From bb85492d4f6b81b8e9cdb280ca55f36ec1cc8b8b Mon Sep 17 00:00:00 2001
From: Praneeth Sarode <praneethsarode@gmail.com>
Date: Wed, 30 Jul 2025 23:00:53 +0530
Subject: [PATCH] feat(pki): add support for SK key types in signature handling

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
---
 src/pki.c            | 11 +++++++++++
 src/pki_crypto.c     |  5 +++++
 src/pki_gcrypt.c     |  5 +++++
 src/pki_mbedcrypto.c |  5 +++++
 4 files changed, 26 insertions(+)

diff --git a/src/pki.c b/src/pki.c
index 663bb736..9725072e 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -506,6 +506,7 @@ static enum ssh_digest_e key_type_to_hash(enum ssh_keytypes_e type)
         return SSH_DIGEST_SHA512;
     case SSH_KEYTYPE_ECDSA_P256_CERT01:
     case SSH_KEYTYPE_ECDSA_P256:
+    case SSH_KEYTYPE_SK_ECDSA:
         return SSH_DIGEST_SHA256;
     case SSH_KEYTYPE_ECDSA_P384_CERT01:
     case SSH_KEYTYPE_ECDSA_P384:
@@ -515,6 +516,7 @@ static enum ssh_digest_e key_type_to_hash(enum ssh_keytypes_e type)
         return SSH_DIGEST_SHA512;
     case SSH_KEYTYPE_ED25519_CERT01:
     case SSH_KEYTYPE_ED25519:
+    case SSH_KEYTYPE_SK_ED25519:
         return SSH_DIGEST_AUTO;
     case SSH_KEYTYPE_RSA1:
     case SSH_KEYTYPE_DSS:        /* deprecated */
@@ -2508,6 +2510,15 @@ int ssh_pki_export_signature_blob(const ssh_signature sig,
         return SSH_ERROR;
     }
 
+    if (is_sk_key_type(sig->type)) {
+        /* Add flags and counter for SK keys */
+        rc = ssh_buffer_pack(buf, "bd", sig->sk_flags, sig->sk_counter);
+        if (rc < 0) {
+            SSH_BUFFER_FREE(buf);
+            return SSH_ERROR;
+        }
+    }
+
     str = ssh_string_new(ssh_buffer_get_len(buf));
     if (str == NULL) {
         SSH_BUFFER_FREE(buf);
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index c5ca28cf..32ad611b 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -2158,6 +2158,11 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
             sig_blob = pki_ecdsa_signature_to_blob(sig);
             break;
 #endif /* HAVE_OPENSSL_ECC */
+        case SSH_KEYTYPE_SK_ECDSA:
+        case SSH_KEYTYPE_SK_ED25519:
+            /* For SK keys, signature data is already in raw_sig */
+            sig_blob = ssh_string_copy(sig->raw_sig);
+            break;
         default:
         case SSH_KEYTYPE_UNKNOWN:
             SSH_LOG(SSH_LOG_TRACE, "Unknown signature key type: %s", sig->type_c);
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 445a75b2..1d31af06 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1809,6 +1809,11 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
         break;
     }
 #endif
+    case SSH_KEYTYPE_SK_ECDSA:
+    case SSH_KEYTYPE_SK_ED25519:
+        /* For SK keys, signature data is already in raw_sig */
+        sig_blob = ssh_string_copy(sig->raw_sig);
+        break;
     case SSH_KEYTYPE_RSA1:
     case SSH_KEYTYPE_UNKNOWN:
     default:
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index 22646a0d..cc5fb9c4 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -1215,6 +1215,11 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
         case SSH_KEYTYPE_ED25519:
             sig_blob = pki_ed25519_signature_to_blob(sig);
             break;
+        case SSH_KEYTYPE_SK_ECDSA:
+        case SSH_KEYTYPE_SK_ED25519:
+            /* For SK keys, signature data is already in raw_sig */
+            sig_blob = ssh_string_copy(sig->raw_sig);
+            break;
         default:
             SSH_LOG(SSH_LOG_TRACE, "Unknown signature key type: %s",
                     sig->type_c);