[PM-16541] Key rotation & enrollment trust for emergency access & organizations (#12655)

* Implement key rotation v2

* Pass through masterpassword hint

* Properly split old and new code

* Mark legacy rotation as deprecated

* Throw when data is null

* Cleanup

* Add tests

* Fix build

* Update libs/key-management/src/key.service.spec.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update apps/web/src/app/auth/settings/change-password.component.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Add documentation

* Centralize loading logic

* Implement trust dialogs

* Fix build and clean up

* Add tests for accept organization component

* Fix enrollment

* Update apps/web/src/app/admin-console/organizations/manage/organization-trust.component.html

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Cleanup according to feedback

* Change div to ng-container

* Init uninited strings

* Fix type errors on dialog config

* Fix typing

* Fix build

* Fix build

* Update libs/key-management-ui/src/key-rotation/key-rotation-trust-info.component.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Fix linting

* Undo legacy component import change

* Simplify dialog text

---------

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

libs/key-management/src/abstractions/key.service.ts

@@ -337,6 +337,17 @@ export abstract class KeyService {
     userId: UserId,
   ): Observable<{ privateKey: UserPrivateKey; publicKey: UserPublicKey } | null>;
 
+  /**
+   * Gets an observable stream of the given users decrypted private key and public key, guaranteed to be consistent.
+   * Will emit null if the user doesn't have a userkey to decrypt the encrypted private key, or null if the user doesn't have a private key
+   * at all.
+   *
+   * @param userId The user id of the user to get the data for.
+   */
+  abstract userEncryptionKeyPair$(
+    userId: UserId,
+  ): Observable<{ privateKey: UserPrivateKey; publicKey: UserPublicKey } | null>;
+
   /**
    * Generates a fingerprint phrase for the user based on their public key
    *

libs/key-management/src/abstractions/user-key-rotation-key-recovery-provider.abstraction.ts

@@ -0,0 +1,31 @@
+import { UserId } from "@bitwarden/common/types/guid";
+import { UserKey } from "@bitwarden/common/types/key";
+
+/**
+ * Constructs key rotation requests for key recovery encryption of the userkey.
+ * @typeparam TRequest A request model that contains the newly encrypted userkey must have an id property
+ */
+export interface UserKeyRotationKeyRecoveryProvider<
+  TRequest extends { id: string } | { organizationId: string },
+  TPublicKeyData,
+> {
+  /**
+   * Get the public keys for this recovery method from the server.
+   * WARNING these are NOT trusted, and need to either be manually trusted by the user, or compared against
+   * a signed trust database for the user. THE SERVER CAN SPOOF THESE.
+   */
+  getPublicKeys(userId: UserId): Promise<TPublicKeyData[]>;
+
+  /**
+   * Provides re-encrypted data for the user key rotation process
+   * @param newUserKey The new user key
+   * @param trustedPublicKeys The public keys that the user trusted
+   * @param userId The owner of the data, useful for fetching data
+   * @returns A list of data that has been re-encrypted with the new user key
+   */
+  getRotatedData(
+    newUserKey: UserKey,
+    trustedPublicKeys: Uint8Array[],
+    userId: UserId,
+  ): Promise<TRequest[]>;
+}

libs/key-management/src/index.ts

@@ -10,6 +10,7 @@ export * from "./biometrics/biometric.state";
 export { CipherDecryptionKeys, KeyService } from "./abstractions/key.service";
 export { DefaultKeyService } from "./key.service";
 export { UserKeyRotationDataProvider } from "./abstractions/user-key-rotation-data-provider.abstraction";
+export { UserKeyRotationKeyRecoveryProvider } from "./abstractions/user-key-rotation-key-recovery-provider.abstraction";
 export {
   PBKDF2KdfConfig,
   Argon2KdfConfig,