golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

proposal: x/crypto/ssh: support parsing sk-* private keys #69904

Open bmh10 opened 1 week ago

bmh10 commented 1 week ago

Proposal Details

Support for sk-* key types on the server side was added in 2019: https://github.com/golang/crypto/commit/86a70503ff7e82ffc18c7b0de83db35da4791e6a

While working on a FIDO2 for SSH project I noticed that the library supports parsing sk-ecdsa-sha2-nistp256@openssh.com and sk-ed25519@openssh.com public keys, but seems to have no corresponding support for parsing private keys for these key types (i.e. in https://github.com/golang/crypto/blob/7cfb9161e8d828fd6d9f34560e78460435b63503/ssh/keys.go#L1488).

Perhaps this is because sk-* private keys are not true private keys but just contain a key handle which references the private key on the security key (as mentioned in https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html). However, I believe we should still be able to parse the private key and extract the key handle + the public key part.

Just curious if there's any reason support was not added for this already?
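As an added illustration of what such parsing involves (this is not code from golang/crypto or from the proposal author), the function below decodes the sk-* per-key section of an openssh-key-v1 private key using the field layout documented in OpenSSH's PROTOCOL.u2f. It assumes the caller has already decrypted the blob and consumed the two checkint values; the sample bytes are constructed placeholders, not a real key.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// SKPrivateKey is what an sk-* "private key" section really carries: no secret scalar, only
// the public key, FIDO application id, flags and the key handle the authenticator needs on-device.
type SKPrivateKey struct {
	KeyType, Curve, Application string // Curve is set only for the ecdsa variant
	PublicKey, KeyHandle, Reserved []byte
	Flags                          uint8 // 0x01 = user presence, 0x04 = user verification
}

// ParseSKPrivateKey parses the per-key section of an openssh-key-v1 blob (after the two
// checkint values) in PROTOCOL.u2f order: type, [curve], pubkey, application, flags, handle, reserved.
func ParseSKPrivateKey(b []byte) (_ *SKPrivateKey, err error) {
	var k SKPrivateKey
	next := func() (s []byte) { // pops one SSH wire string (uint32 BE length + bytes); sticky on error
		if err == nil && (len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4)) {
			err = errors.New("truncated or oversized string field")
		} else if err == nil {
			n := 4 + binary.BigEndian.Uint32(b)
			s, b = b[4:n], b[n:]
		}
		return s
	}
	switch k.KeyType = string(next()); k.KeyType {
	case "sk-ecdsa-sha2-nistp256@openssh.com":
		k.Curve = string(next()) // "nistp256"; the public key field is then the EC point
	case "sk-ed25519@openssh.com":
	default:
		return nil, errors.Join(err, errors.New("not an sk-* key type: "+k.KeyType))
	}
	k.PublicKey, k.Application = next(), string(next())
	if len(b) == 0 { // flags is a bare uint8, not a length-prefixed string
		return nil, errors.Join(err, errors.New("missing flags byte"))
	}
	k.Flags, b = b[0], b[1:]
	if k.KeyHandle, k.Reserved = next(), next(); err != nil {
		return nil, err
	}
	return &k, nil
}

func sampleSKEd25519() []byte { // constructed sk-ed25519 section with placeholder bytes, not a real key
	b := []byte("\x00\x00\x00\x16sk-ed25519@openssh.com\x00\x00\x00\x20")
	b = append(b, make([]byte, 32)...) // all-zero placeholder public key
	return append(b, "\x00\x00\x00\x04ssh:\x01\x00\x00\x00\x04\xde\xad\xbe\xef\x00\x00\x00\x00"...)
}
```

Because the key handle is opaque to the host, the parsed structure is only useful for handing back to the authenticator (or for displaying flags and public key); no signing can happen without the device.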

gabyhelp commented 1 week ago

Related Issues and Documentation
