@joostd
Created November 4, 2022 16:05
demo for storing SSH certificates on a FIDO security key using largeBlobs
# LargeBlob demo: storing an SSH certificate on a FIDO security key
#
# Uses the first key listed by fido2-token -L, which prints one line per
# device of the form "<path>: vendor=0x..., product=0x... (...)". On an M1
# Mac the path is "ioreg://<id>", so the first two colon-separated fields
# form the device path; on Linux the path is "/dev/hidrawN" and this cut
# needs adjusting. ':=' runs fido2-token -L once instead of on every
# expansion of ${HID}.
HID:="$(shell fido2-token -L | head -1 | cut -d: -f1-2)"

# Check if largeBlobs are supported on your key (for instance a YubiKey
# with 5.5+ firmware). fido2-token -I prints options the token reports as
# unsupported with a "no" prefix (nolargeBlobs), so match the whole word.
check:
	fido2-token -I ${HID} | grep -w largeBlobs

# CA key pair used to sign the SSH user certificate
id_ca id_ca.pub:
	ssh-keygen -t ecdsa -f id_ca

# Generate a resident (discoverable) SSH key on the security key
id_ecdsa id_ecdsa.pub:
	ssh-keygen -t ecdsa-sk -f ./id_ecdsa -O resident -N ""

# List the resident credentials stored under the "ssh:" relying party
# (may prompt for the FIDO PIN). Alternatives:
#   fido2-token -L -r ${HID}
#   ykman fido credentials list
rk: id_ecdsa
	fido2-token -L -k ssh: ${HID}

# Issue the SSH certificate for the resident key, then store it in the
# token's largeBlob array, associated with the "ssh:" credential.
# The demo certificate has no principals and no expiry; use -n and -V
# for anything beyond a demo.
id_ecdsa-cert.pub: id_ca id_ecdsa.pub
	ssh-keygen -s ./id_ca -I [email protected] id_ecdsa.pub
	fido2-token -S -b -n ssh: id_ecdsa-cert.pub ${HID}

# List the large blobs on the token
list:
	fido2-token -L -b ${HID}

# Read the certificate back from the largeBlob and display it
out.blob: id_ecdsa-cert.pub
	fido2-token -G -b -n ssh: out.blob ${HID}

show: out.blob
	ssh-keygen -f out.blob -L

# cleanup: remove the local files and the on-token blob and credential
clean: delete
	-rm id_ca id_ca.pub id_ecdsa id_ecdsa-cert.pub id_ecdsa.pub out.blob

# Delete the blob first, then the resident credential it belongs to.
# fido2-token -L -k ssh: prints one "NN: <cred_id> ..." line per credential,
# so the cut below assumes a single resident ssh: key.
delete:
	fido2-token -D -b -n ssh: ${HID}
	fido2-token -D -i $(shell fido2-token -Lk ssh: ${HID} | cut -d' ' -f2) ${HID}
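The Makefile above ties the device path to the macOS "ioreg://" format and assumes a single resident ssh: key. The shell helpers below are an added example, not code from the gist, that parse fido2-token output so the same steps work with Linux or Windows device paths and with several resident ssh: keys. The SAMPLE_* strings are constructed for illustration; the field layout follows libfido2's fido2-token as I know it (device list lines of the form "<path>: vendor=..., product=... (...)", an "options:" line in -I output in which options reported false carry a "no" prefix, and "NN: <cred_id> ..." lines from -L -k), so confirm it against your own key. The commands that touch a real key are shown as comments and are not executed.

```sh
#!/bin/sh
# Added example, not part of joostd's gist: parse fido2-token output
# portably instead of relying on the macOS "ioreg://" device path format.
# The SAMPLE_* strings are constructed for illustration (field layout as
# printed by libfido2's fido2-token; verify against your own key).

# Device path of the first key in 'fido2-token -L' output. Every platform
# prints "<path>: vendor=0x..., product=0x... (...)", so strip from
# ": vendor=" on rather than counting colons (ioreg:// paths contain one,
# /dev/hidrawN paths none).
first_device() {
	sed -n '1s/: vendor=.*//p'
}

# Exit 0 if 'fido2-token -I' output reports largeBlobs as supported.
# libfido2 prints options the token reports as false with a "no" prefix
# (e.g. "nolargeBlobs"), which a plain 'grep largeBlobs' would also match.
has_large_blobs() {
	grep -qE '^options:.*[ ,]largeBlobs([ ,]|$)'
}

# Credential ID (base64) of resident credential number N (default 0) from
# 'fido2-token -L -k <rp_id> <device>' output, whose lines start
# "NN: <cred_id> ...". Selecting one line keeps 'fido2-token -D -i' from
# receiving several IDs when more than one ssh: key is resident.
cred_id() {
	awk -v n="${1:-0}" '$1 == sprintf("%02d:", n) { print $2 }'
}

# --- constructed samples -------------------------------------------------

# 'fido2-token -L' on a Linux host with two keys plugged in
SAMPLE_LIST='/dev/hidraw2: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
/dev/hidraw5: vendor=0x1050, product=0x0402 (Yubico YubiKey FIDO)'

# the "options:" line of 'fido2-token -I' for a key with and without largeBlobs
SAMPLE_INFO_YES='options: rk, up, noplat, clientPin, credMgmt, largeBlobs'
SAMPLE_INFO_NO='options: rk, up, noplat, clientPin, credentialMgmtPreview, nolargeBlobs'

# 'fido2-token -L -k ssh:' with two resident ssh: keys; the first credential
# ID is the one shown in the gist's example run, the second ID and the
# public-key fields are placeholders.
SAMPLE_RKS='00: mXvCB6S5femKhqZPO9h3lr6Z3HZ6ys/Fq6amY+r0uu7P5wsXzm6Zj3K+ELaD0m7k openssh PUBKEY0 es256 uvopt
01: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA openssh PUBKEY1 es256 uvopt'

# How the helpers slot into the gist's flow against a real key (not run here):
#   HID=$(fido2-token -L | first_device)
#   fido2-token -I "$HID" | has_large_blobs || { echo "no largeBlobs support" >&2; exit 1; }
#   fido2-token -S -b -n ssh: id_ecdsa-cert.pub "$HID"        # store the certificate
#   fido2-token -G -b -n ssh: out.blob "$HID"                 # read it back
#   fido2-token -D -b -n ssh: "$HID"                          # delete the blob first...
#   fido2-token -D -i "$(fido2-token -L -k ssh: "$HID" | cred_id 0)" "$HID"   # ...then the key

demo() {
	printf '%s\n' "$SAMPLE_LIST" | first_device
	printf '%s\n' "$SAMPLE_INFO_YES" | has_large_blobs && echo "largeBlobs: yes"
	printf '%s\n' "$SAMPLE_INFO_NO" | has_large_blobs || echo "largeBlobs: no"
	printf '%s\n' "$SAMPLE_RKS" | cred_id 1
}

demo
```

Deleting the blob before the credential matters: largeBlob entries are encrypted under the credential's largeBlobKey, so once the resident key is gone the entry can no longer be addressed by RP ID and only an unkeyed cleanup of the whole array would remove it.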
joostd commented Nov 4, 2022

Example run:

$ make -f Makefile.largeBlobs show clean 
ssh-keygen -t ecdsa -f id_ca 
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_ca
Your public key has been saved in id_ca.pub
The key fingerprint is:
SHA256:ZzCh9Ch52WeqwEaL0U0rrir0ugflh6o1j02hxBJvxbc [email protected]
The key's randomart image is:
+---[ECDSA 256]---+
|      o .        |
|   o = B .       |
|. . O O = o      |
| + O * . *       |
|. O O E S o      |
| * * + . o       |
|. O o .          |
|.+ O             |
|=o= o            |
+----[SHA256]-----+
ssh-keygen -t ecdsa-sk -f ./id_ecdsa -O resident -N ""
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Your identification has been saved in ./id_ecdsa
Your public key has been saved in ./id_ecdsa.pub
The key fingerprint is:
SHA256:/IzaEt1LnmZLqUpVFiVmqZiYmeVHVNWMvSEYGdwMV/I [email protected]
The key's randomart image is:
+-[ECDSA-SK 256]--+
|       ..oX%=*.  |
|      . .o=+=o=  |
|     B + .o  .Eo |
|    = +.oo    .  |
|       oS.       |
|      ...+o.     |
|      ...o=o     |
|     ..o o*      |
|      oooo..     |
+----[SHA256]-----+
ssh-keygen -s ./id_ca -I [email protected] id_ecdsa.pub 
Signed user key id_ecdsa-cert.pub: id "[email protected]" serial 0 valid forever
fido2-token -S -b -n ssh: id_ecdsa-cert.pub "ioreg://1234567890" 
fido2-token -G -b -n ssh: out.blob "ioreg://1234567890" 
ssh-keygen -f out.blob -L
out.blob:
        Type: [email protected] user certificate
        Public key: ECDSA-SK-CERT SHA256:/IzaEt1LnmZLqUpVFiVmqZiYmeVHVNWMvSEYGdwMV/I
        Signing CA: ECDSA SHA256:ZzCh9Ch52WeqwEaL0U0rrir0ugflh6o1j02hxBJvxbc (using ecdsa-sha2-nistp256)
        Key ID: "[email protected]"
        Serial: 0
        Valid: forever
        Principals: (none)
        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
fido2-token -D -b -n ssh: "ioreg://1234567890"
fido2-token -D -i mXvCB6S5femKhqZPO9h3lr6Z3HZ6ys/Fq6amY+r0uu7P5wsXzm6Zj3K+ELaD0m7k "ioreg://1234567890"
rm id_ca id_ca.pub id_ecdsa id_ecdsa-cert.pub id_ecdsa.pub out.blob