Typesafe base64 handling

quexten · quexten · commit 25d1907eb746 · 2025-06-25T13:07:26.000+02:00
diff --git a/crates/bitwarden-core/src/auth/auth_client.rs b/crates/bitwarden-core/src/auth/auth_client.rs
@@ -26,6 +26,7 @@ use crate::{
         RegisterRequest,
     },
     client::encryption_settings::EncryptionSettingsError,
+    Base64String,
 };
 use crate::{
     auth::{login::LoginError, renew::renew_token},
@@ -89,7 +90,7 @@ impl AuthClient {
     pub fn make_register_tde_keys(
         &self,
         email: String,
-        org_public_key: String,
+        org_public_key: Base64String,
         remember_device: bool,
     ) -> Result<RegisterTdeKeyResponse, EncryptionSettingsError> {
         make_register_tde_keys(&self.client, email, org_public_key, remember_device)
@@ -172,7 +173,7 @@ impl AuthClient {
     #[allow(missing_docs)]
     pub fn approve_auth_request(
         &self,
-        public_key: String,
+        public_key: Base64String,
     ) -> Result<UnsignedSharedKey, ApproveAuthRequestError> {
         approve_auth_request(&self.client, public_key)
     }
diff --git a/crates/bitwarden-core/src/auth/auth_request.rs b/crates/bitwarden-core/src/auth/auth_request.rs
@@ -8,7 +8,7 @@ use bitwarden_crypto::{EncString, SymmetricCryptoKey};
 use thiserror::Error;
 
 #[cfg(feature = "internal")]
-use crate::client::encryption_settings::EncryptionSettingsError;
+use crate::{client::encryption_settings::EncryptionSettingsError, Base64String};
 use crate::{key_management::SymmetricKeyId, Client, VaultLockedError};
 
 /// Response for `new_auth_request`.
@@ -49,25 +49,25 @@ pub(crate) fn new_auth_request(email: &str) -> Result<AuthRequestResponse, Crypt
 /// Decrypt the user key using the private key generated previously.
 #[cfg(feature = "internal")]
 pub(crate) fn auth_request_decrypt_user_key(
-    private_key: String,
+    private_key: Base64String,
     user_key: UnsignedSharedKey,
 ) -> Result<SymmetricCryptoKey, EncryptionSettingsError> {
-    let key = AsymmetricCryptoKey::from_der(&STANDARD.decode(private_key)?.into())?;
-    let key: SymmetricCryptoKey = user_key.decapsulate_key_unsigned(&key)?;
+    let private_key = AsymmetricCryptoKey::from_der(&private_key.try_into()?)?;
+    let key: SymmetricCryptoKey = user_key.decapsulate_key_unsigned(&private_key)?;
     Ok(key)
 }
 
 /// Decrypt the user key using the private key generated previously.
 #[cfg(feature = "internal")]
 pub(crate) fn auth_request_decrypt_master_key(
-    private_key: String,
+    private_key: Base64String,
     master_key: UnsignedSharedKey,
     user_key: EncString,
 ) -> Result<SymmetricCryptoKey, EncryptionSettingsError> {
     use bitwarden_crypto::MasterKey;
 
-    let key = AsymmetricCryptoKey::from_der(&STANDARD.decode(private_key)?.into())?;
-    let master_key: SymmetricCryptoKey = master_key.decapsulate_key_unsigned(&key)?;
+    let private_key = AsymmetricCryptoKey::from_der(&private_key.try_into()?)?;
+    let master_key: SymmetricCryptoKey = master_key.decapsulate_key_unsigned(&private_key)?;
     let master_key = MasterKey::try_from(&master_key)?;
 
     Ok(master_key.decrypt_user_key(user_key)?)
@@ -89,9 +89,9 @@ pub enum ApproveAuthRequestError {
 /// Encrypts the user key with a public key.
 pub(crate) fn approve_auth_request(
     client: &Client,
-    public_key: String,
+    public_key: Base64String,
 ) -> Result<UnsignedSharedKey, ApproveAuthRequestError> {
-    let public_key = AsymmetricPublicCryptoKey::from_der(&STANDARD.decode(public_key)?)?;
+    let public_key = AsymmetricPublicCryptoKey::from_der(&public_key.try_into()?)?;
 
     let key_store = client.internal.get_key_store();
     let ctx = key_store.context();
@@ -140,7 +140,8 @@ mod tests {
         )
         .unwrap();
 
-        let decrypted = auth_request_decrypt_user_key(request.private_key, encrypted).unwrap();
+        let decrypted =
+            auth_request_decrypt_user_key(request.private_key.into(), encrypted).unwrap();
 
         assert_eq!(decrypted.to_encoded().to_vec(), secret.to_vec());
     }
@@ -173,15 +174,16 @@ mod tests {
         let fingerprint = fingerprint("test@bitwarden.com", &pubkey).unwrap();
         assert_eq!(fingerprint, "childless-unfair-prowler-dropbox-designate");
 
-        approve_auth_request(&client, public_key.to_owned()).unwrap();
+        approve_auth_request(&client, public_key.to_owned().into()).unwrap();
     }
 
     #[tokio::test]
     async fn test_decrypt_user_key() {
         let private_key = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzLtEUdxfcLxDj84yaGFsVF5hZ8Hjlb08NMQDy1RnBma06I3ZESshLYzVz4r/gegMn9OOltfV/Yxlyvida8oW6qdlfJ7AVz6Oa8pV7BiL40C7b76+oqraQpyYw2HChANB1AhXL9SqWngKmLZwjA7qiCrmcc0kZHeOb4KnKtp9iVvPVs+8veFvKgYO4ba2AAOHKFdR0W55/agXfAy+fWUAkC8mc9ikyJdQWaPV6OZvC2XFkOseBQm9Rynudh3BQpoWiL6w620efe7t5k+02/EyOFJL9f/XEEjM/+Yo0t3LAfkuhHGeKiRST59Xc9hTEmyJTeVXROtz+0fjqOp3xkaObAgMBAAECggEACs4xhnO0HaZhh1/iH7zORMIRXKeyxP2LQiTR8xwN5JJ9wRWmGAR9VasS7EZFTDidIGVME2u/h4s5EqXnhxfO+0gGksVvgNXJ/qw87E8K2216g6ZNo6vSGA7H1GH2voWwejJ4/k/cJug6dz2S402rRAKh2Wong1arYHSkVlQp3diiMa5FHAOSE+Cy09O2ZsaF9IXQYUtlW6AVXFrBEPYH2kvkaPXchh8VETMijo6tbvoKLnUHe+wTaDMls7hy8exjtVyI59r3DNzjy1lNGaGb5QSnFMXR+eHhPZc844Wv02MxC15zKABADrl58gpJyjTl6XpDdHCYGsmGpVGH3X9TQQKBgQDz/9beFjzq59ve6rGwn+EtnQfSsyYT+jr7GN8lNEXb3YOFXBgPhfFIcHRh2R00Vm9w2ApfAx2cd8xm2I6HuvQ1Os7g26LWazvuWY0Qzb+KaCLQTEGH1RnTq6CCG+BTRq/a3J8M4t38GV5TWlzv8wr9U4dl6FR4efjb65HXs1GQ4QKBgQC7/uHfrOTEHrLeIeqEuSl0vWNqEotFKdKLV6xpOvNuxDGbgW4/r/zaxDqt0YBOXmRbQYSEhmO3oy9J6XfE1SUln0gbavZeW0HESCAmUIC88bDnspUwS9RxauqT5aF8ODKN/bNCWCnBM1xyonPOs1oT1nyparJVdQoG//Y7vkB3+wKBgBqLqPq8fKAp3XfhHLfUjREDVoiLyQa/YI9U42IOz9LdxKNLo6p8rgVthpvmnRDGnpUuS+KOWjhdqDVANjF6G3t3DG7WNl8Rh5Gk2H4NhFswfSkgQrjebFLlBy9gjQVCWXt8KSmjvPbiY6q52Aaa8IUjA0YJAregvXxfopxO+/7BAoGARicvEtDp7WWnSc1OPoj6N14VIxgYcI7SyrzE0d/1x3ffKzB5e7qomNpxKzvqrVP8DzG7ydh8jaKPmv1MfF8tpYRy3AhmN3/GYwCnPqT75YYrhcrWcVdax5gmQVqHkFtIQkRSCIftzPLlpMGKha/YBV8c1fvC4LD0NPh/Ynv0gtECgYEAyOZg95/kte0jpgUEgwuMrzkhY/AaUJULFuR5MkyvReEbtSBQwV5tx60+T95PHNiFooWWVXiLMsAgyI2IbkxVR1Pzdri3gWK5CTfqb7kLuaj/B7SGvBa2Sxo478KS5K8tBBBWkITqo+wLC0mn3uZi1dyMWO1zopTA+KtEGF2dtGQ=";
 
         let enc_user_key = "4.dxbd5OMwi/Avy7DQxvLV+Z7kDJgHBtg/jAbgYNO7QU0Zii4rLFNco2lS5aS9z42LTZHc2p5HYwn2ZwkZNfHsQ6//d5q40MDgGYJMKBXOZP62ZHhct1XsvYBmtcUtIOm5j2HSjt2pjEuGAc1LbyGIWRJJQ3Lp1ULbL2m71I+P23GF36JyOM8SUWvpvxE/3+qqVhRFPG2VqMCYa2kLLxwVfUmpV+KKjX1TXsrq6pfJIwHNwHw4h7MSfD8xTy2bx4MiBt638Z9Vt1pGsSQkh9RgPvCbnhuCpZQloUgJ8ByLVEcrlKx3yaaxiQXvte+ZhuOI7rGdjmoVoOzisooje4JgYw==".parse().unwrap();
-        let dec = auth_request_decrypt_user_key(private_key.to_owned(), enc_user_key).unwrap();
+        let dec =
+            auth_request_decrypt_user_key(private_key.to_owned().into(), enc_user_key).unwrap();
 
         assert_eq!(
             &dec.to_encoded().to_vec(),
@@ -198,9 +200,12 @@ mod tests {
 
         let enc_master_key = "4.dxbd5OMwi/Avy7DQxvLV+Z7kDJgHBtg/jAbgYNO7QU0Zii4rLFNco2lS5aS9z42LTZHc2p5HYwn2ZwkZNfHsQ6//d5q40MDgGYJMKBXOZP62ZHhct1XsvYBmtcUtIOm5j2HSjt2pjEuGAc1LbyGIWRJJQ3Lp1ULbL2m71I+P23GF36JyOM8SUWvpvxE/3+qqVhRFPG2VqMCYa2kLLxwVfUmpV+KKjX1TXsrq6pfJIwHNwHw4h7MSfD8xTy2bx4MiBt638Z9Vt1pGsSQkh9RgPvCbnhuCpZQloUgJ8ByLVEcrlKx3yaaxiQXvte+ZhuOI7rGdjmoVoOzisooje4JgYw==".parse().unwrap();
         let enc_user_key = "2.Q/2PhzcC7GdeiMHhWguYAQ==|GpqzVdr0go0ug5cZh1n+uixeBC3oC90CIe0hd/HWA/pTRDZ8ane4fmsEIcuc8eMKUt55Y2q/fbNzsYu41YTZzzsJUSeqVjT8/iTQtgnNdpo=|dwI+uyvZ1h/iZ03VQ+/wrGEFYVewBUUl/syYgjsNMbE=".parse().unwrap();
-        let dec =
-            auth_request_decrypt_master_key(private_key.to_owned(), enc_master_key, enc_user_key)
-                .unwrap();
+        let dec = auth_request_decrypt_master_key(
+            private_key.to_owned().into(),
+            enc_master_key,
+            enc_user_key,
+        )
+        .unwrap();
 
         assert_eq!(
             &dec.to_encoded().to_vec(),
@@ -238,7 +243,8 @@ mod tests {
 
         // Initialize an auth request, and approve it on the existing device
         let auth_req = new_auth_request(email).unwrap();
-        let approved_req = approve_auth_request(&existing_device, auth_req.public_key).unwrap();
+        let approved_req =
+            approve_auth_request(&existing_device, auth_req.public_key.into()).unwrap();
 
         // Unlock the vault using the approved request
         new_device
diff --git a/crates/bitwarden-core/src/auth/tde.rs b/crates/bitwarden-core/src/auth/tde.rs
@@ -1,21 +1,20 @@
-use base64::{engine::general_purpose::STANDARD, Engine};
 use bitwarden_crypto::{
     AsymmetricPublicCryptoKey, DeviceKey, EncString, Kdf, SymmetricCryptoKey, TrustDeviceResponse,
     UnsignedSharedKey, UserKey,
 };
 
-use crate::{client::encryption_settings::EncryptionSettingsError, Client};
+use crate::{client::encryption_settings::EncryptionSettingsError, Base64String, Client};
 
 /// This function generates a new user key and key pair, initializes the client's crypto with the
 /// generated user key, and encrypts the user key with the organization public key for admin
 /// password reset. If remember_device is true, it also generates a device key.
 pub(super) fn make_register_tde_keys(
     client: &Client,
     email: String,
-    org_public_key: String,
+    org_public_key: Base64String,
     remember_device: bool,
 ) -> Result<RegisterTdeKeyResponse, EncryptionSettingsError> {
-    let public_key = AsymmetricPublicCryptoKey::from_der(&STANDARD.decode(org_public_key)?)?;
+    let public_key = AsymmetricPublicCryptoKey::from_der(&org_public_key.try_into()?)?;
 
     let user_key = UserKey::new(SymmetricCryptoKey::make_aes256_cbc_hmac_key());
     let key_pair = user_key.make_key_pair()?;
diff --git a/crates/bitwarden-core/src/key_management/crypto.rs b/crates/bitwarden-core/src/key_management/crypto.rs
@@ -10,7 +10,8 @@ use base64::{engine::general_purpose::STANDARD, Engine};
 use bitwarden_crypto::{
     AsymmetricCryptoKey, CoseSerializable, CryptoError, EncString, Kdf, KeyDecryptable,
     KeyEncryptable, MasterKey, Pkcs8PrivateKeyBytes, PrimitiveEncryptable, SignatureAlgorithm,
-    SignedPublicKey, SigningKey, SymmetricCryptoKey, UnsignedSharedKey, UserKey,
+    SignedPublicKey, SigningKey, SpkiPublicKeyBytes, SymmetricCryptoKey, UnsignedSharedKey,
+    UserKey,
 };
 use bitwarden_error::bitwarden_error;
 use schemars::JsonSchema;
@@ -21,7 +22,7 @@ use {tsify_next::Tsify, wasm_bindgen::prelude::*};
 use crate::{
     client::{encryption_settings::EncryptionSettingsError, LoginMethod, UserLoginMethod},
     key_management::{AsymmetricKeyId, SigningKeyId, SymmetricKeyId},
-    Client, NotAuthenticatedError, VaultLockedError, WrongPasswordError,
+    Base64String, Client, NotAuthenticatedError, VaultLockedError, WrongPasswordError,
 };
 
 /// Catch all error for mobile crypto operations.
@@ -177,13 +178,13 @@ pub(super) async fn initialize_user_crypto(
         } => {
             let user_key = match method {
                 AuthRequestMethod::UserKey { protected_user_key } => {
-                    auth_request_decrypt_user_key(request_private_key, protected_user_key)?
+                    auth_request_decrypt_user_key(request_private_key.into(), protected_user_key)?
                 }
                 AuthRequestMethod::MasterKey {
                     protected_master_key,
                     auth_request_key,
                 } => auth_request_decrypt_master_key(
-                    request_private_key,
+                    request_private_key.into(),
                     protected_master_key,
                     auth_request_key,
                 )?,
@@ -407,12 +408,11 @@ pub enum EnrollAdminPasswordResetError {
 
 pub(super) fn enroll_admin_password_reset(
     client: &Client,
-    public_key: String,
+    public_key: Base64String,
 ) -> Result<UnsignedSharedKey, EnrollAdminPasswordResetError> {
-    use base64::{engine::general_purpose::STANDARD, Engine};
     use bitwarden_crypto::AsymmetricPublicCryptoKey;
 
-    let public_key = AsymmetricPublicCryptoKey::from_der(&STANDARD.decode(public_key)?)?;
+    let public_key = AsymmetricPublicCryptoKey::from_der(&public_key.try_into()?)?;
     let key_store = client.internal.get_key_store();
     let ctx = key_store.context();
     // FIXME: [PM-18110] This should be removed once the key store can handle public key encryption
@@ -841,7 +841,7 @@ mod tests {
 
         let public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsy7RFHcX3C8Q4/OMmhhbFReYWfB45W9PDTEA8tUZwZmtOiN2RErIS2M1c+K/4HoDJ/TjpbX1f2MZcr4nWvKFuqnZXyewFc+jmvKVewYi+NAu2++vqKq2kKcmMNhwoQDQdQIVy/Uqlp4Cpi2cIwO6ogq5nHNJGR3jm+CpyrafYlbz1bPvL3hbyoGDuG2tgADhyhXUdFuef2oF3wMvn1lAJAvJnPYpMiXUFmj1ejmbwtlxZDrHgUJvUcp7nYdwUKaFoi+sOttHn3u7eZPtNvxMjhSS/X/1xBIzP/mKNLdywH5LoRxniokUk+fV3PYUxJsiU3lV0Trc/tH46jqd8ZGjmwIDAQAB";
 
-        let encrypted = enroll_admin_password_reset(&client, public_key.to_owned()).unwrap();
+        let encrypted = enroll_admin_password_reset(&client, public_key.to_owned().into()).unwrap();
 
         let private_key = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzLtEUdxfcLxDj84yaGFsVF5hZ8Hjlb08NMQDy1RnBma06I3ZESshLYzVz4r/gegMn9OOltfV/Yxlyvida8oW6qdlfJ7AVz6Oa8pV7BiL40C7b76+oqraQpyYw2HChANB1AhXL9SqWngKmLZwjA7qiCrmcc0kZHeOb4KnKtp9iVvPVs+8veFvKgYO4ba2AAOHKFdR0W55/agXfAy+fWUAkC8mc9ikyJdQWaPV6OZvC2XFkOseBQm9Rynudh3BQpoWiL6w620efe7t5k+02/EyOFJL9f/XEEjM/+Yo0t3LAfkuhHGeKiRST59Xc9hTEmyJTeVXROtz+0fjqOp3xkaObAgMBAAECggEACs4xhnO0HaZhh1/iH7zORMIRXKeyxP2LQiTR8xwN5JJ9wRWmGAR9VasS7EZFTDidIGVME2u/h4s5EqXnhxfO+0gGksVvgNXJ/qw87E8K2216g6ZNo6vSGA7H1GH2voWwejJ4/k/cJug6dz2S402rRAKh2Wong1arYHSkVlQp3diiMa5FHAOSE+Cy09O2ZsaF9IXQYUtlW6AVXFrBEPYH2kvkaPXchh8VETMijo6tbvoKLnUHe+wTaDMls7hy8exjtVyI59r3DNzjy1lNGaGb5QSnFMXR+eHhPZc844Wv02MxC15zKABADrl58gpJyjTl6XpDdHCYGsmGpVGH3X9TQQKBgQDz/9beFjzq59ve6rGwn+EtnQfSsyYT+jr7GN8lNEXb3YOFXBgPhfFIcHRh2R00Vm9w2ApfAx2cd8xm2I6HuvQ1Os7g26LWazvuWY0Qzb+KaCLQTEGH1RnTq6CCG+BTRq/a3J8M4t38GV5TWlzv8wr9U4dl6FR4efjb65HXs1GQ4QKBgQC7/uHfrOTEHrLeIeqEuSl0vWNqEotFKdKLV6xpOvNuxDGbgW4/r/zaxDqt0YBOXmRbQYSEhmO3oy9J6XfE1SUln0gbavZeW0HESCAmUIC88bDnspUwS9RxauqT5aF8ODKN/bNCWCnBM1xyonPOs1oT1nyparJVdQoG//Y7vkB3+wKBgBqLqPq8fKAp3XfhHLfUjREDVoiLyQa/YI9U42IOz9LdxKNLo6p8rgVthpvmnRDGnpUuS+KOWjhdqDVANjF6G3t3DG7WNl8Rh5Gk2H4NhFswfSkgQrjebFLlBy9gjQVCWXt8KSmjvPbiY6q52Aaa8IUjA0YJAregvXxfopxO+/7BAoGARicvEtDp7WWnSc1OPoj6N14VIxgYcI7SyrzE0d/1x3ffKzB5e7qomNpxKzvqrVP8DzG7ydh8jaKPmv1MfF8tpYRy3AhmN3/GYwCnPqT75YYrhcrWcVdax5gmQVqHkFtIQkRSCIftzPLlpMGKha/YBV8c1fvC4LD0NPh/Ynv0gtECgYEAyOZg95/kte0jpgUEgwuMrzkhY/AaUJULFuR5MkyvReEbtSBQwV5tx60+T95PHNiFooWWVXiLMsAgyI2IbkxVR1Pzdri3gWK5CTfqb7kLuaj/B7SGvBa2Sxo478KS5K8tBBBWkITqo+wLC0mn3uZi1dyMWO1zopTA+KtEGF2dtGQ=";
         let private_key = STANDARD.decode(private_key).unwrap();
diff --git a/crates/bitwarden-core/src/key_management/crypto_client.rs b/crates/bitwarden-core/src/key_management/crypto_client.rs
@@ -109,7 +109,7 @@ impl CryptoClient {
         &self,
         public_key: String,
     ) -> Result<UnsignedSharedKey, EnrollAdminPasswordResetError> {
-        enroll_admin_password_reset(&self.client, public_key)
+        enroll_admin_password_reset(&self.client, public_key.into())
     }
 
     /// Derive the master key for migrating to the key connector
diff --git a/crates/bitwarden-core/src/lib.rs b/crates/bitwarden-core/src/lib.rs
@@ -28,3 +28,5 @@ pub use client::{Client, ClientSettings, DeviceType};
 
 mod ids;
 pub use ids::*;
+mod types;
+pub use types::*;
diff --git a/crates/bitwarden-core/src/types.rs b/crates/bitwarden-core/src/types.rs
@@ -0,0 +1,45 @@
+use base64::{engine::general_purpose::STANDARD, Engine};
+use bitwarden_crypto::{Pkcs8PrivateKeyBytes, SpkiPublicKeyBytes};
+
+/// A wrapper around a Base64-encoded string that can be used to decode it into a byte vector.
+/// This is useful for handling Base64-encoded strings in a type-safe manner,
+/// ensuring that the string is always treated as Base64 data.
+pub struct Base64String(String);
+
+impl From<String> for Base64String {
+    fn from(val: String) -> Self {
+        Base64String(val)
+    }
+}
+
+impl TryInto<Vec<u8>> for Base64String {
+    type Error = base64::DecodeError;
+
+    fn try_into(self) -> Result<Vec<u8>, Self::Error> {
+        STANDARD.decode(&self.0)
+    }
+}
+
+impl From<Vec<u8>> for Base64String {
+    fn from(val: Vec<u8>) -> Self {
+        Base64String(STANDARD.encode(val))
+    }
+}
+
+impl TryInto<SpkiPublicKeyBytes> for Base64String {
+    type Error = base64::DecodeError;
+
+    fn try_into(self) -> Result<SpkiPublicKeyBytes, Self::Error> {
+        let bytes: Vec<u8> = self.try_into()?;
+        Ok(SpkiPublicKeyBytes::from(bytes))
+    }
+}
+
+impl TryInto<Pkcs8PrivateKeyBytes> for Base64String {
+    type Error = base64::DecodeError;
+
+    fn try_into(self) -> Result<Pkcs8PrivateKeyBytes, Self::Error> {
+        let bytes: Vec<u8> = self.try_into()?;
+        Ok(Pkcs8PrivateKeyBytes::from(bytes))
+    }
+}
diff --git a/crates/bitwarden-crypto/src/fingerprint.rs b/crates/bitwarden-crypto/src/fingerprint.rs
@@ -64,7 +64,7 @@ pub enum FingerprintError {
 #[cfg(test)]
 mod tests {
     use super::fingerprint;
-    use crate::{Bytes, SpkiPublicKeyBytes};
+    use crate::SpkiPublicKeyBytes;
 
     #[test]
     fn test_fingerprint() {
diff --git a/crates/bitwarden-crypto/src/keys/asymmetric_crypto_key.rs b/crates/bitwarden-crypto/src/keys/asymmetric_crypto_key.rs
@@ -35,10 +35,11 @@ impl AsymmetricPublicCryptoKey {
     }
 
     /// Build a public key from the SubjectPublicKeyInfo DER.
-    pub fn from_der(der: &[u8]) -> Result<Self> {
+    pub fn from_der(der: &SpkiPublicKeyBytes) -> Result<Self> {
         Ok(AsymmetricPublicCryptoKey {
             inner: RawPublicKey::RsaOaepSha1(
-                RsaPublicKey::from_public_key_der(der).map_err(|_| CryptoError::InvalidKey)?,
+                RsaPublicKey::from_public_key_der(der.as_ref())
+                    .map_err(|_| CryptoError::InvalidKey)?,
             ),
         })
     }
@@ -263,7 +264,7 @@ DnqOsltgPomWZ7xVfMkm9niL2OA=
 
         let private_key = Pkcs8PrivateKeyBytes::from(private_key);
         let private_key = AsymmetricCryptoKey::from_der(&private_key).unwrap();
-        let public_key = AsymmetricPublicCryptoKey::from_der(&public_key).unwrap();
+        let public_key = AsymmetricPublicCryptoKey::from_der(&public_key.into()).unwrap();
 
         let raw_key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
         let encrypted = UnsignedSharedKey::encapsulate_key_unsigned(&raw_key, &public_key).unwrap();
diff --git a/crates/bitwarden-crypto/src/keys/pin_key.rs b/crates/bitwarden-crypto/src/keys/pin_key.rs
@@ -20,7 +20,7 @@ impl PinKey {
 
     /// Encrypt the users user key
     pub fn encrypt_user_key(&self, user_key: &SymmetricCryptoKey) -> Result<EncString> {
-        user_key.encrypt_with_key(&self)
+        user_key.encrypt_with_key(self)
     }
 
     /// Decrypt the users user key
diff --git a/crates/bitwarden-crypto/src/keys/signed_public_key.rs b/crates/bitwarden-crypto/src/keys/signed_public_key.rs
@@ -13,7 +13,7 @@ use super::AsymmetricPublicCryptoKey;
 use crate::{
     cose::CoseSerializable, error::EncodingError, util::FromStrVisitor, CoseSign1Bytes,
     CryptoError, PublicKeyEncryptionAlgorithm, RawPublicKey, SignedObject, SigningKey,
-    SigningNamespace, VerifyingKey,
+    SigningNamespace, SpkiPublicKeyBytes, VerifyingKey,
 };
 
 #[cfg(feature = "wasm")]
@@ -114,8 +114,10 @@ impl SignedPublicKey {
             public_key_message.content_format,
         ) {
             (PublicKeyEncryptionAlgorithm::RsaOaepSha1, PublicKeyFormat::Spki) => Ok(
-                AsymmetricPublicCryptoKey::from_der(&public_key_message.public_key.into_vec())
-                    .map_err(|_| EncodingError::InvalidValue("public key"))?,
+                AsymmetricPublicCryptoKey::from_der(&SpkiPublicKeyBytes::from(
+                    public_key_message.public_key.into_vec(),
+                ))
+                .map_err(|_| EncodingError::InvalidValue("public key"))?,
             ),
         }
     }
diff --git a/crates/bitwarden-uniffi/src/auth/mod.rs b/crates/bitwarden-uniffi/src/auth/mod.rs
@@ -73,7 +73,7 @@ impl AuthClient {
         Ok(self
             .0
             .auth()
-            .make_register_tde_keys(email, org_public_key, remember_device)
+            .make_register_tde_keys(email, org_public_key.into(), remember_device)
             .map_err(Error::EncryptionSettings)?)
     }
 
@@ -146,7 +146,7 @@ impl AuthClient {
         Ok(self
             .0
             .auth()
-            .approve_auth_request(public_key)
+            .approve_auth_request(public_key.into())
             .map_err(Error::ApproveAuthRequest)?)
     }
 
diff --git a/crates/bitwarden-wasm-internal/src/pure_crypto.rs b/crates/bitwarden-wasm-internal/src/pure_crypto.rs
@@ -251,7 +251,8 @@ impl PureCrypto {
         shared_key: Vec<u8>,
         encapsulation_key: Vec<u8>,
     ) -> Result<String, CryptoError> {
-        let encapsulation_key = AsymmetricPublicCryptoKey::from_der(encapsulation_key.as_slice())?;
+        let encapsulation_key =
+            AsymmetricPublicCryptoKey::from_der(&SpkiPublicKeyBytes::from(encapsulation_key))?;
         Ok(UnsignedSharedKey::encapsulate_key_unsigned(
             &SymmetricCryptoKey::try_from(&BitwardenLegacyKeyBytes::from(shared_key))?,
             &encapsulation_key,

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ impl CryptoClient {`
`109`	`109`	`&self,`
`110`	`110`	`public_key: String,`
`111`	`111`	`) -> Result<UnsignedSharedKey, EnrollAdminPasswordResetError> {`
`112`		`- enroll_admin_password_reset(&self.client, public_key)`
	`112`	`+ enroll_admin_password_reset(&self.client, public_key.into())`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`/// Derive the master key for migrating to the key connector`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ impl PinKey {`
`20`	`20`
`21`	`21`	`/// Encrypt the users user key`
`22`	`22`	`pub fn encrypt_user_key(&self, user_key: &SymmetricCryptoKey) -> Result<EncString> {`
`23`		`- user_key.encrypt_with_key(&self)`
	`23`	`+ user_key.encrypt_with_key(self)`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`/// Decrypt the users user key`