feat(sdk-core): add attachPasskeyToWallet function

- fetch wallet to infer coin, keychainId, enterpriseId
- verify encryptedPrv exists before PRF assertion
- derive enterprise salt and re-encrypt prv with PRF-derived password
- PUT webauthnInfo to keychain endpoint

Ticket: WCN-189

Author: derranW26

Dockerfile

@@ -43,9 +43,10 @@ COPY --from=builder /tmp/bitgo/modules/express /var/bitgo-express/
 #COPY_START
 COPY --from=builder /tmp/bitgo/modules/abstract-lightning /var/modules/abstract-lightning/
 COPY --from=builder /tmp/bitgo/modules/sdk-core /var/modules/sdk-core/
+COPY --from=builder /tmp/bitgo/modules/passkey-crypto /var/modules/passkey-crypto/
+COPY --from=builder /tmp/bitgo/modules/sjcl /var/modules/sjcl/
 COPY --from=builder /tmp/bitgo/modules/sdk-lib-mpc /var/modules/sdk-lib-mpc/
 COPY --from=builder /tmp/bitgo/modules/sdk-opensslbytes /var/modules/sdk-opensslbytes/
-COPY --from=builder /tmp/bitgo/modules/sjcl /var/modules/sjcl/
 COPY --from=builder /tmp/bitgo/modules/secp256k1 /var/modules/secp256k1/
 COPY --from=builder /tmp/bitgo/modules/statics /var/modules/statics/
 COPY --from=builder /tmp/bitgo/modules/utxo-lib /var/modules/utxo-lib/
@@ -145,9 +146,10 @@ COPY --from=builder /tmp/bitgo/modules/sdk-coin-zec /var/modules/sdk-coin-zec/
 
 RUN cd /var/modules/abstract-lightning && yarn link && \
 cd /var/modules/sdk-core && yarn link && \
+cd /var/modules/passkey-crypto && yarn link && \
+cd /var/modules/sjcl && yarn link && \
 cd /var/modules/sdk-lib-mpc && yarn link && \
 cd /var/modules/sdk-opensslbytes && yarn link && \
-cd /var/modules/sjcl && yarn link && \
 cd /var/modules/secp256k1 && yarn link && \
 cd /var/modules/statics && yarn link && \
 cd /var/modules/utxo-lib && yarn link && \
@@ -250,9 +252,10 @@ cd /var/modules/sdk-coin-zec && yarn link
 RUN cd /var/bitgo-express && \
     yarn link @bitgo/abstract-lightning && \
     yarn link @bitgo/sdk-core && \
+    yarn link @bitgo/passkey-crypto && \
+    yarn link @bitgo/sjcl && \
     yarn link @bitgo/sdk-lib-mpc && \
     yarn link @bitgo/sdk-opensslbytes && \
-    yarn link @bitgo/sjcl && \
     yarn link @bitgo/secp256k1 && \
     yarn link @bitgo/statics && \
     yarn link @bitgo/utxo-lib && \

modules/sdk-core/package.json

@@ -40,6 +40,7 @@
     ]
   },
   "dependencies": {
+    "@bitgo/passkey-crypto": "^0.1.0",
     "@bitgo/public-types": "5.97.0",
     "@bitgo/sdk-lib-mpc": "^10.11.1",
     "@bitgo/secp256k1": "^1.11.0",

modules/sdk-core/src/bitgo/passkey/attachPasskeyToWallet.ts

@@ -0,0 +1,81 @@
+import { BitGoBase } from '../bitgoBase';
+import { Keychain } from '../keychain';
+import { deriveEnterpriseSalt, derivePassword } from '@bitgo/passkey-crypto';
+import { WebAuthnOtpDevice, WebAuthnProvider } from './types';
+
+export async function attachPasskeyToWallet(params: {
+  bitgo: BitGoBase;
+  walletId: string;
+  device: WebAuthnOtpDevice;
+  existingPassphrase: string;
+  provider: WebAuthnProvider;
+}): Promise<Keychain> {
+  const { bitgo, walletId, device, existingPassphrase, provider } = params;
+
+  // Throw early if PRF extension is not supported
+  if (!device.prfSalt) {
+    throw new Error('PRF extension not supported by this device. Please use a different passkey.');
+  }
+
+  // Fetch wallet to infer coin, keychainId, enterpriseId
+  const walletData = await bitgo.get(bitgo.url(`/wallet/${walletId}`, 2)).result();
+
+  const coin = walletData.coin;
+  if (!coin || typeof coin !== 'string') {
+    throw new Error(`Wallet ${walletId} has no coin type.`);
+  }
+
+  const keys = walletData.keys as string[] | undefined;
+  if (!keys || keys.length === 0) {
+    throw new Error(`Wallet ${walletId} has no keys.`);
+  }
+  const keychainId = keys[0];
+
+  const enterpriseId = walletData.enterprise as string | undefined;
+  if (!enterpriseId) {
+    throw new Error(`Wallet ${walletId} has no enterprise.`);
+  }
+
+  // Fetch user keychain
+  const keychain = await bitgo.get(bitgo.url(`/${coin}/key/${keychainId}`, 2)).result();
+
+  if (!keychain.encryptedPrv) {
+    throw new Error(
+      `Keychain ${keychainId} has no encryptedPrv. Cannot attach passkey without an existing encrypted private key.`
+    );
+  }
+
+  // Derive enterprise-scoped salt
+  const enterpriseSalt = deriveEnterpriseSalt(device.prfSalt, enterpriseId);
+
+  // Decrypt private key with existing passphrase
+  const privateKey = bitgo.decrypt({ password: existingPassphrase, input: keychain.encryptedPrv });
+
+  // PRF assertion — evalByCredential maps this device's credentialId to its enterprise salt
+  const authResult = await provider.get({
+    publicKey: {} as PublicKeyCredentialRequestOptions,
+    evalByCredential: { [device.credentialId]: enterpriseSalt },
+  });
+
+  if (!authResult.prfResult) {
+    throw new Error('PRF assertion did not return a result.');
+  }
+
+  // Derive password from PRF output and re-encrypt
+  const prfPassword = derivePassword(authResult.prfResult);
+  const encryptedPrv = bitgo.encrypt({ password: prfPassword, input: privateKey });
+
+  // PUT webauthnInfo to keychain endpoint
+  const updatedKeychain = await bitgo
+    .put(bitgo.url(`/${coin}/key/${keychainId}`, 2))
+    .send({
+      webauthnInfo: {
+        prfSalt: enterpriseSalt,
+        otpDeviceId: device.id,
+        encryptedPrv,
+      },
+    })
+    .result();
+
+  return updatedKeychain as Keychain;
+}

modules/sdk-core/src/bitgo/passkey/index.ts

@@ -0,0 +1,2 @@
+export * from './attachPasskeyToWallet';
+export * from './types';

modules/sdk-core/src/bitgo/passkey/types.ts

@@ -0,0 +1 @@
+export type { WebAuthnOtpDevice, WebAuthnProvider, PasskeyAuthResult, PasskeyGetOptions } from '@bitgo/passkey-crypto';