From 451a1941dc49ba46e21619fceacbb93a4bb9d5e9 Mon Sep 17 00:00:00 2001
From: NicolasCantu <nicolas.cantu@pm.me>
Date: Thu, 23 Oct 2025 13:59:50 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20Corriger=20l'erreur=20d'algorithme=20dan?=
 =?UTF-8?q?s=20la=20d=C3=A9rivation=20des=20cl=C3=A9s?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remplacer deriveBits PBKDF2 par HMAC pour dériver les clés spend et scan
- Résoudre l'erreur 'key.algorithm does not match that of operation'
- Utiliser HMAC-SHA256 avec la clé maître pour dériver les clés spécifiques
- Maintenir la sécurité cryptographique avec une approche compatible
---
 src/services/secure-credentials.service.ts | 44 +++++++++++++---------
 1 file changed, 26 insertions(+), 18 deletions(-)

diff --git a/src/services/secure-credentials.service.ts b/src/services/secure-credentials.service.ts
index 2e79c28..890c1f0 100644
--- a/src/services/secure-credentials.service.ts
+++ b/src/services/secure-credentials.service.ts
@@ -272,15 +272,19 @@ export class SecureCredentialsService {
   private async deriveSpendKey(masterKey: CryptoKey, salt: Uint8Array): Promise<string> {
     const spendSalt = new Uint8Array([...salt, 0x73, 0x70, 0x65, 0x6e, 0x64]); // "spend"
 
-    const spendKeyMaterial = await crypto.subtle.deriveBits(
-      {
-        name: 'PBKDF2',
-        salt: spendSalt,
-        iterations: 1000,
-        hash: 'SHA-256'
-      },
-      masterKey,
-      256
+    // Use HMAC with the master key to derive spend key
+    const hmacKey = await crypto.subtle.importKey(
+      'raw',
+      await crypto.subtle.exportKey('raw', masterKey),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['sign']
+    );
+
+    const spendKeyMaterial = await crypto.subtle.sign(
+      'HMAC',
+      hmacKey,
+      spendSalt
     );
 
     return Array.from(new Uint8Array(spendKeyMaterial))
@@ -294,15 +298,19 @@ export class SecureCredentialsService {
   private async deriveScanKey(masterKey: CryptoKey, salt: Uint8Array): Promise<string> {
     const scanSalt = new Uint8Array([...salt, 0x73, 0x63, 0x61, 0x6e]); // "scan"
 
-    const scanKeyMaterial = await crypto.subtle.deriveBits(
-      {
-        name: 'PBKDF2',
-        salt: scanSalt,
-        iterations: 1000,
-        hash: 'SHA-256'
-      },
-      masterKey,
-      256
+    // Use HMAC with the master key to derive scan key
+    const hmacKey = await crypto.subtle.importKey(
+      'raw',
+      await crypto.subtle.exportKey('raw', masterKey),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['sign']
+    );
+
+    const scanKeyMaterial = await crypto.subtle.sign(
+      'HMAC',
+      hmacKey,
+      scanSalt
     );
 
     return Array.from(new Uint8Array(scanKeyMaterial))