Description
Pivy-agent currently supports SSH authentication using keys from PIV smartcards, exposing raw public keys via the agent protocol. This works well with standard OpenSSH, but is incompatible with PKIX-SSH, which requires clients to provide full X.509 certificates using the x509v3-* key types defined in RFC 6187.
This is a request to add support for exposing X.509 certificates in pivy-agent. The cert would be read from the same PIV slot as the key (e.g., 9a), and returned alongside the public key in a format usable by PKIX-SSH. Signing would continue to use the existing smartcard-backed key.
This would allow pivy-agent to interoperate cleanly with PKIX-SSH, which provides X.509-based SSH login, DN-based authorization, and centralized certificate validation—goals that align naturally with Pivy's focus on PIV, HSM-backed keys, and smartcard-based identity.
Pivy also offers a much better user experience than the standard OpenSSH agent model inherited by PKIX-SSH, particularly around hotplug handling and PIN management. Integrating cert exposure would round out its support for modern SSH workflows that rely on certificates and PKI.
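As an added illustration of the two wire formats contrasted in the first two paragraphs (this is example code, not part of pivy or the issue, and not PKIX-SSH's own implementation), the Python below encodes the raw ssh-rsa blob an agent returns for a slot today next to the x509v3-* key blob defined in RFC 6187 section 2.1 (key type, certificate count and DER certificates, OCSP response count and responses), parses the latter back with bounds checks, and wraps both in an SSH_AGENT_IDENTITIES_ANSWER message. The certificate bytes and RSA modulus are constructed placeholders, not real PIV data; whether PKIX-SSH accepts a given blob is not exercised here.

```python
"""Added example: raw ssh-rsa blob vs. RFC 6187 x509v3-* blob for a PIV slot 9a key."""
import struct

SSH_AGENT_IDENTITIES_ANSWER = 12  # agent protocol message number

# Constructed placeholder for the DER certificate read from slot 9a. It is NOT
# valid DER; the encoding treats it as an opaque byte string, as RFC 6187 does.
SLOT_9A_CERT_DER = bytes.fromhex("3082010a0282010100") + b"\xaa" * 16


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian two's complement."""
    if n < 0:
        raise ValueError("only non-negative integers are handled here")
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the value positive
    return ssh_string(raw)


def encode_ssh_rsa(e: int, n: int) -> bytes:
    """Raw 'ssh-rsa' public key blob (RFC 4253 6.6): what the agent exposes today."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def encode_x509v3(key_type: bytes, certs, ocsp=()) -> bytes:
    """RFC 6187 2.1 blob; certs[0] is the end-entity cert, the rest its chain."""
    if not key_type.startswith(b"x509v3-"):
        raise ValueError("RFC 6187 key types start with x509v3-")
    if not certs:
        raise ValueError("at least the end-entity certificate is required")
    out = ssh_string(key_type) + struct.pack(">I", len(certs))
    out += b"".join(ssh_string(c) for c in certs)
    out += struct.pack(">I", len(ocsp))
    out += b"".join(ssh_string(o) for o in ocsp)
    return out


def parse_x509v3(blob: bytes):
    """Inverse of encode_x509v3 with bounds checks; ValueError on malformed input."""
    pos = 0

    def take_uint32() -> int:
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated uint32")
        (v,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        return v

    def take_string() -> bytes:
        nonlocal pos
        length = take_uint32()
        if pos + length > len(blob):
            raise ValueError("truncated string")
        s = blob[pos:pos + length]
        pos += length
        return s

    key_type = take_string()
    if not key_type.startswith(b"x509v3-"):
        raise ValueError("not an RFC 6187 key blob: %r" % key_type)
    certs = [take_string() for _ in range(take_uint32())]
    if not certs:
        raise ValueError("empty certificate list")
    ocsp = [take_string() for _ in range(take_uint32())]
    if pos != len(blob):
        raise ValueError("trailing bytes after OCSP responses")
    return key_type, certs, ocsp


def is_valid_x509v3(blob: bytes) -> bool:
    """True if blob parses as an RFC 6187 key blob, False otherwise."""
    try:
        parse_x509v3(blob)
        return True
    except ValueError:
        return False


def identities_answer(identities) -> bytes:
    """Framed SSH_AGENT_IDENTITIES_ANSWER: count, then (key blob, comment) pairs."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
    for blob, comment in identities:
        body += ssh_string(blob) + ssh_string(comment)
    return ssh_string(body)  # uint32 length prefix frames the message


def demo() -> dict:
    """Advertise the same slot 9a key both ways; return what each client would see."""
    e, n = 65537, (0xC0FFEE << 2040) | 0x1F  # constructed 2064-bit modulus, not a real key
    raw_blob = encode_ssh_rsa(e, n)
    x509_blob = encode_x509v3(b"x509v3-ssh-rsa", [SLOT_9A_CERT_DER])
    msg = identities_answer([(raw_blob, b"PIV_II (slot 9a)"),
                             (x509_blob, b"PIV_II (slot 9a) x509v3")])
    _, certs, _ = parse_x509v3(x509_blob)
    return {"raw_len": len(raw_blob), "x509_len": len(x509_blob),
            "msg_len": len(msg), "cert_matches": certs[0] == SLOT_9A_CERT_DER}
```

The same key therefore appears twice in the identities answer, once under each key type; a client that understands only RFC 4253 key types ignores the x509v3 entry, while PKIX-SSH can pick the certificate out of it and still hand the signing request back to the same smartcard-backed key.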