Support -sk versions of ed25519 keys.

[soupglasses]

When attempting to use ssh-to-age with an ed25519-sk based key, it will result in the following error:

skipped key: got [email protected] key type, but only ed25519 keys are supported

[soupglasses]

Using [email protected] as the start of the key instead of ssh-ed25519-sk results in a different error:

failed to convert '[email protected] (... snip ...)': failed to parse ssh public key: illegal base64 data at input byte 4

[Mic92]

Maybe the keytype needs to be added here:

ssh-to-age/convert.go

Line 108 in 9610d46

if pk.Type() != ssh.KeyAlgoED25519 {

Here are the supported algorithm: https://pkg.go.dev/golang.org/x/crypto/ssh#pkg-constants

Note that I don't think this can work in combination with sops, which I think does not have support for yubikeys yet.

[soupglasses]

Well sops takes in the generated public/private age keys that ssh-to-age creates. So the input to generate it would not matter if it was a ssh-ed25519-sk key or a ssh-ed25519 key, as both should build down to age keys that sops can use?

[Mic92]

Correct for the public key but if the private key is stored on a yubikey than you cannot decrypt sops files with it afterwards since sops is not using the ssh agent for it's crypto operations but rather expects a age private key (that can not be generated with ssh-to-age)

[soupglasses]

Yeah. I think having the solution for this case be https://github.com/str4d/age-plugin-yubikey or simply GPG based secrets would be easier to support with yubikeys as a whole. Even if the ssh key is using the correct key-type to support ssh-to-age.

[Mic92]

Those plugins are not supported yet: getsops/sops#1103
I have not checked how age implements yet so I cannot tell yet what sops needs to do (it also uses the age library interface for decrypting)

[BrokenStandards]

I checked, all age's code handling plugins is in age/cmd. Plugin interface is still marked as internal.
Sops probably can't really do anything without being hacky atm, like stealing the interfaces from cmds/plugins or outright calling age cmds.

If you want to take a look I would start at age/cmd/age/parse.go. parseRecipient and parseIdentity are the dispatcher functions. The plugin takes/is passed a client ui (so it can do things like pin entry and whatever) and cmd creates a pluginTerminalUI to handle that.

I'm not familiar enough with sops to know if that is actually a problem. But a cursory look suggest it is. Only pgp seems to handle password prompts. Azkv explicitly mentions not having support for it until they figure out how to handle it.
So I guess no standard input method has been developed. I imagine they would want to pass in their own clientUI or a wrapper around pinentry one day in the future. But regardless I doubt anything is coming until plugin is not internal

[soupglasses]

Yeah i agree using Yubikey's pgp functionality is the way to go here. Instead of trying to translate a -sk key to age, when pgp functionality (with ed25519 support) is already built into to the Yubikey.