Switch bitwarden symmetric crypto key bytes to serialized bytes generic

Author: quexten

crates/bitwarden-core/src/auth/auth_request.rs

@@ -106,44 +106,48 @@ pub(crate) fn approve_auth_request(
     )?)
 }
 
-#[test]
-fn test_auth_request() {
-    let request = new_auth_request("[email protected]").unwrap();
-
-    let secret = vec![
-        111, 32, 97, 169, 4, 241, 174, 74, 239, 206, 113, 86, 174, 68, 216, 238, 52, 85, 156, 27,
-        134, 149, 54, 55, 91, 147, 45, 130, 131, 237, 51, 31, 191, 106, 155, 14, 160, 82, 47, 40,
-        96, 31, 114, 127, 212, 187, 167, 110, 205, 116, 198, 243, 218, 72, 137, 53, 248, 43, 255,
-        67, 35, 61, 245, 93,
-    ];
-
-    let private_key =
-        AsymmetricCryptoKey::from_der(&STANDARD.decode(&request.private_key).unwrap().into())
-            .unwrap();
-
-    let encrypted = UnsignedSharedKey::encapsulate_key_unsigned(
-        &SymmetricCryptoKey::try_from(secret.clone()).unwrap(),
-        &private_key.to_public_key(),
-    )
-    .unwrap();
-
-    let decrypted = auth_request_decrypt_user_key(request.private_key, encrypted).unwrap();
-
-    assert_eq!(decrypted.to_encoded(), secret);
-}
-
 #[cfg(test)]
 mod tests {
     use std::num::NonZeroU32;
 
-    use bitwarden_crypto::{Kdf, MasterKey, SerializedBytes, SpkiPublicKeyDerContentFormat};
+    use bitwarden_crypto::{
+        BitwardenLegacyKeyContentFormat, Kdf, MasterKey, SerializedBytes,
+        SpkiPublicKeyDerContentFormat,
+    };
 
     use super::*;
     use crate::key_management::{
         crypto::{AuthRequestMethod, InitUserCryptoMethod, InitUserCryptoRequest},
         SymmetricKeyId,
     };
 
+    #[test]
+    fn test_auth_request() {
+        let request = new_auth_request("[email protected]").unwrap();
+
+        let secret = vec![
+            111, 32, 97, 169, 4, 241, 174, 74, 239, 206, 113, 86, 174, 68, 216, 238, 52, 85, 156,
+            27, 134, 149, 54, 55, 91, 147, 45, 130, 131, 237, 51, 31, 191, 106, 155, 14, 160, 82,
+            47, 40, 96, 31, 114, 127, 212, 187, 167, 110, 205, 116, 198, 243, 218, 72, 137, 53,
+            248, 43, 255, 67, 35, 61, 245, 93,
+        ];
+
+        let private_key =
+            AsymmetricCryptoKey::from_der(&STANDARD.decode(&request.private_key).unwrap().into())
+                .unwrap();
+
+        let secret = SerializedBytes::<BitwardenLegacyKeyContentFormat>::from(secret);
+        let encrypted = UnsignedSharedKey::encapsulate_key_unsigned(
+            &SymmetricCryptoKey::try_from(&secret).unwrap(),
+            &private_key.to_public_key(),
+        )
+        .unwrap();
+
+        let decrypted = auth_request_decrypt_user_key(request.private_key, encrypted).unwrap();
+
+        assert_eq!(decrypted.to_encoded().to_vec(), secret.to_vec());
+    }
+
     #[test]
     fn test_approve() {
         let client = Client::new(None);
@@ -183,7 +187,7 @@ mod tests {
         let dec = auth_request_decrypt_user_key(private_key.to_owned(), enc_user_key).unwrap();
 
         assert_eq!(
-            &dec.to_encoded(),
+            &dec.to_encoded().to_vec(),
             &[
                 201, 37, 234, 213, 21, 75, 40, 70, 149, 213, 234, 16, 19, 251, 162, 245, 161, 74,
                 34, 245, 211, 151, 211, 192, 95, 10, 117, 50, 88, 223, 23, 157
@@ -202,7 +206,7 @@ mod tests {
                 .unwrap();
 
         assert_eq!(
-            &dec.to_encoded(),
+            &dec.to_encoded().to_vec(),
             &[
                 109, 128, 172, 147, 206, 123, 134, 95, 16, 36, 155, 113, 201, 18, 186, 230, 216,
                 212, 173, 188, 74, 11, 134, 131, 137, 242, 105, 178, 105, 126, 52, 139, 248, 91,

crates/bitwarden-core/src/auth/login/access_token.rs

@@ -1,7 +1,9 @@
 use std::path::{Path, PathBuf};
 
 use base64::{engine::general_purpose::STANDARD, Engine};
-use bitwarden_crypto::{EncString, KeyDecryptable, SymmetricCryptoKey};
+use bitwarden_crypto::{
+    BitwardenLegacyKeyContentFormat, EncString, KeyDecryptable, SerializedBytes, SymmetricCryptoKey,
+};
 use chrono::Utc;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -67,7 +69,9 @@ pub(crate) async fn login_access_token(
 
         let payload: Payload = serde_json::from_slice(&decrypted_payload)?;
         let encryption_key = STANDARD.decode(&payload.encryption_key)?;
-        let encryption_key = SymmetricCryptoKey::try_from(encryption_key)?;
+        let encryption_key =
+            SerializedBytes::<BitwardenLegacyKeyContentFormat>::from(encryption_key);
+        let encryption_key = SymmetricCryptoKey::try_from(&encryption_key)?;
 
         let access_token_obj: JwtToken = r.access_token.parse()?;
 

crates/bitwarden-crypto/src/content_format.rs

@@ -79,6 +79,13 @@ impl<C: ConstContentFormat> AsRef<[u8]> for SerializedBytes<C> {
     }
 }
 
+impl<C: ConstContentFormat> SerializedBytes<C> {
+    /// Returns the serialized bytes as a `Vec<u8>`.
+    pub fn to_vec(&self) -> Vec<u8> {
+        self.inner.clone()
+    }
+}
+
 /// Content format for UTF-8 encoded text. Used for most text messages.
 #[derive(PartialEq, Eq, Clone, Debug)]
 pub(crate) struct Utf8ContentFormat;
@@ -128,7 +135,7 @@ impl CoseContentFormat for CoseKeyContentFormat {}
 /// A legacy content format for Bitwarden keys. See `ContentFormat::BitwardenLegacyKey`
 #[allow(unused)]
 #[derive(PartialEq, Eq, Clone, Debug)]
-pub(crate) struct BitwardenLegacyKeyContentFormat;
+pub struct BitwardenLegacyKeyContentFormat;
 impl ConstContentFormat for BitwardenLegacyKeyContentFormat {
     fn content_format() -> ContentFormat {
         ContentFormat::BitwardenLegacyKey

crates/bitwarden-crypto/src/enc_string/asymmetric.rs

@@ -10,8 +10,8 @@ use crate::{
     error::{CryptoError, EncStringParseError, Result},
     rsa::encrypt_rsa2048_oaep_sha1,
     util::FromStrVisitor,
-    AsymmetricCryptoKey, AsymmetricPublicCryptoKey, RawPrivateKey, RawPublicKey,
-    SymmetricCryptoKey,
+    AsymmetricCryptoKey, AsymmetricPublicCryptoKey, BitwardenLegacyKeyContentFormat, RawPrivateKey,
+    RawPublicKey, SerializedBytes, SymmetricCryptoKey,
 };
 // This module is a workaround to avoid deprecated warnings that come from the ZeroizeOnDrop
 // macro expansion
@@ -169,7 +169,7 @@ impl UnsignedSharedKey {
                 Ok(UnsignedSharedKey::Rsa2048_OaepSha1_B64 {
                     data: encrypt_rsa2048_oaep_sha1(
                         rsa_public_key,
-                        &encapsulated_key.to_encoded(),
+                        &encapsulated_key.to_encoded().as_ref().to_vec(),
                     )?,
                 })
             }
@@ -200,7 +200,7 @@ impl UnsignedSharedKey {
         match decapsulation_key.inner() {
             RawPrivateKey::RsaOaepSha1(rsa_private_key) => {
                 use UnsignedSharedKey::*;
-                let mut key_data = match self {
+                let key_data = match self {
                     Rsa2048_OaepSha256_B64 { data } => {
                         rsa_private_key.decrypt(Oaep::new::<sha2::Sha256>(), data)
                     }
@@ -217,7 +217,9 @@ impl UnsignedSharedKey {
                     }
                 }
                 .map_err(|_| CryptoError::KeyDecrypt)?;
-                SymmetricCryptoKey::try_from(key_data.as_mut_slice())
+                SymmetricCryptoKey::try_from(
+                    &SerializedBytes::<BitwardenLegacyKeyContentFormat>::from(key_data),
+                )
             }
         }
     }

crates/bitwarden-crypto/src/keys/device_key.rs

@@ -91,7 +91,7 @@ impl TryFrom<String> for DeviceKey {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::derive_symmetric_key;
+    use crate::{derive_symmetric_key, BitwardenLegacyKeyContentFormat};
 
     #[test]
     fn test_trust_device() {
@@ -114,21 +114,29 @@ mod tests {
     #[test]
     fn test_decrypt_user_key() {
         // Example keys from desktop app
-        let user_key: &mut [u8] = &mut [
+        let user_key: &[u8] = &[
             109, 128, 172, 147, 206, 123, 134, 95, 16, 36, 155, 113, 201, 18, 186, 230, 216, 212,
             173, 188, 74, 11, 134, 131, 137, 242, 105, 178, 105, 126, 52, 139, 248, 91, 215, 21,
             128, 91, 226, 222, 165, 67, 251, 34, 83, 81, 77, 147, 225, 76, 13, 41, 102, 45, 183,
             218, 106, 89, 254, 208, 251, 101, 130, 10,
         ];
-        let user_key = SymmetricCryptoKey::try_from(user_key).unwrap();
+        let user_key = SymmetricCryptoKey::try_from(&SerializedBytes::<
+            BitwardenLegacyKeyContentFormat,
+        >::from(user_key))
+        .unwrap();
 
-        let key_data: &mut [u8] = &mut [
+        let key_data: &[u8] = &[
             114, 235, 60, 115, 172, 156, 203, 145, 195, 130, 215, 250, 88, 146, 215, 230, 12, 109,
             245, 222, 54, 217, 255, 211, 221, 105, 230, 236, 65, 52, 209, 133, 76, 208, 113, 254,
             194, 216, 156, 19, 230, 62, 32, 93, 87, 7, 144, 156, 117, 142, 250, 32, 182, 118, 187,
             8, 247, 7, 203, 201, 65, 147, 206, 247,
         ];
-        let device_key = DeviceKey(key_data.try_into().unwrap());
+        let device_key = DeviceKey(
+            SymmetricCryptoKey::try_from(
+                &SerializedBytes::<BitwardenLegacyKeyContentFormat>::from(key_data),
+            )
+            .unwrap(),
+        );
 
         let protected_user_key: UnsignedSharedKey = "4.f+VbbacRhO2q4MOUSdt1AIjQ2FuLAvg4aDxJMXAh3VxvbmUADj8Ct/R7XEpPUqApmbRS566jS0eRVy8Sk08ogoCdj1IFN9VsIky2i2X1WHK1fUnr3UBmXE3tl2NPBbx56U+h73S2jNTSyet2W18Jg2q7/w8KIhR3J41QrG9aGoOTN93to3hb5W4z6rdrSI0e7GkizbwcIA0NH7Z1JyAhrjPm9+tjRjg060YbEbGaWTAOkZWfgbLjr8bY455DteO2xxG139cOx7EBo66N+YhjsLi0ozkeUyPQkoWBdKMcQllS7jCfB4fDyJA05ALTbk74syKkvqFxqwmQbg+aVn+dcw==".parse().unwrap();
 

crates/bitwarden-crypto/src/keys/master_key.rs

@@ -4,15 +4,16 @@ use base64::{engine::general_purpose::STANDARD, Engine};
 use generic_array::GenericArray;
 use rand::Rng;
 use typenum::U32;
-use zeroize::{Zeroize, Zeroizing};
+use zeroize::Zeroize;
 
 use super::{
     kdf::{Kdf, KdfDerivedKeyMaterial},
     utils::stretch_key,
 };
 use crate::{
     util::{self},
-    CryptoError, EncString, KeyDecryptable, Result, SymmetricCryptoKey, UserKey,
+    BitwardenLegacyKeyContentFormat, CryptoError, EncString, KeyDecryptable, Result,
+    SerializedBytes, SymmetricCryptoKey, UserKey,
 };
 
 #[allow(missing_docs)]
@@ -129,16 +130,16 @@ pub(super) fn encrypt_user_key(
     user_key: &SymmetricCryptoKey,
 ) -> Result<EncString> {
     let stretched_master_key = stretch_key(master_key)?;
-    let user_key_bytes = Zeroizing::new(user_key.to_encoded());
-    EncString::encrypt_aes256_hmac(&user_key_bytes, &stretched_master_key)
+    let user_key_bytes = user_key.to_encoded();
+    EncString::encrypt_aes256_hmac(user_key_bytes.as_ref(), &stretched_master_key)
 }
 
 /// Helper function to decrypt a user key with a master or pin key or key-connector-key.
 pub(super) fn decrypt_user_key(
     key: &Pin<Box<GenericArray<u8, U32>>>,
     user_key: EncString,
 ) -> Result<SymmetricCryptoKey> {
-    let mut dec: Vec<u8> = match user_key {
+    let dec: Vec<u8> = match user_key {
         // Legacy. user_keys were encrypted using `Aes256Cbc_B64` a long time ago. We've since
         // moved to using `Aes256Cbc_HmacSha256_B64`. However, we still need to support
         // decrypting these old keys.
@@ -159,7 +160,9 @@ pub(super) fn decrypt_user_key(
         }
     };
 
-    SymmetricCryptoKey::try_from(dec.as_mut_slice())
+    SymmetricCryptoKey::try_from(&SerializedBytes::<BitwardenLegacyKeyContentFormat>::from(
+        dec,
+    ))
 }
 
 /// Generate a new random user key and encrypt it with the master key.