[PM-21586] Return null in decryptUserKeyWithMasterKey if decrypt fails (#14756)

* Return null in decryptUserKeyWithMasterKey if decrypt fails

* Show error on invalid master password

* Add logs

libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts

@@ -37,13 +37,13 @@ export abstract class MasterPasswordServiceAbstraction {
    * @param userKey The user's encrypted symmetric key
    * @throws If either the MasterKey or UserKey are not resolved, or if the UserKey encryption type
    *         is neither AesCbc256_B64 nor AesCbc256_HmacSha256_B64
-   * @returns The user key
+   * @returns The user key or null if the masterkey is wrong
    */
   abstract decryptUserKeyWithMasterKey: (
     masterKey: MasterKey,
     userId: string,
     userKey?: EncString,
-  ) => Promise<UserKey>;
+  ) => Promise<UserKey | null>;
 }
 
 export abstract class InternalMasterPasswordServiceAbstraction extends MasterPasswordServiceAbstraction {

libs/common/src/key-management/master-password/services/master-password.service.ts

@@ -166,7 +166,7 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr
     masterKey: MasterKey,
     userId: UserId,
     userKey?: EncString,
-  ): Promise<UserKey> {
+  ): Promise<UserKey | null> {
     userKey ??= await this.getMasterKeyEncryptedUserKey(userId);
     masterKey ??= await firstValueFrom(this.masterKey$(userId));
 
@@ -177,16 +177,26 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr
     let decUserKey: SymmetricCryptoKey;
 
     if (userKey.encryptionType === EncryptionType.AesCbc256_B64) {
-      decUserKey = await this.encryptService.unwrapSymmetricKey(userKey, masterKey);
+      try {
+        decUserKey = await this.encryptService.unwrapSymmetricKey(userKey, masterKey);
+      } catch {
+        this.logService.warning("Failed to decrypt user key with master key.");
+        return null;
+      }
     } else if (userKey.encryptionType === EncryptionType.AesCbc256_HmacSha256_B64) {
-      const newKey = await this.keyGenerationService.stretchKey(masterKey);
-      decUserKey = await this.encryptService.unwrapSymmetricKey(userKey, newKey);
+      try {
+        const newKey = await this.keyGenerationService.stretchKey(masterKey);
+        decUserKey = await this.encryptService.unwrapSymmetricKey(userKey, newKey);
+      } catch {
+        this.logService.warning("Failed to decrypt user key with stretched master key.");
+        return null;
+      }
     } else {
       throw new Error("Unsupported encryption type.");
     }
 
     if (decUserKey == null) {
-      this.logService.warning("Failed to decrypt user key with master key.");
+      this.logService.warning("Failed to decrypt user key with master key, user key is null.");
       return null;
     }
 

libs/key-management-ui/src/lock/components/lock.component.ts

@@ -556,6 +556,15 @@ export class LockComponent implements OnInit, OnDestroy {
       masterPasswordVerificationResponse!.masterKey,
       this.activeAccount.id,
     );
+    if (userKey == null) {
+      this.toastService.showToast({
+        variant: "error",
+        title: this.i18nService.t("errorOccurred"),
+        message: this.i18nService.t("invalidMasterPassword"),
+      });
+      return;
+    }
+
     await this.setUserKeyAndContinue(userKey, true);
   }