bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-16 08:13:42 +00:00
Code Issues Releases Wiki Activity

Clean up stretchKey (#14520)

Browse Source
This commit is contained in:
Bernd Schoolmann
2025-05-09 21:39:38 +02:00
committed by GitHub
parent 6b6f9577f4
commit 51e327e20b
2 changed files with 28 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
libs/common/src/platform/services/key-generation.service.spec.ts
View File

@@ -5,6 +5,7 @@ import { PBKDF2KdfConfig, Argon2KdfConfig } from "@bitwarden/key-management";
import { CryptoFunctionService } from "../../key-management/crypto/abstractions/crypto-function.service"; import { CryptoFunctionService } from "../../key-management/crypto/abstractions/crypto-function.service";
import { CsprngArray } from "../../types/csprng"; import { CsprngArray } from "../../types/csprng";
import { EncryptionType } from "../enums"; import { EncryptionType } from "../enums";
import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
import { KeyGenerationService } from "./key-generation.service"; import { KeyGenerationService } from "./key-generation.service";
@@ -98,4 +99,23 @@ describe("KeyGenerationService", () => {
expect(key.inner().type).toEqual(EncryptionType.AesCbc256_B64); expect(key.inner().type).toEqual(EncryptionType.AesCbc256_B64);
}); });
}); });
describe("stretchKey", () => {
it("should stretch a key", async () => {
const key = new SymmetricCryptoKey(new Uint8Array(32));
cryptoFunctionService.hkdf.mockResolvedValue(new Uint8Array(64));
const stretchedKey = await sut.stretchKey(key);
expect(stretchedKey.inner().type).toEqual(EncryptionType.AesCbc256_HmacSha256_B64);
});
it("should throw if key is not 32 bytes", async () => {
const key = new SymmetricCryptoKey(new Uint8Array(64));
await expect(sut.stretchKey(key)).rejects.toThrow(
"Key passed into stretchKey is not a 256-bit key.",
);
});
});
}); });

10
libs/common/src/platform/services/key-generation.service.ts
View File

@@ -1,11 +1,11 @@
// FIXME: Update this file to be type safe and remove this and next line // FIXME: Update this file to be type safe and remove this and next line
// @ts-strict-ignore // @ts-strict-ignore
import { MasterKey, PinKey } from "@bitwarden/common/types/key";
import { KdfConfig, PBKDF2KdfConfig, Argon2KdfConfig, KdfType } from "@bitwarden/key-management"; import { KdfConfig, PBKDF2KdfConfig, Argon2KdfConfig, KdfType } from "@bitwarden/key-management";
import { CryptoFunctionService } from "../../key-management/crypto/abstractions/crypto-function.service"; import { CryptoFunctionService } from "../../key-management/crypto/abstractions/crypto-function.service";
import { CsprngArray } from "../../types/csprng"; import { CsprngArray } from "../../types/csprng";
import { KeyGenerationService as KeyGenerationServiceAbstraction } from "../abstractions/key-generation.service"; import { KeyGenerationService as KeyGenerationServiceAbstraction } from "../abstractions/key-generation.service";
import { EncryptionType } from "../enums";
import { Utils } from "../misc/utils"; import { Utils } from "../misc/utils";
import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key"; import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
@@ -79,7 +79,13 @@ export class KeyGenerationService implements KeyGenerationServiceAbstraction {
return new SymmetricCryptoKey(key); return new SymmetricCryptoKey(key);
} }
async stretchKey(key: MasterKey | PinKey): Promise<SymmetricCryptoKey> { async stretchKey(key: SymmetricCryptoKey): Promise<SymmetricCryptoKey> {
// The key to be stretched is actually usually the output of a KDF, and not actually meant for AesCbc256_B64 encryption,
// but has the same key length. Only 256-bit key materials should be stretched.
if (key.inner().type != EncryptionType.AesCbc256_B64) {
throw new Error("Key passed into stretchKey is not a 256-bit key.");
}
const newKey = new Uint8Array(64); const newKey = new Uint8Array(64);
// Master key and pin key are always 32 bytes // Master key and pin key are always 32 bytes
const encKey = await this.cryptoFunctionService.hkdfExpand( const encKey = await this.cryptoFunctionService.hkdfExpand(