[PM-5731] feat: implement credential creation

2026-01-08 03:23:23 +00:00 · 2024-01-25 16:29:26 +01:00
parent 44b2443554
commit 32c43afae2
8 changed files with 160 additions and 30 deletions
--- a/src/Core/Abstractions/ICryptoFunctionService.cs
+++ b/src/Core/Abstractions/ICryptoFunctionService.cs
@@ -32,6 +32,7 @@ namespace Bit.Core.Abstractions
        Task<byte[]> RsaDecryptAsync(byte[] data, byte[] privateKey, CryptoHashAlgorithm algorithm);
        Task<byte[]> RsaExtractPublicKeyAsync(byte[] privateKey);
        Task<Tuple<byte[], byte[]>> RsaGenerateKeyPairAsync(int length);
+        Task<(byte[] PublicKey, byte[] PrivateKey)> EcdsaGenerateKeyPairAsync(CryptoEcdsaAlgorithm algorithm);
        Task<byte[]> RandomBytesAsync(int length);
        byte[] RandomBytes(int length);
        Task<uint> RandomNumberAsync();
--- a/src/Core/Models/Domain/CryptoEcdsaAlgorithm.cs
+++ b/src/Core/Models/Domain/CryptoEcdsaAlgorithm.cs
@@ -0,0 +1,6 @@
+namespace Bit.Core.Models.Domain
+{
+    public enum CryptoEcdsaAlgorithm : byte {
+        P256Sha256 = 0,
+    }
+}
--- a/src/Core/Models/Domain/CryptoSignEcdsaOptions.cs
+++ b/src/Core/Models/Domain/CryptoSignEcdsaOptions.cs
@@ -2,16 +2,12 @@
 {
    public struct CryptoSignEcdsaOptions : ICryptoSignOptions
    {
-        public enum EcdsaAlgorithm : byte {
-            EcdsaP256Sha256 = 0,
-        }
-
        public enum DsaSignatureFormat : byte {
            IeeeP1363FixedFieldConcatenation = 0,
            Rfc3279DerSequence = 1
        }

-        public EcdsaAlgorithm Algorithm { get; set; }
+        public CryptoEcdsaAlgorithm Algorithm { get; set; }
        public DsaSignatureFormat SignatureFormat { get; set; }
    }
 }
--- a/src/Core/Models/View/Fido2CredentialView.cs
+++ b/src/Core/Models/View/Fido2CredentialView.cs
@@ -43,9 +43,13 @@ namespace Bit.Core.Models.View
            set => KeyValue = value == null ? null : CoreHelpers.Base64UrlEncode(value);
        }

+        public bool DiscoverableValue {
+            get => bool.TryParse(Discoverable, out var discoverable) && discoverable;
+            set => Discoverable = value.ToString();
+        }
+
        public override string SubTitle => UserName;
        public override List<KeyValuePair<string, LinkedIdType>> LinkedFieldOptions => new List<KeyValuePair<string, LinkedIdType>>();
-        public bool IsDiscoverable => bool.TryParse(Discoverable, out var isDiscoverable) && isDiscoverable;
        public bool CanLaunch => !string.IsNullOrEmpty(RpId);
        public string LaunchUri => $"https://{RpId}";

--- a/src/Core/Services/Fido2AuthenticatorService.cs
+++ b/src/Core/Services/Fido2AuthenticatorService.cs
@@ -3,6 +3,7 @@ using Bit.Core.Models.View;
 using Bit.Core.Enums;
 using Bit.Core.Models.Domain;
 using Bit.Core.Utilities.Fido2;
+using Bit.Core.Utilities;

 namespace Bit.Core.Services
 {
@@ -54,9 +55,44 @@ namespace Bit.Core.Services
                UserVerification = makeCredentialParams.RequireUserVerification
            });

+            var cipherId = response.CipherId;
+            string credentialId;
+            // if (cipherId === undefined) {
+            //     this.logService?.warning(
+            //     `[Fido2Authenticator] Aborting because user confirmation was not recieved.`,
+            //     );
+            //     throw new Fido2AuthenticatorError(Fido2AuthenticatorErrorCode.NotAllowed);
+            // }
+            
+            try {
+                var (publicKey, privateKey) = await _cryptoFunctionService.EcdsaGenerateKeyPairAsync(CryptoEcdsaAlgorithm.P256Sha256);
+                var fido2Credential = CreateCredentialView(makeCredentialParams, privateKey);
+
+                var encrypted = await _cipherService.GetAsync(cipherId);
+                var cipher = await encrypted.DecryptAsync();
+
+                // if (
+                // !userVerified &&
+                // (params.requireUserVerification || cipher.reprompt !== CipherRepromptType.None)
+                // ) {
+                // this.logService?.warning(
+                //     `[Fido2Authenticator] Aborting because user verification was unsuccessful.`,
+                // );
+                // throw new Fido2AuthenticatorError(Fido2AuthenticatorErrorCode.NotAllowed);
+                // }
+
+                cipher.Login.Fido2Credentials = [fido2Credential];
+                var reencrypted = await _cipherService.EncryptAsync(cipher);
+                await _cipherService.SaveWithServerAsync(reencrypted);
+                credentialId = fido2Credential.CredentialId;
+            } catch {
+                throw;
+                // throw new NotImplementedException();
+            }
+
            return new Fido2AuthenticatorMakeCredentialResult
            {
-                CredentialId = GuidToRawFormat(Guid.NewGuid().ToString()),
+                CredentialId = GuidToRawFormat(credentialId),
                AttestationObject = Array.Empty<byte>(),
                AuthData = Array.Empty<byte>(),
                PublicKey = Array.Empty<byte>(),
@@ -227,10 +263,29 @@ namespace Bit.Core.Services
                cipher.Type == CipherType.Login &&
                cipher.Login.HasFido2Credentials &&
                cipher.Login.MainFido2Credential.RpId == rpId &&
-                cipher.Login.MainFido2Credential.IsDiscoverable
+                cipher.Login.MainFido2Credential.DiscoverableValue
            );
        }

+        private Fido2CredentialView CreateCredentialView(Fido2AuthenticatorMakeCredentialParams makeCredentialsParams, byte[] privateKey)
+        {
+            return new Fido2CredentialView {
+                CredentialId = Guid.NewGuid().ToString(),
+                KeyType = "public-key",
+                KeyAlgorithm = "ECDSA",
+                KeyCurve = "P-256",
+                KeyValue = CoreHelpers.Base64UrlEncode(privateKey),
+                RpId = makeCredentialsParams.RpEntity.Id,
+                UserHandle = CoreHelpers.Base64UrlEncode(makeCredentialsParams.UserEntity.Id),
+                UserName = makeCredentialsParams.UserEntity.Name,
+                CounterValue = 0,
+                RpName = makeCredentialsParams.RpEntity.Name,
+                // UserDisplayName = makeCredentialsParams.UserEntity.DisplayName,
+                DiscoverableValue = makeCredentialsParams.RequireResidentKey,
+                CreationDate = DateTime.Now
+            };
+        }
+
        private async Task<byte[]> GenerateAuthData(
            string rpId,
            bool userVerification,
@@ -288,7 +343,7 @@ namespace Bit.Core.Services
            var sigBase = authData.Concat(clientDataHash).ToArray();
            var signature = await _cryptoFunctionService.SignAsync(sigBase, privateKey, new CryptoSignEcdsaOptions
            {
-                Algorithm = CryptoSignEcdsaOptions.EcdsaAlgorithm.EcdsaP256Sha256,
+                Algorithm = CryptoEcdsaAlgorithm.P256Sha256,
                SignatureFormat = CryptoSignEcdsaOptions.DsaSignatureFormat.Rfc3279DerSequence
            });

--- a/src/Core/Services/PclCryptoFunctionService.cs
+++ b/src/Core/Services/PclCryptoFunctionService.cs
@@ -228,6 +228,20 @@ namespace Bit.Core.Services
            return Task.FromResult(new Tuple<byte[], byte[]>(publicKey, privateKey));
        }

+        public Task<(byte[], byte[])> EcdsaGenerateKeyPairAsync(CryptoEcdsaAlgorithm algorithm)
+        {
+            if (algorithm != CryptoEcdsaAlgorithm.P256Sha256)
+            {
+                throw new ArgumentException("Unsupported algorithm.");
+            }
+
+            var provider = AsymmetricKeyAlgorithmProvider.OpenAlgorithm(AsymmetricAlgorithm.EcdsaP256Sha256);
+            var cryptoKey = provider.CreateKeyPair(256);
+            var publicKey = cryptoKey.ExportPublicKey(CryptographicPublicKeyBlobType.X509SubjectPublicKeyInfo);
+            var privateKey = cryptoKey.Export(CryptographicPrivateKeyBlobType.Pkcs8RawPrivateKeyInfo);
+            return Task.FromResult((publicKey, privateKey));
+        }
+
        public Task<byte[]> RandomBytesAsync(int length)
        {
            return Task.FromResult(CryptographicBuffer.GenerateRandom(length));