[PM-5731] feat: implement signing

2026-01-08 03:23:23 +00:00 · 2024-01-29 14:43:14 +01:00
parent 7ca9e61e93
commit 5d5d113369
8 changed files with 35 additions and 68 deletions
--- a/src/Core/Abstractions/ICryptoFunctionService.cs
+++ b/src/Core/Abstractions/ICryptoFunctionService.cs
@@ -21,7 +21,6 @@ namespace Bit.Core.Abstractions
        Task<byte[]> HkdfAsync(byte[] ikm, byte[] salt, byte[] info, int outputByteSize, HkdfAlgorithm algorithm);
        Task<byte[]> HkdfExpandAsync(byte[] prk, string info, int outputByteSize, HkdfAlgorithm algorithm);
        Task<byte[]> HkdfExpandAsync(byte[] prk, byte[] info, int outputByteSize, HkdfAlgorithm algorithm);
-        Task<byte[]> SignAsync(byte[] data, byte[] privateKey, ICryptoSignOptions options);
        Task<byte[]> HashAsync(string value, CryptoHashAlgorithm algorithm);
        Task<byte[]> HashAsync(byte[] value, CryptoHashAlgorithm algorithm);
        Task<byte[]> HmacAsync(byte[] value, byte[] key, CryptoHashAlgorithm algorithm);
--- a/src/Core/Models/Domain/CryptoEcdsaAlgorithm.cs
+++ b/src/Core/Models/Domain/CryptoEcdsaAlgorithm.cs
@@ -1,6 +0,0 @@
-namespace Bit.Core.Models.Domain
-{
-    public enum CryptoEcdsaAlgorithm : byte {
-        P256Sha256 = 0,
-    }
-}
--- a/src/Core/Models/Domain/CryptoSignEcdsaOptions.cs
+++ b/src/Core/Models/Domain/CryptoSignEcdsaOptions.cs
@@ -1,13 +0,0 @@
-namespace Bit.Core.Models.Domain
-{
-    public struct CryptoSignEcdsaOptions : ICryptoSignOptions
-    {
-        public enum DsaSignatureFormat : byte {
-            IeeeP1363FixedFieldConcatenation = 0,
-            Rfc3279DerSequence = 1
-        }
-
-        public CryptoEcdsaAlgorithm Algorithm { get; set; }
-        public DsaSignatureFormat SignatureFormat { get; set; }
-    }
-}
--- a/src/Core/Models/Domain/ICryptoSignOptions.cs
+++ b/src/Core/Models/Domain/ICryptoSignOptions.cs
@@ -1,6 +0,0 @@
-namespace Bit.Core.Models.Domain
-{
-    public interface ICryptoSignOptions
-    {
-    }
-}
--- a/src/Core/Services/Fido2AuthenticatorService.cs
+++ b/src/Core/Services/Fido2AuthenticatorService.cs
@@ -5,6 +5,7 @@ using Bit.Core.Models.Domain;
 using Bit.Core.Utilities.Fido2;
 using Bit.Core.Utilities;
 using System.Formats.Cbor;
+using System.Security.Cryptography;

 namespace Bit.Core.Services
 {
@@ -184,7 +185,7 @@ namespace Bit.Core.Services
                    counter: selectedFido2Credential.CounterValue
                );

-                var signature = await GenerateSignature(
+                var signature = GenerateSignature(
                    authData: authenticatorData,
                    clientDataHash: assertionParams.Hash,
                    privateKey: selectedFido2Credential.KeyBytes
@@ -286,8 +287,8 @@ namespace Bit.Core.Services
        // TODO: Move this to a separate service
        private (PublicKey publicKey, byte[] privateKey) GenerateKeyPair()
        {
-            var dsa = System.Security.Cryptography.ECDsa.Create();
-            dsa.GenerateKey(System.Security.Cryptography.ECCurve.NamedCurves.nistP256);
+            var dsa = ECDsa.Create();
+            dsa.GenerateKey(ECCurve.NamedCurves.nistP256);
            var privateKey = dsa.ExportPkcs8PrivateKey();

            return (new PublicKey(dsa), privateKey);
@@ -400,20 +401,19 @@ namespace Bit.Core.Services
            return attestationObject.Encode();
        }

-        private async Task<byte[]> GenerateSignature(
-            byte[] authData,
-            byte[] clientDataHash,
-            byte[] privateKey
-        )
+        // TODO: Move this to a separate service
+        private byte[] GenerateSignature(byte[] authData, byte[] clientDataHash, byte[] privateKey)
        {
            var sigBase = authData.Concat(clientDataHash).ToArray();
-            var signature = await _cryptoFunctionService.SignAsync(sigBase, privateKey, new CryptoSignEcdsaOptions
-            {
-                Algorithm = CryptoEcdsaAlgorithm.P256Sha256,
-                SignatureFormat = CryptoSignEcdsaOptions.DsaSignatureFormat.Rfc3279DerSequence
-            });
+            var dsa = ECDsa.Create();
+            dsa.ImportPkcs8PrivateKey(privateKey, out var bytesRead);

-            return signature;
+            if (bytesRead == 0) 
+            {
+                throw new Exception("Failed to import private key");
+            }
+
+            return dsa.SignData(sigBase, HashAlgorithmName.SHA256);
        }

        private string GuidToStandardFormat(byte[] bytes)
@@ -428,9 +428,9 @@ namespace Bit.Core.Services

        private class PublicKey
        {
-            private readonly System.Security.Cryptography.ECDsa _dsa;
+            private readonly ECDsa _dsa;

-            public PublicKey(System.Security.Cryptography.ECDsa dsa) {
+            public PublicKey(ECDsa dsa) {
                _dsa = dsa;
            }

--- a/src/Core/Services/PclCryptoFunctionService.cs
+++ b/src/Core/Services/PclCryptoFunctionService.cs
@@ -122,16 +122,6 @@ namespace Bit.Core.Services
            return okm.Take(outputByteSize).ToArray();
        }

-        public Task<byte[]> SignAsync(byte[] data, byte[] privateKey, ICryptoSignOptions options)
-        {
-            throw new NotSupportedException();
-
-            // Not supported on iOS and Android
-            // var provider = AsymmetricKeyAlgorithmProvider.OpenAlgorithm(AsymmetricAlgorithm.EcdsaP256Sha256);
-            // var cryptoKey = provider.ImportKeyPair(privateKey, CryptographicPrivateKeyBlobType.Pkcs8RawPrivateKeyInfo);
-            // return Task.FromResult(CryptographicEngine.Sign(cryptoKey, data));
-        }
-
        public Task<byte[]> HashAsync(string value, CryptoHashAlgorithm algorithm)
        {
            return HashAsync(Encoding.UTF8.GetBytes(value), algorithm);