Closed michaelcfanning closed 4 months ago
derivedKeyBytes[31] = (byte)((derivedKeyBytes[31] & 0xC0) | 0b0111);
nit: can we have some comments on what it's doing here?
Refers to: src/Microsoft.Security.Utilities.Core/IdentifiableSecrets.cs:308 in fe5a8fd.
derivedKeyBytes[31] = (byte)((derivedKeyBytes[31] & 0xC0) | 0b0111);
Good idea, I will add this later. We are encoding deri
in advance of the provider signature, an operation that's entirely non-obvious from this magic. :)
In reply to: 2123573592
Refers to: src/Microsoft.Security.Utilities.Core/IdentifiableSecrets.cs:308 in fe5a8fd.
- `IdentifiableSecrets.ComputeDerivedSymmetricKey` to `ComputeDerivedIdentifiableKey`.
- `IdentifiableSecrets.ComputeDerivedIdentifiableKey` to accept an alternate checksum seed for constructing the derived key.
- `CommonAnnotatedSecret` key class for next-generation identifiable secrets.
- `Identifiable.ComputeDerivedCommonAnnotatedKey` to generate keys derived from common annotated secrets.

This change adds a new derived key API that is fully conformant with the next-generation common annotated security key standard, as well as a base class to instantiate and deconstruct individual elements of a `CommonAnnotatedSecret`.

This change additionally updates the older `identifiable` derived key computation to allow for the derived key checksum to diverge from the checksum of the parent key.