Merge branch 'main' of github.com:bitwarden/sdk-internal into arch/more-uuids

# Conflicts:
#	crates/bitwarden-core/src/key_management/crypto.rs

Author: Hinton

.github/CODEOWNERS

@@ -9,6 +9,9 @@
 
 crates/bitwarden-vault/** @bitwarden/team-vault-dev @bitwarden/team-platform-dev
 
+# Temporarily owned by multiple teams
+/crates/bitwarden-crypto/ @bitwarden/team-platform-dev @bitwarden/dept-architecture @bitwarden/team-key-management-dev
+
 # BRE for publish workflow changes
 .github/workflows/publish-*.yml @bitwarden/dept-bre
 .github/workflows/release-rust-crates.yml @bitwarden/dept-bre

.github/workflows/lint.yml

@@ -6,6 +6,8 @@ on:
     branches: ["main"]
   pull_request:
 
+permissions: {}
+
 env:
   CARGO_TERM_COLOR: always
 
@@ -15,6 +17,10 @@ jobs:
 
     runs-on: ubuntu-24.04
 
+    permissions:
+      contents: read
+      security-events: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -54,7 +60,7 @@ jobs:
         run: cargo install clippy-sarif sarif-fmt --locked --git https://github.com/psastras/sarif-rs.git --rev 11c33a53f6ffeaed736856b86fb6b7b09fabdfd8
 
       - name: Cargo clippy-sarif
-        run: cargo clippy --all-features --tests --message-format=json |
+        run: cargo clippy --all-features --all-targets --message-format=json |
           clippy-sarif | tee clippy_result.sarif | sarif-fmt
         env:
           RUSTFLAGS: "-D warnings"
@@ -70,7 +76,7 @@ jobs:
       # status code of the command is caught and reported as failed in GitHub.
       # This should be cached from the previous step and should be fast.
       - name: Cargo clippy
-        run: cargo clippy --all-features --tests
+        run: cargo clippy --all-features --all-targets
         env:
           RUSTFLAGS: "-D warnings"
 

Cargo.lock

@@ -144,7 +144,7 @@ export RUSTFLAGS="-D warnings"
 
 cargo +nightly fmt --check
 cargo +nightly udeps --workspace --all-features
-cargo clippy --all-features --tests
+cargo clippy --all-features --all-targets
 cargo sort --workspace --check
 npm run lint
 ```

README.md

@@ -1,7 +1,7 @@
 use base64::{engine::general_purpose::STANDARD, Engine};
 use bitwarden_crypto::{
     fingerprint, generate_random_alphanumeric, AsymmetricCryptoKey, AsymmetricPublicCryptoKey,
-    CryptoError, UnsignedSharedKey,
+    CryptoError, PublicKeyEncryptionAlgorithm, UnsignedSharedKey,
 };
 #[cfg(feature = "internal")]
 use bitwarden_crypto::{EncString, SymmetricCryptoKey};
@@ -31,11 +31,9 @@ pub struct AuthRequestResponse {
 /// to another device. Where the user confirms the validity by confirming the fingerprint. The user
 /// key is then encrypted using the public key and returned to the initiating device.
 pub(crate) fn new_auth_request(email: &str) -> Result<AuthRequestResponse, CryptoError> {
-    let mut rng = rand::thread_rng();
+    let key = AsymmetricCryptoKey::make(PublicKeyEncryptionAlgorithm::RsaOaepSha1);
 
-    let key = AsymmetricCryptoKey::generate(&mut rng);
-
-    let spki = key.to_public_der()?;
+    let spki = key.to_public_key().to_der()?;
 
     let fingerprint = fingerprint(email, &spki)?;
     let b64 = STANDARD.encode(&spki);
@@ -124,7 +122,7 @@ fn test_auth_request() {
 
     let encrypted = UnsignedSharedKey::encapsulate_key_unsigned(
         &SymmetricCryptoKey::try_from(secret.clone()).unwrap(),
-        &private_key,
+        &private_key.to_public_key(),
     )
     .unwrap();
 
@@ -165,7 +163,7 @@ mod tests {
         let private_key ="2.yN7l00BOlUE0Sb0M//Q53w==|EwKG/BduQRQ33Izqc/ogoBROIoI5dmgrxSo82sgzgAMIBt3A2FZ9vPRMY+GWT85JiqytDitGR3TqwnFUBhKUpRRAq4x7rA6A1arHrFp5Tp1p21O3SfjtvB3quiOKbqWk6ZaU1Np9HwqwAecddFcB0YyBEiRX3VwF2pgpAdiPbSMuvo2qIgyob0CUoC/h4Bz1be7Qa7B0Xw9/fMKkB1LpOm925lzqosyMQM62YpMGkjMsbZz0uPopu32fxzDWSPr+kekNNyLt9InGhTpxLmq1go/pXR2uw5dfpXc5yuta7DB0EGBwnQ8Vl5HPdDooqOTD9I1jE0mRyuBpWTTI3FRnu3JUh3rIyGBJhUmHqGZvw2CKdqHCIrQeQkkEYqOeJRJVdBjhv5KGJifqT3BFRwX/YFJIChAQpebNQKXe/0kPivWokHWwXlDB7S7mBZzhaAPidZvnuIhalE2qmTypDwHy22FyqV58T8MGGMchcASDi/QXI6kcdpJzPXSeU9o+NC68QDlOIrMVxKFeE7w7PvVmAaxEo0YwmuAzzKy9QpdlK0aab/xEi8V4iXj4hGepqAvHkXIQd+r3FNeiLfllkb61p6WTjr5urcmDQMR94/wYoilpG5OlybHdbhsYHvIzYoLrC7fzl630gcO6t4nM24vdB6Ymg9BVpEgKRAxSbE62Tqacxqnz9AcmgItb48NiR/He3n3ydGjPYuKk/ihZMgEwAEZvSlNxYONSbYrIGDtOY+8Nbt6KiH3l06wjZW8tcmFeVlWv+tWotnTY9IqlAfvNVTjtsobqtQnvsiDjdEVtNy/s2ci5TH+NdZluca2OVEr91Wayxh70kpM6ib4UGbfdmGgCo74gtKvKSJU0rTHakQ5L9JlaSDD5FamBRyI0qfL43Ad9qOUZ8DaffDCyuaVyuqk7cz9HwmEmvWU3VQ+5t06n/5kRDXttcw8w+3qClEEdGo1KeENcnXCB32dQe3tDTFpuAIMLqwXs6FhpawfZ5kPYvLPczGWaqftIs/RXJ/EltGc0ugw2dmTLpoQhCqrcKEBDoYVk0LDZKsnzitOGdi9mOWse7Se8798ib1UsHFUjGzISEt6upestxOeupSTOh0v4+AjXbDzRUyogHww3V+Bqg71bkcMxtB+WM+pn1XNbVTyl9NR040nhP7KEf6e9ruXAtmrBC2ah5cFEpLIot77VFZ9ilLuitSz+7T8n1yAh1IEG6xxXxninAZIzi2qGbH69O5RSpOJuJTv17zTLJQIIc781JwQ2TTwTGnx5wZLbffhCasowJKd2EVcyMJyhz6ru0PvXWJ4hUdkARJs3Xu8dus9a86N8Xk6aAPzBDqzYb1vyFIfBxP0oO8xFHgd30Cgmz8UrSE3qeWRrF8ftrI6xQnFjHBGWD/JWSvd6YMcQED0aVuQkuNW9ST/DzQThPzRfPUoiL10yAmV7Ytu4fR3x2sF0Yfi87YhHFuCMpV/DsqxmUizyiJuD938eRcH8hzR/VO53Qo3UIsqOLcyXtTv6THjSlTopQ+JOLOnHm1w8dzYbLN44OG44rRsbihMUQp+wUZ6bsI8rrOnm9WErzkbQFbrfAINdoCiNa6cimYIjvvnMTaFWNymqY1vZxGztQiMiHiHYwTfwHTXrb9j0uPM=|09J28iXv9oWzYtzK2LBT6Yht4IT4MijEkk0fwFdrVQ4=".parse().unwrap();
         client
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key, private_key)
+            .initialize_user_crypto_master_key(master_key, user_key, private_key, None)
             .unwrap();
 
         let public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvyLRDUwXB4BfQ507D4meFPmwn5zwy3IqTPJO4plrrhnclWahXa240BzyFW9gHgYu+Jrgms5xBfRTBMcEsqqNm7+JpB6C1B6yvnik0DpJgWQw1rwvy4SUYidpR/AWbQi47n/hvnmzI/sQxGddVfvWu1iTKOlf5blbKYAXnUE5DZBGnrWfacNXwRRdtP06tFB0LwDgw+91CeLSJ9py6dm1qX5JIxoO8StJOQl65goLCdrTWlox+0Jh4xFUfCkb+s3px+OhSCzJbvG/hlrSRcUz5GnwlCEyF3v5lfUtV96MJD+78d8pmH6CfFAp2wxKRAbGdk+JccJYO6y6oIXd3Fm7twIDAQAB";
@@ -232,7 +230,7 @@ mod tests {
 
         existing_device
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key, private_key.clone())
+            .initialize_user_crypto_master_key(master_key, user_key, private_key.clone(), None)
             .unwrap();
 
         // Initialize a new device which will request to be logged in
@@ -250,6 +248,7 @@ mod tests {
                 kdf_params: kdf,
                 email: email.to_owned(),
                 private_key,
+                signing_key: None,
                 method: InitUserCryptoMethod::AuthRequest {
                     request_private_key: auth_req.private_key,
                     method: AuthRequestMethod::UserKey {

crates/bitwarden-core/src/auth/auth_request.rs

@@ -51,9 +51,12 @@ pub(crate) async fn login_api_key(
         let user_key: EncString = require!(r.key.as_deref()).parse()?;
         let private_key: EncString = require!(r.private_key.as_deref()).parse()?;
 
-        client
-            .internal
-            .initialize_user_crypto_master_key(master_key, user_key, private_key)?;
+        client.internal.initialize_user_crypto_master_key(
+            master_key,
+            user_key,
+            private_key,
+            None,
+        )?;
     }
 
     Ok(ApiKeyLoginResponse::process_response(response))

crates/bitwarden-core/src/auth/login/api_key.rs

@@ -120,6 +120,7 @@ pub(crate) async fn complete_auth_request(
                 kdf_params: kdf,
                 email: auth_req.email,
                 private_key: require!(r.private_key).parse()?,
+                signing_key: None,
                 method: InitUserCryptoMethod::AuthRequest {
                     request_private_key: auth_req.private_key,
                     method,

crates/bitwarden-core/src/auth/login/auth_request.rs

@@ -50,9 +50,12 @@ pub(crate) async fn login_password(
         let user_key: EncString = require!(r.key.as_deref()).parse()?;
         let private_key: EncString = require!(r.private_key.as_deref()).parse()?;
 
-        client
-            .internal
-            .initialize_user_crypto_master_key(master_key, user_key, private_key)?;
+        client.internal.initialize_user_crypto_master_key(
+            master_key,
+            user_key,
+            private_key,
+            None,
+        )?;
     }
 
     Ok(PasswordLoginResponse::process_response(response))

crates/bitwarden-core/src/auth/login/password.rs

@@ -140,7 +140,12 @@ mod tests {
 
         client
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
+            .initialize_user_crypto_master_key(
+                master_key,
+                user_key.parse().unwrap(),
+                private_key,
+                None,
+            )
             .unwrap();
 
         let result =
@@ -183,7 +188,12 @@ mod tests {
 
         client
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
+            .initialize_user_crypto_master_key(
+                master_key,
+                user_key.parse().unwrap(),
+                private_key,
+                None,
+            )
             .unwrap();
 
         let result =

crates/bitwarden-core/src/auth/password/validate.rs

@@ -75,7 +75,12 @@ mod tests {
 
         client
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
+            .initialize_user_crypto_master_key(
+                master_key,
+                user_key.parse().unwrap(),
+                private_key,
+                None,
+            )
             .unwrap();
 
         client