Implement purecrypto functions, fingerprints, and signing key initialization

Author: quexten

Cargo.lock

@@ -8,8 +8,7 @@ use std::collections::HashMap;
 
 use base64::{engine::general_purpose::STANDARD, Engine};
 use bitwarden_crypto::{
-    AsymmetricCryptoKey, CryptoError, EncString, Kdf, KeyDecryptable, KeyEncryptable, MasterKey,
-    SigningKey, SymmetricCryptoKey, UnsignedSharedKey, UserKey,
+    AsymmetricCryptoKey, AsymmetricPublicCryptoKey, CryptoError, EncString, Kdf, KeyDecryptable, KeyEncryptable, MasterKey, SignatureAlgorithm, SignedPublicKeyOwnershipClaim, SigningKey, SymmetricCryptoKey, UnsignedSharedKey, UserKey
 };
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -18,7 +17,7 @@ use {tsify_next::Tsify, wasm_bindgen::prelude::*};
 
 use crate::{
     client::{encryption_settings::EncryptionSettingsError, LoginMethod, UserLoginMethod},
-    key_management::SymmetricKeyId,
+    key_management::{AsymmetricKeyId, SymmetricKeyId},
     Client, NotAuthenticatedError, VaultLockedError, WrongPasswordError,
 };
 
@@ -558,27 +557,47 @@ pub(super) fn verify_asymmetric_keys(
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
 #[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
 #[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
-pub struct MakeSigningKeysResponse {
+pub struct MakeUserSigningKeysResponse {
     /// The verifying key
     verifying_key: String,
     /// Signing key, encrypted with a symmetric key (user key, org key)
     signing_key: EncString,
+
+    /// A signed object claiming ownership of a public key. This ties the public key to the signature key
+    signed_public_key_ownership_claim: String,
 }
 
-pub fn make_signing_keys(wrapping_key: String) -> Result<MakeSigningKeysResponse, CryptoError> {
-    let wrapping_key = SymmetricCryptoKey::try_from(wrapping_key)?;
+/// Makes a new set of signing keys for a user. This also creates a signed public-key ownership claim for the currently used public key.
+#[allow(deprecated)]
+pub fn make_user_signing_keys(client: &Client) -> Result<MakeUserSigningKeysResponse, CryptoError> {
+    let key_store = client.internal.get_key_store();
+    let ctx = key_store.context();
+    let public_key = ctx
+        .dangerous_get_asymmetric_key(AsymmetricKeyId::UserPrivateKey)
+        .map_err(|_| CryptoError::InvalidKey)?
+        .to_public_der()?;
+    let public_key = AsymmetricPublicCryptoKey::from_der(&public_key)
+        .map_err(|_| CryptoError::InvalidKey)?;
+
+    let wrapping_key = ctx
+        .dangerous_get_symmetric_key(SymmetricKeyId::User)
+        .map_err(|_| CryptoError::InvalidKey)?;
     let signature_keypair = SigningKey::make_ed25519().unwrap();
     // This needs to be changed to use the correct cose content format before rolling out to real
     // accounts
     let encrypted_signing_key = signature_keypair
-        .to_cose()?
-        .encrypt_with_key(&wrapping_key)?;
+        .to_cose()?;
     let serialized_verifying_key = signature_keypair.to_verifying_key().to_cose()?;
     let serialized_verifying_key_b64 = STANDARD.encode(serialized_verifying_key);
+    let signed_public_key_ownership_claim = SignedPublicKeyOwnershipClaim::make_claim_with_key(
+        &public_key,
+        &signature_keypair,
+    )?;
 
-    Ok(MakeSigningKeysResponse {
+    Ok(MakeUserSigningKeysResponse {
         verifying_key: serialized_verifying_key_b64,
-        signing_key: encrypted_signing_key,
+        signing_key: encrypted_signing_key.encrypt_with_key(wrapping_key)?,
+        signed_public_key_ownership_claim: STANDARD.encode(signed_public_key_ownership_claim.as_bytes()),
     })
 }
 
@@ -867,14 +886,6 @@ mod tests {
         assert!(!private_key.is_empty());
     }
 
-    #[test]
-    fn test_make_signing_keys() {
-        let user_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
-        let response = make_signing_keys(user_key.to_base64()).unwrap();
-        assert!(!response.verifying_key.is_empty());
-        let _: Vec<u8> = response.signing_key.decrypt_with_key(&user_key).unwrap();
-    }
-
     #[test]
     fn test_verify_asymmetric_keys_success() {
         let (user_key, key_pair) = setup_asymmetric_keys_test();

crates/bitwarden-core/src/mobile/crypto.rs

@@ -3,9 +3,9 @@ use bitwarden_crypto::CryptoError;
 use bitwarden_crypto::{EncString, UnsignedSharedKey};
 
 use super::crypto::{
-    derive_key_connector, make_key_pair, make_signing_keys, verify_asymmetric_keys,
+    derive_key_connector, make_key_pair, make_user_signing_keys, verify_asymmetric_keys,
     DeriveKeyConnectorError, DeriveKeyConnectorRequest, EnrollAdminPasswordResetError,
-    MakeKeyPairResponse, MakeSigningKeysResponse, MobileCryptoError, VerifyAsymmetricKeysRequest,
+    MakeKeyPairResponse, MakeUserSigningKeysResponse, MobileCryptoError, VerifyAsymmetricKeysRequest,
     VerifyAsymmetricKeysResponse,
 };
 #[cfg(feature = "internal")]
@@ -105,9 +105,8 @@ impl CryptoClient {
 
     pub fn make_signing_keys(
         &self,
-        wrapping_key: String,
-    ) -> Result<MakeSigningKeysResponse, CryptoError> {
-        make_signing_keys(wrapping_key)
+    ) -> Result<MakeUserSigningKeysResponse, CryptoError> {
+        make_user_signing_keys(&self.client)
     }
 }
 

crates/bitwarden-core/src/mobile/crypto_client.rs

@@ -46,6 +46,7 @@ rayon = ">=1.8.1, <2.0"
 rsa = ">=0.9.2, <0.10"
 schemars = { workspace = true }
 serde = { workspace = true }
+serde_bytes = "0.11.17"
 sha1 = ">=0.10.5, <0.11"
 sha2 = ">=0.10.6, <0.11"
 subtle = ">=2.5.0, <3.0"

crates/bitwarden-crypto/Cargo.toml

@@ -62,6 +62,9 @@ pub enum CryptoError {
 
     #[error("Invalid namespace")]
     InvalidNamespace,
+
+    #[error("Invalid encoding")]
+    InvalidEncoding,
 }
 
 #[derive(Debug, Error)]

crates/bitwarden-crypto/src/error.rs

@@ -1,8 +1,8 @@
 use std::pin::Pin;
 
-use rsa::{pkcs8::DecodePublicKey, RsaPrivateKey, RsaPublicKey};
+use rsa::{pkcs8::DecodePublicKey, traits::PublicKeyParts, RsaPrivateKey, RsaPublicKey};
 
-use super::key_encryptable::CryptoKey;
+use super::{fingerprint::FingerprintableKey, key_encryptable::CryptoKey};
 use crate::error::{CryptoError, Result};
 
 /// Trait to allow both [`AsymmetricCryptoKey`] and [`AsymmetricPublicCryptoKey`] to be used to
@@ -34,6 +34,15 @@ impl AsymmetricEncryptable for AsymmetricPublicCryptoKey {
     }
 }
 
+impl FingerprintableKey for AsymmetricPublicCryptoKey {
+    fn fingerprint_parts(&self) -> Vec<Vec<u8>> {
+        vec![
+            self.key.n().to_bytes_le().as_slice().to_vec(),
+            self.key.e().to_bytes_le().as_slice().to_vec(),
+        ]
+    }
+}
+
 /// An asymmetric encryption key. Contains both the public and private key. Can be used to both
 /// encrypt and decrypt [`UnsignedSharedKey`](crate::UnsignedSharedKey).
 #[derive(Clone)]