feat(sdk-core): add derivePasskeyPrfKey function

derranW26 · derranW26 · commit adc92b6ed38c · 2026-05-04T11:15:41.000-04:00
- fetch keychain webauthn devices and build PRF eval map - trigger WebAuthn assertion via provider - derive hex wallet passphrase from PRF output Ticket: WCN-411
diff --git a/Dockerfile b/Dockerfile
@@ -43,9 +43,10 @@ COPY --from=builder /tmp/bitgo/modules/express /var/bitgo-express/
 #COPY_START
 COPY --from=builder /tmp/bitgo/modules/abstract-lightning /var/modules/abstract-lightning/
 COPY --from=builder /tmp/bitgo/modules/sdk-core /var/modules/sdk-core/
+COPY --from=builder /tmp/bitgo/modules/passkey-crypto /var/modules/passkey-crypto/
+COPY --from=builder /tmp/bitgo/modules/sjcl /var/modules/sjcl/
 COPY --from=builder /tmp/bitgo/modules/sdk-lib-mpc /var/modules/sdk-lib-mpc/
 COPY --from=builder /tmp/bitgo/modules/sdk-opensslbytes /var/modules/sdk-opensslbytes/
-COPY --from=builder /tmp/bitgo/modules/sjcl /var/modules/sjcl/
 COPY --from=builder /tmp/bitgo/modules/secp256k1 /var/modules/secp256k1/
 COPY --from=builder /tmp/bitgo/modules/statics /var/modules/statics/
 COPY --from=builder /tmp/bitgo/modules/utxo-lib /var/modules/utxo-lib/
@@ -145,9 +146,10 @@ COPY --from=builder /tmp/bitgo/modules/sdk-coin-zec /var/modules/sdk-coin-zec/
 
 RUN cd /var/modules/abstract-lightning && yarn link && \
 cd /var/modules/sdk-core && yarn link && \
+cd /var/modules/passkey-crypto && yarn link && \
+cd /var/modules/sjcl && yarn link && \
 cd /var/modules/sdk-lib-mpc && yarn link && \
 cd /var/modules/sdk-opensslbytes && yarn link && \
-cd /var/modules/sjcl && yarn link && \
 cd /var/modules/secp256k1 && yarn link && \
 cd /var/modules/statics && yarn link && \
 cd /var/modules/utxo-lib && yarn link && \
@@ -250,9 +252,10 @@ cd /var/modules/sdk-coin-zec && yarn link
 RUN cd /var/bitgo-express && \
     yarn link @bitgo/abstract-lightning && \
     yarn link @bitgo/sdk-core && \
+    yarn link @bitgo/passkey-crypto && \
+    yarn link @bitgo/sjcl && \
     yarn link @bitgo/sdk-lib-mpc && \
     yarn link @bitgo/sdk-opensslbytes && \
-    yarn link @bitgo/sjcl && \
     yarn link @bitgo/secp256k1 && \
     yarn link @bitgo/statics && \
     yarn link @bitgo/utxo-lib && \
diff --git a/modules/sdk-core/package.json b/modules/sdk-core/package.json
@@ -40,6 +40,7 @@
     ]
   },
   "dependencies": {
+    "@bitgo/passkey-crypto": "^0.1.0",
     "@bitgo/public-types": "5.97.0",
     "@bitgo/sdk-lib-mpc": "^10.11.1",
     "@bitgo/secp256k1": "^1.11.0",
diff --git a/modules/sdk-core/src/bitgo/passkey/derivePasskeyPrfKey.ts b/modules/sdk-core/src/bitgo/passkey/derivePasskeyPrfKey.ts
@@ -0,0 +1,54 @@
+import {
+  buildEvalByCredential,
+  matchDeviceByCredentialId,
+  derivePassword,
+  type WebAuthnProvider,
+} from '@bitgo/passkey-crypto';
+import type { BitGoBase } from '../bitgoBase';
+import type { IWallet } from '../wallet/iWallet';
+
+/**
+ * Derives a wallet passphrase from a passkey PRF output.
+ *
+ * Fetches the wallet's user keychain, triggers a WebAuthn assertion with PRF
+ * evaluation, and returns a hex-encoded passphrase suitable for use as
+ * walletPassphrase in signing calls.
+ */
+export async function derivePasskeyPrfKey(params: {
+  bitgo: BitGoBase;
+  wallet: IWallet;
+  provider: WebAuthnProvider;
+}): Promise<string> {
+  const { wallet, provider } = params;
+
+  // Fetch the wallet's user keychain to get webauthnDevices
+  const keychain = await wallet.getEncryptedUserKeychain();
+  const devices = keychain.webauthnDevices;
+
+  if (!devices || devices.length === 0) {
+    throw new Error('No passkey devices available');
+  }
+
+  // Build PRF eval map from devices
+  const { evalByCredential } = buildEvalByCredential(devices as Parameters<typeof buildEvalByCredential>[0]);
+
+  if (Object.keys(evalByCredential).length === 0) {
+    throw new Error('No passkey devices available with a valid PRF salt');
+  }
+
+  // Trigger WebAuthn assertion with PRF evaluation
+  const result = await provider.get({
+    publicKey: { challenge: new Uint8Array() } as PublicKeyCredentialRequestOptions,
+    evalByCredential,
+  });
+
+  // Verify the credential matches a known device
+  matchDeviceByCredentialId(devices as Parameters<typeof matchDeviceByCredentialId>[0], result.credentialId);
+
+  // Derive and return hex-encoded wallet passphrase
+  if (!result.prfResult) {
+    throw new Error('PRF output was not returned by the authenticator');
+  }
+
+  return derivePassword(result.prfResult);
+}
diff --git a/modules/sdk-core/src/bitgo/passkey/index.ts b/modules/sdk-core/src/bitgo/passkey/index.ts
@@ -0,0 +1 @@
+export { derivePasskeyPrfKey } from './derivePasskeyPrfKey';
diff --git a/modules/sdk-core/test/unit/bitgo/passkey/derivePasskeyPrfKey.ts b/modules/sdk-core/test/unit/bitgo/passkey/derivePasskeyPrfKey.ts
@@ -0,0 +1,134 @@
+import * as assert from 'assert';
+import * as sinon from 'sinon';
+import { derivePasskeyPrfKey } from '../../../../src/bitgo/passkey/derivePasskeyPrfKey';
+
+describe('derivePasskeyPrfKey', function () {
+  const mockDevices = [
+    {
+      otpDeviceId: 'device-1',
+      authenticatorInfo: { credID: 'cred-aaa', fmt: 'none' as const, publicKey: 'pk-1' },
+      prfSalt: 'salt-aaa',
+      encryptedPrv: 'enc-prv-1',
+    },
+    {
+      otpDeviceId: 'device-2',
+      authenticatorInfo: { credID: 'cred-bbb', fmt: 'none' as const, publicKey: 'pk-2' },
+      prfSalt: 'salt-bbb',
+      encryptedPrv: 'enc-prv-2',
+    },
+  ];
+
+  function makeWallet(devices: typeof mockDevices | undefined) {
+    return {
+      getEncryptedUserKeychain: sinon.stub().resolves({
+        id: 'keychain-id',
+        pub: 'xpub123',
+        encryptedPrv: 'encrypted-prv',
+        type: 'independent',
+        webauthnDevices: devices,
+      }),
+    };
+  }
+
+  afterEach(function () {
+    sinon.restore();
+  });
+
+  it('should return a hex string on happy path', async function () {
+    const prfResult = new Uint8Array([0xde, 0xad, 0xbe, 0xef]).buffer;
+
+    const mockProvider = {
+      create: sinon.stub(),
+      get: sinon.stub().resolves({
+        prfResult,
+        credentialId: 'cred-aaa',
+        otpCode: 'otp-123',
+      }),
+    };
+
+    const wallet = makeWallet(mockDevices);
+
+    const result = await derivePasskeyPrfKey({
+      bitgo: {} as any,
+      wallet: wallet as any,
+      provider: mockProvider,
+    });
+
+    // derivePassword converts ArrayBuffer to hex
+    assert.strictEqual(result, 'deadbeef');
+    assert.ok(mockProvider.get.calledOnce);
+    // Verify evalByCredential was passed
+    const getCallArgs = mockProvider.get.firstCall.args[0];
+    assert.strictEqual(getCallArgs.evalByCredential['cred-aaa'], 'salt-aaa');
+    assert.strictEqual(getCallArgs.evalByCredential['cred-bbb'], 'salt-bbb');
+  });
+
+  it("should throw 'No passkey devices available' when no devices", async function () {
+    const wallet = makeWallet(undefined);
+    const mockProvider = { create: sinon.stub(), get: sinon.stub() };
+
+    await assert.rejects(
+      () => derivePasskeyPrfKey({ bitgo: {} as any, wallet: wallet as any, provider: mockProvider }),
+      (err: Error) => {
+        assert.strictEqual(err.message, 'No passkey devices available');
+        return true;
+      }
+    );
+  });
+
+  it("should throw 'No passkey devices available' when devices array is empty", async function () {
+    const wallet = makeWallet([] as any);
+    const mockProvider = { create: sinon.stub(), get: sinon.stub() };
+
+    await assert.rejects(
+      () => derivePasskeyPrfKey({ bitgo: {} as any, wallet: wallet as any, provider: mockProvider }),
+      (err: Error) => {
+        assert.strictEqual(err.message, 'No passkey devices available');
+        return true;
+      }
+    );
+  });
+
+  it("should throw 'No passkey devices available with a valid PRF salt' when no device has prfSalt", async function () {
+    const devicesWithoutSalt = [
+      {
+        otpDeviceId: 'device-1',
+        authenticatorInfo: { credID: 'cred-aaa', fmt: 'none' as const, publicKey: 'pk-1' },
+        prfSalt: '', // empty — buildEvalByCredential skips falsy prfSalt
+        encryptedPrv: 'enc-prv-1',
+      },
+    ];
+
+    const wallet = makeWallet(devicesWithoutSalt as any);
+    const mockProvider = { create: sinon.stub(), get: sinon.stub() };
+
+    await assert.rejects(
+      () => derivePasskeyPrfKey({ bitgo: {} as any, wallet: wallet as any, provider: mockProvider }),
+      (err: Error) => {
+        assert.strictEqual(err.message, 'No passkey devices available with a valid PRF salt');
+        return true;
+      }
+    );
+  });
+
+  it("should throw 'Could not identify which passkey device was used' when credentialId not found", async function () {
+    const mockProvider = {
+      create: sinon.stub(),
+      get: sinon.stub().resolves({
+        prfResult: new ArrayBuffer(32),
+        credentialId: 'unknown-cred-id',
+        otpCode: 'otp-123',
+      }),
+    };
+
+    const wallet = makeWallet(mockDevices);
+
+    await assert.rejects(
+      () => derivePasskeyPrfKey({ bitgo: {} as any, wallet: wallet as any, provider: mockProvider }),
+      (err: Error) => {
+        assert.strictEqual(err.message, 'Could not identify which passkey device was used');
+        return true;
+      }
+    );
+  });
+});
diff --git a/modules/sdk-core/tsconfig.json b/modules/sdk-core/tsconfig.json
@@ -10,6 +10,9 @@
   "include": ["src/**/*", "test/**/*"],
   "exclude": ["node_modules"],
   "references": [
+    {
+      "path": "../passkey-crypto"
+    },
     {
       "path": "../statics"
     },

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@`
`40`	`40`	`]`
`41`	`41`	`},`
`42`	`42`	`"dependencies": {`
	`43`	`+ "@bitgo/passkey-crypto": "^0.1.0",`
`43`	`44`	`"@bitgo/public-types": "5.97.0",`
`44`	`45`	`"@bitgo/sdk-lib-mpc": "^10.11.1",`
`45`	`46`	`"@bitgo/secp256k1": "^1.11.0",`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+export { derivePasskeyPrfKey } from './derivePasskeyPrfKey';`