[PM-23099] Prevent private key regen / private key generation on v2 accounts (#15413)

* Prevent private key regen / private key generation on v2 accounts * Fix tests * Fix build * Fix tests
2025-12-10 05:13:29 +00:00 · 2025-07-25 13:19:48 +02:00
parent 1491445392
commit 594455af88
4 changed files with 41 additions and 0 deletions
--- a/libs/auth/src/common/login-strategies/login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.spec.ts
@@ -327,6 +327,7 @@ describe("LoginStrategy", () => {
      const tokenResponse = identityTokenResponseFactory();
      tokenResponse.privateKey = null;
      keyService.makeKeyPair.mockResolvedValue(["PUBLIC_KEY", new EncString("PRIVATE_KEY")]);
+      keyService.getUserKey.mockResolvedValue(userKey);

      apiService.postIdentityToken.mockResolvedValue(tokenResponse);
      masterPasswordService.masterKeySubject.next(masterKey);
@@ -343,6 +344,15 @@ describe("LoginStrategy", () => {

      expect(apiService.postAccountKeys).toHaveBeenCalled();
    });
+
+    it("throws if userKey is CoseEncrypt0 (V2 encryption) in createKeyPairForOldAccount", async () => {
+      keyService.getUserKey.mockResolvedValue({
+        inner: () => ({ type: 7 }),
+      } as UserKey);
+      await expect(passwordLoginStrategy["createKeyPairForOldAccount"](userId)).resolves.toBe(
+        undefined,
+      );
+    });
  });

  describe("Two-factor authentication", () => {
--- a/libs/auth/src/common/login-strategies/login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.ts
@@ -31,6 +31,7 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
+import { EncryptionType } from "@bitwarden/common/platform/enums";
 import { Account, AccountProfile } from "@bitwarden/common/platform/models/domain/account";
 import { UserId } from "@bitwarden/common/types/guid";
 import {
@@ -326,6 +327,10 @@ export abstract class LoginStrategy {
  protected async createKeyPairForOldAccount(userId: UserId) {
    try {
      const userKey = await this.keyService.getUserKey(userId);
+      if (userKey.inner().type == EncryptionType.CoseEncrypt0) {
+        throw new Error("Cannot create key pair for account on V2 encryption");
+      }
+
      const [publicKey, privateKey] = await this.keyService.makeKeyPair(userKey);
      if (!privateKey.encryptedString) {
        throw new Error("Failed to create encrypted private key");
--- a/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.spec.ts
+++ b/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.spec.ts
@@ -354,4 +354,22 @@ describe("regenerateIfNeeded", () => {
    ).not.toHaveBeenCalled();
    expect(keyService.setPrivateKey).not.toHaveBeenCalled();
  });
+
+  it("should not regenerate when userKey type is CoseEncrypt0 (V2 encryption)", async () => {
+    const mockUserKey = {
+      keyB64: "mockKeyB64",
+      inner: () => ({ type: 7 }),
+    } as unknown as UserKey;
+    keyService.userKey$.mockReturnValue(of(mockUserKey));
+
+    await sut.regenerateIfNeeded(userId);
+
+    expect(
+      userAsymmetricKeysRegenerationApiService.regenerateUserAsymmetricKeys,
+    ).not.toHaveBeenCalled();
+    expect(keyService.setPrivateKey).not.toHaveBeenCalled();
+    expect(logService.error).toHaveBeenCalledWith(
+      "[UserAsymmetricKeyRegeneration] Cannot regenerate asymmetric keys for accounts on V2 encryption.",
+    );
+  });
 });
--- a/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.ts
+++ b/libs/key-management/src/user-asymmetric-key-regeneration/services/default-user-asymmetric-key-regeneration.service.ts
@@ -6,6 +6,7 @@ import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-st
 import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { SdkService } from "@bitwarden/common/platform/abstractions/sdk/sdk.service";
+import { EncryptionType } from "@bitwarden/common/platform/enums";
 import { UserId } from "@bitwarden/common/types/guid";
 import { UserKey } from "@bitwarden/common/types/key";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
@@ -60,6 +61,13 @@ export class DefaultUserAsymmetricKeysRegenerationService
      return false;
    }

+    if (userKey.inner().type === EncryptionType.CoseEncrypt0) {
+      this.logService.error(
+        "[UserAsymmetricKeyRegeneration] Cannot regenerate asymmetric keys for accounts on V2 encryption.",
+      );
+      return false;
+    }
+
    const [userKeyEncryptedPrivateKey, publicKeyResponse] = await firstValueFrom(
      combineLatest([
        this.keyService.userEncryptedPrivateKey$(userId),