[PM-14542] Move kdf to km ownership (#11877)

* Move kdf to km ownership * Fix duplicate import * Remove whitespace * Fix double imports * Fix desktop build * Fix test error * Fix imports * Move ownership of kdftype to km * Fix imports --------- Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
2025-12-16 00:03:56 +00:00 · 2024-11-21 04:45:28 -08:00
parent eea460e397
commit 38c4eeb27d
87 changed files with 232 additions and 235 deletions
--- a/libs/key-management/src/abstractions/kdf-config.service.ts
+++ b/libs/key-management/src/abstractions/kdf-config.service.ts
@@ -0,0 +1,11 @@
+import { Observable } from "rxjs";
+
+import { UserId } from "@bitwarden/common/types/guid";
+
+import { KdfConfig } from "../models/kdf-config";
+
+export abstract class KdfConfigService {
+  abstract setKdfConfig(userId: UserId, KdfConfig: KdfConfig): Promise<void>;
+  abstract getKdfConfig(): Promise<KdfConfig>;
+  abstract getKdfConfig$(userId: UserId): Observable<KdfConfig>;
+}
--- a/libs/key-management/src/abstractions/key.service.ts
+++ b/libs/key-management/src/abstractions/key.service.ts
@@ -1,11 +1,11 @@
 import { Observable } from "rxjs";

 import { EncryptedOrganizationKeyData } from "@bitwarden/common/admin-console/models/data/encrypted-organization-key.data";
+import { KdfConfig } from "@bitwarden/key-management";

 import { ProfileOrganizationResponse } from "../../../common/src/admin-console/models/response/profile-organization.response";
 import { ProfileProviderOrganizationResponse } from "../../../common/src/admin-console/models/response/profile-provider-organization.response";
 import { ProfileProviderResponse } from "../../../common/src/admin-console/models/response/profile-provider.response";
-import { KdfConfig } from "../../../common/src/auth/models/domain/kdf-config";
 import { KeySuffixOptions, HashPurpose } from "../../../common/src/platform/enums";
 import { EncryptedString, EncString } from "../../../common/src/platform/models/domain/enc-string";
 import { SymmetricCryptoKey } from "../../../common/src/platform/models/domain/symmetric-crypto-key";
--- a/libs/key-management/src/enums/kdf-type.enum.ts
+++ b/libs/key-management/src/enums/kdf-type.enum.ts
@@ -0,0 +1,4 @@
+export enum KdfType {
+  PBKDF2_SHA256 = 0,
+  Argon2id = 1,
+}
--- a/libs/key-management/src/index.ts
+++ b/libs/key-management/src/index.ts
@@ -8,3 +8,12 @@ export * from "./biometrics/biometric.state";
 export { KeyService } from "./abstractions/key.service";
 export { DefaultKeyService } from "./key.service";
 export { UserKeyRotationDataProvider } from "./abstractions/user-key-rotation-data-provider.abstraction";
+export {
+  PBKDF2KdfConfig,
+  Argon2KdfConfig,
+  KdfConfig,
+  DEFAULT_KDF_CONFIG,
+} from "./models/kdf-config";
+export { KdfConfigService } from "./abstractions/kdf-config.service";
+export { DefaultKdfConfigService } from "./kdf-config.service";
+export { KdfType } from "./enums/kdf-type.enum";
--- a/libs/key-management/src/kdf-config.service.spec.ts
+++ b/libs/key-management/src/kdf-config.service.spec.ts
@@ -0,0 +1,137 @@
+import {
+  FakeAccountService,
+  FakeStateProvider,
+  mockAccountServiceWith,
+} from "@bitwarden/common/spec";
+import { UserId } from "@bitwarden/common/src/types/guid";
+
+import { Utils } from "../../common/src/platform/misc/utils";
+
+import { DefaultKdfConfigService } from "./kdf-config.service";
+import { Argon2KdfConfig, PBKDF2KdfConfig } from "./models/kdf-config";
+
+describe("KdfConfigService", () => {
+  let sutKdfConfigService: DefaultKdfConfigService;
+
+  let fakeStateProvider: FakeStateProvider;
+  let fakeAccountService: FakeAccountService;
+  const mockUserId = Utils.newGuid() as UserId;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    fakeAccountService = mockAccountServiceWith(mockUserId);
+    fakeStateProvider = new FakeStateProvider(fakeAccountService);
+    sutKdfConfigService = new DefaultKdfConfigService(fakeStateProvider);
+  });
+
+  it("setKdfConfig(): should set the KDF config", async () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(600_000);
+    await sutKdfConfigService.setKdfConfig(mockUserId, kdfConfig);
+    await expect(sutKdfConfigService.getKdfConfig()).resolves.toEqual(kdfConfig);
+  });
+
+  it("setKdfConfig(): should get the KDF config", async () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 4);
+    await sutKdfConfigService.setKdfConfig(mockUserId, kdfConfig);
+    await expect(sutKdfConfigService.getKdfConfig()).resolves.toEqual(kdfConfig);
+  });
+
+  it("setKdfConfig(): should throw error KDF cannot be null", async () => {
+    const kdfConfig: Argon2KdfConfig = null;
+    try {
+      await sutKdfConfigService.setKdfConfig(mockUserId, kdfConfig);
+    } catch (e) {
+      expect(e).toEqual(new Error("kdfConfig cannot be null"));
+    }
+  });
+
+  it("setKdfConfig(): should throw error userId cannot be null", async () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 4);
+    try {
+      await sutKdfConfigService.setKdfConfig(null, kdfConfig);
+    } catch (e) {
+      expect(e).toEqual(new Error("userId cannot be null"));
+    }
+  });
+
+  it("getKdfConfig(): should throw error KdfConfig for active user account state is null", async () => {
+    try {
+      await sutKdfConfigService.getKdfConfig();
+    } catch (e) {
+      expect(e).toEqual(new Error("KdfConfig for active user account state is null"));
+    }
+  });
+
+  it("validateKdfConfigForSetting(): should validate the PBKDF2 KDF config", () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(600_000);
+    expect(() => kdfConfig.validateKdfConfigForSetting()).not.toThrow();
+  });
+
+  it("validateKdfConfigForSetting(): should validate the Argon2id KDF config", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 4);
+    expect(() => kdfConfig.validateKdfConfigForSetting()).not.toThrow();
+  });
+
+  it("validateKdfConfigForSetting(): should throw an error for invalid PBKDF2 iterations", () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(100000);
+    expect(() => kdfConfig.validateKdfConfigForSetting()).toThrow(
+      `PBKDF2 iterations must be between ${PBKDF2KdfConfig.ITERATIONS.min} and ${PBKDF2KdfConfig.ITERATIONS.max}`,
+    );
+  });
+
+  it("validateKdfConfigForSetting(): should throw an error for invalid Argon2 iterations", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(11, 64, 4);
+    expect(() => kdfConfig.validateKdfConfigForSetting()).toThrow(
+      `Argon2 iterations must be between ${Argon2KdfConfig.ITERATIONS.min} and ${Argon2KdfConfig.ITERATIONS.max}`,
+    );
+  });
+
+  it("validateKdfConfigForSetting(): should throw an error for invalid Argon2 parallelism", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 17);
+    expect(() => kdfConfig.validateKdfConfigForSetting()).toThrow(
+      `Argon2 parallelism must be between ${Argon2KdfConfig.PARALLELISM.min} and ${Argon2KdfConfig.PARALLELISM.max}`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should validate the PBKDF2 KDF config", () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(600_000);
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).not.toThrow();
+  });
+
+  it("validateKdfConfigForPrelogin(): should validate the Argon2id KDF config", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(3, 64, 4);
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).not.toThrow();
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too low PBKDF2 iterations", () => {
+    const kdfConfig: PBKDF2KdfConfig = new PBKDF2KdfConfig(
+      PBKDF2KdfConfig.PRELOGIN_ITERATIONS_MIN - 1,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `PBKDF2 iterations must be at least ${PBKDF2KdfConfig.PRELOGIN_ITERATIONS_MIN}, but was ${kdfConfig.iterations}; possible pre-login downgrade attack detected.`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too low Argon2 iterations", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(
+      Argon2KdfConfig.PRELOGIN_ITERATIONS_MIN - 1,
+      64,
+      4,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `Argon2 iterations must be at least ${Argon2KdfConfig.PRELOGIN_ITERATIONS_MIN}, but was ${kdfConfig.iterations}; possible pre-login downgrade attack detected.`,
+    );
+  });
+
+  it("validateKdfConfigForPrelogin(): should throw an error for too low Argon2 memory", () => {
+    const kdfConfig: Argon2KdfConfig = new Argon2KdfConfig(
+      3,
+      Argon2KdfConfig.PRELOGIN_MEMORY_MIN - 1,
+      4,
+    );
+    expect(() => kdfConfig.validateKdfConfigForPrelogin()).toThrow(
+      `Argon2 memory must be at least ${Argon2KdfConfig.PRELOGIN_MEMORY_MIN} MiB, but was ${kdfConfig.memory} MiB; possible pre-login downgrade attack detected.`,
+    );
+  });
+});
--- a/libs/key-management/src/kdf-config.service.ts
+++ b/libs/key-management/src/kdf-config.service.ts
@@ -0,0 +1,47 @@
+import { firstValueFrom, Observable } from "rxjs";
+
+import { UserId } from "@bitwarden/common/src/types/guid";
+
+import { KDF_CONFIG_DISK, StateProvider, UserKeyDefinition } from "../../common/src/platform/state";
+
+import { KdfConfigService } from "./abstractions/kdf-config.service";
+import { KdfType } from "./enums/kdf-type.enum";
+import { Argon2KdfConfig, KdfConfig, PBKDF2KdfConfig } from "./models/kdf-config";
+
+export const KDF_CONFIG = new UserKeyDefinition<KdfConfig>(KDF_CONFIG_DISK, "kdfConfig", {
+  deserializer: (kdfConfig: KdfConfig) => {
+    if (kdfConfig == null) {
+      return null;
+    }
+    return kdfConfig.kdfType === KdfType.PBKDF2_SHA256
+      ? PBKDF2KdfConfig.fromJSON(kdfConfig)
+      : Argon2KdfConfig.fromJSON(kdfConfig);
+  },
+  clearOn: ["logout"],
+});
+
+export class DefaultKdfConfigService implements KdfConfigService {
+  constructor(private stateProvider: StateProvider) {}
+  async setKdfConfig(userId: UserId, kdfConfig: KdfConfig) {
+    if (!userId) {
+      throw new Error("userId cannot be null");
+    }
+    if (kdfConfig === null) {
+      throw new Error("kdfConfig cannot be null");
+    }
+    await this.stateProvider.setUserState(KDF_CONFIG, kdfConfig, userId);
+  }
+
+  async getKdfConfig(): Promise<KdfConfig> {
+    const userId = await firstValueFrom(this.stateProvider.activeUserId$);
+    const state = await firstValueFrom(this.stateProvider.getUser(userId, KDF_CONFIG).state$);
+    if (state === null) {
+      throw new Error("KdfConfig for active user account state is null");
+    }
+    return state;
+  }
+
+  getKdfConfig$(userId: UserId): Observable<KdfConfig> {
+    return this.stateProvider.getUser(userId, KDF_CONFIG).state$;
+  }
+}
--- a/libs/key-management/src/key.service.spec.ts
+++ b/libs/key-management/src/key.service.spec.ts
@@ -1,6 +1,8 @@
 import { mock } from "jest-mock-extended";
 import { bufferCount, firstValueFrom, lastValueFrom, of, take, tap } from "rxjs";

+import { EncryptedOrganizationKeyData } from "@bitwarden/common/admin-console/models/data/encrypted-organization-key.data";
+
 import { PinServiceAbstraction } from "../../auth/src/common/abstractions";
 import {
  awaitAsync,
@@ -11,8 +13,6 @@ import {
 import { FakeAccountService, mockAccountServiceWith } from "../../common/spec/fake-account-service";
 import { FakeActiveUserState, FakeSingleUserState } from "../../common/spec/fake-state";
 import { FakeStateProvider } from "../../common/spec/fake-state-provider";
-import { EncryptedOrganizationKeyData } from "../../common/src/admin-console/models/data/encrypted-organization-key.data";
-import { KdfConfigService } from "../../common/src/auth/abstractions/kdf-config.service";
 import { FakeMasterPasswordService } from "../../common/src/auth/services/master-password/fake-master-password.service";
 import { CryptoFunctionService } from "../../common/src/platform/abstractions/crypto-function.service";
 import { EncryptService } from "../../common/src/platform/abstractions/encrypt.service";
@@ -38,6 +38,7 @@ import { OrganizationId, UserId } from "../../common/src/types/guid";
 import { UserKey, MasterKey } from "../../common/src/types/key";
 import { VaultTimeoutStringType } from "../../common/src/types/vault-timeout.type";

+import { KdfConfigService } from "./abstractions/kdf-config.service";
 import { UserPrivateKeyDecryptionFailedError } from "./abstractions/key.service";
 import { DefaultKeyService } from "./key.service";

--- a/libs/key-management/src/key.service.ts
+++ b/libs/key-management/src/key.service.ts
@@ -17,9 +17,7 @@ import { ProfileOrganizationResponse } from "../../common/src/admin-console/mode
 import { ProfileProviderOrganizationResponse } from "../../common/src/admin-console/models/response/profile-provider-organization.response";
 import { ProfileProviderResponse } from "../../common/src/admin-console/models/response/profile-provider.response";
 import { AccountService } from "../../common/src/auth/abstractions/account.service";
-import { KdfConfigService } from "../../common/src/auth/abstractions/kdf-config.service";
 import { InternalMasterPasswordServiceAbstraction } from "../../common/src/auth/abstractions/master-password.service.abstraction";
-import { KdfConfig } from "../../common/src/auth/models/domain/kdf-config";
 import { CryptoFunctionService } from "../../common/src/platform/abstractions/crypto-function.service";
 import { EncryptService } from "../../common/src/platform/abstractions/encrypt.service";
 import { KeyGenerationService } from "../../common/src/platform/abstractions/key-generation.service";
@@ -54,11 +52,13 @@ import {
 } from "../../common/src/types/key";
 import { VaultTimeoutStringType } from "../../common/src/types/vault-timeout.type";

+import { KdfConfigService } from "./abstractions/kdf-config.service";
 import {
  CipherDecryptionKeys,
  KeyService as KeyServiceAbstraction,
  UserPrivateKeyDecryptionFailedError,
 } from "./abstractions/key.service";
+import { KdfConfig } from "./models/kdf-config";

 export class DefaultKeyService implements KeyServiceAbstraction {
  private readonly activeUserEverHadUserKey: ActiveUserState<boolean>;
--- a/libs/key-management/src/models/kdf-config.ts
+++ b/libs/key-management/src/models/kdf-config.ts
@@ -0,0 +1,128 @@
+import { Jsonify } from "type-fest";
+
+import { RangeWithDefault } from "../../../common/src/platform/misc/range-with-default";
+import { KdfType } from "../enums/kdf-type.enum";
+
+/**
+ * Represents a type safe KDF configuration.
+ */
+export type KdfConfig = PBKDF2KdfConfig | Argon2KdfConfig;
+
+/**
+ * Password-Based Key Derivation Function 2 (PBKDF2) KDF configuration.
+ */
+export class PBKDF2KdfConfig {
+  static ITERATIONS = new RangeWithDefault(600_000, 2_000_000, 600_000);
+  static PRELOGIN_ITERATIONS_MIN = 5000;
+  kdfType: KdfType.PBKDF2_SHA256 = KdfType.PBKDF2_SHA256;
+  iterations: number;
+
+  constructor(iterations?: number) {
+    this.iterations = iterations ?? PBKDF2KdfConfig.ITERATIONS.defaultValue;
+  }
+
+  /**
+   * Validates the PBKDF2 KDF configuration for updating the KDF config.
+   * A Valid PBKDF2 KDF configuration has KDF iterations between the 600_000 and 2_000_000.
+   */
+  validateKdfConfigForSetting(): void {
+    if (!PBKDF2KdfConfig.ITERATIONS.inRange(this.iterations)) {
+      throw new Error(
+        `PBKDF2 iterations must be between ${PBKDF2KdfConfig.ITERATIONS.min} and ${PBKDF2KdfConfig.ITERATIONS.max}`,
+      );
+    }
+  }
+
+  /**
+   * Validates the PBKDF2 KDF configuration for pre-login.
+   * A Valid PBKDF2 KDF configuration has KDF iterations between the 5000 and 2_000_000.
+   */
+  validateKdfConfigForPrelogin(): void {
+    if (PBKDF2KdfConfig.PRELOGIN_ITERATIONS_MIN > this.iterations) {
+      throw new Error(
+        `PBKDF2 iterations must be at least ${PBKDF2KdfConfig.PRELOGIN_ITERATIONS_MIN}, but was ${this.iterations}; possible pre-login downgrade attack detected.`,
+      );
+    }
+  }
+
+  static fromJSON(json: Jsonify<PBKDF2KdfConfig>): PBKDF2KdfConfig {
+    return new PBKDF2KdfConfig(json.iterations);
+  }
+}
+
+/**
+ * Argon2 KDF configuration.
+ */
+export class Argon2KdfConfig {
+  static MEMORY = new RangeWithDefault(16, 1024, 64);
+  static PARALLELISM = new RangeWithDefault(1, 16, 4);
+  static ITERATIONS = new RangeWithDefault(2, 10, 3);
+
+  static PRELOGIN_MEMORY_MIN = 16;
+  static PRELOGIN_PARALLELISM_MIN = 1;
+  static PRELOGIN_ITERATIONS_MIN = 2;
+
+  kdfType: KdfType.Argon2id = KdfType.Argon2id;
+  iterations: number;
+  memory: number;
+  parallelism: number;
+
+  constructor(iterations?: number, memory?: number, parallelism?: number) {
+    this.iterations = iterations ?? Argon2KdfConfig.ITERATIONS.defaultValue;
+    this.memory = memory ?? Argon2KdfConfig.MEMORY.defaultValue;
+    this.parallelism = parallelism ?? Argon2KdfConfig.PARALLELISM.defaultValue;
+  }
+
+  /**
+   * Validates the Argon2 KDF configuration for updating the KDF config.
+   * A Valid Argon2 KDF configuration has iterations between 2 and 10, memory between 16mb and 1024mb, and parallelism between 1 and 16.
+   */
+  validateKdfConfigForSetting(): void {
+    if (!Argon2KdfConfig.ITERATIONS.inRange(this.iterations)) {
+      throw new Error(
+        `Argon2 iterations must be between ${Argon2KdfConfig.ITERATIONS.min} and ${Argon2KdfConfig.ITERATIONS.max}`,
+      );
+    }
+
+    if (!Argon2KdfConfig.MEMORY.inRange(this.memory)) {
+      throw new Error(
+        `Argon2 memory must be between ${Argon2KdfConfig.MEMORY.min} MiB and ${Argon2KdfConfig.MEMORY.max} MiB`,
+      );
+    }
+
+    if (!Argon2KdfConfig.PARALLELISM.inRange(this.parallelism)) {
+      throw new Error(
+        `Argon2 parallelism must be between ${Argon2KdfConfig.PARALLELISM.min} and ${Argon2KdfConfig.PARALLELISM.max}.`,
+      );
+    }
+  }
+
+  /**
+   * Validates the Argon2 KDF configuration for pre-login.
+   */
+  validateKdfConfigForPrelogin(): void {
+    if (Argon2KdfConfig.PRELOGIN_ITERATIONS_MIN > this.iterations) {
+      throw new Error(
+        `Argon2 iterations must be at least ${Argon2KdfConfig.PRELOGIN_ITERATIONS_MIN}, but was ${this.iterations}; possible pre-login downgrade attack detected.`,
+      );
+    }
+
+    if (Argon2KdfConfig.PRELOGIN_MEMORY_MIN > this.memory) {
+      throw new Error(
+        `Argon2 memory must be at least ${Argon2KdfConfig.PRELOGIN_MEMORY_MIN} MiB, but was ${this.memory} MiB; possible pre-login downgrade attack detected.`,
+      );
+    }
+
+    if (Argon2KdfConfig.PRELOGIN_PARALLELISM_MIN > this.parallelism) {
+      throw new Error(
+        `Argon2 parallelism must be at least ${Argon2KdfConfig.PRELOGIN_PARALLELISM_MIN}, but was ${this.parallelism}; possible pre-login downgrade attack detected.`,
+      );
+    }
+  }
+
+  static fromJSON(json: Jsonify<Argon2KdfConfig>): Argon2KdfConfig {
+    return new Argon2KdfConfig(json.iterations, json.memory, json.parallelism);
+  }
+}
+
+export const DEFAULT_KDF_CONFIG = new PBKDF2KdfConfig(PBKDF2KdfConfig.ITERATIONS.defaultValue);