Joost van Dijk
2025-Oct-07 12:32 UTC
OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
Hi,

I noticed from the release notes that OpenSSH 10.1p1 now supports ed25519 keys hosted on PKCS#11 tokens. Nice!

I tested this on macOS 26 (Tahoe) with OpenSSH installed via Homebrew, using an ed25519 key hosted on a PKCS#11 token (a YubiKey 5.7.4). Although this works fine, I ran into an issue generating the corresponding SSH public key file.

I am using Yubico's PKCS#11 module (libykcs11, version 2.7.2, installed with yubico-piv-tool using Homebrew), pointed to by $YKCS_P11. When I try to download the public keys from the token, it seems ssh-keygen doesn't know about ed25519 keys yet:

$ ssh-keygen -D $YKCS_P11 -vv
debug1: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.72
debug1: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: label <YubiKey PIV #NNNNNNNN> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial <NNNNNNNN> flags 0x40d
skipping unsupported key type
failed to fetch key
debug2: pkcs11_fetch_keys: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk
debug1: have 1 keys
X509_get_pubkey failed
failed to fetch key
debug2: pkcs11_fetch_certs: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x1011e9510 ptr 0x1011e93d0 idx 0
debug1: pkcs11_provider_unref: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 2
X509_get_pubkey failed
failed to fetch key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xrCZVCZUhVvVNS4jyXtidBxMtMGnMWud3NFBHsa/2bYJqyH/wlYfJKhOKqTLOYoHsqsamai43TamWZnWBXxyS+gCkqaQnFmJ2hzeq0o+joAaYnYPbmkJTcftN315+xiR0IVmIL01/anM5n5Kodq4eGteAYNoqYAXj8MLz1InR0nasrXzIKvh9WM26Lmpl8h3XKVvzjzznqE8L/l+H6925XacAAahw0/5jP854denYULu0JTxYJxt6zSunXQiHVbhbPi6mJVO1LXvn0G1afBYq2r8XM1G9RkUSjDZFhrQOpuT/O88gMPL1G5zJbH5Y+qWhwMDqc13wE+PxpOuVIal Public key for PIV Attestation
debug1: pkcs11_k11_free: parent 0x1011e39e0 ptr 0x1011e3140 idx 0
debug1: pkcs11_provider_unref: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 2
debug1: pkcs11_provider_finalize: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 1

It can only find an RSA key, but not the ed25519 key.

Using Yubico tools, I can export the ed25519 public key from the YubiKey:

$ cat 9a.pem
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAca9+HUq6ZetwNmzURWp2LMqlWUnsl6VKTcyYVMv5NFs=
-----END PUBLIC KEY-----

But when trying to convert it to OpenSSH format, that fails as well:

$ ssh-keygen -i -m PKCS8 -f ./9a.pem > ./id_ed25519.pub
do_convert_from_pkcs8: ./9a.pem is not a recognised public key format

As a workaround, I can generate the public key file "by hand":

$ echo -n "ssh-ed25519 " > ./id_ed25519.pub
$ PUBKEY=$(openssl pkey -in 9a.pem -pubin -outform der | tail -c 32 | xxd -p -c0)
$ echo 0000000b7373682d65643235353139 00000020 $PUBKEY | xxd -r -p | base64 >> ./id_ed25519.pub
$ cat ./id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGvfh1KumXrcDZs1EVqdizKpVlJ7JelSk3MmFTL+TRb

Using that public key file, everything works as expected. However, it would be convenient to use ssh-keygen to generate that file. Or is there another way that I overlooked?

-- Joost van Dijk
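The hand-built conversion in the post works because an Ed25519 SubjectPublicKeyInfo (RFC 8410) has a fixed 12-byte DER header followed by exactly the 32 raw key bytes, so `tail -c 32` happens to pick out the key. The following script is an added example, written for this page and not part of the post, of OpenSSH or of Yubico's tooling: it performs the same PEM to OpenSSH conversion using only the Python standard library, but verifies the DER header (the Ed25519 OID 1.3.101.112 and the 33-byte BIT STRING) instead of trusting the last 32 bytes of whatever was decoded, and it also converts an `ssh-ed25519` public key line back to PEM. The sample input is the 9a.pem from the post with its trailing base64 `=` padding restored; the decoder also tolerates padding that was dropped in transit.

```python
import base64
import struct

# Sample input: the 9a.pem printed in the post above (padding '=' restored).
POST_PEM = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAca9+HUq6ZetwNmzURWp2LMqlWUnsl6VKTcyYVMv5NFs=
-----END PUBLIC KEY-----
"""

# RFC 8410 SubjectPublicKeyInfo for Ed25519 has a fixed shape:
#   SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 },
#                  BIT STRING(33) { 0 unused bits, 32 key bytes } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
ED25519_SPKI_LEN = len(ED25519_SPKI_PREFIX) + 32  # always 44 bytes


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body (re-adding lost padding)."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) block")
    body = "".join(lines[1:-1])
    body += "=" * (-len(body) % 4)  # padding is sometimes lost when pasted
    return base64.b64decode(body, validate=True)


def ed25519_raw_from_spki(der: bytes) -> bytes:
    """Return the 32 raw key bytes; refuse anything that is not exactly an Ed25519 SPKI."""
    if len(der) != ED25519_SPKI_LEN or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo (OID 1.3.101.112, 32-byte key)")
    return der[len(ED25519_SPKI_PREFIX):]


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def raw_to_openssh(raw: bytes, comment: str = "") -> str:
    """Build the .pub line: 'ssh-ed25519 <base64(string(type) || string(key))> [comment]'."""
    if len(raw) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line


def pem_to_openssh(pem: str, comment: str = "") -> str:
    return raw_to_openssh(ed25519_raw_from_spki(pem_to_der(pem)), comment)


def openssh_to_raw(line: str) -> bytes:
    """Parse a .pub line back to the raw key, checking the wire encoding strictly."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)
    offset = 0

    def take() -> bytes:
        nonlocal offset
        if offset + 4 > len(blob):
            raise ValueError("truncated ssh string")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated ssh string")
        chunk = blob[offset:offset + length]
        offset += length
        return chunk

    key_type, raw = take(), take()
    if key_type != b"ssh-ed25519" or len(raw) != 32 or offset != len(blob):
        raise ValueError("malformed ssh-ed25519 key blob")
    return raw


def raw_to_pem(raw: bytes) -> str:
    """Wrap 32 raw key bytes in the RFC 8410 SPKI and PEM-armour it (64-char lines)."""
    if len(raw) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    b64 = base64.b64encode(ED25519_SPKI_PREFIX + raw).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def openssh_to_pem(line: str) -> str:
    return raw_to_pem(openssh_to_raw(line))


if __name__ == "__main__":
    pub_line = pem_to_openssh(POST_PEM)
    print(pub_line)
    assert openssh_to_pem(pub_line) == POST_PEM  # round trip must be lossless
```

Running the script prints the same `ssh-ed25519 AAAAC3Nza...` line the post derives with `openssl`, `xxd` and `base64`, and rejects input whose OID or length does not match (for example an X25519 key, which uses OID 1.3.101.110 with the same 32-byte layout and would slip through a `tail -c 32` approach).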