[PM-27230] Introduce Account Cryptographic State

crates/bitwarden-collections/src/collection.rs

@@ -152,7 +152,7 @@ impl From<bitwarden_api_api::models::CollectionType> for CollectionType {
 #[cfg(test)]
 mod tests {
     use bitwarden_core::key_management::{KeyIds, SymmetricKeyId};
-    use bitwarden_crypto::{KeyStore, PrimitiveEncryptable, SymmetricCryptoKey};
+    use bitwarden_crypto::{KeyStore, PrimitiveEncryptable, SymmetricKeyAlgorithm};
 
     use super::*;
 
@@ -162,14 +162,14 @@ mod tests {
     // Helper function to create a test key store with a symmetric key
     fn create_test_key_store() -> KeyStore<KeyIds> {
         let store = KeyStore::<KeyIds>::default();
-        let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
         let org_id = ORGANIZATION_ID.parse().unwrap();
 
-        #[allow(deprecated)]
-        store
-            .context_mut()
-            .set_symmetric_key(SymmetricKeyId::Organization(org_id), key)
+        let mut ctx = store.context_mut();
+
+        let local_key_id = ctx.make_symmetric_key(SymmetricKeyAlgorithm::Aes256CbcHmac);
+        ctx.persist_symmetric_key(local_key_id, SymmetricKeyId::Organization(org_id))
             .unwrap();
+        drop(ctx);
 
         store
     }

crates/bitwarden-core/src/auth/auth_request.rs

@@ -112,9 +112,9 @@ mod tests {
     use super::*;
     use crate::{
         UserId,
-        client::internal::UserKeyState,
         key_management::{
             SymmetricKeyId,
+            account_cryptographic_state::WrappedUserAccountCryptographicState,
             crypto::{AuthRequestMethod, InitUserCryptoMethod, InitUserCryptoRequest},
         },
     };
@@ -165,11 +165,7 @@ mod tests {
             .initialize_user_crypto_master_key(
                 master_key,
                 user_key,
-                UserKeyState {
-                    private_key,
-                    signing_key: None,
-                    security_state: None,
-                },
+                WrappedUserAccountCryptographicState::V1 { private_key },
             )
             .unwrap();
 
@@ -240,10 +236,8 @@ mod tests {
             .initialize_user_crypto_master_key(
                 master_key,
                 user_key,
-                UserKeyState {
+                WrappedUserAccountCryptographicState::V1 {
                     private_key: private_key.clone(),
-                    signing_key: None,
-                    security_state: None,
                 },
             )
             .unwrap();
@@ -262,9 +256,9 @@ mod tests {
                 user_id: Some(UserId::new_v4()),
                 kdf_params: kdf,
                 email: email.to_owned(),
-                private_key,
-                signing_key: None,
-                security_state: None,
+                account_cryptographic_state: WrappedUserAccountCryptographicState::V1 {
+                    private_key,
+                },
                 method: InitUserCryptoMethod::AuthRequest {
                     request_private_key: auth_req.private_key,
                     method: AuthRequestMethod::UserKey {

crates/bitwarden-core/src/auth/login/api_key.rs

@@ -8,8 +8,10 @@ use crate::{
         api::{request::ApiTokenRequest, response::IdentityTokenResponse},
         login::{LoginError, PasswordLoginResponse, response::two_factor::TwoFactorProviders},
     },
-    client::{LoginMethod, UserLoginMethod, internal::UserKeyState},
-    key_management::UserDecryptionData,
+    client::{LoginMethod, UserLoginMethod},
+    key_management::{
+        UserDecryptionData, account_cryptographic_state::WrappedUserAccountCryptographicState,
+    },
     require,
 };
 
@@ -31,11 +33,7 @@ pub(crate) async fn login_api_key(
 
         let private_key: EncString = require!(&r.private_key).parse()?;
 
-        let user_key_state = UserKeyState {
-            private_key,
-            signing_key: None,
-            security_state: None,
-        };
+        let user_key_state = WrappedUserAccountCryptographicState::V1 { private_key };
 
         let master_password_unlock = r
             .user_decryption_options

crates/bitwarden-core/src/auth/login/auth_request.rs

@@ -12,6 +12,7 @@ use crate::{
     },
     key_management::{
         UserDecryptionData,
+        account_cryptographic_state::WrappedUserAccountCryptographicState,
         crypto::{AuthRequestMethod, InitUserCryptoMethod, InitUserCryptoRequest},
     },
     require,
@@ -127,9 +128,9 @@ pub(crate) async fn complete_auth_request(
                 user_id: None,
                 kdf_params: kdf,
                 email: salt,
-                private_key: require!(r.private_key).parse()?,
-                signing_key: None,
-                security_state: None,
+                account_cryptographic_state: WrappedUserAccountCryptographicState::V1 {
+                    private_key: require!(r.private_key).parse()?,
+                },
                 method: InitUserCryptoMethod::AuthRequest {
                     request_private_key: auth_req.private_key,
                     method,

crates/bitwarden-core/src/auth/login/password.rs

@@ -21,10 +21,7 @@ pub(crate) async fn login_password(
 ) -> Result<PasswordLoginResponse, LoginError> {
     use bitwarden_crypto::EncString;
 
-    use crate::{
-        client::{UserLoginMethod, internal::UserKeyState},
-        require,
-    };
+    use crate::{client::UserLoginMethod, require};
 
     info!("password logging in");
 
@@ -40,6 +37,8 @@ pub(crate) async fn login_password(
     let response = request_identity_tokens(client, input, &password_hash).await?;
 
     if let IdentityTokenResponse::Authenticated(r) = &response {
+        use crate::key_management::account_cryptographic_state::WrappedUserAccountCryptographicState;
+
         client.internal.set_tokens(
             r.access_token.clone(),
             r.refresh_token.clone(),
@@ -48,11 +47,7 @@ pub(crate) async fn login_password(
 
         let private_key: EncString = require!(&r.private_key).parse()?;
 
-        let user_key_state = UserKeyState {
-            private_key,
-            signing_key: None,
-            security_state: None,
-        };
+        let user_key_state = WrappedUserAccountCryptographicState::V1 { private_key };
 
         let master_password_unlock = r
             .user_decryption_options

crates/bitwarden-core/src/auth/password/validate.rs

@@ -85,7 +85,7 @@ mod tests {
 
     use crate::{
         auth::password::{validate::validate_password_user_key, validate_password},
-        client::internal::UserKeyState,
+        key_management::account_cryptographic_state::WrappedUserAccountCryptographicState,
     };
 
     #[test]
@@ -149,11 +149,7 @@ mod tests {
             .initialize_user_crypto_master_key(
                 master_key,
                 user_key.clone(),
-                UserKeyState {
-                    private_key,
-                    signing_key: None,
-                    security_state: None,
-                },
+                WrappedUserAccountCryptographicState::V1 { private_key },
             )
             .unwrap();
 
@@ -203,11 +199,7 @@ mod tests {
             .initialize_user_crypto_master_key(
                 master_key,
                 user_key.parse().unwrap(),
-                UserKeyState {
-                    private_key,
-                    signing_key: None,
-                    security_state: None,
-                },
+                WrappedUserAccountCryptographicState::V1 { private_key },
             )
             .unwrap();
 

crates/bitwarden-core/src/auth/pin.rs

@@ -49,7 +49,10 @@ mod tests {
     use bitwarden_crypto::{Kdf, MasterKey};
 
     use super::*;
-    use crate::client::{Client, LoginMethod, UserLoginMethod, internal::UserKeyState};
+    use crate::{
+        client::{Client, LoginMethod, UserLoginMethod},
+        key_management::account_cryptographic_state::WrappedUserAccountCryptographicState,
+    };
 
     fn init_client() -> Client {
         let client = Client::new(None);
@@ -78,11 +81,7 @@ mod tests {
             .initialize_user_crypto_master_key(
                 master_key,
                 user_key.parse().unwrap(),
-                UserKeyState {
-                    private_key,
-                    signing_key: None,
-                    security_state: None,
-                },
+                WrappedUserAccountCryptographicState::V1 { private_key },
             )
             .unwrap();
 

crates/bitwarden-core/src/auth/tde.rs

@@ -5,8 +5,8 @@ use bitwarden_crypto::{
 use bitwarden_encoding::B64;
 
 use crate::{
-    Client,
-    client::{encryption_settings::EncryptionSettingsError, internal::UserKeyState},
+    Client, client::encryption_settings::EncryptionSettingsError,
+    key_management::account_cryptographic_state::WrappedUserAccountCryptographicState,
 };
 
 /// This function generates a new user key and key pair, initializes the client's crypto with the
@@ -34,12 +34,10 @@ pub(super) fn make_register_tde_keys(
 
     client.internal.initialize_user_crypto_decrypted_key(
         user_key.0,
-        UserKeyState {
+        // TODO (https://bitwarden.atlassian.net/browse/PM-21771) Signing keys are not supported on registration yet. This needs to be changed as
+        // soon as registration is supported.
+        WrappedUserAccountCryptographicState::V1 {
             private_key: key_pair.private.clone(),
-            // TODO (https://bitwarden.atlassian.net/browse/PM-21771) Signing keys are not supported on registration yet. This needs to be changed as
-            // soon as registration is supported.
-            signing_key: None,
-            security_state: None,
         },
     )?;