Cherry-picked [PM-115] Cipher key encryption update (#2421)

bitwarden · Sep 29, 2023 · ee1cbae · ee1cbae
1 parent 4cc5e13
commit ee1cbae
Show file tree

Hide file tree

Showing 26 changed files with 241 additions and 85 deletions.
diff --git a/src/App/Pages/Vault/AttachmentsPageViewModel.cs b/src/App/Pages/Vault/AttachmentsPageViewModel.cs
@@ -123,7 +123,7 @@ await _platformUtilsService.ShowDialogAsync(AppResources.MaxFileSize,
             {
                 await _deviceActionService.ShowLoadingAsync(AppResources.Saving);
                 _cipherDomain = await _cipherService.SaveAttachmentRawWithServerAsync(
-                    _cipherDomain, FileName, FileData);
+                    _cipherDomain, Cipher, FileName, FileData);
                 Cipher = await _cipherDomain.DecryptAsync();
                 await _deviceActionService.HideLoadingAsync();
                 _platformUtilsService.ShowToast("success", null, AppResources.AttachementAdded);

diff --git a/src/Core/Abstractions/ICipherService.cs b/src/Core/Abstractions/ICipherService.cs
@@ -33,7 +33,7 @@ Task<Tuple<List<CipherView>, List<CipherView>, List<CipherView>>> GetAllDecrypte
         Task<Cipher> GetAsync(string id);
         Task<CipherView> GetLastUsedForUrlAsync(string url);
         Task ReplaceAsync(Dictionary<string, CipherData> ciphers);
-        Task<Cipher> SaveAttachmentRawWithServerAsync(Cipher cipher, string filename, byte[] data);
+        Task<Cipher> SaveAttachmentRawWithServerAsync(Cipher cipher, CipherView cipherView, string filename, byte[] data);
         Task SaveCollectionsWithServerAsync(Cipher cipher);
         Task SaveWithServerAsync(Cipher cipher);
         Task<ShareWithServerError> ShareWithServerAsync(CipherView cipher, string organizationId, HashSet<string> collectionIds);

diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
@@ -67,6 +67,8 @@ public static class Constants
         public const int Argon2MemoryInMB = 64;
         public const int Argon2Parallelism = 4;
         public const int MasterPasswordMinimumChars = 12;
+        public const int CipherKeyRandomBytesLength = 64;
+        public const string CipherKeyEncryptionMinServerVersion = "2023.9.1";
         public const string DefaultFido2KeyType = "public-key";
         public const string DefaultFido2KeyAlgorithm = "ECDSA";
         public const string DefaultFido2KeyCurve = "P-256";

diff --git a/src/Core/Models/Data/CipherData.cs b/src/Core/Models/Data/CipherData.cs
@@ -28,6 +28,7 @@ public CipherData(CipherResponse response, string userId = null, HashSet<string>
             Notes = response.Notes;
             CollectionIds = collectionIds?.ToList() ?? response.CollectionIds;
             Reprompt = response.Reprompt;
+            Key = response.Key;
 
             try // Added to address Issue (https://github.com/bitwarden/mobile/issues/1006)
             {
@@ -92,5 +93,6 @@ public CipherData(CipherResponse response, string userId = null, HashSet<string>
         public List<PasswordHistoryData> PasswordHistory { get; set; }
         public List<string> CollectionIds { get; set; }
         public Enums.CipherRepromptType Reprompt { get; set; }
+        public string Key { get; set; }
     }
 }
diff --git a/src/Core/Models/Domain/Attachment.cs b/src/Core/Models/Domain/Attachment.cs
@@ -1,8 +1,10 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using Bit.Core.Abstractions;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.View;
+using Bit.Core.Services;
 using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.Domain
@@ -11,19 +13,19 @@ public class Attachment : Domain
     {
         private HashSet<string> _map = new HashSet<string>
         {
-            "Id",
-            "Url",
-            "SizeName",
-            "FileName",
-            "Key"
+            nameof(Id),
+            nameof(Url),
+            nameof(SizeName),
+            nameof(FileName),
+            nameof(Key)
         };
 
         public Attachment() { }
 
         public Attachment(AttachmentData obj, bool alreadyEncrypted = false)
         {
             Size = obj.Size;
-            BuildDomainModel(this, obj, _map, alreadyEncrypted, new HashSet<string> { "Id", "Url", "SizeName" });
+            BuildDomainModel(this, obj, _map, alreadyEncrypted, new HashSet<string> { nameof(Id), nameof(Url), nameof(SizeName) });
         }
 
         public string Id { get; set; }
@@ -33,25 +35,26 @@ public Attachment(AttachmentData obj, bool alreadyEncrypted = false)
         public EncString Key { get; set; }
         public EncString FileName { get; set; }
 
-        public async Task<AttachmentView> DecryptAsync(string orgId)
+        public async Task<AttachmentView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
             var view = await DecryptObjAsync(new AttachmentView(this), this, new HashSet<string>
             {
-                "FileName"
-            }, orgId);
+                nameof(FileName)
+            }, orgId, key);
 
             if (Key != null)
             {
-                var cryptoService = ServiceContainer.Resolve<ICryptoService>("cryptoService");
                 try
                 {
-                    var orgKey = await cryptoService.GetOrgKeyAsync(orgId);
-                    var decValue = await cryptoService.DecryptToBytesAsync(Key, orgKey);
+                    var cryptoService = ServiceContainer.Resolve<ICryptoService>();
+
+                    var decryptKey = key ?? await cryptoService.GetOrgKeyAsync(orgId);
+                    var decValue = await cryptoService.DecryptToBytesAsync(Key, decryptKey);
                     view.Key = new SymmetricCryptoKey(decValue);
                 }
-                catch
+                catch (Exception ex)
                 {
-                    // TODO: error?
+                    LoggerHelper.LogEvenIfCantBeResolved(ex);
                 }
             }
             return view;
@@ -61,7 +64,7 @@ public AttachmentData ToAttachmentData()
         {
             var a = new AttachmentData();
             a.Size = Size;
-            BuildDataModel(this, a, _map, new HashSet<string> { "Id", "Url", "SizeName" });
+            BuildDataModel(this, a, _map, new HashSet<string> { nameof(Id), nameof(Url), nameof(SizeName) });
             return a;
         }
     }

diff --git a/src/Core/Models/Domain/Card.cs b/src/Core/Models/Domain/Card.cs
@@ -31,9 +31,9 @@ public Card(CardData obj, bool alreadyEncrypted = false)
         public EncString ExpYear { get; set; }
         public EncString Code { get; set; }
 
-        public Task<CardView> DecryptAsync(string orgId)
+        public Task<CardView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new CardView(this), this, _map, orgId);
+            return DecryptObjAsync(new CardView(this), this, _map, orgId, key);
         }
 
         public CardData ToCardData()

diff --git a/src/Core/Models/Domain/Cipher.cs b/src/Core/Models/Domain/Cipher.cs
@@ -2,9 +2,11 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
+using Bit.Core.Abstractions;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.View;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.Domain
 {
@@ -16,12 +18,12 @@ public Cipher(CipherData obj, bool alreadyEncrypted = false, Dictionary<string,
         {
             BuildDomainModel(this, obj, new HashSet<string>
             {
-                "Id",
-                "OrganizationId",
-                "FolderId",
-                "Name",
-                "Notes"
-            }, alreadyEncrypted, new HashSet<string> { "Id", "OrganizationId", "FolderId" });
+                nameof(Id),
+                nameof(OrganizationId),
+                nameof(FolderId),
+                nameof(Name),
+                nameof(Notes)
+            }, alreadyEncrypted, new HashSet<string> { nameof(Id), nameof(OrganizationId), nameof(FolderId) });
 
             Type = obj.Type;
             Favorite = obj.Favorite;
@@ -34,6 +36,11 @@ public Cipher(CipherData obj, bool alreadyEncrypted = false, Dictionary<string,
             LocalData = localData;
             Reprompt = obj.Reprompt;
 
+            if (obj.Key != null)
+            {
+                Key = new EncString(obj.Key);
+            }
+
             switch (Type)
             {
                 case Enums.CipherType.Login:
@@ -85,29 +92,43 @@ public Cipher(CipherData obj, bool alreadyEncrypted = false, Dictionary<string,
         public List<PasswordHistory> PasswordHistory { get; set; }
         public HashSet<string> CollectionIds { get; set; }
         public CipherRepromptType Reprompt { get; set; }
+        public EncString Key { get; set; }
 
         public async Task<CipherView> DecryptAsync()
         {
             var model = new CipherView(this);
+
+            if (Key != null)
+            {
+                // HACK: I don't like resolving this here but I can't see a better way without
+                // refactoring a lot of things.
+                var cryptoService = ServiceContainer.Resolve<ICryptoService>();
+
+                var orgKey = await cryptoService.GetOrgKeyAsync(OrganizationId);
+
+                var key = await cryptoService.DecryptToBytesAsync(Key, orgKey);
+                model.Key = new CipherKey(key);
+            }
+
             await DecryptObjAsync(model, this, new HashSet<string>
             {
-                "Name",
-                "Notes"
-            }, OrganizationId);
+                nameof(Name),
+                nameof(Notes)
+            }, OrganizationId, model.Key);
 
             switch (Type)
             {
                 case Enums.CipherType.Login:
-                    model.Login = await Login.DecryptAsync(OrganizationId);
+                    model.Login = await Login.DecryptAsync(OrganizationId, model.Key);
                     break;
                 case Enums.CipherType.SecureNote:
-                    model.SecureNote = await SecureNote.DecryptAsync(OrganizationId);
+                    model.SecureNote = await SecureNote.DecryptAsync(OrganizationId, model.Key);
                     break;
                 case Enums.CipherType.Card:
-                    model.Card = await Card.DecryptAsync(OrganizationId);
+                    model.Card = await Card.DecryptAsync(OrganizationId, model.Key);
                     break;
                 case Enums.CipherType.Identity:
-                    model.Identity = await Identity.DecryptAsync(OrganizationId);
+                    model.Identity = await Identity.DecryptAsync(OrganizationId, model.Key);
                     break;
                 case Enums.CipherType.Fido2Key:
                     model.Fido2Key = await Fido2Key.DecryptAsync(OrganizationId);
@@ -122,7 +143,7 @@ public async Task<CipherView> DecryptAsync()
                 var tasks = new List<Task>();
                 async Task decryptAndAddAttachmentAsync(Attachment attachment)
                 {
-                    var decAttachment = await attachment.DecryptAsync(OrganizationId);
+                    var decAttachment = await attachment.DecryptAsync(OrganizationId, model.Key);
                     model.Attachments.Add(decAttachment);
                 }
                 foreach (var attachment in Attachments)
@@ -137,7 +158,7 @@ async Task decryptAndAddAttachmentAsync(Attachment attachment)
                 var tasks = new List<Task>();
                 async Task decryptAndAddFieldAsync(Field field)
                 {
-                    var decField = await field.DecryptAsync(OrganizationId);
+                    var decField = await field.DecryptAsync(OrganizationId, model.Key);
                     model.Fields.Add(decField);
                 }
                 foreach (var field in Fields)
@@ -152,7 +173,7 @@ async Task decryptAndAddFieldAsync(Field field)
                 var tasks = new List<Task>();
                 async Task decryptAndAddHistoryAsync(PasswordHistory ph)
                 {
-                    var decPh = await ph.DecryptAsync(OrganizationId);
+                    var decPh = await ph.DecryptAsync(OrganizationId, model.Key);
                     model.PasswordHistory.Add(decPh);
                 }
                 foreach (var ph in PasswordHistory)
@@ -181,11 +202,12 @@ public CipherData ToCipherData(string userId)
                 CollectionIds = CollectionIds.ToList(),
                 DeletedDate = DeletedDate,
                 Reprompt = Reprompt,
+                Key = Key?.EncryptedString
             };
             BuildDataModel(this, c, new HashSet<string>
             {
-                "Name",
-                "Notes"
+                nameof(Name),
+                nameof(Notes)
             });
             switch (c.Type)
             {

diff --git a/src/Core/Models/Domain/Fido2Key.cs b/src/Core/Models/Domain/Fido2Key.cs
@@ -39,9 +39,9 @@ public Fido2Key(Fido2KeyData data, bool alreadyEncrypted = false)
         public EncString UserName { get; set; }
         public EncString Counter { get; set; }
 
-        public async Task<Fido2KeyView> DecryptAsync(string orgId)
+        public async Task<Fido2KeyView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return await DecryptObjAsync(new Fido2KeyView(), this, EncryptableProperties, orgId);
+            return await DecryptObjAsync(new Fido2KeyView(), this, EncryptableProperties, orgId, key);
         }
 
         public Fido2KeyData ToFido2KeyData()

diff --git a/src/Core/Models/Domain/Field.cs b/src/Core/Models/Domain/Field.cs
@@ -28,9 +28,9 @@ public Field(FieldData obj, bool alreadyEncrypted = false)
         public FieldType Type { get; set; }
         public LinkedIdType? LinkedId { get; set; }
 
-        public Task<FieldView> DecryptAsync(string orgId)
+        public Task<FieldView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new FieldView(this), this, _map, orgId);
+            return DecryptObjAsync(new FieldView(this), this, _map, orgId, key);
         }
 
         public FieldData ToFieldData()

diff --git a/src/Core/Models/Domain/Identity.cs b/src/Core/Models/Domain/Identity.cs
@@ -55,9 +55,9 @@ public Identity(IdentityData obj, bool alreadyEncrypted = false)
         public EncString PassportNumber { get; set; }
         public EncString LicenseNumber { get; set; }
 
-        public Task<IdentityView> DecryptAsync(string orgId)
+        public Task<IdentityView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new IdentityView(this), this, _map, orgId);
+            return DecryptObjAsync(new IdentityView(this), this, _map, orgId, key);
         }
 
         public IdentityData ToIdentityData()

diff --git a/src/Core/Models/Domain/Login.cs b/src/Core/Models/Domain/Login.cs
@@ -31,25 +31,25 @@ public Login(LoginData obj, bool alreadyEncrypted = false)
         public EncString Totp { get; set; }
         public Fido2Key Fido2Key { get; set; }
 
-        public async Task<LoginView> DecryptAsync(string orgId)
+        public async Task<LoginView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
             var view = await DecryptObjAsync(new LoginView(this), this, new HashSet<string>
             {
                 "Username",
                 "Password",
                 "Totp"
-            }, orgId);
+            }, orgId, key);
             if (Uris != null)
             {
                 view.Uris = new List<LoginUriView>();
                 foreach (var uri in Uris)
                 {
-                    view.Uris.Add(await uri.DecryptAsync(orgId));
+                    view.Uris.Add(await uri.DecryptAsync(orgId, key));
                 }
             }
             if (Fido2Key != null)
             {
-                view.Fido2Key = await Fido2Key.DecryptAsync(orgId);
+                view.Fido2Key = await Fido2Key.DecryptAsync(orgId, key);
             }
             return view;
         }

diff --git a/src/Core/Models/Domain/LoginUri.cs b/src/Core/Models/Domain/LoginUri.cs
@@ -24,9 +24,9 @@ public LoginUri(LoginUriData obj, bool alreadyEncrypted = false)
         public EncString Uri { get; set; }
         public UriMatchType? Match { get; set; }
 
-        public Task<LoginUriView> DecryptAsync(string orgId)
+        public Task<LoginUriView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new LoginUriView(this), this, _map, orgId);
+            return DecryptObjAsync(new LoginUriView(this), this, _map, orgId, key);
         }
 
         public LoginUriData ToLoginUriData()

diff --git a/src/Core/Models/Domain/PasswordHistory.cs b/src/Core/Models/Domain/PasswordHistory.cs
@@ -24,9 +24,9 @@ public PasswordHistory(PasswordHistoryData obj, bool alreadyEncrypted = false)
         public EncString Password { get; set; }
         public DateTime LastUsedDate { get; set; }
 
-        public Task<PasswordHistoryView> DecryptAsync(string orgId)
+        public Task<PasswordHistoryView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
-            return DecryptObjAsync(new PasswordHistoryView(this), this, _map, orgId);
+            return DecryptObjAsync(new PasswordHistoryView(this), this, _map, orgId, key);
         }
 
         public PasswordHistoryData ToPasswordHistoryData()

diff --git a/src/Core/Models/Domain/SecureNote.cs b/src/Core/Models/Domain/SecureNote.cs
@@ -16,7 +16,7 @@ public SecureNote(SecureNoteData obj, bool alreadyEncrypted = false)
 
         public SecureNoteType Type { get; set; }
 
-        public Task<SecureNoteView> DecryptAsync(string orgId)
+        public Task<SecureNoteView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
         {
             return Task.FromResult(new SecureNoteView(this));
         }

diff --git a/src/Core/Models/Domain/SymmetricCryptoKey.cs b/src/Core/Models/Domain/SymmetricCryptoKey.cs
@@ -1,5 +1,4 @@
 using System;
-using System.Linq;
 using Bit.Core.Enums;
 
 namespace Bit.Core.Models.Domain
@@ -102,4 +101,11 @@ public OrgKey(byte[] key, EncryptionType? encType = null)
             : base(key, encType)
         { }
     }
+
+    public class CipherKey : SymmetricCryptoKey
+    {
+        public CipherKey(byte[] key, EncryptionType? encType = null)
+            : base(key, encType)
+        { }
+    }
 }