[PM-26177] Derive rotateable key set from PRF (3/3)

[iinuwa]

🎟️ Tracking

PM-26177

📔 Objective

In order to set up PRF passkeys on mobile clients, this adds a method to the SDK that derives the rotateable key set from a PRF value received by a passkey.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
  team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
  issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – a36acabf-84c9-4cc3-a2c0-6062e645246e

Great job! No new security vulnerabilities introduced in this pull request

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

❌ Patch coverage is 71.11111% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.38%. Comparing base (e74f17c) to head (27125fe).

Files with missing lines	Patch %	Lines
crates/bitwarden-core/src/key_management/crypto.rs	0.00%	7 Missing ⚠️
...bitwarden-core/src/key_management/crypto_client.rs	0.00%	3 Missing ⚠️
crates/bitwarden-uniffi/src/crypto.rs	0.00%	3 Missing ⚠️

Additional details and impacted files

@@                        Coverage Diff                         @@
##           km/PM-26177/rotateable-key-set     #487      +/-   ##
==================================================================
- Coverage                           78.39%   78.38%   -0.02%     
==================================================================
  Files                                 283      284       +1     
  Lines                               27800    27845      +45     
==================================================================
+ Hits                                21793    21825      +32     
- Misses                               6007     6020      +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[quexten]

Suggested change

	pub fn derive_prf_key(&self, prf: B64) -> Result<RotateableKeySet, CryptoClientError> {
	pub fn derive_prf_rotateable_keyset_for_user(&self, prf: B64) -> Result<RotateableKeySet, CryptoClientError> {

My suggestion here is very verbose, but "PRF key" alone suggests the "external key" (prf key) not the entire keyset.

[iinuwa]

Yes, that's clearer. (I'll tweak the docs to be clearer too.)

If we wanted it shorter, we could establish a convention that keyset refers to a rotateable key set and name it derive_prf_user_keyset(), which means a user [rotateable] key set protected by PRF, just like derive_pin_user_key() above refers to a user key protected by a PIN. Thoughts?

[quexten]

Seems good to me.

[iinuwa]

Converting to draft pending further discussion with KM team.