Fix keywrap

Author: quexten

crates/bitwarden-crypto/src/cose.rs

@@ -92,7 +92,7 @@ pub(crate) fn encrypt_xchacha20_poly1305(
 pub(crate) fn decrypt_xchacha20_poly1305(
     cose_encrypt0_message: &[u8],
     key: &crate::XChaCha20Poly1305Key,
-) -> Result<Vec<u8>, CryptoError> {
+) -> Result<(Vec<u8>, ContentFormat), CryptoError> {
     let msg = coset::CoseEncrypt0::from_slice(cose_encrypt0_message)
         .map_err(|err| CryptoError::EncString(EncStringParseError::InvalidCoseEncoding(err)))?;
     let Some(ref alg) = msg.protected.header.alg else {
@@ -117,12 +117,30 @@ pub(crate) fn decrypt_xchacha20_poly1305(
     })?;
 
     if let Some(ref content_type) = msg.protected.header.content_type {
-        if *content_type == ContentType::Text(CONTENT_TYPE_PADDED_UTF8.to_string()) {
-            // Unpad the data to get the original plaintext
-            return crate::keys::utils::unpad_bytes(&decrypted_message).map(|bytes| bytes.to_vec());
+        match content_type {
+            ContentType::Text(format) if format == CONTENT_TYPE_PADDED_UTF8 => {
+                if *content_type == ContentType::Text(CONTENT_TYPE_PADDED_UTF8.to_string()) {
+                    // Unpad the data to get the original plaintext
+                    let data = crate::keys::utils::unpad_bytes(&decrypted_message)
+                        .map_err(|_| CryptoError::InvalidPadding)?;
+                    return Ok((data.to_vec(), ContentFormat::Utf8));
+                }
+            },
+            ContentType::Assigned(content_format) if *content_format == CoapContentFormat::Pkcs8 => {
+                return Ok((decrypted_message.to_vec(), ContentFormat::Pkcs8));
+            }
+            ContentType::Assigned(content_format) if *content_format == CoapContentFormat::CoseKey => {
+                return Ok((decrypted_message.to_vec(), ContentFormat::CoseKey));
+            }
+            ContentType::Assigned(content_format) if *content_format == CoapContentFormat::OctetStream => {
+                return Ok((decrypted_message.to_vec(), ContentFormat::OctetStream));
+            }
+            _ => {}
         }
     }
-    Ok(decrypted_message)
+    Err(CryptoError::EncString(
+        EncStringParseError::CoseMissingContentType,
+    ))
 }
 
 const SYMMETRIC_KEY: Label = Label::Int(iana::SymmetricKeyParameter::K as i64);
@@ -168,7 +186,7 @@ mod test {
     use super::*;
 
     #[test]
-    fn test_encrypt_decrypt_roundtrip() {
+    fn test_encrypt_decrypt_roundtrip_octetstream() {
         let SymmetricCryptoKey::XChaCha20Poly1305Key(ref key) =
             SymmetricCryptoKey::make_xchacha20_poly1305_key()
         else {
@@ -179,6 +197,49 @@ mod test {
         let encrypted =
             encrypt_xchacha20_poly1305(plaintext, key, ContentFormat::OctetStream).unwrap();
         let decrypted = decrypt_xchacha20_poly1305(&encrypted, key).unwrap();
-        assert_eq!(decrypted, plaintext);
+        assert_eq!(decrypted, (plaintext.to_vec(), ContentFormat::OctetStream));
+    }
+
+    #[test]
+    fn test_encrypt_decrypt_roundtrip_utf8() {
+        let SymmetricCryptoKey::XChaCha20Poly1305Key(ref key) =
+            SymmetricCryptoKey::make_xchacha20_poly1305_key()
+        else {
+            panic!("Failed to create XChaCha20Poly1305Key");
+        };
+
+        let plaintext = b"Hello, world!";
+        let encrypted = encrypt_xchacha20_poly1305(plaintext, key, ContentFormat::Utf8).unwrap();
+        let decrypted = decrypt_xchacha20_poly1305(&encrypted, key).unwrap();
+        assert_eq!(decrypted, (plaintext.to_vec(), ContentFormat::Utf8));
     }
+
+    #[test]
+    fn test_encrypt_decrypt_roundtrip_pkcs8() {
+        let SymmetricCryptoKey::XChaCha20Poly1305Key(ref key) =
+            SymmetricCryptoKey::make_xchacha20_poly1305_key()
+        else {
+            panic!("Failed to create XChaCha20Poly1305Key");
+        };
+
+        let plaintext = b"Hello, world!";
+        let encrypted = encrypt_xchacha20_poly1305(plaintext, key, ContentFormat::Pkcs8).unwrap();
+        let decrypted = decrypt_xchacha20_poly1305(&encrypted, key).unwrap();
+        assert_eq!(decrypted, (plaintext.to_vec(), ContentFormat::Pkcs8));
+    }
+
+    #[test]
+    fn test_encrypt_decrypt_roundtrip_cosekey() {
+        let SymmetricCryptoKey::XChaCha20Poly1305Key(ref key) =
+            SymmetricCryptoKey::make_xchacha20_poly1305_key()
+        else {
+            panic!("Failed to create XChaCha20Poly1305Key");
+        };
+
+        let plaintext = b"Hello, world!";
+        let encrypted = encrypt_xchacha20_poly1305(plaintext, key, ContentFormat::CoseKey).unwrap();
+        let decrypted = decrypt_xchacha20_poly1305(&encrypted, key).unwrap();
+        assert_eq!(decrypted, (plaintext.to_vec(), ContentFormat::CoseKey));
+    }
+
 }

crates/bitwarden-crypto/src/enc_string/symmetric.rs

@@ -307,7 +307,7 @@ impl KeyDecryptable<SymmetricCryptoKey, Vec<u8>> for EncString {
                 EncString::Cose_Encrypt0_B64 { data },
                 SymmetricCryptoKey::XChaCha20Poly1305Key(key),
             ) => {
-                let decrypted_message =
+                let (decrypted_message, _) =
                     crate::cose::decrypt_xchacha20_poly1305(data.as_slice(), key)?;
                 Ok(decrypted_message)
             }

crates/bitwarden-crypto/src/error.rs

@@ -83,6 +83,8 @@ pub enum EncStringParseError {
     InvalidCoseEncoding(coset::CoseError),
     #[error("Algorithm missing in COSE header")]
     CoseMissingAlgorithm,
+    #[error("Content type missing in COSE header")]
+    CoseMissingContentType,
 }
 
 #[derive(Debug, Error)]

crates/bitwarden-crypto/src/keys/symmetric_crypto_key.rs

@@ -208,6 +208,13 @@ impl SymmetricCryptoKey {
         }
     }
 
+    pub(crate) fn try_from_cose(serialized_key: &[u8]) -> Result<Self, CryptoError> {
+        let cose_key = coset::CoseKey::from_slice(serialized_key)
+            .map_err(|_| CryptoError::InvalidKey)?;
+        let key = SymmetricCryptoKey::try_from(&cose_key)?;
+        Ok(key)
+    }
+
     pub fn to_base64(&self) -> String {
         STANDARD.encode(self.to_encoded())
     }
@@ -286,9 +293,7 @@ impl TryFrom<&mut [u8]> for SymmetricCryptoKey {
             Ok(Self::Aes256CbcKey(Aes256CbcKey { enc_key }))
         } else if value.len() > Self::AES256_CBC_HMAC_KEY_LEN {
             let unpadded_value = unpad_key(value)?;
-            let cose_key =
-                coset::CoseKey::from_slice(unpadded_value).map_err(|_| CryptoError::InvalidKey)?;
-            SymmetricCryptoKey::try_from(&cose_key)
+            Ok(Self::try_from_cose(unpadded_value)?)
         } else {
             Err(CryptoError::InvalidKeyLen)
         };

crates/bitwarden-crypto/src/store/context.rs

@@ -132,24 +132,44 @@ impl<Ids: KeyIds> KeyStoreContext<'_, Ids> {
     ///
     /// # Arguments
     ///
-    /// * `encryption_key` - The key id used to decrypt the `encrypted_key`. It must already exist
+    /// * `wrapping_key` - The key id used to decrypt the `wrapped_key`. It must already exist
     ///   in the context
     /// * `new_key_id` - The key id where the decrypted key will be stored. If it already exists, it
     ///   will be overwritten
-    /// * `encrypted_key` - The key to decrypt
+    /// * `wrapped_key` - The key to decrypt
     pub fn unwrap_symmetric_key(
         &mut self,
-        encryption_key: Ids::Symmetric,
+        wrapping_key: Ids::Symmetric,
         new_key_id: Ids::Symmetric,
-        encrypted_key: &EncString,
+        wrapped_key: &EncString,
     ) -> Result<Ids::Symmetric> {
-        let mut new_key_material =
-            self.decrypt_data_with_symmetric_key(encryption_key, encrypted_key)?;
+        let wrapping_key = self.get_symmetric_key(wrapping_key)?;
+
+        let key = match (wrapped_key, wrapping_key) {
+            (EncString::Aes256Cbc_B64 { iv, data }, SymmetricCryptoKey::Aes256CbcKey(key)) => {
+                SymmetricCryptoKey::try_from(crate::aes::decrypt_aes256(iv, data.clone(), &key.enc_key)?)?
+            }
+            (
+                EncString::Aes256Cbc_HmacSha256_B64 { iv, mac, data },
+                SymmetricCryptoKey::Aes256CbcHmacKey(key),
+            ) => {
+                SymmetricCryptoKey::try_from(crate::aes::decrypt_aes256_hmac(iv, mac, data.clone(), &key.mac_key, &key.enc_key)?)?
+            }
+            (EncString::Cose_Encrypt0_B64 { data }, SymmetricCryptoKey::XChaCha20Poly1305Key(key)) => {
+                let (content_bytes, content_format) = crate::cose::decrypt_xchacha20_poly1305(data, key)?;
+                match content_format {
+                    ContentFormat::OctetStream => SymmetricCryptoKey::try_from(content_bytes)?,
+                    ContentFormat::CoseKey => SymmetricCryptoKey::try_from_cose(&content_bytes)?,
+                    _ => return Err(CryptoError::InvalidKey)
+                }
+            }
+            _ => return Err(CryptoError::InvalidKey),
+        };
 
         #[allow(deprecated)]
         self.set_symmetric_key(
             new_key_id,
-            SymmetricCryptoKey::try_from(new_key_material.as_mut_slice())?,
+            key,
         )?;
 
         // Returning the new key identifier for convenience
@@ -179,7 +199,7 @@ impl<Ids: KeyIds> KeyStoreContext<'_, Ids> {
         // or `Aes256CbcKey`, or by specifying the content format to be CoseKey, in case the
         // wrapped key is a `XChaCha20Poly1305Key`.
         match (wrapping_key_instance, key_to_wrap_instance) {
-            (Aes256CbcHmacKey(_), Aes256CbcHmacKey(_) | Aes256CbcKey(_)) => self
+            (Aes256CbcHmacKey(_), Aes256CbcHmacKey(_) | Aes256CbcKey(_) | XChaCha20Poly1305Key(_)) => self
                 .encrypt_data_with_symmetric_key(
                     wrapping_key,
                     key_to_wrap_instance.to_encoded().as_slice(),
@@ -368,6 +388,10 @@ impl<Ids: KeyIds> KeyStoreContext<'_, Ids> {
                 EncString::Aes256Cbc_HmacSha256_B64 { iv, mac, data },
                 SymmetricCryptoKey::Aes256CbcHmacKey(key),
             ) => crate::aes::decrypt_aes256_hmac(iv, mac, data.clone(), &key.mac_key, &key.enc_key),
+            (EncString::Cose_Encrypt0_B64 { data }, SymmetricCryptoKey::XChaCha20Poly1305Key(key)) => {
+                let (data, _) = crate::cose::decrypt_xchacha20_poly1305(data, key)?;
+                Ok(data)
+            }
             _ => Err(CryptoError::InvalidKey),
         }
     }
@@ -468,4 +492,44 @@ mod tests {
         // Assert that the decrypted data is the same
         assert_eq!(decrypted1.0, decrypted2.0);
     }
+
+    #[test]
+    fn test_wrap_unwrap_aes256_cbc_hmac() {
+        let store: KeyStore<TestIds> = KeyStore::default();
+        let mut ctx = store.context_mut();
+
+        // Aes256 CBC HMAC keys
+        let key_aes_1_id = TestSymmKey::A(1);
+        let key_aes_1 = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
+        ctx.set_symmetric_key(key_aes_1_id, key_aes_1.clone()).unwrap();
+        let key_aes_2_id = TestSymmKey::A(2);
+        let key_aes_2 = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
+        ctx.set_symmetric_key(key_aes_2_id, key_aes_2.clone()).unwrap();
+
+        // XChaCha20 Poly1305 keys
+        let key_xchacha_3_id = TestSymmKey::A(3);
+        let key_xchacha_3 = SymmetricCryptoKey::make_xchacha20_poly1305_key();
+        ctx.set_symmetric_key(key_xchacha_3_id, key_xchacha_3.clone()).unwrap();
+        let key_xchacha_4_id = TestSymmKey::A(4);
+        let key_xchacha_4 = SymmetricCryptoKey::make_xchacha20_poly1305_key();
+        ctx.set_symmetric_key(key_xchacha_4_id, key_xchacha_4.clone()).unwrap();
+
+        // Wrap and unwrap the keys
+        let wrapped_key_1_2 = ctx.wrap_symmetric_key(key_aes_1_id, key_aes_2_id).unwrap();
+        let wrapped_key_1_3 = ctx.wrap_symmetric_key(key_aes_1_id, key_xchacha_3_id).unwrap();
+        let wrapped_key_3_1 = ctx.wrap_symmetric_key(key_xchacha_3_id, key_aes_1_id).unwrap();
+        let wrapped_key_3_4 = ctx.wrap_symmetric_key(key_xchacha_3_id, key_xchacha_4_id).unwrap();
+
+        // Unwrap the keys
+        let unwrapped_key_2 = ctx.unwrap_symmetric_key(key_aes_1_id, key_aes_2_id, &wrapped_key_1_2).unwrap();
+        let unwrapped_key_3 = ctx.unwrap_symmetric_key(key_aes_1_id, key_xchacha_3_id, &wrapped_key_1_3).unwrap();
+        let unwrapped_key_1 = ctx.unwrap_symmetric_key(key_xchacha_3_id, key_aes_1_id, &wrapped_key_3_1).unwrap();
+        let unwrapped_key_4 = ctx.unwrap_symmetric_key(key_xchacha_3_id, key_xchacha_4_id, &wrapped_key_3_4).unwrap();
+
+        // Assert that the unwrapped keys are the same as the original keys
+        assert_eq!(unwrapped_key_2, key_aes_2_id);
+        assert_eq!(unwrapped_key_3, key_xchacha_3_id);
+        assert_eq!(unwrapped_key_1, key_aes_1_id);
+        assert_eq!(unwrapped_key_4, key_xchacha_4_id);
+    }
 }