Skip to content

Commit 28c7e29

Browse files
authored
[PM-12400] Add private key regeneration SDK methods (#6)
## 🎟️ Tracking <!-- Paste the link to the Jira or GitHub issue or otherwise describe / point to where this change is coming from. --> https://bitwarden.atlassian.net/browse/PM-12400 ## 📔 Objective <!-- Describe what the purpose of this PR is, for example what bug you're fixing or new feature you're adding. --> Add shared methods to enable private key regeneration in clients.
1 parent 19c56fb commit 28c7e29

File tree

3 files changed

+241
-4
lines changed

3 files changed

+241
-4
lines changed

crates/bitwarden-core/src/mobile/client_crypto.rs

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,10 @@
11
#[cfg(feature = "internal")]
22
use bitwarden_crypto::{AsymmetricEncString, EncString};
33

4-
use super::crypto::{derive_key_connector, DeriveKeyConnectorRequest};
4+
use super::crypto::{
5+
derive_key_connector, make_key_pair, verify_asymmetric_keys, DeriveKeyConnectorRequest,
6+
MakeKeyPairResponse, VerifyAsymmetricKeysRequest, VerifyAsymmetricKeysResponse,
7+
};
58
use crate::{client::encryption_settings::EncryptionSettingsError, Client};
69
#[cfg(feature = "internal")]
710
use crate::{
@@ -56,6 +59,17 @@ impl<'a> ClientCrypto<'a> {
5659
pub fn derive_key_connector(&self, request: DeriveKeyConnectorRequest) -> Result<String> {
5760
derive_key_connector(request)
5861
}
62+
63+
pub fn make_key_pair(&self, user_key: String) -> Result<MakeKeyPairResponse> {
64+
make_key_pair(user_key)
65+
}
66+
67+
pub fn verify_asymmetric_keys(
68+
&self,
69+
request: VerifyAsymmetricKeysRequest,
70+
) -> Result<VerifyAsymmetricKeysResponse> {
71+
verify_asymmetric_keys(request)
72+
}
5973
}
6074

6175
impl<'a> Client {

crates/bitwarden-core/src/mobile/crypto.rs

Lines changed: 203 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,9 @@
11
use std::collections::HashMap;
22

3+
use base64::{engine::general_purpose::STANDARD, Engine};
34
use bitwarden_crypto::{
4-
AsymmetricEncString, EncString, Kdf, KeyDecryptable, KeyEncryptable, MasterKey,
5-
SymmetricCryptoKey,
5+
AsymmetricCryptoKey, AsymmetricEncString, EncString, Kdf, KeyDecryptable, KeyEncryptable,
6+
MasterKey, SymmetricCryptoKey, UserKey,
67
};
78
use schemars::JsonSchema;
89
use serde::{Deserialize, Serialize};
@@ -350,10 +351,115 @@ pub(super) fn derive_key_connector(request: DeriveKeyConnectorRequest) -> Result
350351
Ok(master_key.to_base64())
351352
}
352353

354+
#[derive(Serialize, Deserialize, Debug, JsonSchema)]
355+
#[serde(rename_all = "camelCase", deny_unknown_fields)]
356+
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
357+
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
358+
pub struct MakeKeyPairResponse {
359+
/// The user's public key
360+
user_public_key: String,
361+
/// User's private key, encrypted with the user key
362+
user_key_encrypted_private_key: EncString,
363+
}
364+
365+
pub fn make_key_pair(user_key: String) -> Result<MakeKeyPairResponse> {
366+
let user_key = UserKey::new(SymmetricCryptoKey::try_from(user_key)?);
367+
368+
let key_pair = user_key.make_key_pair()?;
369+
370+
Ok(MakeKeyPairResponse {
371+
user_public_key: key_pair.public,
372+
user_key_encrypted_private_key: key_pair.private,
373+
})
374+
}
375+
376+
#[derive(Serialize, Deserialize, Debug, JsonSchema)]
377+
#[serde(rename_all = "camelCase", deny_unknown_fields)]
378+
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
379+
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
380+
pub struct VerifyAsymmetricKeysRequest {
381+
/// The user's user key
382+
user_key: String,
383+
/// The user's public key
384+
user_public_key: String,
385+
/// User's private key, encrypted with the user key
386+
user_key_encrypted_private_key: EncString,
387+
}
388+
389+
#[derive(Serialize, Deserialize, Debug, JsonSchema)]
390+
#[serde(rename_all = "camelCase", deny_unknown_fields)]
391+
#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
392+
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
393+
pub struct VerifyAsymmetricKeysResponse {
394+
/// Whether the user's private key was decryptable by the user key.
395+
private_key_decryptable: bool,
396+
/// Whether the user's private key was a valid RSA key and matched the public key provided.
397+
valid_private_key: bool,
398+
}
399+
400+
pub fn verify_asymmetric_keys(
401+
request: VerifyAsymmetricKeysRequest,
402+
) -> Result<VerifyAsymmetricKeysResponse> {
403+
#[derive(Debug, thiserror::Error)]
404+
enum VerifyError {
405+
#[error("Failed to decrypt private key: {0:?}")]
406+
DecryptFailed(bitwarden_crypto::CryptoError),
407+
#[error("Failed to parse decrypted private key: {0:?}")]
408+
ParseFailed(bitwarden_crypto::CryptoError),
409+
#[error("Failed to derive a public key: {0:?}")]
410+
PublicFailed(bitwarden_crypto::CryptoError),
411+
#[error("Derived public key doesn't match")]
412+
KeyMismatch,
413+
}
414+
415+
fn verify_inner(
416+
user_key: &SymmetricCryptoKey,
417+
request: &VerifyAsymmetricKeysRequest,
418+
) -> Result<(), VerifyError> {
419+
let decrypted_private_key: Vec<u8> = request
420+
.user_key_encrypted_private_key
421+
.decrypt_with_key(user_key)
422+
.map_err(VerifyError::DecryptFailed)?;
423+
424+
let private_key = AsymmetricCryptoKey::from_der(&decrypted_private_key)
425+
.map_err(VerifyError::ParseFailed)?;
426+
427+
let derived_public_key_vec = private_key
428+
.to_public_der()
429+
.map_err(VerifyError::PublicFailed)?;
430+
431+
let derived_public_key = STANDARD.encode(&derived_public_key_vec);
432+
433+
if derived_public_key != request.user_public_key {
434+
return Err(VerifyError::KeyMismatch);
435+
}
436+
Ok(())
437+
}
438+
439+
let user_key = SymmetricCryptoKey::try_from(request.user_key.clone())?;
440+
441+
Ok(match verify_inner(&user_key, &request) {
442+
Ok(_) => VerifyAsymmetricKeysResponse {
443+
private_key_decryptable: true,
444+
valid_private_key: true,
445+
},
446+
Err(e) => {
447+
log::debug!("User asymmetric keys verification: {}", e);
448+
449+
VerifyAsymmetricKeysResponse {
450+
private_key_decryptable: !matches!(e, VerifyError::DecryptFailed(_)),
451+
valid_private_key: false,
452+
}
453+
}
454+
})
455+
}
456+
353457
#[cfg(test)]
354458
mod tests {
355459
use std::num::NonZeroU32;
356460

461+
use bitwarden_crypto::RsaKeyPair;
462+
357463
use super::*;
358464
use crate::Client;
359465

@@ -585,4 +691,99 @@ mod tests {
585691

586692
assert_eq!(result, "ySXq1RVLKEaV1eoQE/ui9aFKIvXTl9PAXwp1MljfF50=");
587693
}
694+
695+
fn setup_asymmetric_keys_test() -> (UserKey, RsaKeyPair) {
696+
let master_key = MasterKey::derive(
697+
"asdfasdfasdf",
698+
699+
&Kdf::PBKDF2 {
700+
iterations: NonZeroU32::new(600_000).unwrap(),
701+
},
702+
)
703+
.unwrap();
704+
let user_key = (master_key.make_user_key().unwrap()).0;
705+
let key_pair = user_key.make_key_pair().unwrap();
706+
707+
(user_key, key_pair)
708+
}
709+
710+
#[test]
711+
fn test_make_key_pair() {
712+
let (user_key, _) = setup_asymmetric_keys_test();
713+
714+
let response = make_key_pair(user_key.0.to_base64()).unwrap();
715+
716+
assert!(!response.user_public_key.is_empty());
717+
let encrypted_private_key = response.user_key_encrypted_private_key;
718+
let private_key: Vec<u8> = encrypted_private_key.decrypt_with_key(&user_key.0).unwrap();
719+
assert!(!private_key.is_empty());
720+
}
721+
722+
#[test]
723+
fn test_verify_asymmetric_keys_success() {
724+
let (user_key, key_pair) = setup_asymmetric_keys_test();
725+
726+
let request = VerifyAsymmetricKeysRequest {
727+
user_key: user_key.0.to_base64(),
728+
user_public_key: key_pair.public,
729+
user_key_encrypted_private_key: key_pair.private,
730+
};
731+
let response = verify_asymmetric_keys(request).unwrap();
732+
733+
assert!(response.private_key_decryptable);
734+
assert!(response.valid_private_key);
735+
}
736+
737+
#[test]
738+
fn test_verify_asymmetric_keys_decrypt_failed() {
739+
let (user_key, key_pair) = setup_asymmetric_keys_test();
740+
let undecryptable_private_key = "2.cqD39M4erPZ3tWaz2Fng9w==|+Bsp/xvM30oo+HThKN12qirK0A63EjMadcwethCX7kEgfL5nEXgAFsSgRBMpByc1djgpGDMXzUTLOE+FejXRsrEHH/ICZ7jPMgSR+lV64Mlvw3fgvDPQdJ6w3MCmjPueGQtrlPj1K78BkRomN3vQwwRBFUIJhLAnLshTOIFrSghoyG78na7McqVMMD0gmC0zmRaSs2YWu/46ES+2Rp8V5OC4qdeeoJM9MQfaOtmaqv7NRVDeDM3DwoyTJAOcon8eovMKE4jbFPUboiXjNQBkBgjvLhco3lVJnFcQuYgmjqrwuUQRsfAtZjxFXg/RQSH2D+SI5uRaTNQwkL4iJqIw7BIKtI0gxDz6eCVdq/+DLhpImgCV/aaIhF/jkpGqLCceFsYMbuqdULMM1VYKgV+IAuyC65R+wxOaKS+1IevvPnNp7tgKAvT5+shFg8piusj+rQ49daX2SmV2OImwdWMmmX93bcVV0xJ/WYB1yrqmyRUcTwyvX3RQF25P5okIIzFasRp8jXFZe8C6f93yzkn1TPQbp95zF4OsWjfPFVH4hzca07ACt2HjbAB75JakWbFA5MbCF8aOIwIfeLVhVlquQXCldOHCsl22U/f3HTGLB9OS8F83CDAy7qZqpKha9Im8RUhHoyf+lXrky0gyd6un7Ky8NSkVOGd8CEG7bvZfutxv/qtAjEM9/lV78fh8TQIy9GNgioMzplpuzPIJOgMaY/ZFZj6a8H9OMPneN5Je0H/DwHEglSyWy7CMgwcbQgXYGXc8rXTTxL71GUAFHzDr4bAJvf40YnjndoL9tf+oBw8vVNUccoD4cjyOT5w8h7M3Liaxk9/0O8JR98PKxxpv1Xw6XjFCSEHeG2y9FgDUASFR4ZwG1qQBiiLMnJ7e9kvxsdnmasBux9H0tOdhDhAM16Afk3NPPKA8eztJVHJBAfQiaNiUA4LIJ48d8EpUAe2Tvz0WW/gQThplUINDTpvPf+FojLwc5lFwNIPb4CVN1Ui8jOJI5nsOw4BSWJvLzJLxawHxX/sBuK96iXza+4aMH+FqYKt/twpTJtiVXo26sPtHe6xXtp7uO4b+bL9yYUcaAci69L0W8aNdu8iF0lVX6kFn2lOL8dBLRleGvixX9gYEVEsiI7BQBjxEBHW/YMr5F4M4smqCpleZIAxkse1r2fQ33BSOJVQKInt4zzgdKwrxDzuVR7RyiIUuNXHsprKtRHNJrSc4x5kWFUeivahed2hON+Ir/ZvrxYN6nJJPeYYH4uEm1Nn4osUzzfWILlqpmDPK1yYy365T38W8wT0cbdcJrI87ycS37HeB8bzpFJZSY/Dzv48Yy19mDZJHLJLCRqyxNeIlBPsVC8fvxQhzr+ZyS3Wi8Dsa2Sgjt/wd0xPULLCJlb37s+1aWgYYylr9QR1uhXheYfkXFED+saGWwY1jlYL5e2Oo9n3sviBYwJxIZ+RTKFgwlXV5S+Jx/MbDpgnVHP1KaoU6vvzdWYwMChdHV/6PhZVbeT2txq7Qt+zQN59IGrOWf6vlMkHxfUzMTD58CE+xAaz/D05ljHMesLj9hb3MSrymw0PcwoFGWUMIzIQE73pUVYNE7fVHa8HqUOdoxZ5dRZqXRVox1xd9siIPE3e6CuVQIMabTp1YLno=|Y38qtTuCwNLDqFnzJ3Cgbjm1SE15OnhDm9iAMABaQBA=".parse().unwrap();
741+
742+
let request = VerifyAsymmetricKeysRequest {
743+
user_key: user_key.0.to_base64(),
744+
user_public_key: key_pair.public,
745+
user_key_encrypted_private_key: undecryptable_private_key,
746+
};
747+
let response = verify_asymmetric_keys(request).unwrap();
748+
749+
assert!(!response.private_key_decryptable);
750+
assert!(!response.valid_private_key);
751+
}
752+
753+
#[test]
754+
fn test_verify_asymmetric_keys_parse_failed() {
755+
let (user_key, key_pair) = setup_asymmetric_keys_test();
756+
757+
let invalid_private_key = "bad_key"
758+
.to_string()
759+
.into_bytes()
760+
.encrypt_with_key(&user_key.0)
761+
.unwrap();
762+
763+
let request = VerifyAsymmetricKeysRequest {
764+
user_key: user_key.0.to_base64(),
765+
user_public_key: key_pair.public,
766+
user_key_encrypted_private_key: invalid_private_key,
767+
};
768+
let response = verify_asymmetric_keys(request).unwrap();
769+
770+
assert!(response.private_key_decryptable);
771+
assert!(!response.valid_private_key);
772+
}
773+
774+
#[test]
775+
fn test_verify_asymmetric_keys_key_mismatch() {
776+
let (user_key, key_pair) = setup_asymmetric_keys_test();
777+
let new_key_pair = user_key.make_key_pair().unwrap();
778+
779+
let request = VerifyAsymmetricKeysRequest {
780+
user_key: user_key.0.to_base64(),
781+
user_public_key: key_pair.public,
782+
user_key_encrypted_private_key: new_key_pair.private,
783+
};
784+
let response = verify_asymmetric_keys(request).unwrap();
785+
786+
assert!(response.private_key_decryptable);
787+
assert!(!response.valid_private_key);
788+
}
588789
}

crates/bitwarden-wasm-internal/src/crypto.rs

Lines changed: 23 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,10 @@ use std::rc::Rc;
22

33
use bitwarden_core::{
44
client::encryption_settings::EncryptionSettingsError,
5-
mobile::crypto::{InitOrgCryptoRequest, InitUserCryptoRequest},
5+
mobile::crypto::{
6+
InitOrgCryptoRequest, InitUserCryptoRequest, MakeKeyPairResponse,
7+
VerifyAsymmetricKeysRequest, VerifyAsymmetricKeysResponse,
8+
},
69
Client,
710
};
811
use wasm_bindgen::prelude::*;
@@ -35,4 +38,23 @@ impl ClientCrypto {
3538
) -> Result<(), EncryptionSettingsError> {
3639
self.0.crypto().initialize_org_crypto(req).await
3740
}
41+
42+
/// Generates a new key pair and encrypts the private key with the provided user key.
43+
/// Crypto initialization not required.
44+
pub fn make_key_pair(
45+
&self,
46+
user_key: String,
47+
) -> Result<MakeKeyPairResponse, bitwarden_core::Error> {
48+
self.0.crypto().make_key_pair(user_key)
49+
}
50+
51+
/// Verifies a user's asymmetric keys by decrypting the private key with the provided user
52+
/// key. Returns if the private key is decryptable and if it is a valid matching key.
53+
/// Crypto initialization not required.
54+
pub fn verify_asymmetric_keys(
55+
&self,
56+
request: VerifyAsymmetricKeysRequest,
57+
) -> Result<VerifyAsymmetricKeysResponse, bitwarden_core::Error> {
58+
self.0.crypto().verify_asymmetric_keys(request)
59+
}
3860
}

0 commit comments

Comments
 (0)