OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
Joost van Dijk
vandijk.joost at gmail.com
Tue Oct 7 23:32:07 AEDT 2025
Hi,
I noticed from the release notes that OpenSSH 10.1p1 now supports ed25519 keys hosted on PKCS#11 tokens. Nice!
I tested this on macOS 26 (Tahoe) with OpenSSH installed via Homebrew using an ed25519 key hosted on a PKCS#11 token (a YubiKey 5.7.4).
Although this works fine, I ran into an issue generating the corresponding SSH public key file.
I am using Yubico’s PKCS#11 module (libykcs11, version 2.7.2 installed with yubico-piv-tool using Homebrew), pointed to by $YKCS_P11.
When I try to download the public keys from the token, it seems ssh-keygen doesn’t know about ed25519 keys yet:
$ ssh-keygen -D $YKCS_P11 -vv
debug1: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.72
debug1: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: label <YubiKey PIV #NNNNNNNN> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial <NNNNNNNN> flags 0x40d
skipping unsupported key type
failed to fetch key
debug2: pkcs11_fetch_keys: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk
debug1: have 1 keys
X509_get_pubkey failed
failed to fetch key
debug2: pkcs11_fetch_certs: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x1011e9510 ptr 0x1011e93d0 idx 0
debug1: pkcs11_provider_unref: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 2
X509_get_pubkey failed
failed to fetch key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xrCZVCZUhVvVNS4jyXtidBxMtMGnMWud3NFBHsa/2bYJqyH/wlYfJKhOKqTLOYoHsqsamai43TamWZnWBXxyS+gCkqaQnFmJ2hzeq0o+joAaYnYPbmkJTcftN315+xiR0IVmIL01/anM5n5Kodq4eGteAYNoqYAXj8MLz1InR0nasrXzIKvh9WM26Lmpl8h3XKVvzjzznqE8L/l+H6925XacAAahw0/5jP854denYULu0JTxYJxt6zSunXQiHVbhbPi6mJVO1LXvn0G1afBYq2r8XM1G9RkUSjDZFhrQOpuT/O88gMPL1G5zJbH5Y+qWhwMDqc13wE+PxpOuVIal Public key for PIV Attestation
debug1: pkcs11_k11_free: parent 0x1011e39e0 ptr 0x1011e3140 idx 0
debug1: pkcs11_provider_unref: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 2
debug1: pkcs11_provider_finalize: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 1
It can only find an RSA key, but not the ed25519 key.
Using Yubico tools, I can export the ed25519 public key from the YubiKey:
$ cat 9a.pem
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAca9+HUq6ZetwNmzURWp2LMqlWUnsl6VKTcyYVMv5NFs=
-----END PUBLIC KEY-----
But when trying to convert it to OpenSSH format, that fails as well:
$ ssh-keygen -i -m PKCS8 -f ./9a.pem > ./id_ed25519.pub
do_convert_from_pkcs8: ./9a.pem is not a recognised public key format
As a workaround, I can generate the public key file “by hand”:
$ echo -n "ssh-ed25519 " > ./id_ed25519.pub
$ PUBKEY=$(openssl pkey -in 9a.pem -pubin -outform der | tail -c 32 | xxd -p -c0)
$ echo 0000000b7373682d65643235353139 00000020 $PUBKEY | xxd -r -p | base64 >> ./id_ed25519.pub
$ cat ./id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGvfh1KumXrcDZs1EVqdizKpVlJ7JelSk3MmFTL+TRb
Using that public key file, everything works as expected.
However, it would be convenient to use ssh-keygen to generate that file.
Or is there another way that I overlooked?
—
Joost van Dijk
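As an added example that is not part of the original post: the same conversion as the workaround above, done in Python with the SubjectPublicKeyInfo actually checked (Ed25519 algorithm OID, 33-byte BIT STRING with zero unused bits) instead of taking the last 32 bytes of the DER on faith. The function names are mine; the input is the 9a.pem from the post.

```python
import base64
import struct

# DER encoding of the Ed25519 algorithm OID 1.3.101.112 (RFC 8410).
ED25519_OID = bytes.fromhex("2b6570")

def _der_tlv(buf: bytes, pos: int, tag: int):
    """Read one short-form DER TLV at buf[pos]; return (value, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    if length >= 0x80:  # a 44-byte Ed25519 SPKI never needs long-form lengths
        raise ValueError("unexpected long-form DER length")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return buf[pos + 2:end], end

def ed25519_pubkey_from_spki_pem(pem: str) -> bytes:
    """Return the raw 32-byte key from a PEM 'PUBLIC KEY' block, checking the
    SPKI structure and OID rather than trusting the last 32 bytes of the DER."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("not a PEM PUBLIC KEY block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    spki, end = _der_tlv(der, 0, 0x30)       # SubjectPublicKeyInfo SEQUENCE
    if end != len(der):
        raise ValueError("trailing data after SubjectPublicKeyInfo")
    alg, pos = _der_tlv(spki, 0, 0x30)       # AlgorithmIdentifier SEQUENCE
    oid, alg_end = _der_tlv(alg, 0, 0x06)    # algorithm OBJECT IDENTIFIER
    if oid != ED25519_OID or alg_end != len(alg):
        raise ValueError("not an Ed25519 key, or unexpected algorithm parameters")
    bits, pos = _der_tlv(spki, pos, 0x03)    # subjectPublicKey BIT STRING
    if pos != len(spki) or len(bits) != 33 or bits[0] != 0:
        raise ValueError("malformed Ed25519 subjectPublicKey")
    return bits[1:]

def openssh_ed25519_line(pem: str, comment: str = "") -> str:
    """Encode as OpenSSH: blob = string "ssh-ed25519" || string key, then base64."""
    raw = ed25519_pubkey_from_spki_pem(pem)
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

# Sample input: the 9a.pem exported in the post above.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAca9+HUq6ZetwNmzURWp2LMqlWUnsl6VKTcyYVMv5NFs=
-----END PUBLIC KEY-----"""

print(openssh_ed25519_line(SAMPLE_PEM))
```

The output is the same id_ed25519.pub line shown above; a PEM carrying another algorithm OID, or one that is not a SubjectPublicKeyInfo at all, is rejected instead of silently producing a wrong ssh-ed25519 line.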