proposal: x/crypto/ssh: support parsing sk-* private keys #69904

Open

@bmh10

Proposal Details

Support for sk-* key types on the server side was added in 2019: golang/crypto@86a7050

While working on a FIDO2 for SSH project I noticed that the library supports parsing sk-ecdsa-sha2-nistp256@openssh.com and sk-ed25519@openssh.com public keys, but seems to have no corresponding support for parsing private keys for these key types (i.e. in https://github.com/golang/crypto/blob/7cfb9161e8d828fd6d9f34560e78460435b63503/ssh/keys.go#L1488).

Perhaps this is because sk-* private keys are not true private keys but just contain a key handle which references the private key on the security key (as mentioned in https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html). However, I believe we should still be able to parse the private key and extract the key handle + the public key part.

Just curious if there's any reason support was not added for this already?
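As an added illustration of what "parse the private key and extract the key handle + the public key part" amounts to (example code written for this page, not part of x/crypto/ssh or of the proposal), the block below decodes the key-type-specific fields of an sk-ed25519@openssh.com private section. The field layout (string key type, string public key, string application, byte flags, string key_handle, string reserved) is assumed from OpenSSH's PROTOCOL.u2f; the sample bytes, the key handle and the comment are constructed, and the 0x01 flag bit is assumed to be the user-presence flag. It uses only the standard library, so it does not reflect how x/crypto/ssh would expose such a key.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// SKEd25519Private holds the key-type-specific fields of an
// sk-ed25519@openssh.com private key section. Layout assumed from OpenSSH's
// PROTOCOL.u2f: the blob carries no secret scalar, only a key handle that the
// authenticator resolves, so parsing yields public data plus that handle.
type SKEd25519Private struct {
	PublicKey   []byte // 32-byte Ed25519 public key
	Application string // relying-party id, "ssh:" for ordinary ssh keys
	Flags       uint8  // assumed: bit 0x01 = user presence required
	KeyHandle   []byte // opaque credential id, meaningful only to the token
	Reserved    []byte // currently empty in practice
}

// readString consumes one SSH wire-format string (uint32 big-endian length
// followed by that many bytes) and rejects truncated input.
func readString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 {
		return nil, nil, errors.New("short read: missing length prefix")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return nil, nil, errors.New("short read: truncated string")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// ParseSKEd25519Private parses the fields that follow inside the decrypted
// openssh-key-v1 private section for one sk-ed25519 key. It returns the
// unconsumed bytes so a caller can go on to read the key comment and padding.
func ParseSKEd25519Private(blob []byte) (*SKEd25519Private, []byte, error) {
	keyType, rest, err := readString(blob)
	if err != nil {
		return nil, nil, err
	}
	if string(keyType) != "sk-ed25519@openssh.com" {
		return nil, nil, fmt.Errorf("unexpected key type %q", keyType)
	}
	pk, rest, err := readString(rest)
	if err != nil {
		return nil, nil, err
	}
	if len(pk) != 32 {
		return nil, nil, fmt.Errorf("bad ed25519 public key length %d", len(pk))
	}
	app, rest, err := readString(rest)
	if err != nil {
		return nil, nil, err
	}
	if len(rest) < 1 {
		return nil, nil, errors.New("short read: missing flags byte")
	}
	flags, rest := rest[0], rest[1:]
	handle, rest, err := readString(rest)
	if err != nil {
		return nil, nil, err
	}
	reserved, rest, err := readString(rest)
	if err != nil {
		return nil, nil, err
	}
	return &SKEd25519Private{
		PublicKey:   pk,
		Application: string(app),
		Flags:       flags,
		KeyHandle:   handle,
		Reserved:    reserved,
	}, rest, nil
}

// writeString appends an SSH wire-format string; used only to build the sample.
func writeString(b, s []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	return append(append(b, n[:]...), s...)
}

// SampleBlob builds a constructed sk-ed25519 private section followed by the
// key comment, as it would sit inside the private part of an openssh-key-v1
// file. The public key and key handle are dummy bytes, not real material.
func SampleBlob() []byte {
	var b []byte
	b = writeString(b, []byte("sk-ed25519@openssh.com"))
	b = writeString(b, bytes.Repeat([]byte{0xAA}, 32))
	b = writeString(b, []byte("ssh:"))
	b = append(b, 0x01) // constructed: user-presence-required flag
	b = writeString(b, []byte("constructed-key-handle-not-a-real-credential"))
	b = writeString(b, nil) // reserved
	b = writeString(b, []byte("user@example")) // comment, left for the caller
	return b
}

func main() {
	k, rest, err := ParseSKEd25519Private(SampleBlob())
	if err != nil {
		panic(err)
	}
	fmt.Printf("pk=%x app=%q flags=%#x handle=%q rest=%d bytes\n",
		k.PublicKey, k.Application, k.Flags, k.KeyHandle, len(rest))
}
```

The same approach, with the curve name and EC point in place of the 32-byte key, covers sk-ecdsa-sha2-nistp256@openssh.com; what comes out is still only the key handle and public data, and any signing has to go through the authenticator that holds the credential.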

Metadata

Assignees: No one assigned

Labels: Proposal, Proposal-Crypto (Proposal related to crypto packages or other security issues)

Status: Incoming