When running `step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_ed25519 --key=sshagentkms:id_ed25519` (where `id_ed25519` is an ed25519 key loaded into the ssh-agent) step-kms-plugin fails with
However, RSA keys work, and so does going through `step` directly with raw ed25519 keyfiles.
I have created a containerized reproduce that demonstrates the problem:
Here's the full reproduce
Run with `docker build --tag step-kms-repro . && docker run step-kms-repro`
```
FROM smallstep/step-kms-plugin:0.11.3
USER root
RUN apk add --no-cache openssh-client
RUN printf secret>pw
RUN step ca init --name test --dns localhost --deployment-type=standalone --address localhost:9000 --provisioner admin-ssh --provisioner-password-file pw --password-file pw --no-db
RUN ssh-keygen -t ed25519 -C id_ed25519 -f id_ed25519 -N ""
RUN ssh-keygen -t rsa -C id_rsa -f id_rsa -N ""
ENTRYPOINT ["/usr/bin/env", "bash", "-c"]
CMD [" \
eval $(ssh-agent); \
ssh-add id_ed25519; \
ssh-add id_rsa; \
step crypto key format --out=id_ed25519.pem --pem --no-password --insecure id_ed25519; \
step crypto key format --out=id_rsa.pem --pem --no-password --insecure id_rsa; \
echo;\
echo 'Signing with id_ed25519.pem directly (succeeds):'; \
step ca token system:admin --offline --provisioner admin-ssh --key=id_ed25519.pem --provisioner-password-file pw --password-file pw; \
echo;\
echo 'Signing with id_rsa through ssh-agent (succeeds):'; \
step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_rsa --key=sshagentkms:id_rsa --provisioner-password-file pw --password-file pw; \
echo;\
echo 'Signing with id_ed25519 through ssh-agent (fails):'; \
step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_ed25519 --key=sshagentkms:id_ed25519 --provisioner-password-file pw --password-file pw \
"]
```
Output
```
Agent pid 8
Identity added: id_ed25519 (id_ed25519)
Identity added: id_rsa (id_rsa)
Your key has been saved in id_ed25519.pem.
Your key has been saved in id_rsa.pem.
Signing with id_ed25519.pem directly (succeeds):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
eyJhbGciOiJFZERTQSIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC9zaWduIiwiZXhwIjoxNzE4NTUxOTg4LCJpYXQiOjE3MTg1NTE2ODgsImlzcyI6ImFkbWluLXNzaCIsImp0aSI6ImJkNjZhODJlZjBlZTg0ZTljZjdjOTczNjRjNDAxOTYxYzRhNzVkMGIzNzRmN2ZhZDUzMGJhZjBiNDgyNzdhZjQiLCJuYmYiOjE3MTg1NTE2ODgsInNhbnMiOlsic3lzdGVtOmFkbWluIl0sInNoYSI6IjZlOTNhZWJhMjcwNTQ0MDE2M2EzMTA2MDY4ZDdiNThiMjdmNzM3MTYzMjY1N2VjNGJkNzNiYTY1MzAwMmFmNTMiLCJzdWIiOiJzeXN0ZW06YWRtaW4ifQ.XHOpg8nN9fzH5ObZ5nGddC7s06fbMeILyvdlYg4WOdb_QzgapDej8LIoZRWyxD0RcpmYneNZpJfQqxVoZbtxDw
Signing with id_rsa through ssh-agent (succeeds):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
eyJhbGciOiJSUzI1NiIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC9zaWduIiwiZXhwIjoxNzE4NTUxOTg4LCJpYXQiOjE3MTg1NTE2ODgsImlzcyI6ImFkbWluLXNzaCIsImp0aSI6ImNlMTgxNjhlYWFlNGIxY2Y4MDkyZGU4ZWYzMTMxOGFmMTlmMGFkY2VkMTdiN2NmNzY3NDRjZGQyMjQwOTVlYTIiLCJuYmYiOjE3MTg1NTE2ODgsInNhbnMiOlsic3lzdGVtOmFkbWluIl0sInNoYSI6IjZlOTNhZWJhMjcwNTQ0MDE2M2EzMTA2MDY4ZDdiNThiMjdmNzM3MTYzMjY1N2VjNGJkNzNiYTY1MzAwMmFmNTMiLCJzdWIiOiJzeXN0ZW06YWRtaW4ifQ.my9ZvesURDCxH8U4aXareg00qcIbOmz4MZ2K3VKSQ-P0v_Eiz2N7am3J6ojnKyOVaSBa3l7nPA5V52EFAw3WNu256Nh7VODRqvihT9EfLtukEbVWntt4Tmhszx9IaNFgi3UjevYqOX1LcSXCod62HQ8OM363j2VgU2AoiehGE2wpHsRRO0k-OwPc7r2x3M4aJb9SlWs9aLa6_RnKh6mynd8jscjCPUkcf3QiSNuww1kHD-AWa1aQszaPCa-7-R7FfTVwXE68u7FVIf0MKrbCgIMpp9heZxz1eBhL8Ll7w6OHHHuG-NCgUJGet48c_bucOdV4PO7p0hck3jTybpg5NbQXkYNyD_ATqfwFq9vs_B67RPkhND2DIzMfQOw9G8yaIPsBoqC_8gu-HAAaVEGAjbcDzKn4VkbUm2p9CNrwkNT1_OPbqhVM3F-ea21VoW8E5zY65zvNrcimOiZmq1UutJZclJfUrq0andeSDKk9gyUI6_2Rfdeh0HTzJupjLbVX
Signing with id_ed25519 through ssh-agent (fails):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
error creating JWT signer: go-jose/go-jose: unknown/unsupported algorithm
```
The use-case is for an automated setup of a PKI where trust is established by providing an SSH pubkey which is converted and added as a JWK provisioner.
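As an added triage aid (not part of the report above, and not code from step or step-kms-plugin), the program below decodes the two tokens the reproduce actually produced, without verifying them, so the difference between the working paths is visible: the direct-keyfile token carries `"alg":"EdDSA"`, the agent-backed RSA token carries `"alg":"RS256"`, both share the provisioner `kid` printed above, and the claims differ only in `jti`. The failing agent-backed ed25519 run emitted no token at all, consistent with the error being raised while constructing the signer rather than while signing. The two token strings are copied from the output above; the function names (`decodeJWT`, `signatureLen`, `alg`) are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Tokens copied verbatim from the reproduce output: the first was signed
// with id_ed25519.pem read directly, the second with id_rsa via ssh-agent.
const (
	edToken  = "eyJhbGciOiJFZERTQSIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC9zaWduIiwiZXhwIjoxNzE4NTUxOTg4LCJpYXQiOjE3MTg1NTE2ODgsImlzcyI6ImFkbWluLXNzaCIsImp0aSI6ImJkNjZhODJlZjBlZTg0ZTljZjdjOTczNjRjNDAxOTYxYzRhNzVkMGIzNzRmN2ZhZDUzMGJhZjBiNDgyNzdhZjQiLCJuYmYiOjE3MTg1NTE2ODgsInNhbnMiOlsic3lzdGVtOmFkbWluIl0sInNoYSI6IjZlOTNhZWJhMjcwNTQ0MDE2M2EzMTA2MDY4ZDdiNThiMjdmNzM3MTYzMjY1N2VjNGJkNzNiYTY1MzAwMmFmNTMiLCJzdWIiOiJzeXN0ZW06YWRtaW4ifQ.XHOpg8nN9fzH5ObZ5nGddC7s06fbMeILyvdlYg4WOdb_QzgapDej8LIoZRWyxD0RcpmYneNZpJfQqxVoZbtxDw"
	rsaToken = "eyJhbGciOiJSUzI1NiIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC9zaWduIiwiZXhwIjoxNzE4NTUxOTg4LCJpYXQiOjE3MTg1NTE2ODgsImlzcyI6ImFkbWluLXNzaCIsImp0aSI6ImNlMTgxNjhlYWFlNGIxY2Y4MDkyZGU4ZWYzMTMxOGFmMTlmMGFkY2VkMTdiN2NmNzY3NDRjZGQyMjQwOTVlYTIiLCJuYmYiOjE3MTg1NTE2ODgsInNhbnMiOlsic3lzdGVtOmFkbWluIl0sInNoYSI6IjZlOTNhZWJhMjcwNTQ0MDE2M2EzMTA2MDY4ZDdiNThiMjdmNzM3MTYzMjY1N2VjNGJkNzNiYTY1MzAwMmFmNTMiLCJzdWIiOiJzeXN0ZW06YWRtaW4ifQ.my9ZvesURDCxH8U4aXareg00qcIbOmz4MZ2K3VKSQ-P0v_Eiz2N7am3J6ojnKyOVaSBa3l7nPA5V52EFAw3WNu256Nh7VODRqvihT9EfLtukEbVWntt4Tmhszx9IaNFgi3UjevYqOX1LcSXCod62HQ8OM363j2VgU2AoiehGE2wpHsRRO0k-OwPc7r2x3M4aJb9SlWs9aLa6_RnKh6mynd8jscjCPUkcf3QiSNuww1kHD-AWa1aQszaPCa-7-R7FfTVwXE68u7FVIf0MKrbCgIMpp9heZxz1eBhL8Ll7w6OHHHuG-NCgUJGet48c_bucOdV4PO7p0hck3jTybpg5NbQXkYNyD_ATqfwFq9vs_B67RPkhND2DIzMfQOw9G8yaIPsBoqC_8gu-HAAaVEGAjbcDzKn4VkbUm2p9CNrwkNT1_OPbqhVM3F-ea21VoW8E5zY65zvNrcimOiZmq1UutJZclJfUrq0andeSDKk9gyUI6_2Rfdeh0HTzJupjLbVX"
)

// decodeJWT splits a compact JWS into its three segments and JSON-decodes the
// protected header and the claims. It performs NO signature verification; it
// is an offline inspection helper, not a validator.
func decodeJWT(token string) (header, claims map[string]any, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	for i, dst := range []*map[string]any{&header, &claims} {
		raw, derr := base64.RawURLEncoding.DecodeString(parts[i])
		if derr != nil {
			return nil, nil, fmt.Errorf("segment %d: %w", i, derr)
		}
		if jerr := json.Unmarshal(raw, dst); jerr != nil {
			return nil, nil, fmt.Errorf("segment %d: %w", i, jerr)
		}
	}
	return header, claims, nil
}

// signatureLen returns the decoded signature size in bytes. Ed25519
// signatures are always 64 bytes; RSA signatures match the modulus size.
func signatureLen(token string) (int, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, errors.New("not a compact JWS")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return 0, err
	}
	return len(sig), nil
}

// alg returns the protected "alg" header, or "" if the token cannot be decoded.
func alg(token string) string {
	h, _, err := decodeJWT(token)
	if err != nil {
		return ""
	}
	s, _ := h["alg"].(string)
	return s
}

func main() {
	for name, tok := range map[string]string{"id_ed25519.pem (direct)": edToken, "id_rsa (ssh-agent)": rsaToken} {
		h, c, err := decodeJWT(tok)
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		n, _ := signatureLen(tok)
		fmt.Printf("%s: alg=%s kid=%s sub=%v iss=%v lifetime=%.0fs sig=%d bytes\n",
			name, h["alg"], h["kid"], c["sub"], c["iss"],
			c["exp"].(float64)-c["iat"].(float64), n)
	}
}
```

Run it with `go run .`; the output shows the header `alg` is the only structural difference between the two successful paths, which narrows the report to the ed25519-through-agent signer setup rather than to the provisioner or the claims.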