Add OpenPGP Card example #56

Merged
merged 2 commits into from
May 6, 2024
wiktor-k
Owner

I've added a more elaborate example of an SSH agent. Actually, this is code that I'm planning to use (semi-)daily.

It has a couple of limitations: first of all, it supports ed25519 keys only, but I think it's a good idea to show how agents can be built, and it also serves as a validation of our API.

@wiktor-k wiktor-k force-pushed the wiktor/add-openpgp-card-example branch 5 times, most recently from 0143beb to c46d30e Compare April 22, 2024 10:25
@wiktor-k wiktor-k marked this pull request as draft April 22, 2024 10:58
@wiktor-k wiktor-k force-pushed the wiktor/add-openpgp-card-example branch 3 times, most recently from 455a76f to f0b9dc7 Compare April 23, 2024 09:58
@wiktor-k wiktor-k marked this pull request as ready for review April 23, 2024 10:02
@jcspencer
Collaborator

Looks good!

Always a big fan of adding more examples!

Perhaps you could use zeroize for safely dealing with PIN data in memory? Perhaps also in combination with a simple TTL cache like retainer to evict them after some time?

These are only nits of course! This LGTM as is :^)


On another note, I've started work on two examples I'll add in next week:

  • Using the yubikey.rs crate to show how this may work with a PIV card.
  • A simple implementation of session binding to show how an agent could store constraints alongside keys and enforce them

@wiktor-k
Owner Author

🤔 Hmm... retainer looks interesting. I think we could use that for implementing the Lifetime key constraint... I'll see how complex it'd be to add this. Zeroize looks like a lower hanging fruit :)

I was previously thinking about wrapping it in tpm-box which would only decrypt the PIN when needed but didn't want to pack too much into one example.

> On another note, I've started work on two examples I'll add in next week:

This sounds very nice 🤩 looking forward to your PRs!

@wiktor-k wiktor-k force-pushed the wiktor/add-openpgp-card-example branch 2 times, most recently from 8af3275 to 01e6f00 Compare April 25, 2024 11:07
@wiktor-k
Owner Author

Okay, I've added the lifetime constraint support and... it's pretty cool... I can do:

SSH_AUTH_SOCK=/run/user/1000/openpgp-card-agent.sock ssh-add -t 120 -s 0006:15422467

And it caches my PIN only for 120 seconds (2 minutes). Additionally since the constrained key structure is quite simple I could parametrize it so that the regular call uses no expiration. Really, really cool! Thanks @jcspencer for all ideas! 👏

Btw it made me think whether we should use SecretString or something similar for PINs. Currently all these structures derive Debug which would dump pins in logs which may, or may not, be problematic. WDYT folks? (CC'ing @baloo)
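
An added illustration of the ideas raised in this thread (not code from the PR or the project): a std-only PIN type whose `Debug` output is redacted and whose bytes are wiped on drop, held in a cache with an optional lifetime. The names `Pin` and `PinCache` are hypothetical, and the hand-written wipe and expiry stand in for what crates such as zeroize, SecretString or retainer would provide.

```rust
use std::fmt;
use std::time::{Duration, Instant};

/// Hypothetical PIN holder (not from the PR): redacted `Debug`, wiped on drop.
pub struct Pin(Vec<u8>);

impl Pin {
    pub fn new(pin: &str) -> Self {
        Pin(pin.as_bytes().to_vec())
    }
    /// The single, greppable place where the secret leaves the wrapper.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }
}

impl fmt::Debug for Pin {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Pin([REDACTED])")
    }
}

impl Drop for Pin {
    fn drop(&mut self) {
        for b in self.0.iter_mut() {
            // Volatile write so the compiler cannot elide the wipe.
            unsafe { std::ptr::write_volatile(b, 0) };
        }
    }
}

/// One cached PIN with an optional deadline (`None` = no expiration).
#[derive(Debug, Default)]
pub struct PinCache {
    slot: Option<(Pin, Option<Instant>)>,
}

impl PinCache {
    pub fn store(&mut self, pin: Pin, lifetime: Option<Duration>, now: Instant) {
        self.slot = Some((pin, lifetime.map(|d| now + d)));
    }
    /// Returns the PIN while valid; an expired entry is dropped, which wipes it.
    pub fn get(&mut self, now: Instant) -> Option<&Pin> {
        if matches!(&self.slot, Some((_, Some(t))) if now >= *t) {
            self.slot = None;
        }
        self.slot.as_ref().map(|(p, _)| p)
    }
}
```

Because `PinCache` derives `Debug` on top of the hand-written `Debug` for `Pin`, logging the whole cache prints the placeholder rather than the PIN; the copy held by the caller of `Pin::new` is outside this wrapper and is not wiped by it.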

wiktor-k added 2 commits May 6, 2024 11:16
Signed-off-by: Wiktor Kwapisiewicz <[email protected]>
@wiktor-k wiktor-k force-pushed the wiktor/add-openpgp-card-example branch from 01e6f00 to 81105ce Compare May 6, 2024 09:17
@wiktor-k wiktor-k merged commit 6b369db into main May 6, 2024
16 checks passed
@wiktor-k wiktor-k deleted the wiktor/add-openpgp-card-example branch May 6, 2024 09:23