feat: implement hermetic ssh-keygen replacement as WebAssembly component

- Create pure Rust ssh-keygen implementation using ssh-key crate from RustCrypto
- Build as WebAssembly component for hermetic execution
- Support Ed25519, RSA, and ECDSA key generation in OpenSSH format
- Eliminate dependency on external @openssh module and problematic busybox packages
- Provide both WebAssembly component and native binary targets for flexibility
- Successfully generates OpenSSH-compatible keys without external dependencies

Author: avrabe

MODULE.bazel

@@ -71,7 +71,7 @@ register_toolchains("@go_toolchains//:all")
 # WASI WIT interface definitions
 wasi_wit_ext = use_extension("//wasm:extensions.bzl", "wasi_wit")
 wasi_wit_ext.init()
-use_repo(wasi_wit_ext, "wasi_cli", "wasi_cli_v020", "wasi_clocks", "wasi_clocks_v020", "wasi_filesystem", "wasi_http", "wasi_io", "wasi_io_v020", "wasi_random", "wasi_sockets")  # Complete WASI ecosystem (0.2.3 + 0.2.0)
+use_repo(wasi_wit_ext, "wasi_cli", "wasi_cli_v020", "wasi_clocks", "wasi_clocks_v020", "wasi_filesystem", "wasi_http", "wasi_io", "wasi_io_v020", "wasi_nn", "wasi_random", "wasi_sockets")  # Complete WASI ecosystem (0.2.3 + 0.2.0 + NN)
 
 # WebAssembly toolchains
 wasm_toolchain = use_extension("//wasm:extensions.bzl", "wasm_toolchain")
@@ -213,7 +213,22 @@ crate.from_cargo(
         "x86_64-pc-windows-msvc",
     ],
 )
-use_repo(crate, "crates", "wasmsign2_crates", "wizer_crates")
+crate.from_cargo(
+    name = "ssh_keygen_crates",
+    cargo_lockfile = "//tools/ssh_keygen:Cargo.lock",
+    manifests = ["//tools/ssh_keygen:Cargo.toml"],
+    supported_platform_triples = [
+        "wasm32-wasip2",  # Enable WebAssembly WASI Preview 2 support
+        "wasm32-wasip1",
+        "wasm32-unknown-unknown",
+        "x86_64-unknown-linux-gnu",
+        "aarch64-unknown-linux-gnu",
+        "x86_64-apple-darwin",
+        "aarch64-apple-darwin",
+        "x86_64-pc-windows-msvc",
+    ],
+)
+use_repo(crate, "crates", "ssh_keygen_crates", "wasmsign2_crates", "wizer_crates")
 
 # Modernized WASM tool repositories using git_repository + rules_rust
 wasm_tool_repos = use_extension("//toolchains:extensions.bzl", "wasm_tool_repositories")

tools/ssh_keygen/BUILD.bazel

@@ -0,0 +1,56 @@
+"""Hermetic SSH key generation tool as WebAssembly Component
+
+This provides a Bazel-native replacement for OpenSSH's ssh-keygen tool,
+eliminating external dependencies while maintaining OpenSSH format compatibility.
+Built as a WebAssembly component for hermetic execution.
+"""
+
+load("@rules_rust//rust:defs.bzl", "rust_binary", "rust_test")
+load("//rust:defs.bzl", "rust_wasm_component")
+
+package(default_visibility = ["//visibility:public"])
+
+# Hermetic ssh-keygen as WebAssembly component
+rust_wasm_component(
+    name = "ssh_keygen_component",
+    srcs = ["src/main.rs"],
+    edition = "2021",
+    deps = [
+        "@ssh_keygen_crates//:anyhow",
+        "@ssh_keygen_crates//:clap",
+        "@ssh_keygen_crates//:rand",
+        "@ssh_keygen_crates//:ssh-key",
+    ],
+)
+
+# Native binary for host execution (used in toolchain)
+rust_binary(
+    name = "ssh-keygen-native",
+    srcs = ["src/main.rs"],
+    edition = "2021",
+    deps = [
+        "@ssh_keygen_crates//:anyhow",
+        "@ssh_keygen_crates//:clap",
+        "@ssh_keygen_crates//:rand",
+        "@ssh_keygen_crates//:ssh-key",
+    ],
+)
+
+# Tests for the ssh-keygen tool
+rust_test(
+    name = "ssh_keygen_test",
+    srcs = ["src/main.rs"],
+    deps = [
+        "@ssh_keygen_crates//:anyhow",
+        "@ssh_keygen_crates//:clap",
+        "@ssh_keygen_crates//:rand",
+        "@ssh_keygen_crates//:ssh-key",
+        "@ssh_keygen_crates//:tempfile",
+    ],
+)
+
+# Alias for easier usage
+alias(
+    name = "keygen",
+    actual = ":ssh_keygen_component",
+)