Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PM-5693] Migrate SDK to CryptoService #8

Open
wants to merge 1 commit into
base: ps/secure-crypto-service
Choose a base branch
from
Open

[PM-5693] Migrate SDK to CryptoService #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 20 additions & 16 deletions crates/bitwarden-core/src/auth/auth_request.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ use bitwarden_crypto::{EncString, KeyDecryptable, SymmetricCryptoKey};

#[cfg(feature = "internal")]
use crate::client::encryption_settings::EncryptionSettingsError;
use crate::{error::Error, Client};
use crate::{error::Error, key_management::SymmetricKeyRef, Client};

#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
pub struct AuthRequestResponse {
Expand Down Expand Up @@ -83,8 +83,11 @@ pub(crate) fn approve_auth_request(
) -> Result<AsymmetricEncString, Error> {
let public_key = AsymmetricPublicCryptoKey::from_der(&STANDARD.decode(public_key)?)?;

let enc = client.internal.get_encryption_settings()?;
let key = enc.get_key(&None)?;
let crypto_service = client.internal.get_crypto_service();
let ctx = crypto_service.context();

#[allow(deprecated)]
let key = ctx.dangerous_get_symmetric_key(SymmetricKeyRef::User)?;

Ok(AsymmetricEncString::encrypt_rsa2048_oaep_sha1(
&key.to_vec(),
Expand Down Expand Up @@ -235,21 +238,22 @@ mod tests {

// We can validate that the vault is unlocked correctly by confirming the user key is the
// same
assert_eq!(
existing_device
.internal
.get_encryption_settings()
.unwrap()
.get_key(&None)
let existing_key_b64 = {
let ctx = existing_device.internal.get_crypto_service().context();
#[allow(deprecated)]
ctx.dangerous_get_symmetric_key(SymmetricKeyRef::User)
.unwrap()
.to_base64(),
new_device
.internal
.get_encryption_settings()
.unwrap()
.get_key(&None)
.to_base64()
};

let new_key_b64 = {
let ctx = new_device.internal.get_crypto_service().context();
#[allow(deprecated)]
ctx.dangerous_get_symmetric_key(SymmetricKeyRef::User)
.unwrap()
.to_base64()
);
};

assert_eq!(existing_key_b64, new_key_b64,);
}
}
6 changes: 4 additions & 2 deletions crates/bitwarden-core/src/auth/client_auth.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,9 +162,11 @@

#[cfg(feature = "internal")]
fn trust_device(client: &Client) -> Result<TrustDeviceResponse> {
let enc = client.internal.get_encryption_settings()?;
use crate::key_management::SymmetricKeyRef;

let user_key = enc.get_key(&None)?;
let ctx = client.internal.get_crypto_service().context();

Check warning on line 167 in crates/bitwarden-core/src/auth/client_auth.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/client_auth.rs#L167 

Added line #L167 was not covered by tests
#[allow(deprecated)]
let user_key = ctx.dangerous_get_symmetric_key(SymmetricKeyRef::User)?;

Check warning on line 169 in crates/bitwarden-core/src/auth/client_auth.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/client_auth.rs#L169 

Added line #L169 was not covered by tests

Ok(DeviceKey::trust_device(user_key)?)
}
Expand Down
9 changes: 6 additions & 3 deletions crates/bitwarden-core/src/auth/password/validate.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ pub(crate) fn validate_password_user_key(
password: String,
encrypted_user_key: String,
) -> Result<String> {
use crate::key_management::SymmetricKeyRef;

let login_method = client
.internal
.get_login_method()
Expand All @@ -59,9 +61,10 @@ pub(crate) fn validate_password_user_key(
.decrypt_user_key(encrypted_user_key.parse()?)
.map_err(|_| "wrong password")?;

let enc = client.internal.get_encryption_settings()?;

let existing_key = enc.get_key(&None)?;
let crypto_service = client.internal.get_crypto_service();
let ctx = crypto_service.context();
#[allow(deprecated)]
let existing_key = ctx.dangerous_get_symmetric_key(SymmetricKeyRef::User)?;

if user_key.to_vec() != existing_key.to_vec() {
return Err("wrong user key".into());
Expand Down
6 changes: 4 additions & 2 deletions crates/bitwarden-core/src/auth/pin.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ use bitwarden_crypto::{EncString, PinKey};
use crate::{
client::{LoginMethod, UserLoginMethod},
error::{Error, Result},
key_management::SymmetricKeyRef,
Client,
};

Expand All @@ -24,8 +25,9 @@ pub(crate) fn validate_pin(
match login_method {
UserLoginMethod::Username { email, kdf, .. }
| UserLoginMethod::ApiKey { email, kdf, .. } => {
let enc = client.internal.get_encryption_settings()?;
let user_key = enc.get_key(&None)?;
let ctx = client.internal.get_crypto_service().context();
#[allow(deprecated)]
let user_key = ctx.dangerous_get_symmetric_key(SymmetricKeyRef::User)?;

let pin_key = PinKey::derive(pin.as_bytes(), email.as_bytes(), kdf)?;

Expand Down
11 changes: 8 additions & 3 deletions crates/bitwarden-core/src/auth/renew.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
use crate::{
auth::api::request::AccessTokenRequest,
client::ServiceAccountLoginMethod,
key_management::SymmetricKeyRef,
secrets_manager::state::{self, ClientState},
};
use crate::{
Expand Down Expand Up @@ -70,10 +71,14 @@
.send(&config)
.await?;

if let (IdentityTokenResponse::Payload(r), Some(state_file), Ok(enc_settings)) =
(&result, state_file, client.get_encryption_settings())
if let (IdentityTokenResponse::Payload(r), Some(state_file)) =
(&result, state_file)

Check warning on line 75 in crates/bitwarden-core/src/auth/renew.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/renew.rs#L74-L75 

Added lines #L74 - L75 were not covered by tests
{
if let Ok(enc_key) = enc_settings.get_key(&None) {
let ctx = client.get_crypto_service().context();

Check warning on line 77 in crates/bitwarden-core/src/auth/renew.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/renew.rs#L77 

Added line #L77 was not covered by tests

#[allow(deprecated)]
if let Ok(enc_key) = ctx.dangerous_get_symmetric_key(SymmetricKeyRef::User)
{

Check warning on line 81 in crates/bitwarden-core/src/auth/renew.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/renew.rs#L80-L81 

Added lines #L80 - L81 were not covered by tests
let state =
ClientState::new(r.access_token.clone(), enc_key.to_base64());
_ = state::set(state_file, access_token, state);
Expand Down
3 changes: 2 additions & 1 deletion crates/bitwarden-core/src/client/client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
use std::sync::{Arc, RwLock};

use bitwarden_crypto::service::CryptoService;
use reqwest::header::{self, HeaderValue};

use super::internal::InternalClient;
Expand Down Expand Up @@ -78,7 +79,7 @@ impl Client {
device_type: settings.device_type,
})),
external_client,
encryption_settings: RwLock::new(None),
crypto_service: CryptoService::new(),
},
}
}
Expand Down
122 changes: 43 additions & 79 deletions crates/bitwarden-core/src/client/encryption_settings.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
use std::collections::HashMap;

use bitwarden_crypto::{AsymmetricCryptoKey, CryptoError, KeyContainer, SymmetricCryptoKey};
use bitwarden_crypto::{service::CryptoService, AsymmetricCryptoKey, SymmetricCryptoKey};
#[cfg(feature = "internal")]
use bitwarden_crypto::{AsymmetricEncString, EncString, MasterKey};
use bitwarden_crypto::{AsymmetricEncString, EncString};
use thiserror::Error;
use uuid::Uuid;

#[cfg(feature = "internal")]
use crate::error::Result;
use crate::VaultLocked;
use crate::{
key_management::{AsymmetricKeyRef, SymmetricKeyRef},
VaultLocked,
};

#[derive(Debug, Error)]
pub enum EncryptionSettingsError {
Expand All @@ -28,32 +29,9 @@
MissingPrivateKey,
}

#[derive(Clone)]
pub struct EncryptionSettings {
user_key: SymmetricCryptoKey,
pub(crate) private_key: Option<AsymmetricCryptoKey>,
org_keys: HashMap<Uuid, SymmetricCryptoKey>,
}

impl std::fmt::Debug for EncryptionSettings {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.debug_struct("EncryptionSettings").finish()
}
}
pub struct EncryptionSettings {}

impl EncryptionSettings {
/// Initialize the encryption settings with the master key and the encrypted user keys
#[cfg(feature = "internal")]
pub(crate) fn new(
master_key: MasterKey,
user_key: EncString,
private_key: EncString,
) -> Result<Self, EncryptionSettingsError> {
// Decrypt the user key
let user_key = master_key.decrypt_user_key(user_key)?;
Self::new_decrypted_key(user_key, private_key)
}

/// Initialize the encryption settings with the decrypted user key and the encrypted user
/// private key This should only be used when unlocking the vault via biometrics or when the
/// vault is set to lock: "never" Otherwise handling the decrypted user key is dangerous and
Expand All @@ -62,7 +40,8 @@
pub(crate) fn new_decrypted_key(
user_key: SymmetricCryptoKey,
private_key: EncString,
) -> Result<Self, EncryptionSettingsError> {
crypto_service: &CryptoService<SymmetricKeyRef, AsymmetricKeyRef>,
) -> Result<(), EncryptionSettingsError> {
use bitwarden_crypto::KeyDecryptable;
use log::warn;

Expand All @@ -83,76 +62,61 @@
// )
};

Ok(EncryptionSettings {
user_key,
private_key,
org_keys: HashMap::new(),
})
#[allow(deprecated)]
{
let mut ctx = crypto_service.context_mut();
ctx.set_symmetric_key(SymmetricKeyRef::User, user_key)?;
if let Some(private_key) = private_key {
ctx.set_asymmetric_key(AsymmetricKeyRef::UserPrivateKey, private_key)?;
}

Check warning on line 71 in crates/bitwarden-core/src/client/encryption_settings.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/client/encryption_settings.rs#L71 

Added line #L71 was not covered by tests
}

Ok(())
}

/// Initialize the encryption settings with only a single decrypted key.
/// This is used only for logging in Secrets Manager with an access token
#[cfg(feature = "secrets")]
pub(crate) fn new_single_key(key: SymmetricCryptoKey) -> Self {
EncryptionSettings {
user_key: key,
private_key: None,
org_keys: HashMap::new(),
}
pub(crate) fn new_single_key(
key: SymmetricCryptoKey,
crypto_service: &CryptoService<SymmetricKeyRef, AsymmetricKeyRef>,
) {
#[allow(deprecated)]
crypto_service
.context_mut()
.set_symmetric_key(SymmetricKeyRef::User, key)
.expect("Mutable context");

Check warning on line 88 in crates/bitwarden-core/src/client/encryption_settings.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/client/encryption_settings.rs#L80-L88 

Added lines #L80 - L88 were not covered by tests
}

#[cfg(feature = "internal")]
pub(crate) fn set_org_keys(
&mut self,
org_enc_keys: Vec<(Uuid, AsymmetricEncString)>,
) -> Result<&Self, EncryptionSettingsError> {
use bitwarden_crypto::KeyDecryptable;
crypto_service: &CryptoService<SymmetricKeyRef, AsymmetricKeyRef>,
) -> Result<(), EncryptionSettingsError> {
let mut ctx = crypto_service.context_mut();

if !ctx.has_asymmetric_key(AsymmetricKeyRef::UserPrivateKey) {
return Err(VaultLocked.into());

Check warning on line 99 in crates/bitwarden-core/src/client/encryption_settings.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/client/encryption_settings.rs#L99 

Added line #L99 was not covered by tests
}

// Make sure we only keep the keys given in the arguments and not any of the previous
// ones, which might be from organizations that the user is no longer a part of anymore
self.org_keys.clear();
ctx.retain_symmetric_keys(|key_ref| !matches!(key_ref, SymmetricKeyRef::Organization(_)));

// FIXME: [PM-11690] - Early abort to handle private key being corrupt
if org_enc_keys.is_empty() {
return Ok(self);
return Ok(());

Check warning on line 108 in crates/bitwarden-core/src/client/encryption_settings.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/client/encryption_settings.rs#L108 

Added line #L108 was not covered by tests
}

let private_key = self
.private_key
.as_ref()
.ok_or(EncryptionSettingsError::MissingPrivateKey)?;

// Decrypt the org keys with the private key
for (org_id, org_enc_key) in org_enc_keys {
let mut dec: Vec<u8> = org_enc_key.decrypt_with_key(private_key)?;

let org_key = SymmetricCryptoKey::try_from(dec.as_mut_slice())?;

self.org_keys.insert(org_id, org_key);
ctx.decrypt_symmetric_key_with_asymmetric_key(
AsymmetricKeyRef::UserPrivateKey,
SymmetricKeyRef::Organization(org_id),
&org_enc_key,
)?;
}

Ok(self)
}

pub fn get_key(&self, org_id: &Option<Uuid>) -> Result<&SymmetricCryptoKey, CryptoError> {
// If we don't have a private key set (to decode multiple org keys), we just use the main
// user key
if self.private_key.is_none() {
return Ok(&self.user_key);
}

match org_id {
Some(org_id) => self
.org_keys
.get(org_id)
.ok_or(CryptoError::MissingKey(*org_id)),
None => Ok(&self.user_key),
}
}
}

impl KeyContainer for EncryptionSettings {
fn get_key(&self, org_id: &Option<Uuid>) -> Result<&SymmetricCryptoKey, CryptoError> {
EncryptionSettings::get_key(self, org_id)
Ok(())
}
}
Loading
Loading