Make content format trait sealed and add type aliases

Author: quexten

crates/bitwarden-core/src/auth/auth_request.rs

@@ -111,7 +111,7 @@ mod tests {
     use std::num::NonZeroU32;
 
     use bitwarden_crypto::{
-        BitwardenLegacyKeyContentFormat, Bytes, Kdf, MasterKey, SpkiPublicKeyDerContentFormat,
+        BitwardenLegacyKeyBytes, Bytes, Kdf, MasterKey, SpkiPublicKeyDerContentFormat,
     };
 
     use super::*;
@@ -135,7 +135,7 @@ mod tests {
             AsymmetricCryptoKey::from_der(&STANDARD.decode(&request.private_key).unwrap().into())
                 .unwrap();
 
-        let secret = Bytes::<BitwardenLegacyKeyContentFormat>::from(secret);
+        let secret = BitwardenLegacyKeyBytes::from(secret);
         let encrypted = UnsignedSharedKey::encapsulate_key_unsigned(
             &SymmetricCryptoKey::try_from(&secret).unwrap(),
             &private_key.to_public_key(),

crates/bitwarden-core/src/auth/login/access_token.rs

@@ -1,9 +1,7 @@
 use std::path::{Path, PathBuf};
 
 use base64::{engine::general_purpose::STANDARD, Engine};
-use bitwarden_crypto::{
-    BitwardenLegacyKeyContentFormat, Bytes, EncString, KeyDecryptable, SymmetricCryptoKey,
-};
+use bitwarden_crypto::{BitwardenLegacyKeyBytes, EncString, KeyDecryptable, SymmetricCryptoKey};
 use chrono::Utc;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -69,7 +67,7 @@ pub(crate) async fn login_access_token(
 
         let payload: Payload = serde_json::from_slice(&decrypted_payload)?;
         let encryption_key = STANDARD.decode(&payload.encryption_key)?;
-        let encryption_key = Bytes::<BitwardenLegacyKeyContentFormat>::from(encryption_key);
+        let encryption_key = BitwardenLegacyKeyBytes::from(encryption_key);
         let encryption_key = SymmetricCryptoKey::try_from(&encryption_key)?;
 
         let access_token_obj: JwtToken = r.access_token.parse()?;

crates/bitwarden-core/src/client/encryption_settings.rs

@@ -58,13 +58,12 @@ impl EncryptionSettings {
         use crate::key_management::{AsymmetricKeyId, SigningKeyId, SymmetricKeyId};
 
         let private_key = {
-            use bitwarden_crypto::{Bytes, Pkcs8PrivateKeyDerContentFormat};
+            use bitwarden_crypto::Bytes;
 
             let dec: Vec<u8> = private_key.decrypt_with_key(&user_key)?;
-            let dec: Bytes<Pkcs8PrivateKeyDerContentFormat> = Bytes::from(dec);
             // FIXME: [PM-11690] - Temporarily ignore invalid private keys until we have a recovery
             // process in place.
-            AsymmetricCryptoKey::from_der(&dec)
+            AsymmetricCryptoKey::from_der(&Bytes::from(dec))
                 .map_err(|_| {
                     warn!("Invalid private key");
                 })

crates/bitwarden-core/src/key_management/crypto.rs

@@ -9,9 +9,8 @@ use std::collections::HashMap;
 use base64::{engine::general_purpose::STANDARD, Engine};
 use bitwarden_crypto::{
     AsymmetricCryptoKey, Bytes, CoseSerializable, CryptoError, EncString, Kdf, KeyDecryptable,
-    KeyEncryptable, MasterKey, Pkcs8PrivateKeyDerContentFormat, PrimitiveEncryptable,
-    SignatureAlgorithm, SignedPublicKey, SigningKey, SymmetricCryptoKey, UnsignedSharedKey,
-    UserKey,
+    KeyEncryptable, MasterKey, Pkcs8PrivateKeyBytes, PrimitiveEncryptable, SignatureAlgorithm,
+    SignedPublicKey, SigningKey, SymmetricCryptoKey, UnsignedSharedKey, UserKey,
 };
 use bitwarden_error::bitwarden_error;
 use schemars::JsonSchema;
@@ -537,8 +536,7 @@ pub(super) fn verify_asymmetric_keys(
             .decrypt_with_key(user_key)
             .map_err(VerifyError::DecryptFailed)?;
 
-        let decrypted_private_key: Bytes<Pkcs8PrivateKeyDerContentFormat> =
-            Bytes::from(decrypted_private_key);
+        let decrypted_private_key: Pkcs8PrivateKeyBytes = Bytes::from(decrypted_private_key);
         let private_key = AsymmetricCryptoKey::from_der(&decrypted_private_key)
             .map_err(VerifyError::ParseFailed)?;
 
@@ -616,7 +614,7 @@ pub fn make_user_signing_keys_for_enrollment(
 mod tests {
     use std::num::NonZeroU32;
 
-    use bitwarden_crypto::RsaKeyPair;
+    use bitwarden_crypto::{Pkcs8PrivateKeyDerContentFormat, RsaKeyPair};
 
     use super::*;
     use crate::Client;
@@ -844,7 +842,7 @@ mod tests {
 
         let private_key = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzLtEUdxfcLxDj84yaGFsVF5hZ8Hjlb08NMQDy1RnBma06I3ZESshLYzVz4r/gegMn9OOltfV/Yxlyvida8oW6qdlfJ7AVz6Oa8pV7BiL40C7b76+oqraQpyYw2HChANB1AhXL9SqWngKmLZwjA7qiCrmcc0kZHeOb4KnKtp9iVvPVs+8veFvKgYO4ba2AAOHKFdR0W55/agXfAy+fWUAkC8mc9ikyJdQWaPV6OZvC2XFkOseBQm9Rynudh3BQpoWiL6w620efe7t5k+02/EyOFJL9f/XEEjM/+Yo0t3LAfkuhHGeKiRST59Xc9hTEmyJTeVXROtz+0fjqOp3xkaObAgMBAAECggEACs4xhnO0HaZhh1/iH7zORMIRXKeyxP2LQiTR8xwN5JJ9wRWmGAR9VasS7EZFTDidIGVME2u/h4s5EqXnhxfO+0gGksVvgNXJ/qw87E8K2216g6ZNo6vSGA7H1GH2voWwejJ4/k/cJug6dz2S402rRAKh2Wong1arYHSkVlQp3diiMa5FHAOSE+Cy09O2ZsaF9IXQYUtlW6AVXFrBEPYH2kvkaPXchh8VETMijo6tbvoKLnUHe+wTaDMls7hy8exjtVyI59r3DNzjy1lNGaGb5QSnFMXR+eHhPZc844Wv02MxC15zKABADrl58gpJyjTl6XpDdHCYGsmGpVGH3X9TQQKBgQDz/9beFjzq59ve6rGwn+EtnQfSsyYT+jr7GN8lNEXb3YOFXBgPhfFIcHRh2R00Vm9w2ApfAx2cd8xm2I6HuvQ1Os7g26LWazvuWY0Qzb+KaCLQTEGH1RnTq6CCG+BTRq/a3J8M4t38GV5TWlzv8wr9U4dl6FR4efjb65HXs1GQ4QKBgQC7/uHfrOTEHrLeIeqEuSl0vWNqEotFKdKLV6xpOvNuxDGbgW4/r/zaxDqt0YBOXmRbQYSEhmO3oy9J6XfE1SUln0gbavZeW0HESCAmUIC88bDnspUwS9RxauqT5aF8ODKN/bNCWCnBM1xyonPOs1oT1nyparJVdQoG//Y7vkB3+wKBgBqLqPq8fKAp3XfhHLfUjREDVoiLyQa/YI9U42IOz9LdxKNLo6p8rgVthpvmnRDGnpUuS+KOWjhdqDVANjF6G3t3DG7WNl8Rh5Gk2H4NhFswfSkgQrjebFLlBy9gjQVCWXt8KSmjvPbiY6q52Aaa8IUjA0YJAregvXxfopxO+/7BAoGARicvEtDp7WWnSc1OPoj6N14VIxgYcI7SyrzE0d/1x3ffKzB5e7qomNpxKzvqrVP8DzG7ydh8jaKPmv1MfF8tpYRy3AhmN3/GYwCnPqT75YYrhcrWcVdax5gmQVqHkFtIQkRSCIftzPLlpMGKha/YBV8c1fvC4LD0NPh/Ynv0gtECgYEAyOZg95/kte0jpgUEgwuMrzkhY/AaUJULFuR5MkyvReEbtSBQwV5tx60+T95PHNiFooWWVXiLMsAgyI2IbkxVR1Pzdri3gWK5CTfqb7kLuaj/B7SGvBa2Sxo478KS5K8tBBBWkITqo+wLC0mn3uZi1dyMWO1zopTA+KtEGF2dtGQ=";
         let private_key = STANDARD.decode(private_key).unwrap();
-        let private_key = Bytes::<Pkcs8PrivateKeyDerContentFormat>::from(private_key);
+        let private_key = Pkcs8PrivateKeyBytes::from(private_key);
         let private_key = AsymmetricCryptoKey::from_der(&private_key).unwrap();
         let decrypted: SymmetricCryptoKey =
             encrypted.decapsulate_key_unsigned(&private_key).unwrap();

crates/bitwarden-crypto/src/content_format.rs

@@ -39,11 +39,17 @@ pub enum ContentFormat {
     Cbor,
 }
 
+mod private {
+    /// This trait is used to seal the `ConstContentFormat` trait, preventing external
+    /// implementations.
+    pub trait Sealed {}
+}
+
 /// This trait is used to instantiate different typed byte vectors with a specific content format,
 /// using `SerializedBytes<C>`. This allows for compile-time guarantees about the content format
 /// of the serialized bytes. The exception here is the escape hatch using e.g. `from(Vec<u8>)`,
 /// which can still be mis-used, but has to be misused explicitly.
-pub trait ConstContentFormat {
+pub trait ConstContentFormat: private::Sealed {
     /// Returns the content format as a `ContentFormat` enum.
     fn content_format() -> ContentFormat;
 }
@@ -89,68 +95,90 @@ impl<C: ConstContentFormat> Bytes<C> {
 /// Content format for UTF-8 encoded text. Used for most text messages.
 #[derive(PartialEq, Eq, Clone, Debug)]
 pub(crate) struct Utf8ContentFormat;
+impl private::Sealed for Utf8ContentFormat {}
 impl ConstContentFormat for Utf8ContentFormat {
     fn content_format() -> ContentFormat {
         ContentFormat::Utf8
     }
 }
+/// Utf8Bytes is a type alias for Bytes with `Utf8ContentFormat`, which is used for any textual data.
+pub(crate) type Utf8Bytes = Bytes<Utf8ContentFormat>;
 
 /// Content format for raw bytes. Used for attachments and send seed keys.
 #[derive(PartialEq, Eq, Clone, Debug)]
 pub struct OctetStreamContentFormat;
+impl private::Sealed for OctetStreamContentFormat {}
 impl ConstContentFormat for OctetStreamContentFormat {
     fn content_format() -> ContentFormat {
         ContentFormat::OctetStream
     }
 }
+/// OctetStreamBytes is a type alias for Bytes with `OctetStreamContentFormat`. This should be used for e.g. attachments and other data without an
+/// explicit content format.
+pub type OctetStreamBytes = Bytes<OctetStreamContentFormat>;
 
 /// Content format for PKCS8 private keys in DER format.
 #[derive(PartialEq, Eq, Clone, Debug)]
 pub struct Pkcs8PrivateKeyDerContentFormat;
+impl private::Sealed for Pkcs8PrivateKeyDerContentFormat {}
 impl ConstContentFormat for Pkcs8PrivateKeyDerContentFormat {
     fn content_format() -> ContentFormat {
         ContentFormat::Pkcs8PrivateKey
     }
 }
+/// Pkcs8PrivateKeyBytes is a type alias for Bytes with `Pkcs8PrivateKeyDerContentFormat`. This is used for PKCS8 private keys in DER format.
+pub type Pkcs8PrivateKeyBytes = Bytes<Pkcs8PrivateKeyDerContentFormat>;
 
 /// Content format for SPKI public keys in DER format.
 #[derive(PartialEq, Eq, Clone, Debug)]
 pub struct SpkiPublicKeyDerContentFormat;
+impl private::Sealed for SpkiPublicKeyDerContentFormat {}
 impl ConstContentFormat for SpkiPublicKeyDerContentFormat {
     fn content_format() -> ContentFormat {
         ContentFormat::SPKIPublicKeyDer
     }
 }
+/// SpkiPublicKeyBytes is a type alias for Bytes with `SpkiPublicKeyDerContentFormat`. This is used for SPKI public keys in DER format.
+pub type SpkiPublicKeyBytes = Bytes<SpkiPublicKeyDerContentFormat>;
 
 /// Content format for COSE keys.
 #[derive(PartialEq, Eq, Clone, Debug)]
 pub struct CoseKeyContentFormat;
+impl private::Sealed for CoseKeyContentFormat {}
 impl ConstContentFormat for CoseKeyContentFormat {
     fn content_format() -> ContentFormat {
         ContentFormat::CoseKey
     }
 }
 impl CoseContentFormat for CoseKeyContentFormat {}
+/// CoseKeyBytes is a type alias for Bytes with `CoseKeyContentFormat`. This is used for serialized CoseKey objects.
+pub type CoseKeyBytes = Bytes<CoseKeyContentFormat>;
 
 /// A legacy content format for Bitwarden keys. See `ContentFormat::BitwardenLegacyKey`
-#[allow(unused)]
 #[derive(PartialEq, Eq, Clone, Debug)]
 pub struct BitwardenLegacyKeyContentFormat;
+impl private::Sealed for BitwardenLegacyKeyContentFormat {}
 impl ConstContentFormat for BitwardenLegacyKeyContentFormat {
     fn content_format() -> ContentFormat {
         ContentFormat::BitwardenLegacyKey
     }
 }
+/// BitwardenLegacyKeyBytes is a type alias for Bytes with `BitwardenLegacyKeyContentFormat`. This is used for the legacy format for symmetric keys.
+/// A description of the format is available in the `ContentFormat::BitwardenLegacyKey` documentation.
+pub type BitwardenLegacyKeyBytes = Bytes<BitwardenLegacyKeyContentFormat>;
 
 /// Content format for COSE Sign1 messages.
 #[derive(PartialEq, Eq, Clone, Debug)]
 pub struct CoseSign1ContentFormat;
+impl private::Sealed for CoseSign1ContentFormat {}
 impl ConstContentFormat for CoseSign1ContentFormat {
     fn content_format() -> ContentFormat {
         ContentFormat::CoseSign1
     }
 }
 impl CoseContentFormat for CoseSign1ContentFormat {}
+/// CoseSign1Bytes is a type alias for Bytes with `CoseSign1ContentFormat`. This is used for serialized COSE Sign1 messages.
+pub type CoseSign1Bytes = Bytes<CoseSign1ContentFormat>;
 
 /// A marker trait for COSE content formats.
 pub trait CoseContentFormat {}

crates/bitwarden-crypto/src/enc_string/asymmetric.rs

@@ -10,8 +10,8 @@ use crate::{
     error::{CryptoError, EncStringParseError, Result},
     rsa::encrypt_rsa2048_oaep_sha1,
     util::FromStrVisitor,
-    AsymmetricCryptoKey, AsymmetricPublicCryptoKey, BitwardenLegacyKeyContentFormat, Bytes,
-    RawPrivateKey, RawPublicKey, SymmetricCryptoKey,
+    AsymmetricCryptoKey, AsymmetricPublicCryptoKey, BitwardenLegacyKeyBytes, RawPrivateKey,
+    RawPublicKey, SymmetricCryptoKey,
 };
 // This module is a workaround to avoid deprecated warnings that come from the ZeroizeOnDrop
 // macro expansion
@@ -217,9 +217,7 @@ impl UnsignedSharedKey {
                     }
                 }
                 .map_err(|_| CryptoError::KeyDecrypt)?;
-                SymmetricCryptoKey::try_from(&Bytes::<BitwardenLegacyKeyContentFormat>::from(
-                    key_data,
-                ))
+                SymmetricCryptoKey::try_from(&BitwardenLegacyKeyBytes::from(key_data))
             }
         }
     }

crates/bitwarden-crypto/src/enc_string/symmetric.rs

@@ -6,11 +6,10 @@ use serde::Deserialize;
 
 use super::{check_length, from_b64, from_b64_vec, split_enc_string};
 use crate::{
-    content_format::{Bytes, Utf8ContentFormat},
     error::{CryptoError, EncStringParseError, Result, UnsupportedOperation},
     util::FromStrVisitor,
     Aes256CbcHmacKey, ContentFormat, KeyDecryptable, KeyEncryptable, KeyEncryptableWithContentType,
-    SymmetricCryptoKey, XChaCha20Poly1305Key,
+    SymmetricCryptoKey, Utf8Bytes, XChaCha20Poly1305Key,
 };
 
 #[cfg(feature = "wasm")]
@@ -323,13 +322,13 @@ impl KeyDecryptable<SymmetricCryptoKey, Vec<u8>> for EncString {
 
 impl KeyEncryptable<SymmetricCryptoKey, EncString> for String {
     fn encrypt_with_key(self, key: &SymmetricCryptoKey) -> Result<EncString> {
-        Into::<Bytes<Utf8ContentFormat>>::into(self).encrypt_with_key(key)
+        Into::<Utf8Bytes>::into(self).encrypt_with_key(key)
     }
 }
 
 impl KeyEncryptable<SymmetricCryptoKey, EncString> for &str {
     fn encrypt_with_key(self, key: &SymmetricCryptoKey) -> Result<EncString> {
-        Into::<Bytes<Utf8ContentFormat>>::into(self).encrypt_with_key(key)
+        Into::<Utf8Bytes>::into(self).encrypt_with_key(key)
     }
 }
 

crates/bitwarden-crypto/src/keys/asymmetric_crypto_key.rs

@@ -5,8 +5,9 @@ use serde_repr::{Deserialize_repr, Serialize_repr};
 
 use super::key_encryptable::CryptoKey;
 use crate::{
-    content_format::{Bytes, Pkcs8PrivateKeyDerContentFormat, SpkiPublicKeyDerContentFormat},
+    content_format::{Bytes, SpkiPublicKeyDerContentFormat},
     error::{CryptoError, Result},
+    Pkcs8PrivateKeyBytes,
 };
 
 /// Algorithm / public key encryption scheme used for encryption/decryption.
@@ -114,7 +115,7 @@ impl AsymmetricCryptoKey {
     }
 
     #[allow(missing_docs)]
-    pub fn from_der(der: &Bytes<Pkcs8PrivateKeyDerContentFormat>) -> Result<Self> {
+    pub fn from_der(der: &Pkcs8PrivateKeyBytes) -> Result<Self> {
         use rsa::pkcs8::DecodePrivateKey;
         Ok(Self {
             inner: RawPrivateKey::RsaOaepSha1(Box::pin(
@@ -124,7 +125,7 @@ impl AsymmetricCryptoKey {
     }
 
     #[allow(missing_docs)]
-    pub fn to_der(&self) -> Result<Bytes<Pkcs8PrivateKeyDerContentFormat>> {
+    pub fn to_der(&self) -> Result<Pkcs8PrivateKeyBytes> {
         match &self.inner {
             RawPrivateKey::RsaOaepSha1(private_key) => {
                 use rsa::pkcs8::EncodePrivateKey;

crates/bitwarden-crypto/src/keys/device_key.rs

@@ -1,8 +1,7 @@
 use super::{AsymmetricCryptoKey, PublicKeyEncryptionAlgorithm};
 use crate::{
-    content_format::{Bytes, Pkcs8PrivateKeyDerContentFormat},
-    error::Result,
-    CryptoError, EncString, KeyDecryptable, KeyEncryptable, SymmetricCryptoKey, UnsignedSharedKey,
+    content_format::Bytes, error::Result, CryptoError, EncString, KeyDecryptable, KeyEncryptable,
+    Pkcs8PrivateKeyBytes, SymmetricCryptoKey, UnsignedSharedKey,
 };
 
 /// Device Key
@@ -66,8 +65,7 @@ impl DeviceKey {
         protected_user_key: UnsignedSharedKey,
     ) -> Result<SymmetricCryptoKey> {
         let device_private_key: Vec<u8> = protected_device_private_key.decrypt_with_key(&self.0)?;
-        let device_private_key: Bytes<Pkcs8PrivateKeyDerContentFormat> =
-            Bytes::from(device_private_key);
+        let device_private_key: Pkcs8PrivateKeyBytes = Bytes::from(device_private_key);
         let device_private_key = AsymmetricCryptoKey::from_der(&device_private_key)?;
 
         let user_key: SymmetricCryptoKey =
@@ -91,7 +89,7 @@ impl TryFrom<String> for DeviceKey {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::{derive_symmetric_key, BitwardenLegacyKeyContentFormat};
+    use crate::{derive_symmetric_key, BitwardenLegacyKeyBytes, BitwardenLegacyKeyContentFormat};
 
     #[test]
     fn test_trust_device() {
@@ -121,8 +119,7 @@ mod tests {
             218, 106, 89, 254, 208, 251, 101, 130, 10,
         ];
         let user_key =
-            SymmetricCryptoKey::try_from(&Bytes::<BitwardenLegacyKeyContentFormat>::from(user_key))
-                .unwrap();
+            SymmetricCryptoKey::try_from(&BitwardenLegacyKeyBytes::from(user_key)).unwrap();
 
         let key_data: &[u8] = &[
             114, 235, 60, 115, 172, 156, 203, 145, 195, 130, 215, 250, 88, 146, 215, 230, 12, 109,
@@ -131,8 +128,7 @@ mod tests {
             8, 247, 7, 203, 201, 65, 147, 206, 247,
         ];
         let device_key = DeviceKey(
-            SymmetricCryptoKey::try_from(&Bytes::<BitwardenLegacyKeyContentFormat>::from(key_data))
-                .unwrap(),
+            SymmetricCryptoKey::try_from(&BitwardenLegacyKeyBytes::from(key_data)).unwrap(),
         );
 
         let protected_user_key: UnsignedSharedKey = "4.f+VbbacRhO2q4MOUSdt1AIjQ2FuLAvg4aDxJMXAh3VxvbmUADj8Ct/R7XEpPUqApmbRS566jS0eRVy8Sk08ogoCdj1IFN9VsIky2i2X1WHK1fUnr3UBmXE3tl2NPBbx56U+h73S2jNTSyet2W18Jg2q7/w8KIhR3J41QrG9aGoOTN93to3hb5W4z6rdrSI0e7GkizbwcIA0NH7Z1JyAhrjPm9+tjRjg060YbEbGaWTAOkZWfgbLjr8bY455DteO2xxG139cOx7EBo66N+YhjsLi0ozkeUyPQkoWBdKMcQllS7jCfB4fDyJA05ALTbk74syKkvqFxqwmQbg+aVn+dcw==".parse().unwrap();

crates/bitwarden-crypto/src/keys/master_key.rs

@@ -12,8 +12,8 @@ use super::{
 };
 use crate::{
     util::{self},
-    BitwardenLegacyKeyContentFormat, Bytes, CryptoError, EncString, KeyDecryptable, Result,
-    SymmetricCryptoKey, UserKey,
+    BitwardenLegacyKeyBytes, CryptoError, EncString, KeyDecryptable, Result, SymmetricCryptoKey,
+    UserKey,
 };
 
 #[allow(missing_docs)]
@@ -160,7 +160,7 @@ pub(super) fn decrypt_user_key(
         }
     };
 
-    SymmetricCryptoKey::try_from(&Bytes::<BitwardenLegacyKeyContentFormat>::from(dec))
+    SymmetricCryptoKey::try_from(&BitwardenLegacyKeyBytes::from(dec))
 }
 
 /// Generate a new random user key and encrypt it with the master key.