Split out encrypt to bytes and migrate services

bitwarden_license/bit-web/src/app/billing/providers/setup/setup-business-unit.component.ts

@@ -84,10 +84,8 @@ export class SetupBusinessUnitComponent extends BaseAcceptComponent {
 
     const organizationKey = await firstValueFrom(organizationKey$);
 
-    const { encryptedString: encryptedOrganizationKey } = await this.encryptService.encrypt(
-      organizationKey.key,
-      providerKey,
-    );
+    const { encryptedString: encryptedOrganizationKey } =
+      await this.encryptService.wrapSymmetricKey(organizationKey, providerKey);
 
     if (!encryptedProviderKey || !encryptedOrganizationKey) {
       return await fail();

libs/common/src/key-management/crypto/abstractions/encrypt.service.ts

@@ -13,6 +13,14 @@ export abstract class EncryptService {
    * @param key - The key to encrypt the value with
    */
   abstract encrypt(plainValue: string, key: SymmetricCryptoKey): Promise<EncString>;
+  /**
+   * Encrypts bytes to an EncString
+   * @param plainValue - The value to encrypt
+   * @param key - The key to encrypt the value with
+   * @deprecated Bytes are not the right abstraction to encrypt in. Use e.g. key wrapping or file encryption instead
+   */
+  abstract encryptBytes(plainValue: Uint8Array, key: SymmetricCryptoKey): Promise<EncString>;
+
   /**
    * Encrypts a value to a Uint8Array
    * @param plainValue - The value to encrypt

libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts

@@ -59,6 +59,24 @@ export class EncryptServiceImplementation implements EncryptService {
     return this.encryptUint8Array(Utils.fromUtf8ToArray(plainValue), key);
   }
 
+  async encryptBytes(plainValue: Uint8Array, key: SymmetricCryptoKey): Promise<EncString> {
+    if (key == null) {
+      throw new Error("No encryption key provided.");
+    }
+
+    if (this.blockType0) {
+      if (key.inner().type === EncryptionType.AesCbc256_B64 || key.key.byteLength < 64) {
+        throw new Error("Type 0 encryption is not supported.");
+      }
+    }
+
+    if (plainValue == null) {
+      return null;
+    }
+
+    return this.encryptUint8Array(plainValue, key);
+  }
+
   async wrapDecapsulationKey(
     decapsulationKeyPkcs8: Uint8Array,
     wrappingKey: SymmetricCryptoKey,

libs/common/src/key-management/device-trust/services/device-trust.service.implementation.ts

@@ -220,9 +220,12 @@ export class DeviceTrustService implements DeviceTrustServiceAbstraction {
             return null;
           }
 
-          const newEncryptedPublicKey = await this.encryptService.encrypt(publicKey, newUserKey);
-          const newEncryptedUserKey = await this.encryptService.rsaEncrypt(
-            newUserKey.key,
+          const newEncryptedPublicKey = await this.encryptService.wrapEncapsulationKey(
+            publicKey,
+            newUserKey,
+          );
+          const newEncryptedUserKey = await this.encryptService.encapsulateKeyUnsigned(
+            newUserKey,
             publicKey,
           );
 

libs/common/src/tools/send/services/send.service.ts

@@ -82,7 +82,7 @@ export class SendService implements InternalSendServiceAbstraction {
       key = await this.keyService.getUserKey();
     }
     // Key is not a SymmetricCryptoKey, but key material used to derive the cryptoKey
-    send.key = await this.encryptService.encrypt(model.key, key);
+    send.key = await this.encryptService.encryptBytes(model.key, key);
     send.name = await this.encryptService.encrypt(model.name, model.cryptoKey);
     send.notes = await this.encryptService.encrypt(model.notes, model.cryptoKey);
     if (send.type === SendType.Text) {