fix(fido2,core): apply previewSign code-audit findings

Three audit fixes plus a regression test for the new precondition guard.
All four are concrete, well-scoped changes from Plans/codeaudit-previewsign-port.md.

1. Crypto leak (HIGH): ArkgPrimitivesOpenSsl.BlBlindPublicKey now wraps its
   body in try/finally and zeroes the blinding scalar tauBytes via
   CryptographicOperations.ZeroMemory. Brings tauBytes in line with the
   other secret-bearing arrays in the same file (ephSkBytes, kPrime, mk,
   ikmTau, prk, full) which were already zeroed.

2. API footgun (HIGH): GetAssertionParameters.AddPreviewSignByCredentialExtension
   now throws InvalidOperationException with an actionable message when the
   parent's allow-list is null/empty. Without this guard, customers got a
   cryptic firmware "option or extension invalid" error from the YubiKey.
   The required precondition is enforced at the protocol level by the
   firmware (and documented in python-fido2's reference impl); the SDK
   should fail fast and explain how to fix the call site.

3. Documentation lies (LOW): MakeCredentialData.GetPreviewSignGeneratedKey
   and AuthenticatorData.GetPreviewSignSignature each had stale
   <exception cref="NotImplementedException"> tags inherited from a draft
   that were no longer accurate. Deleted.

4. Regression test: PreviewSignExtensionTests now asserts
   AddPreviewSignByCredentialExtension throws InvalidOperationException with
   "AllowCredential" in the message when the allow-list is empty. New helper
   BuildAuthenticatorInfoWithPreviewSign supports the test without hardware.

Verification:
  Yubico.YubiKey.UnitTests:  3588 PASS (3587 baseline + 1 new test)
  Yubico.Core.UnitTests:     488 PASS / 21 SKIP (baseline match)
  Build:                     0 warnings, 0 errors
  3 ARKG NativeShims tests still fail with EntryPointNotFoundException
  for Native_EC_POINT_is_on_curve — expected interim state until the
  Yubico.NativeShims 1.16.1-prerelease.20260428.1 NuGet package lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: DennisDyallo

Yubico.Core/src/Yubico/Core/Cryptography/ArkgPrimitivesOpenSsl.cs

@@ -213,26 +213,33 @@ private static BigInteger BlPrf(byte[] ikmTau, byte[] ctx)
         private static byte[] BlBlindPublicKey(byte[] pkBl, BigInteger tau)
         {
             byte[] tauBytes = ScalarToBytes(tau);
-            using SafeEcGroup group = NativeMethods.EcGroupNewByCurveName(
-                ECCurve.NamedCurves.nistP256.ToSslCurveId());
-            using SafeEcPoint pkBlPoint = SecToPoint(group, pkBl);
-            using SafeEcPoint result = NativeMethods.EcPointNew(group);
-            using SafeBigNum tauBn = NativeMethods.BnBinaryToBigNum(tauBytes);
-            using SafeBigNum oneBn = NativeMethods.BnBinaryToBigNum(new byte[] { 0x01 });
-
-            // r = tau*G + 1*pkBl  =>  r = pkBl + tau*G.
-            int rc = NativeMethods.EcPointMul(
-                group,
-                result,
-                tauBn.DangerousGetHandle(),
-                pkBlPoint.DangerousGetHandle(),
-                oneBn.DangerousGetHandle());
-            if (rc != 1)
+            try
             {
-                throw new CryptographicException("EC_POINT_mul failed in BlBlindPublicKey.");
-            }
+                using SafeEcGroup group = NativeMethods.EcGroupNewByCurveName(
+                    ECCurve.NamedCurves.nistP256.ToSslCurveId());
+                using SafeEcPoint pkBlPoint = SecToPoint(group, pkBl);
+                using SafeEcPoint result = NativeMethods.EcPointNew(group);
+                using SafeBigNum tauBn = NativeMethods.BnBinaryToBigNum(tauBytes);
+                using SafeBigNum oneBn = NativeMethods.BnBinaryToBigNum(new byte[] { 0x01 });
 
-            return PointToSec(group, result);
+                // r = tau*G + 1*pkBl  =>  r = pkBl + tau*G.
+                int rc = NativeMethods.EcPointMul(
+                    group,
+                    result,
+                    tauBn.DangerousGetHandle(),
+                    pkBlPoint.DangerousGetHandle(),
+                    oneBn.DangerousGetHandle());
+                if (rc != 1)
+                {
+                    throw new CryptographicException("EC_POINT_mul failed in BlBlindPublicKey.");
+                }
+
+                return PointToSec(group, result);
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(tauBytes);
+            }
         }
 
         // ---------------------------------------------------------------------

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/AuthenticatorData.cs

@@ -401,9 +401,6 @@ public CredProtectPolicy GetCredProtectExtension()
         /// <returns>
         /// The signature bytes if the extension was used and returned data; otherwise, <c>null</c>.
         /// </returns>
-        /// <exception cref="NotImplementedException">
-        /// This method is not yet implemented.
-        /// </exception>
         public byte[]? GetPreviewSignSignature()
         {
             if (!TryGetExtensionData(Fido2.Extensions.PreviewSign, out Memory<byte> encodedValue))

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/GetAssertionParameters.cs

@@ -443,6 +443,10 @@ public void EncodeHmacSecretExtension(PinUvAuthProtocolBase authProtocol)
         /// <exception cref="NotSupportedException">
         /// The YubiKey does not support the previewSign extension.
         /// </exception>
+        /// <exception cref="InvalidOperationException">
+        /// The allow-list is null or empty. The previewSign extension requires at least one credential
+        /// in the allow-list.
+        /// </exception>
         public void AddPreviewSignByCredentialExtension(
             AuthenticatorInfo authenticatorInfo,
             PreviewSignDerivedKey derivedKey,
@@ -457,6 +461,13 @@ public void AddPreviewSignByCredentialExtension(
                 throw new NotSupportedException(ExceptionMessages.NotSupportedByYubiKeyVersion);
             }
 
+            if (AllowList is null || AllowList.Count == 0)
+            {
+                throw new InvalidOperationException(
+                    "The previewSign extension's sign-by-credential mode requires at least one credential in the allow-list. " +
+                    "Call AllowCredential() with the credential ID returned from MakeCredential before invoking AddPreviewSignByCredentialExtension().");
+            }
+
             byte[] tbs;
             using (SHA256 sha = CryptographyProviders.Sha256Creator())
             {

Yubico.YubiKey/src/Yubico/YubiKey/Fido2/MakeCredentialData.cs

@@ -286,9 +286,6 @@ private bool ReadAttestation(CborMap<int> map)
         /// A <see cref="PreviewSignGeneratedKey"/> if the extension was used and returned
         /// data; otherwise, <c>null</c>.
         /// </returns>
-        /// <exception cref="NotImplementedException">
-        /// This method is not yet implemented.
-        /// </exception>
         public PreviewSignGeneratedKey? GetPreviewSignGeneratedKey()
         {
             if (UnsignedExtensionOutputs is null

Yubico.YubiKey/tests/unit/Yubico/YubiKey/Fido2/PreviewSignExtensionTests.cs

@@ -179,6 +179,25 @@ public void AddPreviewSignByCredential_ThrowsWhenExtensionUnsupported()
                     new byte[] { 0xAA }));
         }
 
+        [Fact]
+        public void AddPreviewSignByCredential_ThrowsWhenAllowListEmpty()
+        {
+            var info = BuildAuthenticatorInfoWithPreviewSign();
+            var parameters = new GetAssertionParameters(
+                new RelyingParty("rp.example"),
+                new byte[32]);
+
+            PreviewSignDerivedKey derivedKey = BuildDerivedKeyFixture();
+
+            var ex = Assert.Throws<InvalidOperationException>(
+                () => parameters.AddPreviewSignByCredentialExtension(
+                    info,
+                    derivedKey,
+                    new byte[] { 0xAA }));
+
+            Assert.Contains("AllowCredential", ex.Message);
+        }
+
         // ==================================================================
         // Helpers
         // ==================================================================
@@ -403,6 +422,31 @@ private static AuthenticatorInfo BuildAuthenticatorInfoWithoutPreviewSign()
             return new AuthenticatorInfo(cbor.Encode());
         }
 
+        // Builds a synthetic AuthenticatorInfo WITH previewSign in its
+        // Extensions list.
+        private static AuthenticatorInfo BuildAuthenticatorInfoWithPreviewSign()
+        {
+            byte[] aaguid = new byte[16];
+            var cbor = new CborWriter(CborConformanceMode.Ctap2Canonical, convertIndefiniteLengthEncodings: true);
+            cbor.WriteStartMap(3);
+
+            cbor.WriteInt32(1);
+            cbor.WriteStartArray(1);
+            cbor.WriteTextString("FIDO_2_1");
+            cbor.WriteEndArray();
+
+            cbor.WriteInt32(2);
+            cbor.WriteStartArray(1);
+            cbor.WriteTextString(Extensions.PreviewSign);
+            cbor.WriteEndArray();
+
+            cbor.WriteInt32(3);
+            cbor.WriteByteString(aaguid);
+
+            cbor.WriteEndMap();
+            return new AuthenticatorInfo(cbor.Encode());
+        }
+
         private static byte[] BuildSec1Generator()
         {
             // Fixed P-256 generator — valid SEC1 point used as a placeholder