons": "^1.2.1",
    "secp256k1": "^4.0.0",
-    "ursa-optional": "~0.10.1"
+    "uint8arrays": "^1.0.0",
+    "ursa-optional": "^0.10.1"
  },
  "devDependencies": {
-    "@types/chai": "^4.2.11",
+    "@types/chai": "^4.2.12",
    "@types/chai-string": "^1.4.2",
    "@types/dirty-chai": "^2.0.2",
-    "@types/mocha": "^7.0.1",
-    "@types/sinon": "^9.0.0",
-    "aegir": "^22.0.0",
+    "@types/mocha": "^8.0.1",
+    "aegir": "^25.0.0",
    "benchmark": "^2.1.4",
    "chai": "^4.2.0",
    "chai-string": "^1.5.0",
--- a/src/ciphers/aes-gcm.browser.js
+++ b/src/ciphers/aes-gcm.browser.js
@ -0,0 +1,89 @@
+'use strict'
+
+const concat = require('uint8arrays/concat')
+const fromString = require('uint8arrays/from-string')
+
+const webcrypto = require('../webcrypto')
+
+// Based off of code from https://github.com/luke-park/SecureCompatibleEncryptionExamples
+
+/**
+ *
+ * @param {object} [options]
+ * @param {string} [options.algorithm=AES-GCM]
+ * @param {Number} [options.nonceLength=12]
+ * @param {Number} [options.keyLength=16]
+ * @param {string} [options.digest=sha256]
+ * @param {Number} [options.saltLength=16]
+ * @param {Number} [options.iterations=32767]
+ * @returns {*}
+ */
+function create ({
+  algorithm = 'AES-GCM',
+  nonceLength = 12,
+  keyLength = 16,
+  digest = 'SHA-256',
+  saltLength = 16,
+  iterations = 32767
+} = {}) {
+  const crypto = webcrypto.get()
+  keyLength *= 8 // Browser crypto uses bits instead of bytes
+
+  /**
+   * Uses the provided password to derive a pbkdf2 key. The key
+   * will then be used to encrypt the data.
+   *
+   * @param {Uint8Array} data The data to decrypt
+   * @param {string} password A plain password
+   * @returns {Promise<Uint8Array>}
+   */
+  async function encrypt (data, password) { // eslint-disable-line require-await
+    const salt = crypto.getRandomValues(new Uint8Array(saltLength))
+    const nonce = crypto.getRandomValues(new Uint8Array(nonceLength))
+    const aesGcm = { name: algorithm, iv: nonce }
+
+    // Derive a key using PBKDF2.
+    const deriveParams = { name: 'PBKDF2', salt, iterations, hash: { name: digest } }
+    const rawKey = await crypto.subtle.importKey('raw', fromString(password), { name: 'PBKDF2' }, false, ['deriveKey', 'deriveBits'])
+    const cryptoKey = await crypto.subtle.deriveKey(deriveParams, rawKey, { name: algorithm, length: keyLength }, true, ['encrypt'])
+
+    // Encrypt the string.
+    const ciphertext = await crypto.subtle.encrypt(aesGcm, cryptoKey, data)
+    return concat([salt, aesGcm.iv, new Uint8Array(ciphertext)])
+  }
+
+  /**
+   * Uses the provided password to derive a pbkdf2 key. The key
+   * will then be used to decrypt the data. The options used to create
+   * this decryption cipher must be the same as those used to create
+   * the encryption cipher.
+   *
+   * @param {Uint8Array} data The data to decrypt
+   * @param {string} password A plain password
+   * @returns {Promise<Uint8Array>}
+   */
+  async function decrypt (data, password) {
+    const salt = data.slice(0, saltLength)
+    const nonce = data.slice(saltLength, saltLength + nonceLength)
+    const ciphertext = data.slice(saltLength + nonceLength)
+    const aesGcm = { name: algorithm, iv: nonce }
+
+    // Derive the key using PBKDF2.
+    const deriveParams = { name: 'PBKDF2', salt, iterations, hash: { name: digest } }
+    const rawKey = await crypto.subtle.importKey('raw', fromString(password), { name: 'PBKDF2' }, false, ['deriveKey', 'deriveBits'])
+    const cryptoKey = await crypto.subtle.deriveKey(deriveParams, rawKey, { name: algorithm, length: keyLength }, true, ['decrypt'])
+
+    // Decrypt the string.
+    const plaintext = await crypto.subtle.decrypt(aesGcm, cryptoKey, ciphertext)
+    return new Uint8Array(plaintext)
+  }
+
+  return {
+    encrypt,
+    decrypt
+  }
+}
+
+module.exports = {
+  create
+}
--- a/src/ciphers/aes-gcm.js
+++ b/src/ciphers/aes-gcm.js
@ -0,0 +1,120 @@
+'use strict'
+
+const crypto = require('crypto')
+
+// Based off of code from https://github.com/luke-park/SecureCompatibleEncryptionExamples
+
+/**
+ *
+ * @param {object} [options]
+ * @param {Number} [options.algorithmTagLength=16]
+ * @param {Number} [options.nonceLength=12]
+ * @param {Number} [options.keyLength=16]
+ * @param {string} [options.digest=sha256]
+ * @param {Number} [options.saltLength=16]
+ * @param {Number} [options.iterations=32767]
+ * @returns {*}
+ */
+function create ({
+  algorithmTagLength = 16,
+  nonceLength = 12,
+  keyLength = 16,
+  digest = 'sha256',
+  saltLength = 16,
+  iterations = 32767
+} = {}) {
+  const algorithm = 'aes-128-gcm'
+  /**
+   *
+   * @private
+   * @param {Buffer} data
+   * @param {Buffer} key
+   * @returns {Promise<Buffer>}
+   */
+  async function encryptWithKey (data, key) { // eslint-disable-line require-await
+    const nonce = crypto.randomBytes(nonceLength)
+
+    // Create the cipher instance.
+    const cipher = crypto.createCipheriv(algorithm, key, nonce)
+
+    // Encrypt and prepend nonce.
+    const ciphertext = Buffer.concat([cipher.update(data), cipher.final()])
+
+    return Buffer.concat([nonce, ciphertext, cipher.getAuthTag()])
+  }
+
+  /**
+   * Uses the provided password to derive a pbkdf2 key. The key
+   * will then be used to encrypt the data.
+   *
+   * @param {Buffer} data The data to decrypt
+   * @param {string|Buffer} password A plain password
+   * @returns {Promise<Buffer>}
+   */
+  async function encrypt (data, password) { // eslint-disable-line require-await
+    // Generate a 128-bit salt using a CSPRNG.
+    const salt = crypto.randomBytes(saltLength)
+
+    // Derive a key using PBKDF2.
+    const key = crypto.pbkdf2Sync(Buffer.from(password), salt, iterations, keyLength, digest)
+
+    // Encrypt and prepend salt.
+    return Buffer.concat([salt, await encryptWithKey(Buffer.from(data), key)])
+  }
+
+  /**
+   * Decrypts the given cipher text with the provided key. The `key` should
+   * be a cryptographically safe key and not a plaintext password. To use
+   * a plaintext password, use `decrypt`. The options used to create
+   * this decryption cipher must be the same as those used to create
+   * the encryption cipher.
+   *
+   * @private
+   * @param {Buffer} ciphertextAndNonce The data to decrypt
+   * @param {Buffer} key
+   * @returns {Promise<Buffer>}
+   */
+  async function decryptWithKey (ciphertextAndNonce, key) { // eslint-disable-line require-await
+    // Create buffers of nonce, ciphertext and tag.
+    const nonce = ciphertextAndNonce.slice(0, nonceLength)
+    const ciphertext = ciphertextAndNonce.slice(nonceLength, ciphertextAndNonce.length - algorithmTagLength)
+    const tag = ciphertextAndNonce.slice(ciphertext.length + nonceLength)
+
+    // Create the cipher instance.
+    const cipher = crypto.createDecipheriv(algorithm, key, nonce)
+
+    // Decrypt and return result.
+    cipher.setAuthTag(tag)
+    return Buffer.concat([cipher.update(ciphertext), cipher.final()])
+  }
+
+  /**
+   * Uses the provided password to derive a pbkdf2 key. The key
+   * will then be used to decrypt the data. The options used to create
+   * this decryption cipher must be the same as those used to create
+   * the encryption cipher.
+   *
+   * @param {Buffer} data The data to decrypt
+   * @param {string|Buffer} password A plain password
+   */
+  async function decrypt (data, password) { // eslint-disable-line require-await
+    // Create buffers of salt and ciphertextAndNonce.
+    const salt = data.slice(0, saltLength)
+    const ciphertextAndNonce = data.slice(saltLength)
+
+    // Derive the key using PBKDF2.
+    const key = crypto.pbkdf2Sync(Buffer.from(password), salt, iterations, keyLength, digest)
+
+    // Decrypt and return result.
+    return decryptWithKey(ciphertextAndNonce, key)
+  }
+
+  return {
+    encrypt,
+    decrypt
+  }
+}
+
+module.exports = {
+  create
+}
--- a/src/index.d.ts
+++ b/src/index.d.ts
@ -94,6 +94,10 @@ export interface PrivateKey {
   * of the PKCS SubjectPublicKeyInfo.
   */
  id(): Promise<string>;
+  /**
+   * Exports the password protected key in the format specified.
+   */
+  export(password: string, format?: "pkcs-8" | string): Promise<string>;
 }

 export interface Keystretcher {
@ -132,9 +136,6 @@ export namespace keys {
        hash(): Promise<Buffer>;
      }

-      // Type alias for export method
-      export type KeyInfo = any;
-
      class RsaPrivateKey implements PrivateKey {
        constructor(key: any, publicKey: Buffer);
        readonly public: RsaPublicKey;
@ -146,13 +147,7 @@ export namespace keys {
        equals(key: PrivateKey): boolean;
        hash(): Promise<Buffer>;
        id(): Promise<string>;
-        /**
-         * Exports the key into a password protected PEM format
-         *
-         * @param password The password to read the encrypted PEM
-         * @param format Defaults to 'pkcs-8'.
-         */
-        export(password: string, format?: "pkcs-8" | string): KeyInfo;
+        export(password: string, format?: string): Promise<string>;
      }
      function unmarshalRsaPublicKey(buf: Buffer): RsaPublicKey;
      function unmarshalRsaPrivateKey(buf: Buffer): Promise<RsaPrivateKey>;
@ -180,6 +175,7 @@ export namespace keys {
        equals(key: PrivateKey): boolean;
        hash(): Promise<Buffer>;
        id(): Promise<string>;
+        export(password: string, format?: string): Promise<string>;
      }

      function unmarshalEd25519PrivateKey(
@ -212,6 +208,7 @@ export namespace keys {
        equals(key: PrivateKey): boolean;
        hash(): Promise<Buffer>;
        id(): Promise<string>;
+        export(password: string, format?: string): Promise<string>;
      }

      function unmarshalSecp256k1PrivateKey(
@ -234,16 +231,14 @@ export namespace keys {
    bits: number
  ): Promise<PrivateKey>;
  export function generateKeyPair(
-    type: "Ed25519",
-    bits: number
+    type: "Ed25519"
  ): Promise<keys.supportedKeys.ed25519.Ed25519PrivateKey>;
  export function generateKeyPair(
    type: "RSA",
    bits: number
  ): Promise<keys.supportedKeys.rsa.RsaPrivateKey>;
  export function generateKeyPair(
-    type: "secp256k1",
-    bits: number
+    type: "secp256k1"
  ): Promise<keys.supportedKeys.secp256k1.Secp256k1PrivateKey>;

  /**
@ -318,7 +313,7 @@ export namespace keys {
   * @param pem Password protected private key in PEM format.
   * @param password The password used to protect the key.
   */
-  function _import(pem: string, password: string): Promise<supportedKeys.rsa.RsaPrivateKey>;
+  function _import(pem: string, password: string, format?: string): Promise<supportedKeys.rsa.RsaPrivateKey>;
  export { _import as import };
 }

--- a/src/keys/ed25519-class.js
+++ b/src/keys/ed25519-class.js
@ -8,6 +8,7 @@ const errcode = require('err-code')

 const crypto = require('./ed25519')
 const pbm = protobuf(require('./keys.proto'))
+const exporter = require('./exporter')

 class Ed25519PublicKey {
  constructor (key) {
@ -86,6 +87,21 @@ class Ed25519PrivateKey {
    const hash = await this.public.hash()
    return multibase.encode('base58btc', hash).toString().slice(1)
  }
+
+  /**
+   * Exports the key into a password protected `format`
+   *
+   * @param {string} password - The password to encrypt the key
+   * @param {string} [format=libp2p-key] - The format in which to export as
+   * @returns {Promise<Buffer>} The encrypted private key
+   */
+  async export (password, format = 'libp2p-key') { // eslint-disable-line require-await
+    if (format === 'libp2p-key') {
+      return exporter.export(this.bytes, password)
+    } else {
+      throw errcode(new Error(`export format '${format}' is not supported`), 'ERR_INVALID_EXPORT_FORMAT')
+    }
+  }
 }

 function unmarshalEd25519PrivateKey (bytes) {
--- a/src/keys/exporter.js
+++ b/src/keys/exporter.js
@ -0,0 +1,22 @@
+'use strict'
+
+const multibase = require('multibase')
+const ciphers = require('../ciphers/aes-gcm')
+
+module.exports = {
+  /**
+   * Exports the given PrivateKey as a base64 encoded string.
+   * The PrivateKey is encrypted via a password derived PBKDF2 key
+   * leveraging the aes-gcm cipher algorithm.
+   *
+   * @param {Buffer} privateKey The PrivateKey protobuf buffer
+   * @param {string} password
+   * @returns {Promise<string>} A base64 encoded string
+   */
+  export: async function (privateKey, password) {
+    const cipher = ciphers.create()
+    const encryptedKey = await cipher.encrypt(privateKey, password)
+    const base64 = multibase.names.base64
+    return base64.encode(encryptedKey)
+  }
+}
--- a/src/keys/importer.js
+++ b/src/keys/importer.js
@ -0,0 +1,22 @@
+'use strict'
+
+const multibase = require('multibase')
+const ciphers = require('../ciphers/aes-gcm')
+
+module.exports = {
+  /**
+   * Attempts to decrypt a base64 encoded PrivateKey string
+   * with the given password. The privateKey must have been exported
+   * using the same password and underlying cipher (aes-gcm)
+   *
+   * @param {string} privateKey A base64 encoded encrypted key
+   * @param {string} password
+   * @returns {Promise<Buffer>} The private key protobuf buffer
+   */
+  import: async function (privateKey, password) {
+    const base64 = multibase.names.base64
+    const encryptedKey = base64.decode(privateKey)
+    const cipher = ciphers.create()
+    return await cipher.decrypt(encryptedKey, password)
+  }
+}
--- a/src/keys/index.js
+++ b/src/keys/index.js
@ -8,6 +8,8 @@ require('node-forge/lib/pbe')
 const forge = require('node-forge/lib/forge')
 const errcode = require('err-code')

+const importer = require('./importer')
+
 exports = module.exports

 const supportedKeys = {
@ -109,8 +111,21 @@ exports.marshalPrivateKey = (key, type) => {
  return key.bytes
 }

-exports.import = async (pem, password) => { // eslint-disable-line require-await
-  const key = forge.pki.decryptRsaPrivateKey(pem, password)
+/**
+ *
+ * @param {string} encryptedKey
+ * @param {string} password
+ */
+exports.import = async (encryptedKey, password) => { // eslint-disable-line require-await
+  try {
+    const key = await importer.import(encryptedKey, password)
+    return exports.unmarshalPrivateKey(key)
+  } catch (_) {
+    // Ignore and try the old pem decrypt
+  }
+
+  // Only rsa supports pem right now
+  const key = forge.pki.decryptRsaPrivateKey(encryptedKey, password)
  if (key === null) {
    throw errcode(new Error('Cannot read the key, most likely the password is wrong or not a RSA key'), 'ERR_CANNOT_DECRYPT_PEM')
  }
--- a/src/keys/rsa-class.js
+++ b/src/keys/rsa-class.js
@ -5,12 +5,14 @@ const protobuf = require('protons')
 const multibase = require('multibase')
 const errcode = require('err-code')

-const crypto = require('./rsa')
-const pbm = protobuf(require('./keys.proto'))
 require('node-forge/lib/sha512')
 require('node-forge/lib/ed25519')
 const forge = require('node-forge/lib/forge')

+const crypto = require('./rsa')
+const pbm = protobuf(require('./keys.proto'))
+const exporter = require('./exporter')
+
 class RsaPublicKey {
  constructor (key) {
    this._key = key
@ -109,28 +111,26 @@ class RsaPrivateKey {
   * Exports the key into a password protected PEM format
   *
   * @param {string} password - The password to read the encrypted PEM
-   * @param {string} [format] - Defaults to 'pkcs-8'.
+   * @param {string} [format=pkcs-8] - The format in which to export as
   */
  async export (password, format = 'pkcs-8') { // eslint-disable-line require-await
-    let pem = null
-
+    if (format === 'pkcs-8') {
      const buffer = new forge.util.ByteBuffer(this.marshal())
      const asn1 = forge.asn1.fromDer(buffer)
      const privateKey = forge.pki.privateKeyFromAsn1(asn1)

-    if (format === 'pkcs-8') {
      const options = {
        algorithm: 'aes256',
        count: 10000,
        saltSize: 128 / 8,
        prfAlgorithm: 'sha512'
      }
-      pem = forge.pki.encryptRsaPrivateKey(privateKey, password, options)
+      return forge.pki.encryptRsaPrivateKey(privateKey, password, options)
+    } else if (format === 'libp2p-key') {
+      return exporter.export(this.bytes, password)
    } else {
-      throw errcode(new Error(`Unknown export format '${format}'. Must be pkcs-8`), 'ERR_INVALID_EXPORT_FORMAT')
+      throw errcode(new Error(`export format '${format}' is not supported`), 'ERR_INVALID_EXPORT_FORMAT')
    }
-
-    return pem
  }
 }

--- a/src/keys/rsa-utils.js
+++ b/src/keys/rsa-utils.js
@ -8,6 +8,7 @@ const { bigIntegerToUintBase64url, base64urlToBigInteger } = require('./../util'

 // Convert a PKCS#1 in ASN1 DER format to a JWK key
 exports.pkcs1ToJwk = function (bytes) {
+  bytes = Buffer.from(bytes) // convert Uint8Arrays
  const asn1 = forge.asn1.fromDer(bytes.toString('binary'))
  const privateKey = forge.pki.privateKeyFromAsn1(asn1)

--- a/src/keys/secp256k1-class.js
+++ b/src/keys/secp256k1-class.js
@ -2,6 +2,9 @@

 const multibase = require('multibase')
 const sha = require('multihashing-async/src/sha')
+const errcode = require('err-code')
+
+const exporter = require('./exporter')

 module.exports = (keysProtobuf, randomBytes, crypto) => {
  crypto = crypto || require('./secp256k1')(randomBytes)
@ -84,6 +87,21 @@ module.exports = (keysProtobuf, randomBytes, crypto) => {
      const hash = await this.public.hash()
      return multibase.encode('base58btc', hash).toString().slice(1)
    }
+
+    /**
+     * Exports the key into a password protected `format`
+     *
+     * @param {string} password - The password to encrypt the key
+     * @param {string} [format=libp2p-key] - The format in which to export as
+     * @returns {Promise<string>} The encrypted private key
+     */
+    async export (password, format = 'libp2p-key') { // eslint-disable-line require-await
+      if (format === 'libp2p-key') {
+        return exporter.export(this.bytes, password)
+      } else {
+        throw errcode(new Error(`export format '${format}' is not supported`), 'ERR_INVALID_EXPORT_FORMAT')
+      }
+    }
  }

  function unmarshalSecp256k1PrivateKey (bytes) {
--- a/test/browser.js
+++ b/test/browser.js
@ -2,9 +2,11 @@
 'use strict'

 const chai = require('chai')
-const dirtyChai = require('dirty-chai')
+chai.use(require('dirty-chai'))
 const expect = chai.expect
-chai.use(dirtyChai)
+
+const { Buffer } = require('buffer')
+
 const crypto = require('../')
 const webcrypto = require('../src/webcrypto')

--- a/test/keys/ed25519.spec.js
+++ b/test/keys/ed25519.spec.js
@ -85,6 +85,26 @@ describe('ed25519', function () {
    expect(id).to.be.a('string')
  })

+  it('should export a password encrypted libp2p-key', async () => {
+    const key = await crypto.keys.generateKeyPair('Ed25519')
+    const encryptedKey = await key.export('my secret')
+    // Import the key
+    const importedKey = await crypto.keys.import(encryptedKey, 'my secret')
+    expect(key.equals(importedKey)).to.equal(true)
+  })
+
+  it('should fail to import libp2p-key with wrong password', async () => {
+    const key = await crypto.keys.generateKeyPair('Ed25519')
+    const encryptedKey = await key.export('my secret', 'libp2p-key')
+    try {
+      await crypto.keys.import(encryptedKey, 'not my secret')
+    } catch (err) {
+      expect(err).to.exist()
+      return
+    }
+    expect.fail('should have thrown')
+  })
+
  describe('key equals', () => {
    it('equals itself', () => {
      expect(
--- a/test/keys/rsa.spec.js
+++ b/test/keys/rsa.spec.js
@ -135,6 +135,24 @@ describe('RSA', function () {
      expect(key.equals(clone)).to.eql(true)
    })

+    it('should export a password encrypted libp2p-key', async () => {
+      const encryptedKey = await key.export('my secret', 'libp2p-key')
+      // Import the key
+      const importedKey = await crypto.keys.import(encryptedKey, 'my secret')
+      expect(key.equals(importedKey)).to.equal(true)
+    })
+
+    it('should fail to import libp2p-key with wrong password', async () => {
+      const encryptedKey = await key.export('my secret', 'libp2p-key')
+      try {
+        await crypto.keys.import(encryptedKey, 'not my secret')
+      } catch (err) {
+        expect(err).to.exist()
+        return
+      }
+      expect.fail('should have thrown')
+    })
+
    it('needs correct password', async () => {
      const pem = await key.export('another secret')
      try {
--- a/test/keys/secp256k1.spec.js
+++ b/test/keys/secp256k1.spec.js
@ -63,6 +63,26 @@ describe('secp256k1 keys', () => {
    expect(id).to.be.a('string')
  })

+  it('should export a password encrypted libp2p-key', async () => {
+    const key = await crypto.keys.generateKeyPair('secp256k1')
+    const encryptedKey = await key.export('my secret')
+    // Import the key
+    const importedKey = await crypto.keys.import(encryptedKey, 'my secret')
+    expect(key.equals(importedKey)).to.equal(true)
+  })
+
+  it('should fail to import libp2p-key with wrong password', async () => {
+    const key = await crypto.keys.generateKeyPair('secp256k1')
+    const encryptedKey = await key.export('my secret', 'libp2p-key')
+    try {
+      await crypto.keys.import(encryptedKey, 'not my secret')
+    } catch (err) {
+      expect(err).to.exist()
+      return
+    }
+    expect.fail('should have thrown')
+  })
+
  describe('key equals', () => {
    it('equals itself', () => {
      expect(key.equals(key)).to.eql(true)