fix: Corriger l'erreur d'algorithme dans la dérivation des clés

- Remplacer deriveBits PBKDF2 par HMAC pour dériver les clés spend et scan - Résoudre l'erreur 'key.algorithm does not match that of operation' - Utiliser HMAC-SHA256 avec la clé maître pour dériver les clés spécifiques - Maintenir la sécurité cryptographique avec une approche compatible
2025-10-23 13:59:50 +02:00 · 2025-10-23 13:59:50 +02:00 · 451a1941dc
commit 451a1941dc
parent 47c90093e3
1 changed files with 26 additions and 18 deletions
--- a/src/services/secure-credentials.service.ts
+++ b/src/services/secure-credentials.service.ts
@ -272,15 +272,19 @@ export class SecureCredentialsService {
  private async deriveSpendKey(masterKey: CryptoKey, salt: Uint8Array): Promise<string> {
    const spendSalt = new Uint8Array([...salt, 0x73, 0x70, 0x65, 0x6e, 0x64]); // "spend"

-    const spendKeyMaterial = await crypto.subtle.deriveBits(
-      {
-        name: 'PBKDF2',
-        salt: spendSalt,
-        iterations: 1000,
-        hash: 'SHA-256'
-      },
-      masterKey,
-      256
+    // Use HMAC with the master key to derive spend key
+    const hmacKey = await crypto.subtle.importKey(
+      'raw',
+      await crypto.subtle.exportKey('raw', masterKey),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['sign']
+    );
+
+    const spendKeyMaterial = await crypto.subtle.sign(
+      'HMAC',
+      hmacKey,
+      spendSalt
    );

    return Array.from(new Uint8Array(spendKeyMaterial))
@ -294,15 +298,19 @@ export class SecureCredentialsService {
  private async deriveScanKey(masterKey: CryptoKey, salt: Uint8Array): Promise<string> {
    const scanSalt = new Uint8Array([...salt, 0x73, 0x63, 0x61, 0x6e]); // "scan"

-    const scanKeyMaterial = await crypto.subtle.deriveBits(
-      {
-        name: 'PBKDF2',
-        salt: scanSalt,
-        iterations: 1000,
-        hash: 'SHA-256'
-      },
-      masterKey,
-      256
+    // Use HMAC with the master key to derive scan key
+    const hmacKey = await crypto.subtle.importKey(
+      'raw',
+      await crypto.subtle.exportKey('raw', masterKey),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['sign']
+    );
+
+    const scanKeyMaterial = await crypto.subtle.sign(
+      'HMAC',
+      hmacKey,
+      scanSalt
    );

    return Array.from(new Uint8Array(scanKeyMaterial))