These were explicitly left out of the API since hardware-bound keys are a much stronger security assertion if they never leave the key and you can prove that they're actually bound to hardware. They also make things harder because they won't have an attestation certificate for us to get hints about PIN policy.
Consider documenting that imported keys aren't supported or explicitly handling them. Either way it's unlikely we'll provide an API to import keys.
For KeyAuth, the API to handle imported keys might look like:
```go
type KeyAuth struct {
	PIN       string
	PINPrompt func() (string, error)
	// ImportedKeyPINPolicy is required for interacting with other tools that import
	// keys that take a PIN.
	//
	// If a key was generated by this package, this value doesn't need to be set.
	ImportedKeyPINPolicy PINPolicy
}
```