
PM-14445: Biometrics nullable initialization vector

This commit is contained in:
Maciej Zieniuk
2024-11-05 13:14:58 +00:00
parent d287fc80f1
commit 43be8e7ada
3 changed files with 21 additions and 16 deletions


@@ -17,7 +17,7 @@ export declare namespace passwords {
export declare namespace biometrics {
export function prompt(hwnd: Buffer, message: string): Promise<boolean>
export function available(): Promise<boolean>
export function setBiometricSecret(service: string, account: string, secret: string, keyMaterial: KeyMaterial | undefined | null, ivB64: string | null): Promise<string>
export function setBiometricSecret(service: string, account: string, secret: string, keyMaterial: KeyMaterial | undefined | null, ivB64: string): Promise<string>
export function getBiometricSecret(service: string, account: string, keyMaterial?: KeyMaterial | undefined | null): Promise<string>
/**
* Derives key material from biometric data. Returns a string encoded with a
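Review bot: The `setBiometricSecret` declaration tightens `ivB64` from `string | null` to `string` without any TSDoc stating the contract, while the neighbouring `deriveKeyMaterial` carries one. A one-line comment above the declaration would tell callers what is now required, e.g. `/** Stores a biometric-protected secret; ivB64 is the base64 initialization vector that accompanies keyMaterial and must be present. */` — the pairing of `ivB64` with the key material is inferred from the getStorageDetails return shape in the other files, so adjust the wording if the native side treats them differently. Since this is a `.d.ts` for a native binding, the type change is not enforced at runtime; the guards added in the callers are what actually keep a missing IV from reaching the native call.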


@@ -33,7 +33,8 @@ export default class BiometricUnixMain implements OsBiometricService {
private i18nservice: I18nService,
private windowMain: WindowMain,
) {}
private _iv: string | null = null;
private _iv?: string;
// Use getKeyMaterial helper instead of direct access
private _osKeyHalf: string | null = null;
@@ -52,6 +53,7 @@ export default class BiometricUnixMain implements OsBiometricService {
storageDetails.ivB64,
);
}
async deleteBiometricKey(service: string, key: string): Promise<void> {
await passwords.deletePassword(service, key);
}
@@ -73,14 +75,9 @@ export default class BiometricUnixMain implements OsBiometricService {
return null;
} else {
const encValue = new EncString(value);
this.setIv(encValue.iv ?? null);
this.setIv(encValue.iv);
const storageDetails = await this.getStorageDetails({ clientKeyHalfB64: clientKeyPartB64 });
const storedValue = await biometrics.getBiometricSecret(
service,
storageKey,
storageDetails.key_material,
);
return storedValue;
return await biometrics.getBiometricSecret(service, storageKey, storageDetails.key_material);
}
}
@@ -132,7 +129,7 @@ export default class BiometricUnixMain implements OsBiometricService {
// Nulls out key material in order to force a re-derive. This should only be used in getBiometricKey
// when we want to force a re-derive of the key material.
private setIv(iv: string | null) {
private setIv(iv?: string) {
this._iv = iv;
this._osKeyHalf = null;
}
@@ -141,14 +138,18 @@ export default class BiometricUnixMain implements OsBiometricService {
clientKeyHalfB64,
}: {
clientKeyHalfB64: string | undefined;
}): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string | null }> {
}): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string }> {
if (this._osKeyHalf == null) {
const keyMaterial = await biometrics.deriveKeyMaterial(this._iv);
// osKeyHalf is based on the iv and in contrast to windows is not locked behind user verefication!
// osKeyHalf is based on the iv and in contrast to windows is not locked behind user verification!
this._osKeyHalf = keyMaterial.keyB64;
this._iv = keyMaterial.ivB64;
}
if (this._iv == null) {
throw new Error("Initialization Vector is null");
}
return {
key_material: {
osKeyPartB64: this._osKeyHalf,
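Review bot: The new `if (this._iv == null) throw new Error("Initialization Vector is null")` in getStorageDetails runs after `this._osKeyHalf = keyMaterial.keyB64` has already been assigned, so if `deriveKeyMaterial` can ever return key material without an `ivB64` (its declaration is not in this hunk), the instance is left with a cached key half and no IV, and every later call skips the derive branch and throws the same error until `setIv` resets both fields. Guarding the derive result before the two assignments keeps the fields consistent: `if (keyMaterial.ivB64 == null) throw new Error("Initialization Vector is null");` placed right after the `deriveKeyMaterial` call, with the existing check after the branch retained as the type-narrowing guard for the `ivB64: string` return. The same ordering appears in the Windows getStorageDetails hunk in the third file. getStorageDetails begins and ends outside this hunk.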


@@ -13,7 +13,7 @@ const WITNESS_VALUE = "known key";
export default class BiometricWindowsMain implements OsBiometricService {
// Use set helper method instead of direct access
private _iv: string | null = null;
private _iv?: string;
// Use getKeyMaterial helper instead of direct access
private _osKeyHalf: string | null = null;
@@ -52,7 +52,7 @@ export default class BiometricWindowsMain implements OsBiometricService {
return value;
} else {
const encValue = new EncString(value);
this.setIv(encValue.iv ?? null);
this.setIv(encValue.iv);
const storageDetails = await this.getStorageDetails({
clientKeyHalfB64,
});
@@ -103,7 +103,7 @@ export default class BiometricWindowsMain implements OsBiometricService {
clientKeyHalfB64,
}: {
clientKeyHalfB64: string | undefined;
}): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string | null }> {
}): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string }> {
if (this._osKeyHalf == null) {
// Prompts Windows Hello
const keyMaterial = await biometrics.deriveKeyMaterial(this._iv);
@@ -111,6 +111,10 @@ export default class BiometricWindowsMain implements OsBiometricService {
this._iv = keyMaterial.ivB64;
}
if (this._iv == null) {
throw new Error("Initialization Vector is null");
}
return {
key_material: {
osKeyPartB64: this._osKeyHalf,
@@ -122,7 +126,7 @@ export default class BiometricWindowsMain implements OsBiometricService {
// Nulls out key material in order to force a re-derive. This should only be used in getBiometricKey
// when we want to force a re-derive of the key material.
private setIv(iv: string | null) {
private setIv(iv?: string) {
this._iv = iv;
this._osKeyHalf = null;
}