Add rsa extract public key (#572)

quexten · web-flow · commit efed963c6b45 · 2025-11-25T13:11:01.000+01:00
## 🎟️ Tracking  ## 📔 Objective  Webcrypto provides non-useful errors when private keys are corrupt (invalid content on undecryptable wrapping decryption). This PR introduces a temporary function to immediately replace the derive_public_key function in `clients` so that the error logs become useful. ## 🚨 Breaking Changes  ## ⏰ Reminders before review - Contributor guidelines followed - All formatters and local linters executed and passed - Written new unit and / or integration tests where applicable - Protected functional changes with optionality (feature flags) - Used internationalization (i18n) for all UI strings - CI builds passed - Communicated to DevOps any deployment requirements - Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team ## 🦮 Reviewer guidelines  - 👍 (`:+1:`) or similar for great changes - 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info - ❓ (`:question:`) for questions - 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - 🎨 (`:art:`) for suggestions / improvements - ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention - 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt - ⛏ (`:pick:`) for minor or nitpick changes
diff --git a/crates/bitwarden-crypto/src/enc_string/symmetric.rs b/crates/bitwarden-crypto/src/enc_string/symmetric.rs
@@ -3,6 +3,8 @@ use std::{borrow::Cow, str::FromStr};
 use bitwarden_encoding::{B64, FromStrVisitor};
 use coset::{CborSerializable, iana::KeyOperation};
 use serde::Deserialize;
+#[cfg(feature = "wasm")]
+use wasm_bindgen::convert::FromWasmAbi;
 
 use super::{check_length, from_b64, from_b64_vec, split_enc_string};
 use crate::{
@@ -75,6 +77,25 @@ pub enum EncString {
     },
 }
 
+#[cfg(feature = "wasm")]
+impl wasm_bindgen::describe::WasmDescribe for EncString {
+    fn describe() {
+        <String as wasm_bindgen::describe::WasmDescribe>::describe();
+    }
+}
+
+#[cfg(feature = "wasm")]
+impl FromWasmAbi for EncString {
+    type Abi = <String as FromWasmAbi>::Abi;
+
+    unsafe fn from_abi(abi: Self::Abi) -> Self {
+        use wasm_bindgen::UnwrapThrowExt;
+
+        let s = unsafe { String::from_abi(abi) };
+        Self::from_str(&s).unwrap_throw()
+    }
+}
+
 /// Deserializes an [EncString] from a string.
 impl FromStr for EncString {
     type Err = CryptoError;
diff --git a/crates/bitwarden-wasm-internal/src/pure_crypto.rs b/crates/bitwarden-wasm-internal/src/pure_crypto.rs
@@ -318,6 +318,22 @@ impl PureCrypto {
             .map_err(|_| CryptoError::InvalidKey)?;
         Ok(result.to_encoded().to_vec())
     }
+
+    /// Given an encrypted private RSA key and the symmetric key it is wrapped with, this returns
+    /// the corresponding public RSA key in DER format.
+    pub fn rsa_extract_public_key(
+        encrypted_private_key: EncString,
+        wrapping_key: Vec<u8>,
+    ) -> Result<Vec<u8>, CryptoError> {
+        let wrapping_key =
+            SymmetricCryptoKey::try_from(&BitwardenLegacyKeyBytes::from(wrapping_key))?;
+        let decrypted_private_key: Vec<u8> =
+            encrypted_private_key.decrypt_with_key(&wrapping_key)?;
+        let private_key =
+            AsymmetricCryptoKey::from_der(&Pkcs8PrivateKeyBytes::from(decrypted_private_key))?;
+        let public_key = private_key.to_public_key();
+        Ok(public_key.to_der()?.to_vec())
+    }
 }
 
 #[cfg(test)]
