refactor: use PivKeyConverter to convert between formats

Author: DennisDyallo

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Converters/KeyExtensions.cs

@@ -37,9 +37,9 @@ public static Memory<byte> EncodeAsPiv(this IPublicKey parameters)
     {
         return parameters switch
         {
-            ECPublicKey p => KeyToPivEncoding.EncodeECPublicKey(p),
-            RSAPublicKey p => KeyToPivEncoding.EncodeRSAPublicKey(p),
-            Curve25519PublicKey p => KeyToPivEncoding.EncodeCurve25519PublicKey(p),
+            ECPublicKey p => PivKeyConverter.EncodeECPublicKey(p),
+            RSAPublicKey p => PivKeyConverter.EncodeRSAPublicKey(p),
+            Curve25519PublicKey p => PivKeyConverter.EncodeCurve25519PublicKey(p),
             _ => throw new ArgumentException("Unsupported key type.", nameof(parameters))
         };
     }
@@ -54,9 +54,9 @@ public static Memory<byte> EncodeAsPiv(this IPrivateKey parameters)
     {
         return parameters switch
         {
-            ECPrivateKey p => KeyToPivEncoding.EncodeECPrivateKey(p),
-            RSAPrivateKey p => KeyToPivEncoding.EncodeRSAPrivateKey(p),
-            Curve25519PrivateKey p => KeyToPivEncoding.EncodeCurve25519PrivateKey(p),
+            ECPrivateKey p => PivKeyConverter.EncodeECPrivateKey(p),
+            RSAPrivateKey p => PivKeyConverter.EncodeRSAPrivateKey(p),
+            Curve25519PrivateKey p => PivKeyConverter.EncodeCurve25519PrivateKey(p),
             _ => throw new ArgumentException("Unsupported key type.", nameof(parameters))
         };
     }

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Converters/PivEncodingReader.cs

@@ -21,111 +21,99 @@ namespace Yubico.YubiKey.Piv.Converters;
 
 internal static class PivEncodingReader
 {
+    // Works with both Piv Encoded and GetMetaData encoded keys (with or without leading Public Key Tag)
+    // public static (ReadOnlyMemory<byte> Modulus, ReadOnlyMemory<byte> Exponent) GetPublicRSAValues(
+    //     ReadOnlyMemory<byte> encodedPublicKey)
+    // {
+    //     var tlvReader = new TlvReader(encodedPublicKey);
+    //     int tag = tlvReader.PeekTag(2);
+    //     var rsaKeyEncoding = tag == PivConstants.PublicKeyTag 
+    //         ? tlvReader.ReadValue(PivConstants.PublicKeyTag) 
+    //         : encodedPublicKey;
+    //     
+    //     var publicKeyValues = TlvObjects.DecodeDictionary(rsaKeyEncoding.Span);
+    //     bool hasModulus = publicKeyValues.TryGetValue(PivConstants.PublicRSAModulusTag, out var modulus);
+    //     bool hasExponent = publicKeyValues.TryGetValue(PivConstants.PublicRSAExponentTag, out var exponent);
+    //     if (!hasModulus || !hasExponent)
+    //     {
+    //         throw new ArgumentException(
+    //             string.Format(
+    //                 CultureInfo.CurrentCulture,
+    //                 ExceptionMessages.InvalidPublicKeyData
+    //                 ));
+    //     }
+    //     return (modulus, exponent);
+    // }
+    
     public static (ReadOnlyMemory<byte> Modulus, ReadOnlyMemory<byte> Exponent) GetPublicRSAValues(
         ReadOnlyMemory<byte> encodedPublicKey)
     {
-        var tlvReader = new TlvReader(encodedPublicKey);
-        int tag = tlvReader.PeekTag(2);
-        if (tag == PivConstants.PublicKeyTag)
+        var tlvObject = TlvObject.Parse(encodedPublicKey.Span);
+        var rsaKeyEncoding = tlvObject.Tag == PivConstants.PublicKeyTag 
+            ? tlvObject.Value 
+            : encodedPublicKey;
+        
+        var publicKeyValues = TlvObjects.DecodeDictionary(rsaKeyEncoding.Span);
+        bool hasModulus = publicKeyValues.TryGetValue(PivConstants.PublicRSAModulusTag, out var modulus);
+        bool hasExponent = publicKeyValues.TryGetValue(PivConstants.PublicRSAExponentTag, out var exponent);
+        if (!hasModulus || !hasExponent)
         {
-            tlvReader = tlvReader.ReadNestedTlv(tag);
-        }
-
-        var valueArray = new ReadOnlyMemory<byte>[2];
-
-        while (tlvReader.HasData)
-        {
-            tag = tlvReader.PeekTag();
-            int valueIndex = tag switch
-            {
-                PivConstants.PublicRSAModulusTag => 0,
-                PivConstants.PublicRSAExponentTag => 1,
-                _ => throw new ArgumentException(
-                    string.Format(CultureInfo.CurrentCulture, ExceptionMessages.InvalidPublicKeyData))
-            };
-
-            if (!valueArray[valueIndex].IsEmpty)
-            {
-                throw new ArgumentException(
-                    string.Format(
-                        CultureInfo.CurrentCulture,
-                        ExceptionMessages.InvalidPublicKeyData)
-                    );
-            }
-
-            valueArray[valueIndex] = tlvReader.ReadValue(tag);
+            throw new ArgumentException(
+                string.Format(
+                    CultureInfo.CurrentCulture,
+                    ExceptionMessages.InvalidPublicKeyData
+                    ));
         }
-
-        return (valueArray[0], valueArray[1]);
+        return (modulus, exponent);
     }
 
     // Will read PIV public key data and return the public point
     public static ReadOnlyMemory<byte> GetECPublicPointValues(ReadOnlyMemory<byte> encodedPublicKey)
     {
-        var tlvReader = new TlvReader(encodedPublicKey);
-
-        int tag = tlvReader.PeekTag(2);
-        if (tag == PivConstants.PublicKeyTag)
-        {
-            tlvReader = tlvReader.ReadNestedTlv(tag);
-        }
-
-        tag = tlvReader.PeekTag();
-        if (tag != PivConstants.PublicECTag)
+        var tlvObject = TlvObject.Parse(encodedPublicKey.Span);
+        var keyEncoding = tlvObject.Tag == PivConstants.PublicKeyTag
+            ? tlvObject.Value
+            : encodedPublicKey;
+        
+        var publicKeyValues = TlvObjects.DecodeDictionary(keyEncoding.Span);
+        bool hasPublicPoint = publicKeyValues.TryGetValue(PivConstants.PublicECTag, out var publicPoint);
+        if (!hasPublicPoint)
         {
             throw new ArgumentException(
                 string.Format(
                     CultureInfo.CurrentCulture,
-                    ExceptionMessages.InvalidPublicKeyData)
-                );
+                    ExceptionMessages.InvalidPublicKeyData
+                    ));
         }
-
-        var publicPoint = tlvReader.ReadValue(PivConstants.PublicECTag);
         return publicPoint;
     }
 
     public static RSAParameters GetRSAParameters(ReadOnlyMemory<byte> pivEncodedKey)
     {
-        const int CrtComponentCount = 5;
-
-        var tlvReader = new TlvReader(pivEncodedKey);
-        var valueArray = new ReadOnlyMemory<byte>[CrtComponentCount];
-
-        int index = 0;
-        for (; index < CrtComponentCount; index++)
+        var tlvObject = TlvObject.Parse(pivEncodedKey.Span);
+        var keyEncoding = tlvObject.Tag == PivConstants.PublicKeyTag
+            ? tlvObject.Value
+            : pivEncodedKey;
+        
+        var rsaTlvValues = TlvObjects.DecodeDictionary(keyEncoding.Span);
+        if (!rsaTlvValues.ContainsKey(PivConstants.PrivateRSAPrimePTag) ||
+            !rsaTlvValues.ContainsKey(PivConstants.PrivateRSAPrimeQTag) ||
+            !rsaTlvValues.ContainsKey(PivConstants.PrivateRSAExponentPTag) ||
+            !rsaTlvValues.ContainsKey(PivConstants.PrivateRSAExponentQTag) ||
+            !rsaTlvValues.ContainsKey(PivConstants.PrivateRSACoefficientTag))
         {
-            valueArray[index] = ReadOnlyMemory<byte>.Empty;
-        }
-
-        index = 0;
-        while (index < CrtComponentCount)
-        {
-            if (tlvReader.HasData == false)
-            {
-                break;
-            }
-
-            int tag = tlvReader.PeekTag();
-            var temp = tlvReader.ReadValue(tag);
-            if (tag <= 0 || tag > CrtComponentCount)
-            {
-                continue;
-            }
-
-            if (valueArray[tag - 1].IsEmpty == false)
-            {
-                continue;
-            }
-
-            index++;
-            valueArray[tag - 1] = temp;
+            throw new ArgumentException(
+                string.Format(
+                    CultureInfo.CurrentCulture,
+                    ExceptionMessages.InvalidPrivateKeyData
+                    ));
         }
-
-        var primeP = valueArray[PivConstants.PrivateRSAPrimePTag - 1].Span;
-        var primeQ = valueArray[PivConstants.PrivateRSAPrimeQTag - 1].Span;
-        var exponentP = valueArray[PivConstants.PrivateRSAExponentPTag - 1].Span;
-        var exponentQ = valueArray[PivConstants.PrivateRSAExponentQTag - 1].Span;
-        var coefficient = valueArray[PivConstants.PrivateRSACoefficientTag - 1].Span;
+        
+        var primeP = rsaTlvValues[PivConstants.PrivateRSAPrimePTag].Span;
+        var primeQ = rsaTlvValues[PivConstants.PrivateRSAPrimeQTag].Span;
+        var exponentP = rsaTlvValues[PivConstants.PrivateRSAExponentPTag].Span;
+        var exponentQ = rsaTlvValues[PivConstants.PrivateRSAExponentQTag].Span;
+        var coefficient = rsaTlvValues[PivConstants.PrivateRSACoefficientTag].Span;
 
         return new RSAParameters
         {
@@ -134,6 +122,7 @@ public static RSAParameters GetRSAParameters(ReadOnlyMemory<byte> pivEncodedKey)
             DP = exponentP.ToArray(),
             DQ = exponentQ.ToArray(),
             InverseQ = coefficient.ToArray(),
+
             // The YubiKey only works with the CRT components of the private RSA key,
             // that's why we set these values as empty.
             D = Array.Empty<byte>(),

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Converters/PivEncodingToKey.cs renamed to Yubico.YubiKey/src/Yubico/YubiKey/Piv/Converters/PivKeyConverter.Decode.cs

@@ -25,7 +25,7 @@ namespace Yubico.YubiKey.Piv.Converters;
 /// This class converts from a Piv Encoded Key to either instances of the common IPublicKey and IPrivateKey
 /// or concrete the concrete types that inherit these interfaces.
 /// </summary>
-internal static class PivEncodingToKey
+internal partial class PivKeyConverter
 {
     public static IPublicKey CreatePublicKey(ReadOnlyMemory<byte> pivEncodedKey, KeyType keyType) =>
         keyType switch
@@ -38,7 +38,7 @@ _ when keyType.IsRSA() => CreateRSAPublicKey(pivEncodedKey),
                     CultureInfo.CurrentCulture,
                     ExceptionMessages.InvalidApduResponseData))
         };
-    
+
     public static RSAPublicKey CreateRSAPublicKey(ReadOnlyMemory<byte> pivEncodedKey)
     {
         var (modulus, exponent) = PivEncodingReader.GetPublicRSAValues(pivEncodedKey);
@@ -81,7 +81,7 @@ public static Curve25519PublicKey CreateCurve25519PublicKey(ReadOnlyMemory<byte>
         var publicPoint = PivEncodingReader.GetECPublicPointValues(pivEncodedKey);
         return Curve25519PublicKey.CreateFromValue(publicPoint, keyType);
     }
-    
+
     /// <summary>
     /// Creates an instance of <see cref="IPrivateKey"/> from the
     /// given PIV-encoded key.
@@ -113,7 +113,7 @@ _ when keyType.IsRSA() => CreateRSAPrivateKey(pivEncodedKey),
         };
 
     public static Curve25519PrivateKey CreateCurve25519PrivateKey(
-        ReadOnlyMemory<byte> pivEncodedKey, 
+        ReadOnlyMemory<byte> pivEncodedKey,
         KeyType keyType)
     {
         if (!TlvObject.TryParse(pivEncodedKey.Span, out var tlv) || !PivConstants.IsValidPrivateECTag(tlv.Tag))
@@ -125,15 +125,15 @@ public static Curve25519PrivateKey CreateCurve25519PrivateKey(
         }
 
         using var privateValueHandle = new ZeroingMemoryHandle(tlv.Value.ToArray());
-    
+
         return tlv.Tag switch
         {
             PivConstants.PrivateECEd25519Tag when keyType == KeyType.Ed25519 => Curve25519PrivateKey.CreateFromValue(
                 privateValueHandle.Data, KeyType.Ed25519),
-            
+
             PivConstants.PrivateECX25519Tag when keyType == KeyType.X25519 => Curve25519PrivateKey.CreateFromValue(
                 privateValueHandle.Data, KeyType.X25519),
-            
+
             _ => throw new ArgumentException(
                 string.Format(
                     CultureInfo.CurrentCulture,
@@ -150,14 +150,16 @@ public static ECPrivateKey CreateECPrivateKey(ReadOnlyMemory<byte> pivEncodedKey
                     CultureInfo.CurrentCulture,
                     ExceptionMessages.InvalidPrivateKeyData));
         }
-    
+
         var allowedKeyDefinitions = KeyDefinitions
             .GetEcKeyDefinitions()
             .Where(kd => kd.AlgorithmOid == Oids.ECDSA);
+
         try
         {
             var keyDefinition = allowedKeyDefinitions
                 .Single(kd => kd.LengthInBytes == tlv.Value.Span.Length);
+
             using var privateValueHandle = new ZeroingMemoryHandle(tlv.Value.ToArray());
             return ECPrivateKey.CreateFromValue(privateValueHandle.Data, keyDefinition.KeyType);
         }

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Converters/KeyToPivEncoding.cs renamed to Yubico.YubiKey/src/Yubico/YubiKey/Piv/Converters/PivKeyConverter.Encode.cs

@@ -20,12 +20,11 @@
 namespace Yubico.YubiKey.Piv.Converters;
 
 /// <summary>
-/// This class contains methods to convert between the different key parameters and the PIV format.
+/// This class converts from a Piv Encoded Key to either instances of the common IPublicKey and IPrivateKey
+/// or concrete the concrete types that inherit these interfaces.
 /// </summary>
-public static class KeyToPivEncoding
+internal partial class PivKeyConverter
 {
-    #region PublicKeys
-
     public static Memory<byte> EncodeRSAPublicKey(RSAPublicKey parameters)
     {
         var rsaParameters = parameters.Parameters;
@@ -61,10 +60,6 @@ public static Memory<byte> EncodeECPublicKey(ECPublicKey parameters)
         return tlvWriter.Encode();
     }
 
-    #endregion
-
-    #region PrivateKeys
-
     public static Memory<byte> EncodeECPrivateKey(ECPrivateKey parameters)
     {
         var tlvWriter = new TlvWriter();
@@ -105,6 +100,4 @@ public static Memory<byte> EncodeCurve25519PrivateKey(Curve25519PrivateKey param
         tlvWriter.WriteValue(typeTag, parameters.PrivateKey.Span);
         return tlvWriter.Encode();
     }
-
-    #endregion
 }

Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivMetadata.cs

@@ -245,7 +245,7 @@ private void ParseResponseData(ReadOnlyMemory<byte> responseData)
 
                     case PublicTag:
                         // Public: public key partner to the private key in the slot
-                        PublicKeyParameters = PivEncodingToKey.CreatePublicKey(value, Algorithm.GetKeyType());
+                        PublicKeyParameters = PivKeyConverter.CreatePublicKey(value, Algorithm.GetKeyType());
 
                         #pragma warning disable CS0618 // Type or member is obsolete
                         PublicKey = PivPublicKey.Create(value, Algorithm);

Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.KeyPairs.cs

@@ -160,7 +160,7 @@ public IPublicKey GenerateKeyPair(
             var command = new GenerateKeyPairCommand(slotNumber, keyType, pinPolicy, touchPolicy);
             var response = Connection.SendCommand(command);
 
-            return PivEncodingToKey.CreatePublicKey(response.Data, keyType);
+            return PivKeyConverter.CreatePublicKey(response.Data, keyType);
         }
 
         /// <summary>

Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/ECPrivateKeyTests.cs

@@ -20,7 +20,7 @@ public void CreateFromPivEncoding_WithValidParameters_CreatesInstance()
             var pivPrivateKeyEncoded = pivPrivateKey.EncodedPrivateKey;
 
             // Act
-            var privateKeyParams = PivEncodingToKey.CreateECPrivateKey(pivPrivateKeyEncoded);
+            var privateKeyParams = PivKeyConverter.CreateECPrivateKey(pivPrivateKeyEncoded);
             var parameters = privateKeyParams.Parameters;
 
             // Assert

Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/ECPublicKeyTests.cs

@@ -20,7 +20,7 @@ public void CreateFromPivEncoding_WithValidParameters_CreatesInstance(KeyType ke
             var pivPublicKeyEncoded = pivPublicKey.PivEncodedPublicKey;
 
             // Act
-            var publicKeyParams = PivEncodingToKey.CreateECPublicKey(pivPublicKeyEncoded);
+            var publicKeyParams = PivKeyConverter.CreateECPublicKey(pivPublicKeyEncoded);
             var resultParameters = publicKeyParams.Parameters;
 
             // Assert