fix(passkey-crypto): use base64url everywhere for the PRF salt

The attach and derive flows were feeding different bytes to the WebAuthn
PRF extension for the same passkey, so the password derived at attach
time could not decrypt the keychain blob written with that same password
(ccm tag mismatch on every transaction approval).

Three encoding inconsistencies caused this:

- deriveEnterpriseSalt returned hex while the server stores base64url
  and the WebAuthn extension expects raw bytes — every consumer had to
  re-encode, and one of them did it wrong.
- attachPasskeyToWallet ran the hex output back through a
  hex-to-base64url conversion before handing it to provider.get, so
  the browser PRF saw the hex characters interpreted as base64 garbage.
- prfHelpers.buildEvalByCredential tried to convert the stored
  base64url salt to hex via Buffer.from(...).toString('hex'), which is
  a no-op under the browser Buffer polyfill and a real conversion in
  Node — same code, different bytes.

Standardise on base64url end-to-end: deriveEnterpriseSalt emits
base64url, attachPasskeyToWallet passes that string straight through
to the PRF eval, and prfHelpers reads device.prfSalt unchanged. The
WebAuthn provider layer is the single point that decodes base64url to
bytes for navigator.credentials.get.

Refs: WCN-410

TICKET: WCN-410

Author: derranW26

modules/passkey-crypto/src/attachPasskeyToWallet.ts

@@ -37,8 +37,10 @@ export async function attachPasskeyToWallet(params: {
   const keychain = await wallet.getEncryptedUserKeychain();
   const keychainId = keychain.id;
 
-  // Derive enterprise-scoped salt
-  const enterpriseSalt = deriveEnterpriseSalt(device.prfSalt, enterpriseId);
+  // Derive enterprise-scoped salt (base64url; same encoding is used as the
+  // PRF eval input and as the server-stored prfSalt so the bytes fed to the
+  // authenticator match between attach and derive).
+  const prfSalt = deriveEnterpriseSalt(device.prfSalt, enterpriseId);
 
   // Decrypt private key with existing passphrase
   const privateKey = bitgo.decrypt({ password: existingPassphrase, input: keychain.encryptedPrv });
@@ -48,36 +50,28 @@ export async function attachPasskeyToWallet(params: {
   // and each entry must correspond to a key in the evalByCredential map.
   const credentialIdBuffer = Buffer.from(device.credentialId.replace(/-/g, '+').replace(/_/g, '/'), 'base64').buffer;
 
-  // PRF assertion — evalByCredential maps this device's credentialId to its enterprise salt
+  // PRF assertion — evalByCredential maps this device's credentialId to the
+  // base64url enterprise salt. The provider layer is responsible for decoding
+  // base64url to raw bytes before handing it to the WebAuthn PRF extension.
   const authResult = await provider.get({
     publicKey: {
       allowCredentials: [{ type: 'public-key', id: credentialIdBuffer }],
     } as PublicKeyCredentialRequestOptions,
-    evalByCredential: { [device.credentialId]: enterpriseSalt },
+    evalByCredential: { [device.credentialId]: prfSalt },
   });
 
   if (!authResult.prfResult) {
     throw new Error('PRF assertion did not return a result.');
   }
 
-  // Derive password from PRF output and re-encrypt
   const prfPassword = derivePassword(authResult.prfResult);
   const encryptedPrv = bitgo.encrypt({ password: prfPassword, input: privateKey });
 
-  // Convert enterpriseSalt from hex to base64url (URL-safe, no padding)
-  // as required by the server's prfSalt validation.
-  const prfSaltBase64url = Buffer.from(enterpriseSalt, 'hex')
-    .toString('base64')
-    .replace(/\+/g, '-')
-    .replace(/\//g, '_')
-    .replace(/=+$/, '');
-
-  // PUT webauthnInfo to keychain endpoint
   const updatedKeychain = await bitgo
     .put(bitgo.url(`/${coin}/key/${keychainId}`, 2))
     .send({
       webauthnInfo: {
-        prfSalt: prfSaltBase64url,
+        prfSalt,
         otpDeviceId: device.id,
         encryptedPrv,
       },

modules/passkey-crypto/src/deriveEnterpriseSalt.ts

@@ -6,11 +6,22 @@ import { createHmac } from 'crypto';
  * Computes HMAC-SHA256(key=prfSalt_base64url_decoded, data=enterpriseId_utf8).
  * The baseSalt must always come from the server — never generate it client-side.
  *
+ * Returns base64url so the same encoding is used everywhere the salt is handled
+ * (server storage, PRF eval input, prfHelpers lookup). Mixing encodings
+ * (e.g. hex on the client, base64url on the server) caused the PRF to receive
+ * different bytes during attach vs derive in browser environments where
+ * `Buffer.toString('hex')` is unreliable.
+ *
  * @param baseSalt - Server-provided base64url-encoded PRF salt
  * @param enterpriseId - Enterprise identifier
- * @returns Hex-encoded HMAC-SHA256 digest
+ * @returns Base64url-encoded HMAC-SHA256 digest (no padding)
  */
 export function deriveEnterpriseSalt(baseSalt: string, enterpriseId: string): string {
   const keyBytes = Buffer.from(baseSalt.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
-  return createHmac('sha256', keyBytes).update(enterpriseId).digest('hex');
+  return createHmac('sha256', keyBytes)
+    .update(enterpriseId)
+    .digest('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
 }

modules/passkey-crypto/src/prfHelpers.ts

@@ -14,8 +14,22 @@ export function buildEvalByCredential(devices: WebauthnDevice[]): {
   for (const device of devices) {
     if (!device.prfSalt) continue;
     const { credID } = device.authenticatorInfo;
-    evalByCredential[credID] = device.prfSalt;
-    credIdToDevice.set(credID, device);
+
+    // Normalise credID to base64url (no padding, URL-safe chars) so it matches
+    // the key format used by attachPasskeyToWallet (device.credentialId from the
+    // browser, which is already base64url). The WebAuthn PRF extension looks up
+    // the selected credential's ID against evalByCredential keys — if the encoding
+    // differs (e.g. standard base64 with padding/+/), the lookup silently fails and
+    // PRF evaluates with no salt, producing a different output.
+    const credIdBase64url = credID.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+
+    // Pass prfSalt through as-is (base64url). attachPasskeyToWallet writes the
+    // server-stored salt in the same encoding and feeds the same string to
+    // the PRF extension at attach time, so both paths produce the same salt
+    // bytes — provided the WebAuthn provider layer decodes base64url before
+    // handing the bytes to navigator.credentials.get.
+    evalByCredential[credIdBase64url] = device.prfSalt;
+    credIdToDevice.set(credIdBase64url, device);
   }
 
   return { evalByCredential, credIdToDevice };
@@ -26,7 +40,10 @@ export function buildEvalByCredential(devices: WebauthnDevice[]): {
  * @throws if no matching device is found
  */
 export function matchDeviceByCredentialId(devices: WebauthnDevice[], credentialId: string): WebauthnDevice {
-  const device = devices.find((d) => d.authenticatorInfo.credID === credentialId);
+  // Normalise both sides to base64url so padding/char differences don't break matching.
+  const normalise = (s: string) => s.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+  const needle = normalise(credentialId);
+  const device = devices.find((d) => normalise(d.authenticatorInfo.credID) === needle);
   if (!device) {
     throw new Error('Could not identify which passkey device was used');
   }

modules/passkey-crypto/test/unit/deriveEnterpriseSalt.test.ts

@@ -5,7 +5,10 @@ import { deriveEnterpriseSalt } from '../../src';
 const REAL_FIXTURE = {
   basePrfSalt: 'ZqJ64M2dL65zn2-Jxd58SMN2ILc9QjbCFxUTGHd_LC8',
   enterpriseId: '69c2aea1a3d7bc07f7f775c0ca86b0ec',
-  expectedDerivedSalt: 'a226ac3aace4bb2b84cfff34e37fb7217620852bb72d5e0dfdad4c2c8473994f',
+  // base64url encoding of the HMAC-SHA256(baseSalt_decoded, enterpriseId) digest.
+  // Same encoding the server stores and the WebAuthn PRF extension consumes — keeping
+  // one encoding everywhere avoids the hex/base64url mismatch that broke browser PRF.
+  expectedDerivedSalt: 'oiasOqzkuyuEz_8043-3IXYghSu3LV4N_a1MLIRzmU8',
 };
 
 describe('deriveEnterpriseSalt', function () {
@@ -37,10 +40,11 @@ describe('deriveEnterpriseSalt', function () {
     assert.notStrictEqual(saltA, saltB);
   });
 
-  it('returns a non-empty hex string', function () {
+  it('returns a non-empty unpadded base64url string', function () {
     const result = deriveEnterpriseSalt(REAL_FIXTURE.basePrfSalt, REAL_FIXTURE.enterpriseId);
     assert.strictEqual(typeof result, 'string');
     assert.ok(result.length > 0);
-    assert.match(result, /^[0-9a-f]{64}$/);
+    // Base64url alphabet, no padding. SHA-256 = 32 bytes → 43 base64url chars.
+    assert.match(result, /^[A-Za-z0-9_-]{43}$/);
   });
 });