feat: support for external signers in NIOSSHPrivateKey#220

Open
camunro wants to merge 2 commits into apple:main from camunro:pr/ssh-agent-hooks

Conversation

@camunro camunro commented Feb 16, 2026

Support for External Signers in NIOSSHPrivateKey

Motivation

This PR enables hardware-backed authentication and remote identity protocols by allowing NIOSSHPrivateKey to delegate signing operations to external providers (e.g., Secure Enclave, TPM, or ssh-agent) without requiring raw private key material to be loaded into memory.

This is a foundational architectural change that enables several high-level features for the Swift ecosystem:

  • SSH Agent Protocol: Provides the necessary hooks for a client to list keys from ssh-agent and delegate the sign request back to the agent. (Add SSH Agent Support #189)
  • Hardware Security (Secure Enclave / TPM): Allows keys stored in the Apple Secure Enclave or a TPM to sign SSH challenges via Biometrics (TouchID/FaceID).
  • PKCS#11 / Smart Cards: Enables integration with physical security tokens and other non-exportable identities.

Modifications

  • New Protocol: Defined NIOSSHExternalSigner, which defines a standardized interface for delegated signing operations.
  • NIOSSHPrivateKey Evolution: Added an .external(NIOSSHExternalSigner) case to NIOSSHPrivateKey for all supported algorithms:
    • Ed25519
    • ECDSA (NIST P-256, P-384, and P-521)
  • Error Handling: Added NIOSSHError.externalSignerFailure to provide clear feedback and diagnostic info when an external delegate fails.
  • Documentation: Updated Docs.docc to provide guidance on implementing external signers for hardware-backed security.
  • Testing: Added NIOSSHExternalSignerTests.swift covering:
    • Mock external signers for all supported curves.
    • Verification that signatures produced by delegates are correctly handled by the SSH state machine.
    • Validation of error propagation when the external signer throws.

Result

NIOSSH now supports public-key authentication where the signing operation is handled by an external delegate. This provides the critical architectural hook required for modern identity-aware SSH implementations (like #189) on both Apple and Linux platforms.

Motivation:

Enables hardware-backed authentication and remote identity protocols by
allowing NIOSSHPrivateKey to delegate signing operations to external
providers (e.g., Secure Enclave, TPM, or ssh-agent) without requiring
raw private key material in memory.

Modifications:

- Defined NIOSSHExternalSigner protocol for delegated signing.
- Added .external case to NIOSSHPrivateKey for all supported algorithms
  (Ed25519, P-256, P-384, P-521).
- Added NIOSSHError.externalSignerFailure for better error propagation.
- Updated documentation and added comprehensive tests for external
  signing logic.

Result:

NIOSSH now supports public-key authentication where the signing operation
is handled by an external delegate, providing a foundational hook for
ssh-agent and hardware security integrations.
@camunro camunro mentioned this pull request Feb 19, 2026
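The delegation model the PR describes, written out as an added illustration (not code from this PR or from swift-nio-ssh). The page names NIOSSHExternalSigner and NIOSSHError.externalSignerFailure but shows neither definition, so the protocol shape (`publicKeyRepresentation`, `sign(_:)`), the error enum and both mock signers are assumptions. The point the example adds is the check a client should make in front of any agent, enclave or token it does not fully trust: the returned signature is verified against the delegate's advertised public key before it is accepted, and a delegate failure (for example a declined biometric prompt) surfaces as a distinct error without any key material crossing the boundary.

```swift
import Foundation
import Crypto   // swift-crypto on Linux; CryptoKit offers the same API on Apple platforms

// Assumed shape of the signer protocol: the PR names NIOSSHExternalSigner but its
// requirements are not shown on this page, so this definition is illustrative only.
protocol NIOSSHExternalSigner {
    /// Raw public key the delegate signs for; the private half never leaves the delegate.
    var publicKeyRepresentation: Data { get }
    /// Sign the SSH authentication challenge bytes handed over by the state machine.
    func sign(_ message: Data) throws -> Data
}

/// Stand-in for NIOSSHError.externalSignerFailure (assumed shape): wraps the delegate's
/// error so the caller learns which boundary failed without ever seeing key material.
enum ExternalSignerError: Error {
    case externalSignerFailure(underlying: Error)
    case signatureDidNotVerify
}

/// Constructed mock standing in for ssh-agent or the Secure Enclave. The private key lives
/// only inside this object; callers see a public key and a sign() entry point.
final class MockEd25519Signer: NIOSSHExternalSigner {
    private let key = Curve25519.Signing.PrivateKey()
    var publicKeyRepresentation: Data { key.publicKey.rawRepresentation }
    func sign(_ message: Data) throws -> Data {
        try key.signature(for: message)
    }
}

/// Constructed delegate that always refuses, e.g. the user cancelled a TouchID prompt.
struct DeclinedSigner: NIOSSHExternalSigner {
    struct Declined: Error {}
    let publicKeyRepresentation: Data
    func sign(_ message: Data) throws -> Data { throw Declined() }
}

/// What a delegating state machine needs from the signer: a signature over the challenge
/// that verifies under the advertised public key. A signature that does not verify is
/// rejected here, before it is ever placed in a userauth request to the server.
func signChallenge(with signer: NIOSSHExternalSigner, challenge: Data) throws -> Data {
    let signature: Data
    do {
        signature = try signer.sign(challenge)
    } catch {
        throw ExternalSignerError.externalSignerFailure(underlying: error)
    }
    let publicKey = try Curve25519.Signing.PublicKey(rawRepresentation: signer.publicKeyRepresentation)
    guard publicKey.isValidSignature(signature, for: challenge) else {
        throw ExternalSignerError.signatureDidNotVerify
    }
    return signature
}

// Constructed challenge bytes; a real client signs session-id || userauth request fields.
let challenge = Data("constructed-session-id|userauth-request".utf8)

let agentLikeSigner = MockEd25519Signer()
let signature = try signChallenge(with: agentLikeSigner, challenge: challenge)
print("accepted signature of \(signature.count) bytes")   // 64 bytes for Ed25519

let declined = DeclinedSigner(publicKeyRepresentation: agentLikeSigner.publicKeyRepresentation)
do {
    _ = try signChallenge(with: declined, challenge: challenge)
} catch ExternalSignerError.externalSignerFailure(let underlying) {
    print("delegate refused to sign: \(underlying)")
}
```

Verifying locally before sending costs one public-key operation and turns a misbehaving or mismatched delegate (wrong key selected in an agent, stale enclave reference) into an immediate client-side error rather than an opaque authentication failure from the server; it is also the property the PR's test list describes checking, that delegate-produced signatures are handled correctly by the state machine.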