[PM-20361] Signature keys (#207)

## 🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-20361

## 📔 Objective

### Signing operations
This PR adds signing/verifying operations, and keys, including
serialization to COSE for both the keys, and for the signatures. We
enforce strong domain separation by adding a namespace. This ensures not
having to worry about cross-protocol attacks / swapping messages between
contexts.

Two signing operations are provided; sign and sign detached. The former
signs an object and returns a signedobject, containing the payload. To
get the payload, the signature *must* be verified (guaranteed by the
interface). The latter returns signature and serialized message. This is
useful when multiple signatures are needed for one message; in this case
a countersignature can be created, so that we can have multiple
signatures for the same object, in case a trust relationship needs to be
proven in multiple directions.

Signing is implemented in 3 layers documented at the top of `sign.rs`. 

The high level layer accepts a struct that is serializable and
namespace, and returns a signature and the serialized representation, or
the signedobject. The serialization may not be canonical, so the
consumer should store the serialized representation instead of their
input struct. The reverse operation - verify / getverifiedpayload -
returns the deserialized struct.

The middle layer accepts byte array plus namespace.

The low layer is the direct implementation of the signature, and accepts
byte array (no namespace). This ensures that implementing a new
signature scheme only requires implementing this low level operation.

The one implemented algorithm type is ed25519.

Keys are represented as enums such that it is easy to add other signing
key types (ML-DSA for post-quantum crypto, PoC here:
#216) later on.

The signature is represented as a Cose Sign1 message
(https://www.rfc-editor.org/rfc/rfc9052.html#name-signing-with-one-signer).

The namespace is separated by setting the protected header. Since this
is included in the signed data, and since this is validated on verifying
the signature, and since the values are unique, domain separation is
enforced. We only ever want to expose the safe function outside of the
crate (if we even expose it out of the crate).

### SignedPublicKey
Public encryption keys should have their owner identity verified. Thus,
a new SignedPublicKey that is a signed object containing the public key
is created. Consumers must verify the signature before being able to
access the public encryption key.

### Public key changes
Public keys are hardcoded at the moment to expect DER encoding and
RSA-OAEP encryption. This is not the case long-term, and the signature
format above makes this clear by including format types.

This PR also includes some prep-work, applying the same
per-encryption-time enum variant split in the asymmetric encryption
keys. Follow-up work can further clean this up, and clean up the folder
structure / file split.

## ⏰ Reminders before review

- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or
informed the documentation
  team

## 🦮 Reviewer guidelines

<!-- Suggested interactions but feel free to use (or not) as you desire!
-->

- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry
that's not quite a confirmed
  issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or
concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or
indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes

---------

Co-authored-by: Matt Gibson <[email protected]>
Co-authored-by: Daniel García <[email protected]>
Co-authored-by: Oscar Hinton <[email protected]>

Author: 4 people

Cargo.lock

@@ -1,7 +1,7 @@
 use base64::{engine::general_purpose::STANDARD, Engine};
 use bitwarden_crypto::{
     fingerprint, generate_random_alphanumeric, AsymmetricCryptoKey, AsymmetricPublicCryptoKey,
-    CryptoError, UnsignedSharedKey,
+    CryptoError, PublicKeyEncryptionAlgorithm, UnsignedSharedKey,
 };
 #[cfg(feature = "internal")]
 use bitwarden_crypto::{EncString, SymmetricCryptoKey};
@@ -31,11 +31,9 @@ pub struct AuthRequestResponse {
 /// to another device. Where the user confirms the validity by confirming the fingerprint. The user
 /// key is then encrypted using the public key and returned to the initiating device.
 pub(crate) fn new_auth_request(email: &str) -> Result<AuthRequestResponse, CryptoError> {
-    let mut rng = rand::thread_rng();
+    let key = AsymmetricCryptoKey::make(PublicKeyEncryptionAlgorithm::RsaOaepSha1);
 
-    let key = AsymmetricCryptoKey::generate(&mut rng);
-
-    let spki = key.to_public_der()?;
+    let spki = key.to_public_key().to_der()?;
 
     let fingerprint = fingerprint(email, &spki)?;
     let b64 = STANDARD.encode(&spki);
@@ -124,7 +122,7 @@ fn test_auth_request() {
 
     let encrypted = UnsignedSharedKey::encapsulate_key_unsigned(
         &SymmetricCryptoKey::try_from(secret.clone()).unwrap(),
-        &private_key,
+        &private_key.to_public_key(),
     )
     .unwrap();
 
@@ -162,7 +160,7 @@ mod tests {
         let private_key ="2.yN7l00BOlUE0Sb0M//Q53w==|EwKG/BduQRQ33Izqc/ogoBROIoI5dmgrxSo82sgzgAMIBt3A2FZ9vPRMY+GWT85JiqytDitGR3TqwnFUBhKUpRRAq4x7rA6A1arHrFp5Tp1p21O3SfjtvB3quiOKbqWk6ZaU1Np9HwqwAecddFcB0YyBEiRX3VwF2pgpAdiPbSMuvo2qIgyob0CUoC/h4Bz1be7Qa7B0Xw9/fMKkB1LpOm925lzqosyMQM62YpMGkjMsbZz0uPopu32fxzDWSPr+kekNNyLt9InGhTpxLmq1go/pXR2uw5dfpXc5yuta7DB0EGBwnQ8Vl5HPdDooqOTD9I1jE0mRyuBpWTTI3FRnu3JUh3rIyGBJhUmHqGZvw2CKdqHCIrQeQkkEYqOeJRJVdBjhv5KGJifqT3BFRwX/YFJIChAQpebNQKXe/0kPivWokHWwXlDB7S7mBZzhaAPidZvnuIhalE2qmTypDwHy22FyqV58T8MGGMchcASDi/QXI6kcdpJzPXSeU9o+NC68QDlOIrMVxKFeE7w7PvVmAaxEo0YwmuAzzKy9QpdlK0aab/xEi8V4iXj4hGepqAvHkXIQd+r3FNeiLfllkb61p6WTjr5urcmDQMR94/wYoilpG5OlybHdbhsYHvIzYoLrC7fzl630gcO6t4nM24vdB6Ymg9BVpEgKRAxSbE62Tqacxqnz9AcmgItb48NiR/He3n3ydGjPYuKk/ihZMgEwAEZvSlNxYONSbYrIGDtOY+8Nbt6KiH3l06wjZW8tcmFeVlWv+tWotnTY9IqlAfvNVTjtsobqtQnvsiDjdEVtNy/s2ci5TH+NdZluca2OVEr91Wayxh70kpM6ib4UGbfdmGgCo74gtKvKSJU0rTHakQ5L9JlaSDD5FamBRyI0qfL43Ad9qOUZ8DaffDCyuaVyuqk7cz9HwmEmvWU3VQ+5t06n/5kRDXttcw8w+3qClEEdGo1KeENcnXCB32dQe3tDTFpuAIMLqwXs6FhpawfZ5kPYvLPczGWaqftIs/RXJ/EltGc0ugw2dmTLpoQhCqrcKEBDoYVk0LDZKsnzitOGdi9mOWse7Se8798ib1UsHFUjGzISEt6upestxOeupSTOh0v4+AjXbDzRUyogHww3V+Bqg71bkcMxtB+WM+pn1XNbVTyl9NR040nhP7KEf6e9ruXAtmrBC2ah5cFEpLIot77VFZ9ilLuitSz+7T8n1yAh1IEG6xxXxninAZIzi2qGbH69O5RSpOJuJTv17zTLJQIIc781JwQ2TTwTGnx5wZLbffhCasowJKd2EVcyMJyhz6ru0PvXWJ4hUdkARJs3Xu8dus9a86N8Xk6aAPzBDqzYb1vyFIfBxP0oO8xFHgd30Cgmz8UrSE3qeWRrF8ftrI6xQnFjHBGWD/JWSvd6YMcQED0aVuQkuNW9ST/DzQThPzRfPUoiL10yAmV7Ytu4fR3x2sF0Yfi87YhHFuCMpV/DsqxmUizyiJuD938eRcH8hzR/VO53Qo3UIsqOLcyXtTv6THjSlTopQ+JOLOnHm1w8dzYbLN44OG44rRsbihMUQp+wUZ6bsI8rrOnm9WErzkbQFbrfAINdoCiNa6cimYIjvvnMTaFWNymqY1vZxGztQiMiHiHYwTfwHTXrb9j0uPM=|09J28iXv9oWzYtzK2LBT6Yht4IT4MijEkk0fwFdrVQ4=".parse().unwrap();
         client
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key, private_key)
+            .initialize_user_crypto_master_key(master_key, user_key, private_key, None)
             .unwrap();
 
         let public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvyLRDUwXB4BfQ507D4meFPmwn5zwy3IqTPJO4plrrhnclWahXa240BzyFW9gHgYu+Jrgms5xBfRTBMcEsqqNm7+JpB6C1B6yvnik0DpJgWQw1rwvy4SUYidpR/AWbQi47n/hvnmzI/sQxGddVfvWu1iTKOlf5blbKYAXnUE5DZBGnrWfacNXwRRdtP06tFB0LwDgw+91CeLSJ9py6dm1qX5JIxoO8StJOQl65goLCdrTWlox+0Jh4xFUfCkb+s3px+OhSCzJbvG/hlrSRcUz5GnwlCEyF3v5lfUtV96MJD+78d8pmH6CfFAp2wxKRAbGdk+JccJYO6y6oIXd3Fm7twIDAQAB";
@@ -229,7 +227,7 @@ mod tests {
 
         existing_device
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key, private_key.clone())
+            .initialize_user_crypto_master_key(master_key, user_key, private_key.clone(), None)
             .unwrap();
 
         // Initialize a new device which will request to be logged in
@@ -247,6 +245,7 @@ mod tests {
                 kdf_params: kdf,
                 email: email.to_owned(),
                 private_key,
+                signing_key: None,
                 method: InitUserCryptoMethod::AuthRequest {
                     request_private_key: auth_req.private_key,
                     method: AuthRequestMethod::UserKey {

crates/bitwarden-core/src/auth/auth_request.rs

@@ -51,9 +51,12 @@ pub(crate) async fn login_api_key(
         let user_key: EncString = require!(r.key.as_deref()).parse()?;
         let private_key: EncString = require!(r.private_key.as_deref()).parse()?;
 
-        client
-            .internal
-            .initialize_user_crypto_master_key(master_key, user_key, private_key)?;
+        client.internal.initialize_user_crypto_master_key(
+            master_key,
+            user_key,
+            private_key,
+            None,
+        )?;
     }
 
     Ok(ApiKeyLoginResponse::process_response(response))

crates/bitwarden-core/src/auth/login/api_key.rs

@@ -120,6 +120,7 @@ pub(crate) async fn complete_auth_request(
                 kdf_params: kdf,
                 email: auth_req.email,
                 private_key: require!(r.private_key).parse()?,
+                signing_key: None,
                 method: InitUserCryptoMethod::AuthRequest {
                     request_private_key: auth_req.private_key,
                     method,

crates/bitwarden-core/src/auth/login/auth_request.rs

@@ -50,9 +50,12 @@ pub(crate) async fn login_password(
         let user_key: EncString = require!(r.key.as_deref()).parse()?;
         let private_key: EncString = require!(r.private_key.as_deref()).parse()?;
 
-        client
-            .internal
-            .initialize_user_crypto_master_key(master_key, user_key, private_key)?;
+        client.internal.initialize_user_crypto_master_key(
+            master_key,
+            user_key,
+            private_key,
+            None,
+        )?;
     }
 
     Ok(PasswordLoginResponse::process_response(response))

crates/bitwarden-core/src/auth/login/password.rs

@@ -140,7 +140,12 @@ mod tests {
 
         client
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
+            .initialize_user_crypto_master_key(
+                master_key,
+                user_key.parse().unwrap(),
+                private_key,
+                None,
+            )
             .unwrap();
 
         let result =
@@ -183,7 +188,12 @@ mod tests {
 
         client
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
+            .initialize_user_crypto_master_key(
+                master_key,
+                user_key.parse().unwrap(),
+                private_key,
+                None,
+            )
             .unwrap();
 
         let result =

crates/bitwarden-core/src/auth/password/validate.rs

@@ -75,7 +75,12 @@ mod tests {
 
         client
             .internal
-            .initialize_user_crypto_master_key(master_key, user_key.parse().unwrap(), private_key)
+            .initialize_user_crypto_master_key(
+                master_key,
+                user_key.parse().unwrap(),
+                private_key,
+                None,
+            )
             .unwrap();
 
         client

crates/bitwarden-core/src/auth/pin.rs

@@ -37,9 +37,13 @@ pub(super) fn make_register_tde_keys(
                 kdf: Kdf::default(),
             },
         ));
-    client
-        .internal
-        .initialize_user_crypto_decrypted_key(user_key.0, key_pair.private.clone())?;
+    client.internal.initialize_user_crypto_decrypted_key(
+        user_key.0,
+        key_pair.private.clone(),
+        // Note: Signing keys are not supported on registration yet. This needs to be changed as
+        // soon as registration is supported.
+        None,
+    )?;
 
     Ok(RegisterTdeKeyResponse {
         private_key: key_pair.private,

crates/bitwarden-core/src/auth/tde.rs

@@ -1,14 +1,12 @@
 #[cfg(feature = "internal")]
-use bitwarden_crypto::{AsymmetricCryptoKey, EncString, UnsignedSharedKey};
+use bitwarden_crypto::{EncString, UnsignedSharedKey};
 #[cfg(any(feature = "internal", feature = "secrets"))]
 use bitwarden_crypto::{KeyStore, SymmetricCryptoKey};
 use bitwarden_error::bitwarden_error;
 use thiserror::Error;
 #[cfg(any(feature = "internal", feature = "secrets"))]
 use uuid::Uuid;
 
-#[cfg(feature = "internal")]
-use crate::key_management::AsymmetricKeyId;
 #[cfg(any(feature = "internal", feature = "secrets"))]
 use crate::key_management::{KeyIds, SymmetricKeyId};
 use crate::{error::UserIdAlreadySetError, MissingPrivateKeyError, VaultLockedError};
@@ -48,12 +46,15 @@ impl EncryptionSettings {
     pub(crate) fn new_decrypted_key(
         user_key: SymmetricCryptoKey,
         private_key: EncString,
+        signing_key: Option<EncString>,
         store: &KeyStore<KeyIds>,
     ) -> Result<(), EncryptionSettingsError> {
-        use bitwarden_crypto::KeyDecryptable;
+        use bitwarden_crypto::{
+            AsymmetricCryptoKey, CoseSerializable, CryptoError, KeyDecryptable, SigningKey,
+        };
         use log::warn;
 
-        use crate::key_management::{AsymmetricKeyId, SymmetricKeyId};
+        use crate::key_management::{AsymmetricKeyId, SigningKeyId, SymmetricKeyId};
 
         let private_key = {
             let dec: Vec<u8> = private_key.decrypt_with_key(&user_key)?;
@@ -71,6 +72,12 @@ impl EncryptionSettings {
             //         .map_err(|_| EncryptionSettingsError::InvalidPrivateKey)?,
             // )
         };
+        let signing_key = signing_key
+            .map(|key| {
+                let dec: Vec<u8> = key.decrypt_with_key(&user_key)?;
+                SigningKey::from_cose(dec.as_slice()).map_err(Into::<CryptoError>::into)
+            })
+            .transpose()?;
 
         // FIXME: [PM-18098] When this is part of crypto we won't need to use deprecated methods
         #[allow(deprecated)]
@@ -80,6 +87,10 @@ impl EncryptionSettings {
             if let Some(private_key) = private_key {
                 ctx.set_asymmetric_key(AsymmetricKeyId::UserPrivateKey, private_key)?;
             }
+
+            if let Some(signing_key) = signing_key {
+                ctx.set_signing_key(SigningKeyId::UserSigningKey, signing_key)?;
+            }
         }
 
         Ok(())
@@ -106,6 +117,8 @@ impl EncryptionSettings {
         org_enc_keys: Vec<(Uuid, UnsignedSharedKey)>,
         store: &KeyStore<KeyIds>,
     ) -> Result<(), EncryptionSettingsError> {
+        use crate::key_management::AsymmetricKeyId;
+
         let mut ctx = store.context_mut();
 
         // FIXME: [PM-11690] - Early abort to handle private key being corrupt

crates/bitwarden-core/src/client/encryption_settings.rs

@@ -8,10 +8,9 @@ use bitwarden_crypto::{EncString, Kdf, MasterKey, PinKey, UnsignedSharedKey};
 use chrono::Utc;
 use uuid::Uuid;
 
+use super::encryption_settings::EncryptionSettings;
 #[cfg(feature = "secrets")]
 use super::login_method::ServiceAccountLoginMethod;
-#[cfg(any(feature = "internal", feature = "secrets"))]
-use crate::client::encryption_settings::EncryptionSettings;
 use crate::{
     auth::renew::renew_token, client::login_method::LoginMethod, error::UserIdAlreadySetError,
     key_management::KeyIds, DeviceType,
@@ -199,9 +198,10 @@ impl InternalClient {
         master_key: MasterKey,
         user_key: EncString,
         private_key: EncString,
+        signing_key: Option<EncString>,
     ) -> Result<(), EncryptionSettingsError> {
         let user_key = master_key.decrypt_user_key(user_key)?;
-        EncryptionSettings::new_decrypted_key(user_key, private_key, &self.key_store)?;
+        EncryptionSettings::new_decrypted_key(user_key, private_key, signing_key, &self.key_store)?;
 
         Ok(())
     }
@@ -211,8 +211,9 @@ impl InternalClient {
         &self,
         user_key: SymmetricCryptoKey,
         private_key: EncString,
+        signing_key: Option<EncString>,
     ) -> Result<(), EncryptionSettingsError> {
-        EncryptionSettings::new_decrypted_key(user_key, private_key, &self.key_store)?;
+        EncryptionSettings::new_decrypted_key(user_key, private_key, signing_key, &self.key_store)?;
 
         Ok(())
     }
@@ -223,9 +224,10 @@ impl InternalClient {
         pin_key: PinKey,
         pin_protected_user_key: EncString,
         private_key: EncString,
+        signing_key: Option<EncString>,
     ) -> Result<(), EncryptionSettingsError> {
         let decrypted_user_key = pin_key.decrypt_user_key(pin_protected_user_key)?;
-        self.initialize_user_crypto_decrypted_key(decrypted_user_key, private_key)
+        self.initialize_user_crypto_decrypted_key(decrypted_user_key, private_key, signing_key)
     }
 
     #[cfg(feature = "secrets")]