Using SSH Agent to sign JWT Tokens

I’m using RSA keys to generate JWT tokens. Up until now, we had no problems at all, and it all worked like a charm. Using PS512 as the algorithm. The client (in Perl, using Crypt::JWT) generates a token with its private key, adds that to the HTTP Authorization header, and the server takes the JWT token, uses the corresponding public key to validate it.

Now, we want to use the SSH Agent to generate the signature (because we can’t extract the private key from the SSH Agent). The SSH Agent uses a SHA1 digest of the message and then signs with RSA, which is not supported by JWT, as it would seem.

The question is, then: how can I use the SSH Agent to provide either a key to give to the JWT library, or a way to use the JWT library to verify a signature generated by the SSH Agent? If at all possible. I’ve tried with RS256 as the algorithm and many others, but obviously it cannot work, since the signature is performed with sha1 as a digest.

That question is specific to how SSH Agent manages its keys and if it provided any possible way to obtain them so it’s mostly out of scope for this community as we focus on the services provided by Auth0 and general questions on authentication and authorization.

For such a specific question I recommend that, if you haven’t done so already, you seek a more general forum.

Having said that, here are some relevant links:

Referencing the Golang ssh agent interface, agent package - golang.org/x/crypto/ssh/agent - Go Packages, the ssh-agent protocol does support an RPC call to the agent to sign data on the caller’s behalf. The caller just needs to provide the corresponding public key to the desired private key.

You can actually get ssh-agent to sign using an algorithm that you specify. Looking at the source at openssh-portable/ssh-agent.c at master · openssh/openssh-portable · GitHub, it actually supports only rsa-sha2-256 and rsa-sha2-512 (SHA1 has been deprecated, it seems).
According to openssh-portable/authfd.h at a98339edbc1fc21342a390f345179a9c3031bef7 · openssh/openssh-portable · GitHub, the correct flag value is 2 for RS256, and 4 for RS512.
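The following is an added example, not code from any poster in this thread. It builds the raw agent sign request with the flag values quoted above (2 and 4) and turns the agent's reply into a JWT signature. The `rsa-sha2-256` and `rsa-sha2-512` signatures are RSASSA-PKCS1-v1_5, which corresponds to JWT `RS256`/`RS512` rather than `PS512`, so the verifying side has to accept one of those algorithms. All function names are hypothetical and the key blob and claims are constructed values.

```python
import base64, json, struct

SSH_AGENTC_SIGN_REQUEST = 13   # message types from the ssh-agent protocol
SSH_AGENT_SIGN_RESPONSE = 14
# JWT alg -> (agent flag value quoted in the thread, SSH signature name)
FLAGS = {"RS256": (2, b"rsa-sha2-256"), "RS512": (4, b"rsa-sha2-512")}

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def ssh_string(raw):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(raw)) + raw

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def signing_input(alg, claims):
    """The bytes the agent must sign: b64url(header).b64url(payload)."""
    header = {"alg": alg, "typ": "JWT"}
    return b".".join(b64url(json.dumps(o, separators=(",", ":")).encode())
                     for o in (header, claims))

def sign_request(key_blob, data, alg):
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", FLAGS[alg][0]))
    return ssh_string(body)  # outer uint32 length framing

def jwt_signature(response, alg, modulus_len):
    body, _ = read_string(response, 0)
    if not body or body[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused or failed to sign")
    sig_blob, _ = read_string(body, 1)
    name, off = read_string(sig_blob, 0)
    if name != FLAGS[alg][1]:  # e.g. an agent that ignored the flag: ssh-rsa
        raise ValueError("agent signed with %r, not %r" % (name, FLAGS[alg][1]))
    raw, _ = read_string(sig_blob, off)
    return raw.rjust(modulus_len, b"\0")  # restore any stripped leading zeros

def assemble(data, sig):
    return (data + b"." + b64url(sig)).decode()

if __name__ == "__main__":
    data = signing_input("RS256", {"sub": "demo"})  # constructed claims
    req = sign_request(b"constructed-public-key-blob", data, "RS256")
    print(len(req), "byte request for the socket named by SSH_AUTH_SOCK")
```

Rejecting a reply whose algorithm name is not the requested one keeps a SHA-1 `ssh-rsa` signature from being packaged as an RS256 token that the server would then fail to verify.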