Implement new key format

Author: quexten

Cargo.lock

@@ -97,7 +97,7 @@ mod tests {
             "ec2c1d46-6a4b-4751-a310-af9601317f2d"
         );
         assert_eq!(token.client_secret, "C2IgxjjLF7qSshsbwe8JGcbM075YXw");
-        assert_eq!(token.encryption_key.to_base64(), "H9/oIRLtL9nGCQOVDjSMoEbJsjWXSOCb3qeyDt6ckzS3FhyboEDWyTP/CQfbIszNmAVg2ExFganG1FVFGXO/Jg==");
+        assert_eq!(token.encryption_key.to_base64().unwrap(), "H9/oIRLtL9nGCQOVDjSMoEbJsjWXSOCb3qeyDt6ckzS3FhyboEDWyTP/CQfbIszNmAVg2ExFganG1FVFGXO/Jg==");
     }
 
     #[test]

crates/bitwarden-core/src/auth/access_token.rs

@@ -102,7 +102,7 @@ pub(crate) fn approve_auth_request(
     let key = ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)?;
 
     Ok(AsymmetricEncString::encrypt_rsa2048_oaep_sha1(
-        &key.to_vec(),
+        &key.to_encoded(false).unwrap(),
         &public_key,
     )?)
 }
@@ -125,7 +125,7 @@ fn test_auth_request() {
 
     let decrypted = auth_request_decrypt_user_key(request.private_key, encrypted).unwrap();
 
-    assert_eq!(&decrypted.to_vec(), secret);
+    assert_eq!(&decrypted.to_encoded(false).unwrap(), secret);
 }
 
 #[cfg(test)]
@@ -178,7 +178,7 @@ mod tests {
         let dec = auth_request_decrypt_user_key(private_key.to_owned(), enc_user_key).unwrap();
 
         assert_eq!(
-            &dec.to_vec(),
+            &dec.to_encoded(false).unwrap(),
             &[
                 201, 37, 234, 213, 21, 75, 40, 70, 149, 213, 234, 16, 19, 251, 162, 245, 161, 74,
                 34, 245, 211, 151, 211, 192, 95, 10, 117, 50, 88, 223, 23, 157
@@ -197,7 +197,7 @@ mod tests {
                 .unwrap();
 
         assert_eq!(
-            &dec.to_vec(),
+            &dec.to_encoded(false).unwrap(),
             &[
                 109, 128, 172, 147, 206, 123, 134, 95, 16, 36, 155, 113, 201, 18, 186, 230, 216,
                 212, 173, 188, 74, 11, 134, 131, 137, 242, 105, 178, 105, 126, 52, 139, 248, 91,
@@ -272,6 +272,6 @@ mod tests {
                 .to_base64()
         };
 
-        assert_eq!(existing_key, new_key);
+        assert_eq!(existing_key.unwrap(), new_key.unwrap());
     }
 }

crates/bitwarden-core/src/auth/auth_request.rs

@@ -65,7 +65,7 @@ pub(crate) fn validate_password_user_key(
                 #[allow(deprecated)]
                 let existing_key = ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)?;
 
-                if user_key.to_vec() != existing_key.to_vec() {
+                if user_key.to_encoded(false).ok() != existing_key.to_encoded(false).ok() {
                     return Err(AuthValidateError::WrongUserKey);
                 }
 

crates/bitwarden-core/src/auth/password/validate.rs

@@ -37,7 +37,7 @@ pub(crate) fn validate_pin(
                 return Ok(false);
             };
 
-            Ok(user_key.to_vec() == decrypted_key.to_vec())
+            Ok(user_key.to_encoded(false).ok() == decrypted_key.to_encoded(false).ok())
         }
     }
 }

crates/bitwarden-core/src/auth/pin.rs

@@ -23,7 +23,7 @@ pub(super) fn make_register_tde_keys(
     let key_pair = user_key.make_key_pair()?;
 
     let admin_reset =
-        AsymmetricEncString::encrypt_rsa2048_oaep_sha1(&user_key.0.to_vec(), &public_key)?;
+        AsymmetricEncString::encrypt_rsa2048_oaep_sha1(&user_key.0.to_encoded(false)?, &public_key)?;
 
     let device_key = if remember_device {
         Some(DeviceKey::trust_device(&user_key.0)?)

crates/bitwarden-core/src/auth/tde.rs

@@ -227,7 +227,7 @@ pub async fn get_user_encryption_key(client: &Client) -> Result<String, MobileCr
     #[allow(deprecated)]
     let user_key = ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)?;
 
-    Ok(user_key.to_base64())
+    user_key.to_base64().map_err(Into::into)
 }
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
@@ -375,7 +375,7 @@ pub(super) fn enroll_admin_password_reset(
     let key = ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)?;
 
     Ok(AsymmetricEncString::encrypt_rsa2048_oaep_sha1(
-        &key.to_vec(),
+        &key.to_encoded(false)?,
         &public_key,
     )?)
 }
@@ -586,6 +586,7 @@ mod tests {
             ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)
                 .unwrap()
                 .to_base64()
+                .unwrap()
         };
 
         let client2_key = {
@@ -595,6 +596,7 @@ mod tests {
             ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)
                 .unwrap()
                 .to_base64()
+                .unwrap()
         };
 
         assert_eq!(client_key, client2_key);
@@ -651,6 +653,7 @@ mod tests {
             ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)
                 .unwrap()
                 .to_base64()
+                .unwrap()
         };
 
         let client2_key = {
@@ -660,6 +663,7 @@ mod tests {
             ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)
                 .unwrap()
                 .to_base64()
+                .unwrap()
         };
 
         assert_eq!(client_key, client2_key);
@@ -704,7 +708,7 @@ mod tests {
                 .to_base64()
         };
 
-        assert_eq!(client_key, client3_key);
+        assert_eq!(client_key.unwrap(), client3_key.unwrap());
     }
 
     #[test]
@@ -746,7 +750,7 @@ mod tests {
             .dangerous_get_symmetric_key(SymmetricKeyId::User)
             .unwrap();
 
-        assert_eq!(&decrypted, &expected.to_vec());
+        assert_eq!(&decrypted, &expected.to_encoded(false).unwrap())
     }
 
     #[test]
@@ -784,7 +788,7 @@ mod tests {
     fn test_make_key_pair() {
         let (user_key, _) = setup_asymmetric_keys_test();
 
-        let response = make_key_pair(user_key.0.to_base64()).unwrap();
+        let response = make_key_pair(user_key.0.to_base64().unwrap()).unwrap();
 
         assert!(!response.user_public_key.is_empty());
         let encrypted_private_key = response.user_key_encrypted_private_key;
@@ -797,7 +801,7 @@ mod tests {
         let (user_key, key_pair) = setup_asymmetric_keys_test();
 
         let request = VerifyAsymmetricKeysRequest {
-            user_key: user_key.0.to_base64(),
+            user_key: user_key.0.to_base64().unwrap(),
             user_public_key: key_pair.public,
             user_key_encrypted_private_key: key_pair.private,
         };
@@ -813,7 +817,7 @@ mod tests {
         let undecryptable_private_key = "2.cqD39M4erPZ3tWaz2Fng9w==|+Bsp/xvM30oo+HThKN12qirK0A63EjMadcwethCX7kEgfL5nEXgAFsSgRBMpByc1djgpGDMXzUTLOE+FejXRsrEHH/ICZ7jPMgSR+lV64Mlvw3fgvDPQdJ6w3MCmjPueGQtrlPj1K78BkRomN3vQwwRBFUIJhLAnLshTOIFrSghoyG78na7McqVMMD0gmC0zmRaSs2YWu/46ES+2Rp8V5OC4qdeeoJM9MQfaOtmaqv7NRVDeDM3DwoyTJAOcon8eovMKE4jbFPUboiXjNQBkBgjvLhco3lVJnFcQuYgmjqrwuUQRsfAtZjxFXg/RQSH2D+SI5uRaTNQwkL4iJqIw7BIKtI0gxDz6eCVdq/+DLhpImgCV/aaIhF/jkpGqLCceFsYMbuqdULMM1VYKgV+IAuyC65R+wxOaKS+1IevvPnNp7tgKAvT5+shFg8piusj+rQ49daX2SmV2OImwdWMmmX93bcVV0xJ/WYB1yrqmyRUcTwyvX3RQF25P5okIIzFasRp8jXFZe8C6f93yzkn1TPQbp95zF4OsWjfPFVH4hzca07ACt2HjbAB75JakWbFA5MbCF8aOIwIfeLVhVlquQXCldOHCsl22U/f3HTGLB9OS8F83CDAy7qZqpKha9Im8RUhHoyf+lXrky0gyd6un7Ky8NSkVOGd8CEG7bvZfutxv/qtAjEM9/lV78fh8TQIy9GNgioMzplpuzPIJOgMaY/ZFZj6a8H9OMPneN5Je0H/DwHEglSyWy7CMgwcbQgXYGXc8rXTTxL71GUAFHzDr4bAJvf40YnjndoL9tf+oBw8vVNUccoD4cjyOT5w8h7M3Liaxk9/0O8JR98PKxxpv1Xw6XjFCSEHeG2y9FgDUASFR4ZwG1qQBiiLMnJ7e9kvxsdnmasBux9H0tOdhDhAM16Afk3NPPKA8eztJVHJBAfQiaNiUA4LIJ48d8EpUAe2Tvz0WW/gQThplUINDTpvPf+FojLwc5lFwNIPb4CVN1Ui8jOJI5nsOw4BSWJvLzJLxawHxX/sBuK96iXza+4aMH+FqYKt/twpTJtiVXo26sPtHe6xXtp7uO4b+bL9yYUcaAci69L0W8aNdu8iF0lVX6kFn2lOL8dBLRleGvixX9gYEVEsiI7BQBjxEBHW/YMr5F4M4smqCpleZIAxkse1r2fQ33BSOJVQKInt4zzgdKwrxDzuVR7RyiIUuNXHsprKtRHNJrSc4x5kWFUeivahed2hON+Ir/ZvrxYN6nJJPeYYH4uEm1Nn4osUzzfWILlqpmDPK1yYy365T38W8wT0cbdcJrI87ycS37HeB8bzpFJZSY/Dzv48Yy19mDZJHLJLCRqyxNeIlBPsVC8fvxQhzr+ZyS3Wi8Dsa2Sgjt/wd0xPULLCJlb37s+1aWgYYylr9QR1uhXheYfkXFED+saGWwY1jlYL5e2Oo9n3sviBYwJxIZ+RTKFgwlXV5S+Jx/MbDpgnVHP1KaoU6vvzdWYwMChdHV/6PhZVbeT2txq7Qt+zQN59IGrOWf6vlMkHxfUzMTD58CE+xAaz/D05ljHMesLj9hb3MSrymw0PcwoFGWUMIzIQE73pUVYNE7fVHa8HqUOdoxZ5dRZqXRVox1xd9siIPE3e6CuVQIMabTp1YLno=|Y38qtTuCwNLDqFnzJ3Cgbjm1SE15OnhDm9iAMABaQBA=".parse().unwrap();
 
         let request = VerifyAsymmetricKeysRequest {
-            user_key: user_key.0.to_base64(),
+            user_key: user_key.0.to_base64().unwrap(),
             user_public_key: key_pair.public,
             user_key_encrypted_private_key: undecryptable_private_key,
         };
@@ -834,7 +838,7 @@ mod tests {
             .unwrap();
 
         let request = VerifyAsymmetricKeysRequest {
-            user_key: user_key.0.to_base64(),
+            user_key: user_key.0.to_base64().unwrap(),
             user_public_key: key_pair.public,
             user_key_encrypted_private_key: invalid_private_key,
         };
@@ -850,7 +854,7 @@ mod tests {
         let new_key_pair = user_key.make_key_pair().unwrap();
 
         let request = VerifyAsymmetricKeysRequest {
-            user_key: user_key.0.to_base64(),
+            user_key: user_key.0.to_base64().unwrap(),
             user_public_key: key_pair.public,
             user_key_encrypted_private_key: new_key_pair.private,
         };

crates/bitwarden-core/src/mobile/crypto.rs

@@ -29,6 +29,7 @@ argon2 = { version = ">=0.5.0, <0.6", features = [
 base64 = ">=0.22.1, <0.23"
 bitwarden-error = { workspace = true }
 cbc = { version = ">=0.1.2, <0.2", features = ["alloc", "zeroize"] }
+ciborium = "0.2.2"
 generic-array = { version = ">=0.14.7, <1.0", features = ["zeroize"] }
 hkdf = ">=0.12.3, <0.13"
 hmac = ">=0.12.1, <0.13"
@@ -40,6 +41,7 @@ rayon = ">=1.8.1, <2.0"
 rsa = ">=0.9.2, <0.10"
 schemars = { workspace = true }
 serde = { workspace = true }
+serde_bytes = "0.11.15"
 sha1 = ">=0.10.5, <0.11"
 sha2 = ">=0.10.6, <0.11"
 subtle = ">=2.5.0, <3.0"

crates/bitwarden-crypto/Cargo.toml

@@ -53,6 +53,9 @@ pub enum CryptoError {
 
     #[error("Key algorithm does not match encrypted data type")]
     WrongKeyType,
+
+    #[error("Encoding error")]
+    EncodingError,
 }
 
 #[derive(Debug, Error)]

crates/bitwarden-crypto/src/error.rs

@@ -35,7 +35,7 @@ impl DeviceKey {
         let device_private_key = AsymmetricCryptoKey::generate(&mut rng);
 
         // Encrypt both the key and mac_key of the user key
-        let data = user_key.to_vec();
+        let data = user_key.to_encoded(false)?;
 
         let protected_user_key =
             AsymmetricEncString::encrypt_rsa2048_oaep_sha1(&data, &device_private_key)?;
@@ -49,7 +49,7 @@ impl DeviceKey {
             .encrypt_with_key(&device_key.0)?;
 
         Ok(TrustDeviceResponse {
-            device_key: device_key.to_base64(),
+            device_key: device_key.to_base64()?,
             protected_user_key,
             protected_device_private_key,
             protected_device_public_key,
@@ -71,7 +71,7 @@ impl DeviceKey {
         Ok(user_key)
     }
 
-    fn to_base64(&self) -> String {
+    fn to_base64(&self) -> Result<String> {
         self.0.to_base64()
     }
 }

crates/bitwarden-crypto/src/keys/device_key.rs

@@ -60,7 +60,7 @@ impl MasterKey {
 
     /// Derive the master key hash, used for local and remote password validation.
     pub fn derive_master_key_hash(&self, password: &[u8], purpose: HashPurpose) -> Result<String> {
-        let hash = util::pbkdf2(self.inner_bytes(), password, purpose as u32);
+        let hash = util::pbkdf2(self.inner_bytes().as_slice(), password, purpose as u32);
 
         Ok(STANDARD.encode(hash))
     }
@@ -113,7 +113,7 @@ pub(super) fn encrypt_user_key(
     user_key: &SymmetricCryptoKey,
 ) -> Result<EncString> {
     let stretched_master_key = stretch_key(master_key)?;
-    let user_key_bytes = Zeroizing::new(user_key.to_vec());
+    let user_key_bytes = Zeroizing::new(user_key.to_encoded(false)?);
     EncString::encrypt_aes256_hmac(&user_key_bytes, &stretched_master_key)
 }
 

crates/bitwarden-crypto/src/keys/master_key.rs

@@ -44,13 +44,13 @@ mod tests {
     #[test]
     fn test_derive_shareable_key() {
         let key = derive_shareable_key(Zeroizing::new(*b"&/$%F1a895g67HlX"), "test_key", None);
-        assert_eq!(SymmetricCryptoKey::Aes256CbcHmacKey(key).to_base64(), "4PV6+PcmF2w7YHRatvyMcVQtI7zvCyssv/wFWmzjiH6Iv9altjmDkuBD1aagLVaLezbthbSe+ktR+U6qswxNnQ==");
+        assert_eq!(SymmetricCryptoKey::Aes256CbcHmacKey(key).to_base64().unwrap(), "4PV6+PcmF2w7YHRatvyMcVQtI7zvCyssv/wFWmzjiH6Iv9altjmDkuBD1aagLVaLezbthbSe+ktR+U6qswxNnQ==");
 
         let key = derive_shareable_key(
             Zeroizing::new(*b"67t9b5g67$%Dh89n"),
             "test_key",
             Some("test"),
         );
-        assert_eq!(SymmetricCryptoKey::Aes256CbcHmacKey(key).to_base64(), "F9jVQmrACGx9VUPjuzfMYDjr726JtL300Y3Yg+VYUnVQtQ1s8oImJ5xtp1KALC9h2nav04++1LDW4iFD+infng==");
+        assert_eq!(SymmetricCryptoKey::Aes256CbcHmacKey(key).to_base64().unwrap(), "F9jVQmrACGx9VUPjuzfMYDjr726JtL300Y3Yg+VYUnVQtQ1s8oImJ5xtp1KALC9h2nav04++1LDW4iFD+infng==");
     }
 }