feat(sdk-core): add webauthnInfo support to createMpc

Add MpcWebauthnInfo parameter to CreateMpcOptions and thread it through
all four createKeychains implementations (EDDSA, EdDSA MPCv2, ECDSA,
ECDSA MPCv2). When provided, the user keychain is registered with an
additional webauthnDevices entry containing a PRF-encrypted copy of the
user private share, avoiding the need for a separate PUT /key/{id} call
post-wallet-creation.

Also wires webauthnInfo from generateWallet through generateMpcWallet
so TSS wallet creation passes the authenticator info end-to-end.

Ticket: WAL-761

Author: mohammadalfaiyazbitgo

modules/bitgo/test/v2/unit/keychains.ts

@@ -434,6 +434,51 @@ describe('V2 Keychains', function () {
           keychains.should.deepEqual(stubbedKeychainsTriplet);
         });
       });
+
+      ['tsol'].forEach((coin) => {
+        it('should pass webauthnInfo to createKeychains for EDDSA TSS', async function () {
+          const webauthnInfo = {
+            otpDeviceId: 'device-1',
+            prfSalt: 'salt-1',
+            passphrase: 'prf-derived-passphrase',
+          };
+          const createKeychains = sandbox
+            .stub(EDDSAUtils.default.prototype, 'createKeychains')
+            .resolves(stubbedKeychainsTriplet);
+          await bitgo.coin(coin).keychains().createMpc({
+            multisigType: 'tss',
+            passphrase: 'password',
+            enterprise: 'enterprise',
+            webauthnInfo,
+          });
+          createKeychains.calledOnce.should.be.true();
+          createKeychains.firstCall.args[0].should.have.property('webauthnInfo', webauthnInfo);
+        });
+      });
+
+      ['tbsc'].forEach((coin) => {
+        it('should pass webauthnInfo to createKeychains for ECDSA TSS', async function () {
+          nock(bgUrl).get('/api/v2/tss/settings').reply(200, {
+            coinSettings: {},
+          });
+          const webauthnInfo = {
+            otpDeviceId: 'device-1',
+            prfSalt: 'salt-1',
+            passphrase: 'prf-derived-passphrase',
+          };
+          const createKeychains = sandbox
+            .stub(ECDSAUtils.EcdsaUtils.prototype, 'createKeychains')
+            .resolves(stubbedKeychainsTriplet);
+          await bitgo.coin(coin).keychains().createMpc({
+            multisigType: 'tss',
+            passphrase: 'password',
+            enterprise: 'enterprise',
+            webauthnInfo,
+          });
+          createKeychains.calledOnce.should.be.true();
+          createKeychains.firstCall.args[0].should.have.property('webauthnInfo', webauthnInfo);
+        });
+      });
     });
 
     describe('Recreate Keychains from MPCV1 to MPCV2', async function () {

modules/sdk-core/src/bitgo/keychain/iKeychains.ts

@@ -12,6 +12,14 @@ export interface WebauthnInfo {
   encryptedPrv: string;
 }
 
+/** WebAuthn PRF-based encryption info passed to MPC key creation. The passphrase is the
+ * PRF-derived key used to encrypt the user private share before it is persisted. */
+export interface MpcWebauthnInfo {
+  otpDeviceId: string;
+  prfSalt: string;
+  passphrase: string;
+}
+
 export type SourceType = 'bitgo' | 'backup' | 'user' | 'cold';
 
 export type WebauthnFmt = 'none' | 'packed' | 'fido-u2f';
@@ -188,6 +196,7 @@ export interface CreateMpcOptions {
   originalPasscodeEncryptionCode?: string;
   enterprise?: string;
   retrofit?: DecryptedRetrofitPayload;
+  webauthnInfo?: MpcWebauthnInfo;
 }
 
 export interface RecreateMpcOptions extends Omit<CreateMpcOptions, 'retrofit' | 'multisigType'> {

modules/sdk-core/src/bitgo/keychain/keychains.ts

@@ -326,6 +326,7 @@ export class Keychains implements IKeychains {
       enterprise: params.enterprise,
       originalPasscodeEncryptionCode: params.originalPasscodeEncryptionCode,
       retrofit: params.retrofit,
+      webauthnInfo: params.webauthnInfo,
     });
   }
 

modules/sdk-core/src/bitgo/utils/mpcUtils.ts

@@ -5,7 +5,7 @@ import assert from 'assert';
 import { decrypt, readMessage, readPrivateKey, SerializedKeyPair } from 'openpgp';
 import { IBaseCoin, KeychainsTriplet } from '../baseCoin';
 import { BitGoBase } from '../bitgoBase';
-import { AddKeychainOptions, Keychain, KeyType } from '../keychain';
+import { AddKeychainOptions, Keychain, KeyType, MpcWebauthnInfo } from '../keychain';
 import { encryptText, getBitgoGpgPubKey } from './opengpgUtils';
 import {
   IntentRecipient,
@@ -105,6 +105,7 @@ export abstract class MpcUtils {
     passphrase: string;
     enterprise?: string;
     originalPasscodeEncryptionCode?: string;
+    webauthnInfo?: MpcWebauthnInfo;
   }): Promise<KeychainsTriplet>;
 
   /**

modules/sdk-core/src/bitgo/utils/tss/baseTSSUtils.ts

@@ -3,7 +3,7 @@ import * as openpgp from 'openpgp';
 import { Key, readKey, SerializedKeyPair } from 'openpgp';
 import { IBaseCoin, KeychainsTriplet } from '../../baseCoin';
 import { BitGoBase } from '../../bitgoBase';
-import { Keychain, KeyIndices } from '../../keychain';
+import { Keychain, KeyIndices, MpcWebauthnInfo } from '../../keychain';
 import { getTxRequest } from '../../tss';
 import { IWallet } from '../../wallet';
 import { MpcUtils } from '../mpcUtils';
@@ -194,6 +194,7 @@ export default class BaseTssUtils<KeyShare> extends MpcUtils implements ITssUtil
     enterprise?: string | undefined;
     originalPasscodeEncryptionCode?: string | undefined;
     isThirdPartyBackup?: boolean;
+    webauthnInfo?: MpcWebauthnInfo;
   }): Promise<KeychainsTriplet> {
     throw new Error('Method not implemented.');
   }

modules/sdk-core/src/bitgo/utils/tss/baseTypes.ts

@@ -1,7 +1,7 @@
 import { Key, SerializedKeyPair } from 'openpgp';
 import { IRequestTracer } from '../../../api';
 import { KeychainsTriplet, ParsedTransaction, TransactionParams } from '../../baseCoin';
-import { ApiKeyShare, Keychain } from '../../keychain';
+import { ApiKeyShare, Keychain, MpcWebauthnInfo } from '../../keychain';
 import { ApiVersion, Memo, WalletType } from '../../wallet';
 import { EDDSA, GShare, Signature, SignShare } from '../../../account-lib/mpc/tss';
 import { Signature as EcdsaSignature } from '../../../account-lib/mpc/tss/ecdsa/types';
@@ -482,6 +482,7 @@ export type CreateKeychainParamsBase = {
   passphrase?: string;
   enterprise?: string;
   originalPasscodeEncryptionCode?: string;
+  webauthnInfo?: MpcWebauthnInfo;
 };
 
 export type CreateBitGoKeychainParamsBase = Omit<CreateKeychainParamsBase, 'bitgoKeychain'>;

modules/sdk-core/src/bitgo/utils/tss/ecdsa/ecdsa.ts

@@ -7,7 +7,7 @@ import { EcdsaPaillierProof, EcdsaRangeProof, EcdsaTypes, hexToBigInt, minModulu
 import { bip32 } from '@bitgo/utxo-lib';
 
 import { ECDSA, Ecdsa } from '../../../../account-lib/mpc/tss';
-import { AddKeychainOptions, Keychain, KeyType } from '../../../keychain';
+import { AddKeychainOptions, Keychain, KeyType, MpcWebauthnInfo } from '../../../keychain';
 import ECDSAMethods, { ECDSAMethodTypes } from '../../../tss/ecdsa';
 import { KeychainsTriplet } from '../../../baseCoin';
 import {
@@ -106,6 +106,7 @@ export class EcdsaUtils extends BaseEcdsaUtils {
     passphrase: string;
     enterprise?: string | undefined;
     originalPasscodeEncryptionCode?: string | undefined;
+    webauthnInfo?: MpcWebauthnInfo;
   }): Promise<KeychainsTriplet> {
     const MPC = new Ecdsa();
     const m = 2;
@@ -138,6 +139,7 @@ export class EcdsaUtils extends BaseEcdsaUtils {
       bitgoKeychain,
       passphrase: params.passphrase,
       originalPasscodeEncryptionCode: params.originalPasscodeEncryptionCode,
+      webauthnInfo: params.webauthnInfo,
     });
     const backupKeychainPromise = this.createBackupKeychain({
       userGpgKey,
@@ -177,6 +179,7 @@ export class EcdsaUtils extends BaseEcdsaUtils {
     bitgoKeychain,
     passphrase,
     originalPasscodeEncryptionCode,
+    webauthnInfo,
   }: CreateEcdsaKeychainParams): Promise<Keychain> {
     if (!passphrase) {
       throw new Error('Please provide a wallet passphrase');
@@ -191,7 +194,8 @@ export class EcdsaUtils extends BaseEcdsaUtils {
       backupKeyShare.userHeldKeyShare,
       bitgoKeychain,
       passphrase,
-      originalPasscodeEncryptionCode
+      originalPasscodeEncryptionCode,
+      webauthnInfo
     );
   }
 
@@ -304,7 +308,8 @@ export class EcdsaUtils extends BaseEcdsaUtils {
     backupKeyShare: KeyShare,
     bitgoKeychain: Keychain,
     passphrase: string,
-    originalPasscodeEncryptionCode?: string
+    originalPasscodeEncryptionCode?: string,
+    webauthnInfo?: MpcWebauthnInfo
   ): Promise<Keychain> {
     const bitgoKeyShares = bitgoKeychain.keyShares;
     if (!bitgoKeyShares) {
@@ -389,7 +394,7 @@ export class EcdsaUtils extends BaseEcdsaUtils {
     );
 
     const prv = JSON.stringify(recipientCombinedKey.signingMaterial);
-    const recipientKeychainParams = {
+    const recipientKeychainParams: AddKeychainOptions = {
       source: recipient,
       keyType: 'tss' as KeyType,
       commonKeychain: bitgoKeychain.commonKeychain,
@@ -401,6 +406,19 @@ export class EcdsaUtils extends BaseEcdsaUtils {
       originalPasscodeEncryptionCode,
     };
 
+    if (webauthnInfo && recipientIndex === 1) {
+      recipientKeychainParams.webauthnDevices = [
+        {
+          otpDeviceId: webauthnInfo.otpDeviceId,
+          prfSalt: webauthnInfo.prfSalt,
+          encryptedPrv: this.bitgo.encrypt({
+            input: prv,
+            password: webauthnInfo.passphrase,
+          }),
+        },
+      ];
+    }
+
     const keychains = this.baseCoin.keychains();
     return recipientIndex === 1
       ? await keychains.add(recipientKeychainParams)

modules/sdk-core/src/bitgo/utils/tss/ecdsa/ecdsaMPCv2.ts

@@ -20,7 +20,7 @@ import {
 } from '@bitgo/public-types';
 
 import { Ecdsa } from '../../../../account-lib';
-import { AddKeychainOptions, Keychain, KeyType } from '../../../keychain';
+import { AddKeychainOptions, Keychain, KeyType, MpcWebauthnInfo } from '../../../keychain';
 import { DecryptedRetrofitPayload } from '../../../keychain/iKeychains';
 import { ECDSAMethodTypes, getTxRequest } from '../../../tss';
 import { sendSignatureShareV2, sendTxRequest } from '../../../tss/common';
@@ -57,6 +57,7 @@ export class EcdsaMPCv2Utils extends BaseEcdsaUtils {
     enterprise: string;
     originalPasscodeEncryptionCode?: string;
     retrofit?: DecryptedRetrofitPayload;
+    webauthnInfo?: MpcWebauthnInfo;
   }): Promise<KeychainsTriplet> {
     const { userSession, backupSession } = this.getUserAndBackupSession(2, 3, params.retrofit);
     const userGpgKey = await generateGPGKeyPair('secp256k1');
@@ -318,7 +319,8 @@ export class EcdsaMPCv2Utils extends BaseEcdsaUtils {
       userPrivateMaterial,
       userReducedPrivateMaterial,
       params.passphrase,
-      params.originalPasscodeEncryptionCode
+      params.originalPasscodeEncryptionCode,
+      params.webauthnInfo
     );
     const backupKeychainPromise = this.addBackupKeychain(
       bitgoCommonKeychain,
@@ -350,20 +352,23 @@ export class EcdsaMPCv2Utils extends BaseEcdsaUtils {
     privateMaterial?: Buffer,
     reducedPrivateMaterial?: Buffer,
     passphrase?: string,
-    originalPasscodeEncryptionCode?: string
+    originalPasscodeEncryptionCode?: string,
+    webauthnInfo?: MpcWebauthnInfo
   ): Promise<Keychain> {
     let source: string;
     let encryptedPrv: string | undefined = undefined;
     let reducedEncryptedPrv: string | undefined = undefined;
+    let privateMaterialBase64: string | undefined = undefined;
     switch (participantIndex) {
       case MPCv2PartiesEnum.USER:
       case MPCv2PartiesEnum.BACKUP:
         source = participantIndex === MPCv2PartiesEnum.USER ? 'user' : 'backup';
         assert(privateMaterial, `Private material is required for ${source} keychain`);
         assert(reducedPrivateMaterial, `Reduced private material is required for ${source} keychain`);
         assert(passphrase, `Passphrase is required for ${source} keychain`);
+        privateMaterialBase64 = privateMaterial.toString('base64');
         encryptedPrv = this.bitgo.encrypt({
-          input: privateMaterial.toString('base64'),
+          input: privateMaterialBase64,
           password: passphrase,
         });
         // Encrypts the CBOR-encoded ReducedKeyShare (which contains the party's private
@@ -393,6 +398,19 @@ export class EcdsaMPCv2Utils extends BaseEcdsaUtils {
       isMPCv2: true,
     };
 
+    if (webauthnInfo && participantIndex === MPCv2PartiesEnum.USER && privateMaterialBase64) {
+      recipientKeychainParams.webauthnDevices = [
+        {
+          otpDeviceId: webauthnInfo.otpDeviceId,
+          prfSalt: webauthnInfo.prfSalt,
+          encryptedPrv: this.bitgo.encrypt({
+            input: privateMaterialBase64,
+            password: webauthnInfo.passphrase,
+          }),
+        },
+      ];
+    }
+
     const keychains = this.baseCoin.keychains();
     return { ...(await keychains.add(recipientKeychainParams)), reducedEncryptedPrv: reducedEncryptedPrv };
   }
@@ -512,15 +530,17 @@ export class EcdsaMPCv2Utils extends BaseEcdsaUtils {
     privateMaterial: Buffer,
     reducedPrivateMaterial: Buffer,
     passphrase: string,
-    originalPasscodeEncryptionCode?: string
+    originalPasscodeEncryptionCode?: string,
+    webauthnInfo?: MpcWebauthnInfo
   ): Promise<Keychain> {
     return this.createParticipantKeychain(
       MPCv2PartiesEnum.USER,
       commonKeychain,
       privateMaterial,
       reducedPrivateMaterial,
       passphrase,
-      originalPasscodeEncryptionCode
+      originalPasscodeEncryptionCode,
+      webauthnInfo
     );
   }
 

modules/sdk-core/src/bitgo/utils/tss/eddsa/eddsa.ts

@@ -4,7 +4,7 @@
 import assert from 'assert';
 import * as openpgp from 'openpgp';
 import Eddsa, { GShare, SignShare } from '../../../../account-lib/mpc/tss';
-import { AddKeychainOptions, CreateBackupOptions, Keychain } from '../../../keychain';
+import { AddKeychainOptions, CreateBackupOptions, Keychain, MpcWebauthnInfo } from '../../../keychain';
 import { verifyWalletSignature } from '../../../tss/eddsa/eddsa';
 import { createShareProof, encryptText, generateGPGKeyPair, getBitgoGpgPubKey } from '../../opengpgUtils';
 import {
@@ -128,6 +128,7 @@ export class EddsaUtils extends baseTSSUtils<KeyShare> {
     bitgoKeychain,
     passphrase,
     originalPasscodeEncryptionCode,
+    webauthnInfo,
   }: CreateEddsaKeychainParams): Promise<Keychain> {
     const MPC = await Eddsa.initialize();
     const bitgoKeyShares = bitgoKeychain.keyShares;
@@ -189,6 +190,18 @@ export class EddsaUtils extends baseTSSUtils<KeyShare> {
         password: passphrase,
       });
     }
+    if (webauthnInfo && userKeychainParams.encryptedPrv) {
+      userKeychainParams.webauthnDevices = [
+        {
+          otpDeviceId: webauthnInfo.otpDeviceId,
+          prfSalt: webauthnInfo.prfSalt,
+          encryptedPrv: this.bitgo.encrypt({
+            input: JSON.stringify(userSigningMaterial),
+            password: webauthnInfo.passphrase,
+          }),
+        },
+      ];
+    }
 
     return await this.baseCoin.keychains().add(userKeychainParams);
   }
@@ -344,6 +357,7 @@ export class EddsaUtils extends baseTSSUtils<KeyShare> {
     passphrase?: string;
     enterprise?: string;
     originalPasscodeEncryptionCode?: string;
+    webauthnInfo?: MpcWebauthnInfo;
   }): Promise<KeychainsTriplet> {
     const MPC = await Eddsa.initialize();
     const m = 2;
@@ -370,6 +384,7 @@ export class EddsaUtils extends baseTSSUtils<KeyShare> {
       bitgoKeychain,
       passphrase: params.passphrase,
       originalPasscodeEncryptionCode: params.originalPasscodeEncryptionCode,
+      webauthnInfo: params.webauthnInfo,
     });
     const backupKeychainPromise = this.createBackupKeychain({
       userGpgKey,