fix,tests: Fixed bug where attest cert could not be RSA3072 or RSA4096, removed obsolete tests and consolidated Piv tests

Yubico.YubiKey/examples/PivSampleCode/CertificateOperations/SampleCertificateOperations.cs

@@ -497,7 +497,9 @@ public static AsymmetricAlgorithm GetPublicKeyFromCertificate(X509Certificate2 c
 
             if (string.Equals(certificate.PublicKey.Oid.FriendlyName, "ECC", StringComparison.Ordinal))
             {
+#pragma warning disable CS0618 // Type or member is obsolete
                 var pivPub = new PivEccPublicKey(certificate.PublicKey.EncodedKeyValue.RawData);
+#pragma warning restore CS0618 // Type or member is obsolete
                 return KeyConverter.GetDotNetFromPivPublicKey(pivPub);
             }
 

Yubico.YubiKey/examples/PivSampleCode/Converters/KeyConverter.Asymmetric.cs

@@ -65,7 +65,9 @@ public static PivPublicKey GetPivPublicKeyFromDotNet(AsymmetricAlgorithm dotNetO
                 offset += keySize + (keySize - eccParams.Q.Y.Length);
                 Array.Copy(eccParams.Q.Y, 0, point, offset, eccParams.Q.Y.Length);
 
+#pragma warning disable CS0618 // Type or member is obsolete
                 var eccPubKey = new PivEccPublicKey(point);
+#pragma warning restore CS0618 // Type or member is obsolete
                 return (PivPublicKey)eccPubKey;
             }
 

Yubico.YubiKey/examples/PivSampleCode/YubiKeyOperations/KeyPairs.cs

@@ -33,7 +33,9 @@ public static bool RunGenerateKeyPair(
             {
                 pivSession.KeyCollector = KeyCollectorDelegate;
 
+#pragma warning disable CS0618 // Type or member is obsolete
                 var pivPublicKey = pivSession.GenerateKeyPair(slotNumber, algorithm, pinPolicy, touchPolicy);
+#pragma warning restore CS0618 // Type or member is obsolete
 
                 // At this point you will likely want to save the public key and
                 // other information. For this sample, we're simply going to
@@ -74,7 +76,9 @@ public static bool RunImportPrivateKey(
             {
                 pivSession.KeyCollector = KeyCollectorDelegate;
 
+#pragma warning disable CS0618 // Type or member is obsolete
                 pivSession.ImportPrivateKey(slotNumber, privateKey, pinPolicy, touchPolicy);
+#pragma warning restore CS0618 // Type or member is obsolete
 
                 // At this point you will likely want to save the public key and
                 // other information. For this sample, we're simply going to

Yubico.YubiKey/examples/PivSampleCode/YubiKeyOperations/PrivateKeyOperations.cs

@@ -170,7 +170,9 @@ public static bool RunKeyAgree(
             using (var pivSession = new PivSession(yubiKey))
             {
                 pivSession.KeyCollector = KeyCollectorDelegate;
+#pragma warning disable CS0618 // Type or member is obsolete
                 computedSecret = pivSession.KeyAgree(slotNumber, correspondentPublicKey);
+#pragma warning restore CS0618 // Type or member is obsolete
             }
 
             return true;

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AsnPublicKeyEncoder.cs

@@ -100,19 +100,12 @@ public static byte[] EncodeToSubjectPublicKeyInfo(
     /// </summary>
     /// <param name="parameters">The RSA public key parameters.</param>
     /// <returns>A byte array containing the ASN.1 DER encoded public key.</returns>
-    /// <remarks>
-    /// Only public key parameters are supported. The method will throw an <see cref="ArgumentException"/> if any of the private key parameters are set.
-    /// </remarks>
     public static byte[] EncodeToSubjectPublicKeyInfo(RSAParameters parameters)
     {
-        if (parameters.D != null ||
-            parameters.P != null ||
-            parameters.Q != null ||
-            parameters.DP != null ||
-            parameters.DQ != null ||
-            parameters.InverseQ != null)
+        if (parameters.Exponent == null ||
+            parameters.Modulus == null)
         {
-            throw new ArgumentException("Only public key parameters should be provided.");
+            throw new InvalidOperationException("Cannot export public key, missing required parameters");
         }
 
         return EncodeToSubjectPublicKeyInfo(parameters.Modulus, parameters.Exponent);
@@ -125,17 +118,7 @@ public static byte[] EncodeToSubjectPublicKeyInfo(RSAParameters parameters)
     /// <returns>A byte array containing the ASN.1 DER encoded public key.</returns>
     public static byte[] EncodeToSubjectPublicKeyInfo(ECParameters parameters)
     {
-        if (parameters.D != null)
-        {
-            throw new ArgumentException("Only public key parameters should be provided.", nameof(parameters));
-        }
-
-        if (parameters.Q.X == null)
-        {
-            throw new ArgumentException("EC point coordinates cannot be null.", nameof(parameters));
-        }
-
-        if (parameters.Q.Y == null)
+        if (parameters.Q.X == null || parameters.Q.Y == null)
         {
             throw new ArgumentException("EC point coordinates cannot be null.", nameof(parameters));
         }

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/ECPublicKey.cs

@@ -99,7 +99,6 @@ protected ECPublicKey(ECDsa ecdsa)
 
     /// <inheritdoc />
     public override byte[] ExportSubjectPublicKeyInfo() => AsnPublicKeyEncoder.EncodeToSubjectPublicKeyInfo(Parameters);
-
 
     /// <summary>
     /// Creates an instance of <see cref="ECPublicKey"/> from the given <paramref name="parameters"/>.
@@ -118,7 +117,7 @@ protected ECPublicKey(ECDsa ecdsa)
     /// <exception cref="ArgumentException">
     /// Thrown if the key type is not a valid EC key.
     /// </exception>
-    public static IPublicKey CreateFromValue(ReadOnlyMemory<byte> publicPoint, KeyType keyType)
+    public static ECPublicKey CreateFromValue(ReadOnlyMemory<byte> publicPoint, KeyType keyType)
     {
         var keyDefinition = KeyDefinitions.GetByKeyType(keyType);
         if (keyDefinition.AlgorithmOid is not Oids.ECDSA)
@@ -142,13 +141,13 @@ public static IPublicKey CreateFromValue(ReadOnlyMemory<byte> publicPoint, KeyTy
     }
 
     /// <summary>
-    /// Creates an instance of <see cref="IPublicKey"/> from a DER-encoded public key.
+    /// Creates an instance of <see cref="ECPublicKey"/> from a DER-encoded public key.
     /// </summary>
     /// <param name="encodedKey">The DER-encoded public key.</param>
     /// <returns>An instance of <see cref="IPublicKey"/>.</returns>
     /// <exception cref="CryptographicException">
     /// Thrown if the public key is invalid.
     /// </exception>
-    public static IPublicKey CreateFromPkcs8(ReadOnlyMemory<byte> encodedKey) =>
-        AsnPublicKeyDecoder.CreatePublicKey(encodedKey);
+    public static ECPublicKey CreateFromPkcs8(ReadOnlyMemory<byte> encodedKey) =>
+        (ECPublicKey)AsnPublicKeyDecoder.CreatePublicKey(encodedKey);
 }

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/IPublicKey.cs

@@ -24,12 +24,3 @@ public interface IPublicKey : IKeyBase
     /// </returns>
     public byte[] ExportSubjectPublicKeyInfo();
 }
-
-public abstract class PublicKey : IPublicKey
-{
-    /// <inheritdoc />
-    public abstract KeyType KeyType { get; }
-
-    /// <inheritdoc />
-    public abstract byte[] ExportSubjectPublicKeyInfo();
-}

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/KeyDefinitions.cs

@@ -107,6 +107,8 @@ public static KeyDefinition GetByRSALength(int keySizeBits)
 
             throw new NotSupportedException($"Unsupported RSA length: {keySizeBits}");
         }
+
+        public static KeyDefinition GetByRSAModulusLength(byte[] modulus) => GetByRSALength(modulus.Length * 8);
 
         /// <summary>
         /// Gets a key definition by its curve type.
@@ -162,6 +164,12 @@ public static KeyDefinition GetByOid(string oid)
                 throw new NotSupportedException(
                     "RSA keys are not supported by this method as all RSA keys share the same OID.");
             }
+
+            if (string.Equals(oid, Oids.ECDSA, StringComparison.OrdinalIgnoreCase))
+            {
+                throw new NotSupportedException(
+                    "All ECDSA keys (P-256, P-384, P-521) share the same OID. Use the Curve OID instead.");
+            }
 
             var keyDefinition = AllDefinitions.Values.FirstOrDefault(d => d.AlgorithmOid == oid || d.CurveOid == oid);
             return keyDefinition ?? throw new NotSupportedException(

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/KeyType.cs

@@ -15,7 +15,7 @@
 namespace Yubico.YubiKey.Cryptography;
 
 /// <summary>
-/// Represents the type of a cryptographic key.
+/// Represents the type of cryptographic key.
 /// </summary>
 public enum KeyType
 {

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/PublicKey.cs

@@ -0,0 +1,24 @@
+// Copyright 2024 Yubico AB
+// 
+// Licensed under the Apache License, Version 2.0 (the "License").
+// You may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//     http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+namespace Yubico.YubiKey.Cryptography;
+
+public abstract class PublicKey : IPublicKey
+{
+    /// <inheritdoc />
+    public abstract KeyType KeyType { get; }
+
+    /// <inheritdoc />
+    public abstract byte[] ExportSubjectPublicKeyInfo();
+}

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/RSAPublicKey.cs

@@ -44,21 +44,11 @@ public sealed class RSAPublicKey : PublicKey
 
     private RSAPublicKey(RSAParameters parameters)
     {
-        if (parameters.D != null || 
-            parameters.P != null || 
-            parameters.Q != null ||
-            parameters.DP != null ||
-            parameters.DQ != null ||
-            parameters.InverseQ != null
-           )
-        {
-            throw new ArgumentException("Parameters must not contain private key data");
-        }
-
         Parameters = parameters.DeepCopy();
-        KeyDefinition = KeyDefinitions.GetByRSALength(parameters.Modulus.Length * 8);
+        KeyDefinition = KeyDefinitions.GetByRSAModulusLength(parameters.Modulus);
     }
 
+    /// <inheritdoc />
     public override byte[] ExportSubjectPublicKeyInfo()
     {
         if (Parameters.Exponent == null ||
@@ -83,7 +73,21 @@ public override byte[] ExportSubjectPublicKeyInfo()
     /// <exception cref="ArgumentException">
     /// Thrown if the parameters contain private key data.
     /// </exception>
-    public static RSAPublicKey CreateFromParameters(RSAParameters parameters) => new(parameters);
+    public static RSAPublicKey CreateFromParameters(RSAParameters parameters)
+    {
+        if (parameters.D != null || 
+            parameters.P != null || 
+            parameters.Q != null ||
+            parameters.DP != null ||
+            parameters.DQ != null ||
+            parameters.InverseQ != null
+           )
+        {
+            throw new ArgumentException("Parameters must not contain private key data");
+        }
+
+        return new RSAPublicKey(parameters);
+    }
 
     /// <summary>
     /// Creates a new instance of <see cref="IPublicKey"/> from a DER-encoded public key.
@@ -93,6 +97,6 @@ public override byte[] ExportSubjectPublicKeyInfo()
     /// <exception cref="CryptographicException">
     /// Thrown if the public key is invalid.
     /// </exception>
-    public static IPublicKey CreateFromPkcs8(ReadOnlyMemory<byte> encodedKey) =>
-        AsnPublicKeyDecoder.CreatePublicKey(encodedKey);
+    public static RSAPublicKey CreateFromPkcs8(ReadOnlyMemory<byte> encodedKey) =>
+        (RSAPublicKey)AsnPublicKeyDecoder.CreatePublicKey(encodedKey);
 }

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/AuthenticateSignCommand.cs

@@ -14,7 +14,9 @@
 
 using System;
 using System.Globalization;
+using System.Linq;
 using Yubico.Core.Iso7816;
+using Yubico.YubiKey.Cryptography;
 
 namespace Yubico.YubiKey.Piv.Commands
 {
@@ -90,13 +92,6 @@ public sealed class AuthenticateSignCommand : AuthenticateCommand, IYubiKeyComma
     {
         private const byte DigestTag = 0x81;
 
-        private const int Rsa1024DigestDataLength = 128;
-        private const int Rsa2048DigestDataLength = 256;
-        private const int Rsa3072DigestDataLength = 384;
-        private const int Rsa4096DigestDataLength = 512;
-        private const int EccP256DigestDataLength = 32;
-        private const int EccP384DigestDataLength = 48;
-
         // The default constructor explicitly defined. We don't want it to be
         // used.
         private AuthenticateSignCommand()
@@ -166,25 +161,21 @@ public AuthenticateSignCommand(ReadOnlyMemory<byte> digestData, byte slotNumber)
             DataTag = DigestTag;
             Data = digestData;
             SlotNumber = slotNumber;
+            Algorithm = GetPivAlgorithm(digestData);
+        }
 
-            // Determine the algorithm based on the length of the digest data.
-            // Currently, the length of the data must be 128 (RSA-1024), 256
-            // (RSA-2048), 384 (RSA-3072), 512 (RSA-4096), 32 (ECC-P256), or 48 (ECC-P384).
-            // Return the PivAlgorithm, or if the length is not supported, throw an
-            // exception.
-            Algorithm = digestData.Length switch
+        private static PivAlgorithm GetPivAlgorithm(ReadOnlyMemory<byte> digestData)
+        {
+            if (KeyDefinitions.All.Values
+                    .Where(k => k.IsRSA || k.IsEllipticCurve)
+                    .Where(k => !k.KeyType.IsCurve25519())
+                    .SingleOrDefault(k => k.LengthInBytes == digestData.Length) is { } keyDefinition)
             {
-                Rsa1024DigestDataLength => PivAlgorithm.Rsa1024,
-                Rsa2048DigestDataLength => PivAlgorithm.Rsa2048,
-                Rsa3072DigestDataLength => PivAlgorithm.Rsa3072,
-                Rsa4096DigestDataLength => PivAlgorithm.Rsa4096,
-                EccP256DigestDataLength => PivAlgorithm.EccP256,
-                EccP384DigestDataLength => PivAlgorithm.EccP384,
-                _ => throw new ArgumentException(
-                    string.Format(
-                        CultureInfo.CurrentCulture,
-                        ExceptionMessages.IncorrectDigestLength)),
-            };
+                return keyDefinition.KeyType.GetPivAlgorithm();
+            }
+
+            throw new ArgumentException(
+                string.Format(CultureInfo.CurrentCulture, ExceptionMessages.IncorrectDigestLength));
         }
 
         /// <summary>

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/CreateAttestationStatementCommand.cs

@@ -76,7 +76,7 @@ public byte SlotNumber
             get => _slotNumber;
             set
             {
-                if (PivSlot.IsValidSlotNumberForSigning(value) == false)
+                if (!PivSlot.IsValidSlotNumberForSigning(value))
                 {
                     throw new ArgumentException(
                         string.Format(
@@ -152,7 +152,7 @@ public CreateAttestationStatementCommand()
         /// </exception>
         public CommandApdu CreateCommandApdu()
         {
-            if (PivSlot.IsValidSlotNumberForSigning(_slotNumber) == false)
+            if (!PivSlot.IsValidSlotNumberForSigning(_slotNumber))
             {
                 throw new InvalidOperationException(
                     string.Format(
@@ -161,7 +161,7 @@ public CommandApdu CreateCommandApdu()
                         _slotNumber));
             }
 
-            return new CommandApdu()
+            return new CommandApdu
             {
                 Ins = AttestInstruction,
                 P1 = SlotNumber,

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/GetMetadataCommand.cs

@@ -140,7 +140,7 @@ public GetMetadataCommand(byte slotNumber)
         /// </remarks>
         public GetMetadataCommand()
         {
-            _slotNumber = 0;
+
         }
 
         /// <inheritdoc />

Yubico.YubiKey/src/Yubico/YubiKey/Piv/Objects/PinProtectedData.cs

@@ -142,7 +142,7 @@ public void SetManagementKey(ReadOnlyMemory<byte> managementKey)
             if (IsValidKeyLength(managementKey.Length))
             {
                 managementKey.CopyTo(_mgmtKey);
-                ManagementKey = _mgmtKey.Slice(0, managementKey.Length);
+                ManagementKey = _mgmtKey[..managementKey.Length];
                 return;
             }