feat(pki): add support for SK key types in signature handling

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2026-02-04 12:20:42 +09:00 · 2025-07-30 23:00:53 +05:30
parent 22c1b6970c
commit bb85492d4f
4 changed files with 26 additions and 0 deletions
--- a/src/pki.c
+++ b/src/pki.c
@@ -506,6 +506,7 @@ static enum ssh_digest_e key_type_to_hash(enum ssh_keytypes_e type)
        return SSH_DIGEST_SHA512;
    case SSH_KEYTYPE_ECDSA_P256_CERT01:
    case SSH_KEYTYPE_ECDSA_P256:
+    case SSH_KEYTYPE_SK_ECDSA:
        return SSH_DIGEST_SHA256;
    case SSH_KEYTYPE_ECDSA_P384_CERT01:
    case SSH_KEYTYPE_ECDSA_P384:
@@ -515,6 +516,7 @@ static enum ssh_digest_e key_type_to_hash(enum ssh_keytypes_e type)
        return SSH_DIGEST_SHA512;
    case SSH_KEYTYPE_ED25519_CERT01:
    case SSH_KEYTYPE_ED25519:
+    case SSH_KEYTYPE_SK_ED25519:
        return SSH_DIGEST_AUTO;
    case SSH_KEYTYPE_RSA1:
    case SSH_KEYTYPE_DSS:        /* deprecated */
@@ -2508,6 +2510,15 @@ int ssh_pki_export_signature_blob(const ssh_signature sig,
        return SSH_ERROR;
    }

+    if (is_sk_key_type(sig->type)) {
+        /* Add flags and counter for SK keys */
+        rc = ssh_buffer_pack(buf, "bd", sig->sk_flags, sig->sk_counter);
+        if (rc < 0) {
+            SSH_BUFFER_FREE(buf);
+            return SSH_ERROR;
+        }
+    }
+
    str = ssh_string_new(ssh_buffer_get_len(buf));
    if (str == NULL) {
        SSH_BUFFER_FREE(buf);
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -2158,6 +2158,11 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
            sig_blob = pki_ecdsa_signature_to_blob(sig);
            break;
 #endif /* HAVE_OPENSSL_ECC */
+        case SSH_KEYTYPE_SK_ECDSA:
+        case SSH_KEYTYPE_SK_ED25519:
+            /* For SK keys, signature data is already in raw_sig */
+            sig_blob = ssh_string_copy(sig->raw_sig);
+            break;
        default:
        case SSH_KEYTYPE_UNKNOWN:
            SSH_LOG(SSH_LOG_TRACE, "Unknown signature key type: %s", sig->type_c);
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1809,6 +1809,11 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
        break;
    }
 #endif
+    case SSH_KEYTYPE_SK_ECDSA:
+    case SSH_KEYTYPE_SK_ED25519:
+        /* For SK keys, signature data is already in raw_sig */
+        sig_blob = ssh_string_copy(sig->raw_sig);
+        break;
    case SSH_KEYTYPE_RSA1:
    case SSH_KEYTYPE_UNKNOWN:
    default:
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -1215,6 +1215,11 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
        case SSH_KEYTYPE_ED25519:
            sig_blob = pki_ed25519_signature_to_blob(sig);
            break;
+        case SSH_KEYTYPE_SK_ECDSA:
+        case SSH_KEYTYPE_SK_ED25519:
+            /* For SK keys, signature data is already in raw_sig */
+            sig_blob = ssh_string_copy(sig->raw_sig);
+            break;
        default:
            SSH_LOG(SSH_LOG_TRACE, "Unknown signature key type: %s",
                    sig->type_c);