Typed byte arrays

Author: quexten

bitwarden_license/bitwarden-sm/src/projects/create.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::ProjectCreateRequestModel;
 use bitwarden_core::{key_management::SymmetricKeyId, Client};
-use bitwarden_crypto::PrimitiveEncryptableWithContentType;
+use bitwarden_crypto::PrimitiveEncryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;

bitwarden_license/bitwarden-sm/src/projects/update.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::ProjectUpdateRequestModel;
 use bitwarden_core::{key_management::SymmetricKeyId, Client};
-use bitwarden_crypto::PrimitiveEncryptableWithContentType;
+use bitwarden_crypto::PrimitiveEncryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;

bitwarden_license/bitwarden-sm/src/secrets/create.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::SecretCreateRequestModel;
 use bitwarden_core::{key_management::SymmetricKeyId, Client};
-use bitwarden_crypto::PrimitiveEncryptableWithContentType;
+use bitwarden_crypto::PrimitiveEncryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;

bitwarden_license/bitwarden-sm/src/secrets/update.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::SecretUpdateRequestModel;
 use bitwarden_core::{key_management::SymmetricKeyId, Client};
-use bitwarden_crypto::PrimitiveEncryptableWithContentType;
+use bitwarden_crypto::PrimitiveEncryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;

crates/bitwarden-core/src/auth/auth_request.rs

@@ -52,7 +52,7 @@ pub(crate) fn auth_request_decrypt_user_key(
     private_key: String,
     user_key: UnsignedSharedKey,
 ) -> Result<SymmetricCryptoKey, EncryptionSettingsError> {
-    let key = AsymmetricCryptoKey::from_der(&STANDARD.decode(private_key)?)?;
+    let key = AsymmetricCryptoKey::from_der(&STANDARD.decode(private_key)?.into())?;
     let key: SymmetricCryptoKey = user_key.decapsulate_key_unsigned(&key)?;
     Ok(key)
 }
@@ -66,7 +66,7 @@ pub(crate) fn auth_request_decrypt_master_key(
 ) -> Result<SymmetricCryptoKey, EncryptionSettingsError> {
     use bitwarden_crypto::MasterKey;
 
-    let key = AsymmetricCryptoKey::from_der(&STANDARD.decode(private_key)?)?;
+    let key = AsymmetricCryptoKey::from_der(&STANDARD.decode(private_key)?.into())?;
     let master_key: SymmetricCryptoKey = master_key.decapsulate_key_unsigned(&key)?;
     let master_key = MasterKey::try_from(&master_key)?;
 
@@ -118,7 +118,8 @@ fn test_auth_request() {
     ];
 
     let private_key =
-        AsymmetricCryptoKey::from_der(&STANDARD.decode(&request.private_key).unwrap()).unwrap();
+        AsymmetricCryptoKey::from_der(&STANDARD.decode(&request.private_key).unwrap().into())
+            .unwrap();
 
     let encrypted = UnsignedSharedKey::encapsulate_key_unsigned(
         &SymmetricCryptoKey::try_from(secret.clone()).unwrap(),
@@ -135,7 +136,7 @@ fn test_auth_request() {
 mod tests {
     use std::num::NonZeroU32;
 
-    use bitwarden_crypto::{Kdf, MasterKey};
+    use bitwarden_crypto::{Kdf, MasterKey, SerializedBytes, SpkiPublicKeyDerContentFormat};
 
     use super::*;
     use crate::key_management::{
@@ -166,8 +167,9 @@ mod tests {
         let public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvyLRDUwXB4BfQ507D4meFPmwn5zwy3IqTPJO4plrrhnclWahXa240BzyFW9gHgYu+Jrgms5xBfRTBMcEsqqNm7+JpB6C1B6yvnik0DpJgWQw1rwvy4SUYidpR/AWbQi47n/hvnmzI/sQxGddVfvWu1iTKOlf5blbKYAXnUE5DZBGnrWfacNXwRRdtP06tFB0LwDgw+91CeLSJ9py6dm1qX5JIxoO8StJOQl65goLCdrTWlox+0Jh4xFUfCkb+s3px+OhSCzJbvG/hlrSRcUz5GnwlCEyF3v5lfUtV96MJD+78d8pmH6CfFAp2wxKRAbGdk+JccJYO6y6oIXd3Fm7twIDAQAB";
 
         // Verify fingerprint
-        let pbkey = STANDARD.decode(public_key).unwrap();
-        let fingerprint = fingerprint("[email protected]", &pbkey).unwrap();
+        let pubkey = STANDARD.decode(public_key).unwrap();
+        let pubkey = SerializedBytes::<SpkiPublicKeyDerContentFormat>::from(pubkey.clone());
+        let fingerprint = fingerprint("[email protected]", &pubkey).unwrap();
         assert_eq!(fingerprint, "childless-unfair-prowler-dropbox-designate");
 
         approve_auth_request(&client, public_key.to_owned()).unwrap();

crates/bitwarden-core/src/client/encryption_settings.rs

@@ -49,16 +49,16 @@ impl EncryptionSettings {
         signing_key: Option<EncString>,
         store: &KeyStore<KeyIds>,
     ) -> Result<(), EncryptionSettingsError> {
-        use bitwarden_crypto::{
-            AsymmetricCryptoKey, CoseSerializable, CryptoError, KeyDecryptable, SigningKey,
-        };
+        use bitwarden_crypto::{AsymmetricCryptoKey, CoseSerializable, KeyDecryptable, SigningKey};
         use log::warn;
 
         use crate::key_management::{AsymmetricKeyId, SigningKeyId, SymmetricKeyId};
 
         let private_key = {
-            let dec: Vec<u8> = private_key.decrypt_with_key(&user_key)?;
+            use bitwarden_crypto::{Pkcs8PrivateKeyDerContentFormat, SerializedBytes};
 
+            let dec: Vec<u8> = private_key.decrypt_with_key(&user_key)?;
+            let dec: SerializedBytes<Pkcs8PrivateKeyDerContentFormat> = SerializedBytes::from(dec);
             // FIXME: [PM-11690] - Temporarily ignore invalid private keys until we have a recovery
             // process in place.
             AsymmetricCryptoKey::from_der(&dec)
@@ -72,12 +72,13 @@ impl EncryptionSettings {
             //         .map_err(|_| EncryptionSettingsError::InvalidPrivateKey)?,
             // )
         };
-        let signing_key = signing_key
-            .map(|key| {
-                let dec: Vec<u8> = key.decrypt_with_key(&user_key)?;
-                SigningKey::from_cose(dec.as_slice()).map_err(Into::<CryptoError>::into)
-            })
-            .transpose()?;
+        let signing_key = signing_key.map(|key| {
+            use bitwarden_crypto::{CoseKeyContentFormat, SerializedBytes};
+
+            let dec: Vec<u8> = key.decrypt_with_key(&user_key).unwrap();
+            let dec: SerializedBytes<CoseKeyContentFormat> = SerializedBytes::from(dec);
+            SigningKey::from_cose(&dec).unwrap()
+        });
 
         // FIXME: [PM-18098] When this is part of crypto we won't need to use deprecated methods
         #[allow(deprecated)]

crates/bitwarden-core/src/key_management/crypto.rs

@@ -8,9 +8,10 @@ use std::collections::HashMap;
 
 use base64::{engine::general_purpose::STANDARD, Engine};
 use bitwarden_crypto::{
-    AsymmetricCryptoKey, ContentFormat, CoseSerializable, CryptoError, EncString, Kdf,
-    KeyDecryptable, KeyEncryptable, MasterKey, PrimitiveEncryptable, SignatureAlgorithm,
-    SignedPublicKey, SigningKey, SymmetricCryptoKey, UnsignedSharedKey, UserKey,
+    AsymmetricCryptoKey, CoseSerializable, CryptoError, EncString, Kdf, KeyDecryptable,
+    KeyEncryptable, MasterKey, Pkcs8PrivateKeyDerContentFormat, PrimitiveEncryptable,
+    SerializedBytes, SignatureAlgorithm, SignedPublicKey, SigningKey, SymmetricCryptoKey,
+    UnsignedSharedKey, UserKey,
 };
 use bitwarden_error::bitwarden_error;
 use schemars::JsonSchema;
@@ -351,7 +352,7 @@ pub(super) fn derive_pin_key(
 
     Ok(DerivePinKeyResponse {
         pin_protected_user_key,
-        encrypted_pin: pin.encrypt_with_key(user_key, ContentFormat::Utf8)?,
+        encrypted_pin: pin.encrypt_with_key(user_key)?,
     })
 }
 
@@ -536,6 +537,8 @@ pub(super) fn verify_asymmetric_keys(
             .decrypt_with_key(user_key)
             .map_err(VerifyError::DecryptFailed)?;
 
+        let decrypted_private_key: SerializedBytes<Pkcs8PrivateKeyDerContentFormat> =
+            SerializedBytes::from(decrypted_private_key);
         let private_key = AsymmetricCryptoKey::from_der(&decrypted_private_key)
             .map_err(VerifyError::ParseFailed)?;
 
@@ -602,13 +605,9 @@ pub fn make_user_signing_keys_for_enrollment(
 
     Ok(MakeUserSigningKeysResponse {
         verifying_key: STANDARD.encode(signature_keypair.to_verifying_key().to_cose()),
-        // This needs to be changed to use the correct COSE content format before rolling out to
-        // users: https://bitwarden.atlassian.net/browse/PM-22189
-        signing_key: signature_keypair.to_cose().encrypt(
-            &mut ctx,
-            SymmetricKeyId::User,
-            ContentFormat::CoseKey,
-        )?,
+        signing_key: signature_keypair
+            .to_cose()
+            .encrypt(&mut ctx, SymmetricKeyId::User)?,
         signed_public_key,
     })
 }
@@ -844,8 +843,9 @@ mod tests {
         let encrypted = enroll_admin_password_reset(&client, public_key.to_owned()).unwrap();
 
         let private_key = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzLtEUdxfcLxDj84yaGFsVF5hZ8Hjlb08NMQDy1RnBma06I3ZESshLYzVz4r/gegMn9OOltfV/Yxlyvida8oW6qdlfJ7AVz6Oa8pV7BiL40C7b76+oqraQpyYw2HChANB1AhXL9SqWngKmLZwjA7qiCrmcc0kZHeOb4KnKtp9iVvPVs+8veFvKgYO4ba2AAOHKFdR0W55/agXfAy+fWUAkC8mc9ikyJdQWaPV6OZvC2XFkOseBQm9Rynudh3BQpoWiL6w620efe7t5k+02/EyOFJL9f/XEEjM/+Yo0t3LAfkuhHGeKiRST59Xc9hTEmyJTeVXROtz+0fjqOp3xkaObAgMBAAECggEACs4xhnO0HaZhh1/iH7zORMIRXKeyxP2LQiTR8xwN5JJ9wRWmGAR9VasS7EZFTDidIGVME2u/h4s5EqXnhxfO+0gGksVvgNXJ/qw87E8K2216g6ZNo6vSGA7H1GH2voWwejJ4/k/cJug6dz2S402rRAKh2Wong1arYHSkVlQp3diiMa5FHAOSE+Cy09O2ZsaF9IXQYUtlW6AVXFrBEPYH2kvkaPXchh8VETMijo6tbvoKLnUHe+wTaDMls7hy8exjtVyI59r3DNzjy1lNGaGb5QSnFMXR+eHhPZc844Wv02MxC15zKABADrl58gpJyjTl6XpDdHCYGsmGpVGH3X9TQQKBgQDz/9beFjzq59ve6rGwn+EtnQfSsyYT+jr7GN8lNEXb3YOFXBgPhfFIcHRh2R00Vm9w2ApfAx2cd8xm2I6HuvQ1Os7g26LWazvuWY0Qzb+KaCLQTEGH1RnTq6CCG+BTRq/a3J8M4t38GV5TWlzv8wr9U4dl6FR4efjb65HXs1GQ4QKBgQC7/uHfrOTEHrLeIeqEuSl0vWNqEotFKdKLV6xpOvNuxDGbgW4/r/zaxDqt0YBOXmRbQYSEhmO3oy9J6XfE1SUln0gbavZeW0HESCAmUIC88bDnspUwS9RxauqT5aF8ODKN/bNCWCnBM1xyonPOs1oT1nyparJVdQoG//Y7vkB3+wKBgBqLqPq8fKAp3XfhHLfUjREDVoiLyQa/YI9U42IOz9LdxKNLo6p8rgVthpvmnRDGnpUuS+KOWjhdqDVANjF6G3t3DG7WNl8Rh5Gk2H4NhFswfSkgQrjebFLlBy9gjQVCWXt8KSmjvPbiY6q52Aaa8IUjA0YJAregvXxfopxO+/7BAoGARicvEtDp7WWnSc1OPoj6N14VIxgYcI7SyrzE0d/1x3ffKzB5e7qomNpxKzvqrVP8DzG7ydh8jaKPmv1MfF8tpYRy3AhmN3/GYwCnPqT75YYrhcrWcVdax5gmQVqHkFtIQkRSCIftzPLlpMGKha/YBV8c1fvC4LD0NPh/Ynv0gtECgYEAyOZg95/kte0jpgUEgwuMrzkhY/AaUJULFuR5MkyvReEbtSBQwV5tx60+T95PHNiFooWWVXiLMsAgyI2IbkxVR1Pzdri3gWK5CTfqb7kLuaj/B7SGvBa2Sxo478KS5K8tBBBWkITqo+wLC0mn3uZi1dyMWO1zopTA+KtEGF2dtGQ=";
-        let private_key =
-            AsymmetricCryptoKey::from_der(&STANDARD.decode(private_key).unwrap()).unwrap();
+        let private_key = STANDARD.decode(private_key).unwrap();
+        let private_key = SerializedBytes::<Pkcs8PrivateKeyDerContentFormat>::from(private_key);
+        let private_key = AsymmetricCryptoKey::from_der(&private_key).unwrap();
         let decrypted: SymmetricCryptoKey =
             encrypted.decapsulate_key_unsigned(&private_key).unwrap();
 
@@ -937,11 +937,7 @@ mod tests {
     fn test_verify_asymmetric_keys_parse_failed() {
         let (user_key, key_pair) = setup_asymmetric_keys_test();
 
-        let invalid_private_key = "bad_key"
-            .to_string()
-            .into_bytes()
-            .encrypt_with_key(&user_key.0, ContentFormat::Utf8)
-            .unwrap();
+        let invalid_private_key = "bad_key".to_string().encrypt_with_key(&user_key.0).unwrap();
 
         let request = VerifyAsymmetricKeysRequest {
             user_key: user_key.0.to_base64(),

crates/bitwarden-core/src/platform/generate_fingerprint.rs

@@ -3,7 +3,7 @@
 //! This module contains the logic for generating fingerprints.
 
 use base64::{engine::general_purpose::STANDARD, Engine};
-use bitwarden_crypto::fingerprint;
+use bitwarden_crypto::{fingerprint, SerializedBytes, SpkiPublicKeyDerContentFormat};
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
@@ -42,7 +42,7 @@ pub enum FingerprintError {
 
 pub(crate) fn generate_fingerprint(input: &FingerprintRequest) -> Result<String, FingerprintError> {
     let key = STANDARD.decode(&input.public_key)?;
-
+    let key = SerializedBytes::<SpkiPublicKeyDerContentFormat>::from(key);
     Ok(fingerprint(&input.fingerprint_material, &key)?)
 }
 

crates/bitwarden-core/src/secrets_manager/state.rs

@@ -5,7 +5,7 @@
 
 use std::{fmt::Debug, path::Path};
 
-use bitwarden_crypto::{ContentFormat, EncString, KeyDecryptable, KeyEncryptable};
+use bitwarden_crypto::{EncString, KeyDecryptable, KeyEncryptable};
 use serde::{Deserialize, Serialize};
 
 use crate::auth::AccessToken;
@@ -73,7 +73,7 @@ pub(crate) fn set(
 ) -> Result<(), StateFileError> {
     let serialized_state: String = serde_json::to_string(&state)?;
     let encrypted_state: EncString =
-        serialized_state.encrypt_with_key(&access_token.encryption_key, ContentFormat::Utf8)?;
+        serialized_state.encrypt_with_key(&access_token.encryption_key)?;
     let state_string: String = encrypted_state.to_string();
 
     Ok(std::fs::write(state_file, state_string)?)

crates/bitwarden-crypto/examples/signature.rs

@@ -1,7 +1,9 @@
 //! This example demonstrates how to create signatures and countersignatures for a message, and how
 //! to verify them.
 
-use bitwarden_crypto::{CoseSerializable, SigningNamespace};
+use bitwarden_crypto::{
+    CoseSerializable, CoseSign1ContentFormat, SerializedBytes, SigningNamespace,
+};
 use serde::{Deserialize, Serialize};
 
 const EXAMPLE_NAMESPACE: &SigningNamespace = &SigningNamespace::SignedPublicKey;
@@ -38,16 +40,18 @@ fn main() {
         .expect("Failed to sign message");
 
     // Alice sends the signed object to Bob
-    mock_server.upload("signature", signature.to_cose());
+    mock_server.upload("signature", signature.to_cose().as_ref().to_vec());
     mock_server.upload("serialized_message", serialized_message.as_bytes().to_vec());
 
     // Bob retrieves the signed object from the server
-    let retrieved_signature = bitwarden_crypto::Signature::from_cose(
-        mock_server
-            .download("signature")
-            .expect("Failed to download signature"),
-    )
-    .expect("Failed to deserialize signature");
+    let retrieved_signature =
+        bitwarden_crypto::Signature::from_cose(&SerializedBytes::<CoseSign1ContentFormat>::from(
+            mock_server
+                .download("signature")
+                .expect("Failed to download signature")
+                .clone(),
+        ))
+        .expect("Failed to deserialize signature");
     let retrieved_serialized_message = bitwarden_crypto::SerializedMessage::from_bytes(
         mock_server
             .download("serialized_message")
@@ -76,7 +80,7 @@ fn main() {
         )
         .expect("Failed to counter sign message");
     // Bob sends the counter signature to Charlie
-    mock_server.upload("bobs_signature", bobs_signature.to_cose());
+    mock_server.upload("bobs_signature", bobs_signature.to_cose().as_ref().to_vec());
 
     // Charlie retrieves the signatures, and the message
     let retrieved_serialized_message = bitwarden_crypto::SerializedMessage::from_bytes(
@@ -88,18 +92,22 @@ fn main() {
             .content_type()
             .expect("Failed to get content type from signature"),
     );
-    let retrieved_alice_signature = bitwarden_crypto::Signature::from_cose(
-        mock_server
-            .download("signature")
-            .expect("Failed to download Alice's signature"),
-    )
-    .expect("Failed to deserialize Alice's signature");
-    let retrieved_bobs_signature = bitwarden_crypto::Signature::from_cose(
-        mock_server
-            .download("bobs_signature")
-            .expect("Failed to download Bob's signature"),
-    )
-    .expect("Failed to deserialize Bob's signature");
+    let retrieved_alice_signature =
+        bitwarden_crypto::Signature::from_cose(&SerializedBytes::<CoseSign1ContentFormat>::from(
+            mock_server
+                .download("signature")
+                .expect("Failed to download Alice's signature")
+                .clone(),
+        ))
+        .expect("Failed to deserialize Alice's signature");
+    let retrieved_bobs_signature =
+        bitwarden_crypto::Signature::from_cose(&SerializedBytes::<CoseSign1ContentFormat>::from(
+            mock_server
+                .download("bobs_signature")
+                .expect("Failed to download Bob's signature")
+                .clone(),
+        ))
+        .expect("Failed to deserialize Bob's signature");
 
     // Charlie verifies Alice's signature
     if !retrieved_alice_signature.verify(