misc: minor work

remove unnecessary overload
remove comment

Author: DennisDyallo

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/GenerateKeyPairResponse.cs

@@ -127,9 +127,7 @@ public byte SlotNumber
         /// <exception cref="ArgumentException">
         /// The algorithm specified is not a supported asymmetric algorithm.
         /// </exception>
-        [Obsolete("Replaced by PublicKeyParameters.KeyType")] 
         public PivAlgorithm Algorithm 
-            // the algorithm is not returned by the generate key pair, so this is useless, its already known by the caller
         {
             get => _algorithm;
             set
@@ -161,7 +159,6 @@ public PivAlgorithm Algorithm
         /// <param name="algorithm">
         /// The algorithm (and key size) of the key pair generated.
         /// </param>
-        [Obsolete("Use other constructor")]
         public GenerateKeyPairResponse(
             ResponseApdu responseApdu,
             byte slotNumber,
@@ -211,9 +208,7 @@ public GenerateKeyPairResponse(
         /// <exception cref="InvalidOperationException">
         /// Thrown when <see cref="YubiKeyResponse.Status"/> is not <see cref="ResponseStatus.Success"/>.
         /// </exception>
-        public PivPublicKey GetData() => // To change this to return IPublicKeyPArameters would be a brekaing change. But is it necessary? Can we still use
-            // the pivpublickey inside the piv app? yes we can, but we dont need the caller to know we are converting in the bg
-            // but in some times the caller is receiving a pivpublickey..
+        public PivPublicKey GetData() =>
             Status switch
             {
 #pragma warning disable CS0618 // Type or member is obsolete

Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Crypto.cs

@@ -158,140 +158,6 @@ public byte[] Sign(byte slotNumber, ReadOnlyMemory<byte> dataToSign)
                     ExceptionMessages.IncorrectDigestLength));
         }
 
-        /// <summary>
-        /// Create a digital signature using the key in the given slot.
-        /// </summary>
-        /// <remarks>
-        /// The caller supplies the data to sign in the form of a formatted
-        /// message digest.
-        /// <para>
-        /// This method returns the digital signature created, if it can build
-        /// one. Otherwise it will throw an exception.
-        /// </para>
-        /// <para>
-        /// If the slot specified is not one that can sign, or it does not
-        /// contain a key, this method will throw an exception. If the input data
-        /// is not the correct length, the method will throw an exception.
-        /// </para>
-        /// <para>
-        /// If the key is ECC P-256, then the formatted digest is simply the
-        /// message digest itself, but it must be exactly 32 bytes. If the input
-        /// is not exactly 32 bytes, the method will throw an exception. If the
-        /// input data is shorter than 32 bytes, prepend pad bytes of 00 until
-        /// the length is exactly 32 bytes. You will almost certainly want to use
-        /// SHA-256 as the digest algorithm. The signature will be the BER
-        /// encoding of
-        /// <code>
-        ///   SEQUENCE {
-        ///     r   INTEGER,
-        ///     s   INTEGER }
-        /// </code>
-        /// </para>
-        /// <para>
-        /// If the key is ECC P-384, then the formatted digest is simply the
-        /// message digest itself, but it must be exactly 48 bytes. If the input
-        /// is not exactly 48 bytes, the method will throw an exception. If the
-        /// input data is shorter than 48 bytes, prepend pad bytes of 00 until
-        /// the length is exactly 48 bytes. You will almost certainly want to use
-        /// SHA-384 as the digest algorithm. The signature will be the BER
-        /// encoding of
-        /// <code>
-        ///   SEQUENCE {
-        ///     r   INTEGER,
-        ///     s   INTEGER }
-        /// </code>
-        /// </para>
-        /// <para>
-        /// If the key is RSA 1024/2048/3072/4096, then the input must be exactly 128/256/384/512 bytes,
-        /// otherwise the method will throw an exception. You can use the
-        /// <see cref="Cryptography.RsaFormat"/> class to format the data. That
-        /// class will be able to format the digest into either PKCS #1 v1.5 or a
-        /// subset of PKCS #1 PSS. However, if that class does not support the
-        /// exact format you want, you will have to write your own formatting
-        /// code and guarantee the input to this method is exactly 128/256/384/512 bytes
-        /// (prepend pad bytes of 00 until the length is exactly 128/256/384/512 if needed).
-        /// The signature will be a 128/256/384/512-byte block.
-        /// </para>
-        /// <para>
-        /// Signing might require the PIN and/or touch, depending on the PIN and
-        /// touch policies specified at the time the key was generated or
-        /// imported.
-        /// </para>
-        /// <para>
-        /// If a PIN is required, this method will call the necessary
-        /// routines to verify the PIN. See <see cref="VerifyPin()"/> for more
-        /// information on PIN verification. If the user cancels, this method
-        /// will throw an exception.
-        /// </para>
-        /// <para>
-        /// If touch is required, the YubiKey itself will flash its touch signal
-        /// and wait. If the YubiKey is not touched before the touch timeout, the
-        /// YubiKey will return with an error, and this method will throw an
-        /// exception (<c>OperationCanceledException</c>). Note that this method
-        /// will not make another effort to sign if the YubiKey is not touched,
-        /// it will simply throw the exception.
-        /// </para>
-        /// <para>
-        /// Note that on YubiKeys prior to version 5.3, it is not possible to know
-        /// programmatically what the PIN or touch policies are without actually
-        /// trying to sign. Also, it is not possible to know programmatically if
-        /// an authentication failure is due to PIN or touch. This means that on
-        /// older YubiKeys, this method will try to sign without the PIN, and if
-        /// it does not work because of authentication failure, it will not know
-        /// if the failure was due to PIN or touch. Hence, it will try to verify
-        /// the PIN then try to sign again. This all means that on older
-        /// YubiKeys, it is possible a YubiKey slot was originally configured
-        /// with a PIN policy of "never" and a touch policy of "always", and this
-        /// method will call for the PIN anyway. This happens if the user does
-        /// not touch the YubiKey before the timeout. See the User's Manual entry
-        /// on <xref href="UsersManualPivKeepingTrack">keeping track</xref> of
-        /// slot contents.
-        /// </para>
-        /// </remarks>
-        /// <param name="slotNumber">
-        /// The slot containing the key to use.
-        /// </param>
-        /// <param name="dataToSign">
-        /// The formatted message digest.
-        /// </param>
-        /// <param name="keyType">The algorithm to use.</param>
-        /// <returns>
-        /// The resulting signature.
-        /// </returns>
-        /// <exception cref="ArgumentException">
-        /// The slot number given was not valid, or the data to sign was an
-        /// invalid length.
-        /// </exception>
-        /// <exception cref="InvalidOperationException">
-        /// There was no key in the slot specified or the data did not match the
-        /// key (e.g. the data to sign was 32 bytes long but the key was ECC
-        /// P-384).
-        /// </exception>
-        /// <exception cref="OperationCanceledException">
-        /// Either the PIN was required and the user canceled collection or touch
-        /// was required and the user did not touch within the timeout period.
-        /// </exception>
-        /// <exception cref="SecurityException">
-        /// The remaining retries count indicates the PIN is blocked.
-        /// </exception>
-        /// <exception cref="NotSupportedException">
-        /// If the specified <see cref="PivAlgorithm"/> is not supported by the provided <see cref="IYubiKeyDevice"/>.
-        /// </exception>
-        public byte[] Sign(byte slotNumber, ReadOnlyMemory<byte> dataToSign, KeyType keyType)
-        {
-            var pivAlgorithm = keyType.GetPivAlgorithm();
-            YubiKey.ThrowIfUnsupportedAlgorithm(pivAlgorithm);
-            
-            var signCommand = new AuthenticateSignCommand(dataToSign, slotNumber, pivAlgorithm);
-            return PerformPrivateKeyOperation(
-                slotNumber,
-                signCommand,
-                signCommand.Algorithm,
-                string.Format(
-                    CultureInfo.CurrentCulture,
-                    ExceptionMessages.IncorrectDigestLength));
-        }
-
         /// <summary>
         /// Decrypt the given data using the key in the given slot.
         /// </summary>

Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/DecryptTests.cs

@@ -102,7 +102,7 @@ public void Decrypt_2048_Succeeds(PivPinPolicy pinPolicy, StandardTestDevice tes
         [InlineData(KeyType.RSA2048, 0x95, RsaFormat.Sha256, 2, StandardTestDevice.Fw5)]
         [InlineData(KeyType.RSA2048, 0x95, RsaFormat.Sha384, 2, StandardTestDevice.Fw5)]
         [InlineData(KeyType.RSA2048, 0x95, RsaFormat.Sha512, 2, StandardTestDevice.Fw5)]
-        [Obsolete] // FIx later
+        [Obsolete] // TODO Fix later
         public void EncryptCSharp_Decrypt_Correct(KeyType keyType, byte slotNumber, int digestAlgorithm, int paddingScheme, StandardTestDevice testDeviceType)
         {
             var rsaPadding = RSAEncryptionPadding.Pkcs1;

Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/PinAlwaysTests.cs

@@ -46,10 +46,10 @@ public void PinAlways_Sign_Succeeds(StandardTestDevice testDeviceType)
                     0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88
                 };
 
-                byte[] signature1 = pivSession.Sign(slotNumber, dataToSign, KeyType.P256);
+                byte[] signature1 = pivSession.Sign(slotNumber, dataToSign);
                 Assert.Equal(0x30, signature1[0]);
 
-                byte[] signature2 = pivSession.Sign(slotNumber, dataToSign, KeyType.P256);
+                byte[] signature2 = pivSession.Sign(slotNumber, dataToSign);
                 bool isSame = signature1.SequenceEqual(signature2);
                 Assert.False(isSame);
             }
@@ -80,10 +80,10 @@ public void Slot9C_Default_Sign_Succeeds(StandardTestDevice testDeviceType)
                     0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88
                 };
 
-                byte[] signature1 = pivSession.Sign(slotNumber, dataToSign, KeyType.P256);
+                byte[] signature1 = pivSession.Sign(slotNumber, dataToSign);
                 Assert.Equal(0x30, signature1[0]);
 
-                byte[] signature2 = pivSession.Sign(slotNumber, dataToSign, KeyType.P256);
+                byte[] signature2 = pivSession.Sign(slotNumber, dataToSign);
                 bool isSame = signature1.SequenceEqual(signature2);
                 Assert.False(isSame);
             }

Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/SignTests.cs

@@ -44,7 +44,7 @@ public void Sign_WithEd25519_RandomData_Succeeds(
             var publicKeyParameters = pivSession.GenerateKeyPair(PivSlot.Retired12, KeyType.Ed25519);
 
             // Act
-            var signature = pivSession.Sign(PivSlot.Retired12, dataToSign, KeyType.Ed25519);
+            var signature = pivSession.Sign(PivSlot.Retired12, dataToSign);
 
             // -> Verify the signature
             var bouncyKeyParameters = GetBouncyKeyParameters(publicKeyParameters);
@@ -71,7 +71,7 @@ public void Sign_WithEd25519_RandomData_Succeeds(
         [InlineData(StandardTestDevice.Fw5Fips, KeyType.RSA4096)]
         [InlineData(StandardTestDevice.Fw5Fips, KeyType.P256)]
         [InlineData(StandardTestDevice.Fw5Fips, KeyType.P384)]
-        public async Task Sign_with_RSAandECDsa_Succeeds(
+        public async Task Sign_with_RSAandECDsa_Succeeds( // TODO Tests are flaky
             StandardTestDevice testDeviceType,
             KeyType keyType)
         {
@@ -107,7 +107,7 @@ public async Task Sign_with_RSAandECDsa_Succeeds(
             var collectorObj = new Simple39KeyCollector();
             pivSession.KeyCollector = collectorObj.Simple39KeyCollectorDelegate;
 
-            var signature2 = pivSession.Sign(slotNumber, dataToSign, keyType);
+            var signature2 = pivSession.Sign(slotNumber, dataToSign);
             Assert.True(isValid);
             Assert.NotEmpty(signature2);
         }
@@ -230,7 +230,7 @@ public void SignRsa_VerifyCSharp_Correct(
                 pivSession.KeyCollector = collectorObj.Simple39KeyCollectorDelegate;
 
                 pivSession.ImportPrivateKey(slotNumber, priKey.GetPivPrivateKey());
-                byte[] signature = pivSession.Sign(slotNumber, formattedData, keyType);
+                byte[] signature = pivSession.Sign(slotNumber, formattedData);
 
                 using RSA rsaPublic = pubKey.GetRsaObject();
                 bool isVerified = rsaPublic.VerifyData(dataToSign, signature, hashAlgorithm, padding);
@@ -283,7 +283,7 @@ public void SignEcc_VerifyCSharp_CorrectObsolete(
 
                 pivSession.ImportPrivateKey(slotNumber, priKey.GetPivPrivateKey());
 
-                byte[] signature = pivSession.Sign(slotNumber, digester.Hash, keyType);
+                byte[] signature = pivSession.Sign(slotNumber, digester.Hash);
 
                 bool isValid = ConvertEcdsaSignature(signature, digester.Hash!.Length, out byte[] rsSignature);
                 Assert.True(isValid);
@@ -338,7 +338,7 @@ public void SignEcc_VerifyCSharp_Correct(
 
                 pivSession.ImportPrivateKey(slotNumber, privateKey);
 
-                byte[] signature = pivSession.Sign(slotNumber, digester.Hash, keyType);
+                byte[] signature = pivSession.Sign(slotNumber, digester.Hash);
 
                 bool isValid = ConvertEcdsaSignature(signature, digester.Hash!.Length, out byte[] rsSignature);
                 Assert.True(isValid);