Skip to content

[PM-20361] Signature keys #207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 66 commits into
base: main
Choose a base branch
from
Open

[PM-20361] Signature keys #207

Show file tree
Hide file tree
Changes from 27 commits
Commits
Show all changes
66 commits
Select commit Hold shift + click to select a range
c9b80df
Implement signing keys and signing
quexten May 6, 2025
2ad9f59
Remove unused code
quexten May 6, 2025
b0c3dae
Add test vector
quexten May 6, 2025
2e8bd92
Cargo fmt
quexten May 6, 2025
f7f1e2e
Make ed25519 dependency version a range
quexten May 7, 2025
6deb284
Add signed object
quexten May 12, 2025
f42f719
Merge branch 'main' into km/cose-signatures
quexten May 13, 2025
61496cc
Merge branch 'main' into km/cose-signatures
quexten May 19, 2025
8354476
Replace magic value
quexten May 19, 2025
04d5329
Clean up crate::error reference
quexten May 19, 2025
efd23cc
Add comments to signing and verifying key
quexten May 19, 2025
d6737cf
Move and clarify comment, drop optional verifying key from signing key
quexten May 19, 2025
d2b829b
Change comment into docs
quexten May 19, 2025
9484a64
Move signature errors to separate enum
quexten May 20, 2025
7e39e9c
Update test vectors
quexten May 20, 2025
a37f3e1
Format
quexten May 20, 2025
e1642b6
[PM-20361] Expose signing key generation to mobile and wasm clients &โ€ฆ
quexten May 21, 2025
6c725d2
Remove incorrect login response change
quexten May 21, 2025
fc895d8
Fix comment
quexten May 21, 2025
0e33fee
Cleanup
quexten May 21, 2025
6308cc5
Add comments
quexten May 21, 2025
971eb17
Cleanup
quexten May 21, 2025
12387f8
Remove unrelated change
quexten May 21, 2025
f3eb525
Cleanup
quexten May 21, 2025
d6bbae0
Fix init
quexten May 21, 2025
2ab6620
Cleanup
quexten May 21, 2025
17e0a07
Fix sorting of dependencies
quexten May 21, 2025
8c9f00f
Attempt to fix build
quexten May 21, 2025
06b26ba
Add more default nil values for signing key to fix ios build
quexten May 21, 2025
a2e95e7
Fix docs
quexten May 21, 2025
e6ab5ef
Fix build
quexten May 21, 2025
4842309
Fix doc
quexten May 21, 2025
0e3bcb6
Merge branch 'main' into km/cose-signatures
quexten May 21, 2025
d6e6e99
Add tests to purecrypto
quexten May 21, 2025
0578743
Remove code to make test vectors
quexten May 21, 2025
4182ad4
Merge branch 'km/cose-signatures' of github.com:bitwarden/sdk-internaโ€ฆ
quexten May 21, 2025
38ec3eb
Cleanup
quexten May 21, 2025
4467b0d
Fix docs
quexten May 21, 2025
e373638
Merge branch 'main' into km/cose-signatures
quexten May 21, 2025
d17399d
Split up and simplify
quexten May 28, 2025
26bf715
Undo renames
quexten May 28, 2025
5846dbc
Undo changes
quexten May 28, 2025
d466ec7
Add examples
quexten May 28, 2025
b27ddf4
Cargo fmt
quexten May 28, 2025
5733baa
Fix build
quexten May 28, 2025
beb1251
Add comment
quexten May 28, 2025
af72a87
Address formatting issue
quexten May 28, 2025
bf9bea2
Merge branch 'main' into km/cose-signatures
quexten May 28, 2025
f18512c
Fix build
quexten May 28, 2025
17f8d09
Add signed public key test
quexten May 28, 2025
a8c6fa5
Cleanup
quexten May 28, 2025
55ddd0b
Add comment
quexten May 28, 2025
053d894
Cargo fmt
quexten May 28, 2025
c520046
Cleanup
quexten May 28, 2025
740584a
Cleanup
quexten May 29, 2025
621374d
Move in deprecated annotation
quexten May 29, 2025
d9c224b
Remove allow
quexten May 29, 2025
7717633
Cleanup
quexten May 29, 2025
6d8db7c
Clean up comment
quexten May 29, 2025
1236426
Cargo fmt
quexten May 29, 2025
ec2b153
Remove zeroize and pin signing key
quexten May 29, 2025
b738834
Fix build and impl zeroizeOnDrop for signingkey
quexten May 29, 2025
863ba33
Remove unused error
quexten May 29, 2025
8e61453
Add comment with link to follow-up task
quexten May 29, 2025
0bd07ce
Remove unnecessary pub(self)
quexten May 29, 2025
6475c07
Merge branch 'main' into km/cose-signatures
quexten May 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 28 additions & 12 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 8 additions & 2 deletions crates/bitwarden-core/src/auth/auth_request.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,7 @@ mod tests {
let private_key ="2.yN7l00BOlUE0Sb0M//Q53w==|EwKG/BduQRQ33Izqc/ogoBROIoI5dmgrxSo82sgzgAMIBt3A2FZ9vPRMY+GWT85JiqytDitGR3TqwnFUBhKUpRRAq4x7rA6A1arHrFp5Tp1p21O3SfjtvB3quiOKbqWk6ZaU1Np9HwqwAecddFcB0YyBEiRX3VwF2pgpAdiPbSMuvo2qIgyob0CUoC/h4Bz1be7Qa7B0Xw9/fMKkB1LpOm925lzqosyMQM62YpMGkjMsbZz0uPopu32fxzDWSPr+kekNNyLt9InGhTpxLmq1go/pXR2uw5dfpXc5yuta7DB0EGBwnQ8Vl5HPdDooqOTD9I1jE0mRyuBpWTTI3FRnu3JUh3rIyGBJhUmHqGZvw2CKdqHCIrQeQkkEYqOeJRJVdBjhv5KGJifqT3BFRwX/YFJIChAQpebNQKXe/0kPivWokHWwXlDB7S7mBZzhaAPidZvnuIhalE2qmTypDwHy22FyqV58T8MGGMchcASDi/QXI6kcdpJzPXSeU9o+NC68QDlOIrMVxKFeE7w7PvVmAaxEo0YwmuAzzKy9QpdlK0aab/xEi8V4iXj4hGepqAvHkXIQd+r3FNeiLfllkb61p6WTjr5urcmDQMR94/wYoilpG5OlybHdbhsYHvIzYoLrC7fzl630gcO6t4nM24vdB6Ymg9BVpEgKRAxSbE62Tqacxqnz9AcmgItb48NiR/He3n3ydGjPYuKk/ihZMgEwAEZvSlNxYONSbYrIGDtOY+8Nbt6KiH3l06wjZW8tcmFeVlWv+tWotnTY9IqlAfvNVTjtsobqtQnvsiDjdEVtNy/s2ci5TH+NdZluca2OVEr91Wayxh70kpM6ib4UGbfdmGgCo74gtKvKSJU0rTHakQ5L9JlaSDD5FamBRyI0qfL43Ad9qOUZ8DaffDCyuaVyuqk7cz9HwmEmvWU3VQ+5t06n/5kRDXttcw8w+3qClEEdGo1KeENcnXCB32dQe3tDTFpuAIMLqwXs6FhpawfZ5kPYvLPczGWaqftIs/RXJ/EltGc0ugw2dmTLpoQhCqrcKEBDoYVk0LDZKsnzitOGdi9mOWse7Se8798ib1UsHFUjGzISEt6upestxOeupSTOh0v4+AjXbDzRUyogHww3V+Bqg71bkcMxtB+WM+pn1XNbVTyl9NR040nhP7KEf6e9ruXAtmrBC2ah5cFEpLIot77VFZ9ilLuitSz+7T8n1yAh1IEG6xxXxninAZIzi2qGbH69O5RSpOJuJTv17zTLJQIIc781JwQ2TTwTGnx5wZLbffhCasowJKd2EVcyMJyhz6ru0PvXWJ4hUdkARJs3Xu8dus9a86N8Xk6aAPzBDqzYb1vyFIfBxP0oO8xFHgd30Cgmz8UrSE3qeWRrF8ftrI6xQnFjHBGWD/JWSvd6YMcQED0aVuQkuNW9ST/DzQThPzRfPUoiL10yAmV7Ytu4fR3x2sF0Yfi87YhHFuCMpV/DsqxmUizyiJuD938eRcH8hzR/VO53Qo3UIsqOLcyXtTv6THjSlTopQ+JOLOnHm1w8dzYbLN44OG44rRsbihMUQp+wUZ6bsI8rrOnm9WErzkbQFbrfAINdoCiNa6cimYIjvvnMTaFWNymqY1vZxGztQiMiHiHYwTfwHTXrb9j0uPM=|09J28iXv9oWzYtzK2LBT6Yht4IT4MijEkk0fwFdrVQ4=".parse().unwrap();
client
.internal
.initialize_user_crypto_master_key(master_key, user_key, private_key)
.initialize_user_crypto_master_key(master_key, user_key, private_key, None)
.unwrap();

let public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvyLRDUwXB4BfQ507D4meFPmwn5zwy3IqTPJO4plrrhnclWahXa240BzyFW9gHgYu+Jrgms5xBfRTBMcEsqqNm7+JpB6C1B6yvnik0DpJgWQw1rwvy4SUYidpR/AWbQi47n/hvnmzI/sQxGddVfvWu1iTKOlf5blbKYAXnUE5DZBGnrWfacNXwRRdtP06tFB0LwDgw+91CeLSJ9py6dm1qX5JIxoO8StJOQl65goLCdrTWlox+0Jh4xFUfCkb+s3px+OhSCzJbvG/hlrSRcUz5GnwlCEyF3v5lfUtV96MJD+78d8pmH6CfFAp2wxKRAbGdk+JccJYO6y6oIXd3Fm7twIDAQAB";
Expand Down Expand Up @@ -229,7 +229,12 @@ mod tests {

existing_device
.internal
.initialize_user_crypto_master_key(master_key, user_key, private_key.parse().unwrap())
.initialize_user_crypto_master_key(
master_key,
user_key,
private_key.parse().unwrap(),
None,
)
.unwrap();

// Initialize a new device which will request to be logged in
Expand All @@ -246,6 +251,7 @@ mod tests {
kdf_params: kdf,
email: email.to_owned(),
private_key: private_key.to_owned(),
signing_key: None,
method: InitUserCryptoMethod::AuthRequest {
request_private_key: auth_req.private_key,
method: AuthRequestMethod::UserKey {
Expand Down
9 changes: 6 additions & 3 deletions crates/bitwarden-core/src/auth/login/api_key.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,9 +51,12 @@
let user_key: EncString = require!(r.key.as_deref()).parse()?;
let private_key: EncString = require!(r.private_key.as_deref()).parse()?;

client
.internal
.initialize_user_crypto_master_key(master_key, user_key, private_key)?;
client.internal.initialize_user_crypto_master_key(
master_key,
user_key,
private_key,
None,
)?;

Check warning on line 59 in crates/bitwarden-core/src/auth/login/api_key.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/login/api_key.rs#L54-L59 

Added lines #L54 - L59 were not covered by tests
}

Ok(ApiKeyLoginResponse::process_response(response))
Expand Down
1 change: 1 addition & 0 deletions crates/bitwarden-core/src/auth/login/auth_request.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,7 @@
kdf_params: kdf,
email: auth_req.email,
private_key: require!(r.private_key),
signing_key: None,

Check warning on line 121 in crates/bitwarden-core/src/auth/login/auth_request.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/login/auth_request.rs#L121 

Added line #L121 was not covered by tests
method: InitUserCryptoMethod::AuthRequest {
request_private_key: auth_req.private_key,
method,
Expand Down
9 changes: 6 additions & 3 deletions crates/bitwarden-core/src/auth/login/password.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,12 @@
let user_key: EncString = require!(r.key.as_deref()).parse()?;
let private_key: EncString = require!(r.private_key.as_deref()).parse()?;

client
.internal
.initialize_user_crypto_master_key(master_key, user_key, private_key)?;
client.internal.initialize_user_crypto_master_key(
master_key,
user_key,
private_key,
None,
)?;

Check warning on line 61 in crates/bitwarden-core/src/auth/login/password.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/login/password.rs#L56-L61 

Added lines #L56 - L61 were not covered by tests
}

Ok(PasswordLoginResponse::process_response(response))
Expand Down
14 changes: 12 additions & 2 deletions crates/bitwarden-core/src/auth/password/validate.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,12 @@ mod tests {

client
.internal
.initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
.initialize_user_crypto_master_key(
master_key,
user_key.parse().unwrap(),
private_key,
None,
)
.unwrap();

let result =
Expand Down Expand Up @@ -183,7 +188,12 @@ mod tests {

client
.internal
.initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
.initialize_user_crypto_master_key(
master_key,
user_key.parse().unwrap(),
private_key,
None,
)
.unwrap();

let result =
Expand Down
7 changes: 6 additions & 1 deletion crates/bitwarden-core/src/auth/pin.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,12 @@ mod tests {

client
.internal
.initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
.initialize_user_crypto_master_key(
master_key,
user_key.parse().unwrap(),
private_key,
None,
)
.unwrap();

client
Expand Down
8 changes: 5 additions & 3 deletions crates/bitwarden-core/src/auth/tde.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,9 +37,11 @@
kdf: Kdf::default(),
},
));
client
.internal
.initialize_user_crypto_decrypted_key(user_key.0, key_pair.private.clone())?;
client.internal.initialize_user_crypto_decrypted_key(
user_key.0,
key_pair.private.clone(),
None,
)?;

Check warning on line 44 in crates/bitwarden-core/src/auth/tde.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/auth/tde.rs#L40-L44 

Added lines #L40 - L44 were not covered by tests

Ok(RegisterTdeKeyResponse {
private_key: key_pair.private,
Expand Down
22 changes: 17 additions & 5 deletions crates/bitwarden-core/src/client/encryption_settings.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,11 @@
use bitwarden_crypto::{AsymmetricCryptoKey, KeyStore, SymmetricCryptoKey};
#[cfg(feature = "internal")]
use bitwarden_crypto::{EncString, UnsignedSharedKey};
use bitwarden_crypto::{EncString, KeyStore, SymmetricCryptoKey, UnsignedSharedKey};
use bitwarden_error::bitwarden_error;
use thiserror::Error;
use uuid::Uuid;

use crate::{
key_management::{AsymmetricKeyId, KeyIds, SymmetricKeyId},
key_management::{KeyIds, SymmetricKeyId},
MissingPrivateKeyError, VaultLockedError,
};

Expand Down Expand Up @@ -40,12 +39,13 @@
pub(crate) fn new_decrypted_key(
user_key: SymmetricCryptoKey,
private_key: EncString,
signing_key: Option<EncString>,
store: &KeyStore<KeyIds>,
) -> Result<(), EncryptionSettingsError> {
use bitwarden_crypto::KeyDecryptable;
use bitwarden_crypto::{AsymmetricCryptoKey, KeyDecryptable, SigningKey};
use log::warn;

use crate::key_management::{AsymmetricKeyId, SymmetricKeyId};
use crate::key_management::{AsymmetricKeyId, SigningKeyId, SymmetricKeyId};

let private_key = {
let dec: Vec<u8> = private_key.decrypt_with_key(&user_key)?;
Expand All @@ -63,6 +63,12 @@
// .map_err(|_| EncryptionSettingsError::InvalidPrivateKey)?,
// )
};
let signing_key = signing_key
.map(|key| {
let dec: Vec<u8> = key.decrypt_with_key(&user_key)?;
SigningKey::from_cose(dec.as_slice())

Check warning on line 69 in crates/bitwarden-core/src/client/encryption_settings.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/client/encryption_settings.rs#L68-L69 

Added lines #L68 - L69 were not covered by tests
})
.transpose()?;

// FIXME: [PM-18098] When this is part of crypto we won't need to use deprecated methods
#[allow(deprecated)]
Expand All @@ -72,6 +78,10 @@
if let Some(private_key) = private_key {
ctx.set_asymmetric_key(AsymmetricKeyId::UserPrivateKey, private_key)?;
}

if let Some(signing_key) = signing_key {
ctx.set_signing_key(SigningKeyId::UserSigningKey, signing_key)?;

Check warning on line 83 in crates/bitwarden-core/src/client/encryption_settings.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-core/src/client/encryption_settings.rs#L83 

Added line #L83 was not covered by tests
}
}

Ok(())
Expand All @@ -98,6 +108,8 @@
org_enc_keys: Vec<(Uuid, UnsignedSharedKey)>,
store: &KeyStore<KeyIds>,
) -> Result<(), EncryptionSettingsError> {
use crate::key_management::AsymmetricKeyId;

let mut ctx = store.context_mut();

// FIXME: [PM-11690] - Early abort to handle private key being corrupt
Expand Down
Loading
Loading