feat: add support for SSH key fingerprint normalization and compatibility

webapp/src/lib/api.ts

@@ -971,10 +971,13 @@ export async function createCipher(
       country: await encryptTextValue(draft.identCountry, enc, mac),
     };
   } else if (type === 5) {
+    const encryptedFingerprint = await encryptTextValue(draft.sshFingerprint, enc, mac);
     payload.sshKey = {
       privateKey: await encryptTextValue(draft.sshPrivateKey, enc, mac),
       publicKey: await encryptTextValue(draft.sshPublicKey, enc, mac),
-      fingerprint: await encryptTextValue(draft.sshFingerprint, enc, mac),
+      keyFingerprint: encryptedFingerprint,
+      // Keep legacy alias for backward compatibility with previously exported/edited items.
+      fingerprint: encryptedFingerprint,
     };
   } else if (type === 2) {
     payload.secureNote = { type: 0 };
@@ -1063,10 +1066,13 @@ export async function updateCipher(
       country: await encryptTextValue(draft.identCountry, keys.enc, keys.mac),
     };
   } else if (type === 5) {
+    const encryptedFingerprint = await encryptTextValue(draft.sshFingerprint, keys.enc, keys.mac);
     payload.sshKey = {
       privateKey: await encryptTextValue(draft.sshPrivateKey, keys.enc, keys.mac),
       publicKey: await encryptTextValue(draft.sshPublicKey, keys.enc, keys.mac),
-      fingerprint: await encryptTextValue(draft.sshFingerprint, keys.enc, keys.mac),
+      keyFingerprint: encryptedFingerprint,
+      // Keep legacy alias for backward compatibility with previously exported/edited items.
+      fingerprint: encryptedFingerprint,
     };
   } else if (type === 2) {
     payload.secureNote = { type: 0 };

webapp/src/lib/export-formats.ts

@@ -257,7 +257,9 @@ function mapCipherEncrypted(cipher: Cipher): Record<string, unknown> {
     ? {
         privateKey: cipher.sshKey.privateKey ?? null,
         publicKey: cipher.sshKey.publicKey ?? null,
-        fingerprint: cipher.sshKey.fingerprint ?? null,
+        keyFingerprint: cipher.sshKey.keyFingerprint ?? cipher.sshKey.fingerprint ?? null,
+        // Keep legacy alias for compatibility with older importers.
+        fingerprint: cipher.sshKey.keyFingerprint ?? cipher.sshKey.fingerprint ?? null,
       }
     : null;
 
@@ -304,7 +306,22 @@ async function mapCipherPlain(cipher: Cipher, userEnc: Uint8Array, userMac: Uint
 
   out.card = cipher.card ? await deepDecryptUnknown(cipher.card, keyParts.enc, keyParts.mac) : null;
   out.identity = cipher.identity ? await deepDecryptUnknown(cipher.identity, keyParts.enc, keyParts.mac) : null;
-  out.sshKey = cipher.sshKey ? await deepDecryptUnknown(cipher.sshKey, keyParts.enc, keyParts.mac) : null;
+  if (cipher.sshKey) {
+    const fingerprint = await decryptMaybe(
+      cipher.sshKey.keyFingerprint ?? cipher.sshKey.fingerprint ?? null,
+      keyParts.enc,
+      keyParts.mac
+    );
+    out.sshKey = {
+      privateKey: await decryptMaybe(cipher.sshKey.privateKey ?? null, keyParts.enc, keyParts.mac),
+      publicKey: await decryptMaybe(cipher.sshKey.publicKey ?? null, keyParts.enc, keyParts.mac),
+      keyFingerprint: fingerprint,
+      // Keep legacy alias for compatibility with older importers.
+      fingerprint,
+    };
+  } else {
+    out.sshKey = null;
+  }
   out.secureNote = cipher.secureNote
     ? {
         type: normalizeNumber((cipher.secureNote as { type?: unknown }).type, 0),

webapp/src/lib/types.ts

@@ -112,6 +112,7 @@ export interface CipherIdentity {
 export interface CipherSshKey {
   privateKey?: string | null;
   publicKey?: string | null;
+  keyFingerprint?: string | null;
   fingerprint?: string | null;
   decPrivateKey?: string;
   decPublicKey?: string;