Cleanup and add tests

Author: quexten

.vscode/settings.json

@@ -15,6 +15,7 @@
     "encryptable",
     "Hkdf",
     "Hmac",
+    "keyslot",
     "Maybeable",
     "Oaep",
     "Pbkdf",

crates/bitwarden-crypto/examples/protect_key_with_password.rs

@@ -2,8 +2,9 @@
 //! [PasswordProtectedKeyEnvelope].
 
 use bitwarden_crypto::{
-    key_ids, KeyStore, KeyStoreContext, PasswordProtectedKeyEnvelope,
-    PasswordProtectedKeyEnvelopeError,
+    key_ids,
+    safe::{PasswordProtectedKeyEnvelope, PasswordProtectedKeyEnvelopeError},
+    KeyStore, KeyStoreContext,
 };
 
 fn main() {

crates/bitwarden-crypto/src/cose.rs

@@ -5,9 +5,10 @@
 
 use coset::{
     iana::{self, CoapContentFormat},
-    CborSerializable, ContentType, Label,
+    CborSerializable, ContentType, Header, Label,
 };
 use generic_array::GenericArray;
+use thiserror::Error;
 use typenum::U32;
 
 use crate::{
@@ -227,6 +228,52 @@ pub trait CoseSerializable<T: CoseContentFormat + ConstContentFormat> {
     where
         Self: Sized;
 }
+
+pub(crate) fn extract_integer(
+    header: &Header,
+    target_label: i64,
+    value_name: &str,
+) -> Result<i128, CoseExtractError> {
+    Ok(header
+        .rest
+        .iter()
+        .find_map(|(label, value)| match (label, value) {
+            (Label::Int(label_value), ciborium::Value::Integer(int_value))
+                if *label_value == target_label =>
+            {
+                Some(*int_value)
+            }
+            _ => None,
+        })
+        .ok_or(CoseExtractError::MissingValue(value_name.to_string()))?
+        .into())
+}
+
+pub(crate) fn extract_bytes(
+    header: &Header,
+    target_label: i64,
+    value_name: &str,
+) -> Result<Vec<u8>, CoseExtractError> {
+    header
+        .rest
+        .iter()
+        .find_map(|(label, value)| match (label, value) {
+            (Label::Int(label_value), ciborium::Value::Bytes(byte_value))
+                if *label_value == target_label =>
+            {
+                Some(byte_value.clone())
+            }
+            _ => None,
+        })
+        .ok_or(CoseExtractError::MissingValue(value_name.to_string()))
+}
+
+#[derive(Debug, Error)]
+pub(crate) enum CoseExtractError {
+    #[error("Missing value {0}")]
+    MissingValue(String),
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

crates/bitwarden-crypto/src/lib.rs

@@ -36,8 +36,7 @@ pub use store::{
 };
 mod cose;
 pub use cose::CoseSerializable;
-mod safe;
-pub use safe::*;
+pub mod safe;
 mod signing;
 pub use signing::*;
 mod traits;

crates/bitwarden-crypto/src/safe/README.md

@@ -0,0 +1,12 @@
+# Bitwarden-crypto safe module
+
+The safe module contains a high-level set of tools used in building protocols and features involving
+cryptography. Whenever possible, a feature should be build with features from this module, before
+opting to build with any other, more lower-level primitives in the `bitwarden-crypto` crate.
+
+## Password-protected key envelope
+
+The password protected key envelope should be used, when the goal is to protect a symmetric key with
+a password, for example for locking a vault with a PIN/Password, for protecting exports with a
+password, etc. Internally, a KDF is used to protect against brute-forcing, but this is not exposed
+to the consumer. The consumer only provides a password and key.

crates/bitwarden-crypto/src/safe/mod.rs

@@ -1,2 +1,4 @@
+#![doc = include_str!("./README.md")]
+
 mod password_protected_key_envelope;
 pub use password_protected_key_envelope::*;