From 43be8e7adac019327726b71951b83f83bad3599d Mon Sep 17 00:00:00 2001 From: Maciej Zieniuk Date: Tue, 5 Nov 2024 13:14:58 +0000 Subject: [PATCH] PM-14445: Biometrics nullable initialization vector --- apps/desktop/desktop_native/napi/index.d.ts | 2 +- .../biometrics/biometric.unix.main.ts | 23 ++++++++++--------- .../biometrics/biometric.windows.main.ts | 12 ++++++---- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/apps/desktop/desktop_native/napi/index.d.ts b/apps/desktop/desktop_native/napi/index.d.ts index 9fadd43f595..8e1c1381b5f 100644 --- a/apps/desktop/desktop_native/napi/index.d.ts +++ b/apps/desktop/desktop_native/napi/index.d.ts @@ -17,7 +17,7 @@ export declare namespace passwords { export declare namespace biometrics { export function prompt(hwnd: Buffer, message: string): Promise export function available(): Promise - export function setBiometricSecret(service: string, account: string, secret: string, keyMaterial: KeyMaterial | undefined | null, ivB64: string | null): Promise + export function setBiometricSecret(service: string, account: string, secret: string, keyMaterial: KeyMaterial | undefined | null, ivB64: string): Promise export function getBiometricSecret(service: string, account: string, keyMaterial?: KeyMaterial | undefined | null): Promise /** * Derives key material from biometric data. Returns a string encoded with a diff --git a/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts b/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts index 49db86dc21c..bd5cd713f86 100644 --- a/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts +++ b/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts @@ -33,7 +33,8 @@ export default class BiometricUnixMain implements OsBiometricService { private i18nservice: I18nService, private windowMain: WindowMain, ) {} - private _iv: string | null = null; + + private _iv?: string; // Use getKeyMaterial helper instead of direct access private _osKeyHalf: string | null = null; @@ -52,6 +53,7 @@ export default class BiometricUnixMain implements OsBiometricService { storageDetails.ivB64, ); } + async deleteBiometricKey(service: string, key: string): Promise { await passwords.deletePassword(service, key); } @@ -73,14 +75,9 @@ export default class BiometricUnixMain implements OsBiometricService { return null; } else { const encValue = new EncString(value); - this.setIv(encValue.iv ?? null); + this.setIv(encValue.iv); const storageDetails = await this.getStorageDetails({ clientKeyHalfB64: clientKeyPartB64 }); - const storedValue = await biometrics.getBiometricSecret( - service, - storageKey, - storageDetails.key_material, - ); - return storedValue; + return await biometrics.getBiometricSecret(service, storageKey, storageDetails.key_material); } } @@ -132,7 +129,7 @@ export default class BiometricUnixMain implements OsBiometricService { // Nulls out key material in order to force a re-derive. This should only be used in getBiometricKey // when we want to force a re-derive of the key material. - private setIv(iv: string | null) { + private setIv(iv?: string) { this._iv = iv; this._osKeyHalf = null; } @@ -141,14 +138,18 @@ export default class BiometricUnixMain implements OsBiometricService { clientKeyHalfB64, }: { clientKeyHalfB64: string | undefined; - }): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string | null }> { + }): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string }> { if (this._osKeyHalf == null) { const keyMaterial = await biometrics.deriveKeyMaterial(this._iv); - // osKeyHalf is based on the iv and in contrast to windows is not locked behind user verefication! + // osKeyHalf is based on the iv and in contrast to windows is not locked behind user verification! this._osKeyHalf = keyMaterial.keyB64; this._iv = keyMaterial.ivB64; } + if (this._iv == null) { + throw new Error("Initialization Vector is null"); + } + return { key_material: { osKeyPartB64: this._osKeyHalf, diff --git a/apps/desktop/src/key-management/biometrics/biometric.windows.main.ts b/apps/desktop/src/key-management/biometrics/biometric.windows.main.ts index 2623c5af4b2..efe335a3054 100644 --- a/apps/desktop/src/key-management/biometrics/biometric.windows.main.ts +++ b/apps/desktop/src/key-management/biometrics/biometric.windows.main.ts @@ -13,7 +13,7 @@ const WITNESS_VALUE = "known key"; export default class BiometricWindowsMain implements OsBiometricService { // Use set helper method instead of direct access - private _iv: string | null = null; + private _iv?: string; // Use getKeyMaterial helper instead of direct access private _osKeyHalf: string | null = null; @@ -52,7 +52,7 @@ export default class BiometricWindowsMain implements OsBiometricService { return value; } else { const encValue = new EncString(value); - this.setIv(encValue.iv ?? null); + this.setIv(encValue.iv); const storageDetails = await this.getStorageDetails({ clientKeyHalfB64, }); @@ -103,7 +103,7 @@ export default class BiometricWindowsMain implements OsBiometricService { clientKeyHalfB64, }: { clientKeyHalfB64: string | undefined; - }): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string | null }> { + }): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string }> { if (this._osKeyHalf == null) { // Prompts Windows Hello const keyMaterial = await biometrics.deriveKeyMaterial(this._iv); @@ -111,6 +111,10 @@ export default class BiometricWindowsMain implements OsBiometricService { this._iv = keyMaterial.ivB64; } + if (this._iv == null) { + throw new Error("Initialization Vector is null"); + } + return { key_material: { osKeyPartB64: this._osKeyHalf, @@ -122,7 +126,7 @@ export default class BiometricWindowsMain implements OsBiometricService { // Nulls out key material in order to force a re-derive. This should only be used in getBiometricKey // when we want to force a re-derive of the key material. - private setIv(iv: string | null) { + private setIv(iv?: string) { this._iv = iv; this._osKeyHalf = null; }