bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-17 00:33:44 +00:00
Code Issues Releases Wiki Activity

Validate key before using it (#366)

Browse Source 
* Validate key before using it
This commit is contained in:
Oscar Hinton
2021-04-28 22:02:43 +02:00
committed by GitHub
parent 672d07e1e2
commit 5b7d918f29
2 changed files with 44 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/abstractions/crypto.service.ts
View File

@@ -48,4 +48,5 @@ export abstract class CryptoService {
decryptToUtf8: (encString: EncString, key?: SymmetricCryptoKey) => Promise<string>; decryptToUtf8: (encString: EncString, key?: SymmetricCryptoKey) => Promise<string>;
decryptFromBytes: (encBuf: ArrayBuffer, key: SymmetricCryptoKey) => Promise<ArrayBuffer>; decryptFromBytes: (encBuf: ArrayBuffer, key: SymmetricCryptoKey) => Promise<ArrayBuffer>;
randomNumber: (min: number, max: number) => Promise<number>; randomNumber: (min: number, max: number) => Promise<number>;
validateKey: (key: SymmetricCryptoKey) => Promise<boolean>;
} }

48
src/services/crypto.service.ts
View File

@@ -46,10 +46,7 @@ export class CryptoService implements CryptoServiceAbstraction {
async setKey(key: SymmetricCryptoKey): Promise<any> { async setKey(key: SymmetricCryptoKey): Promise<any> {
this.key = key; this.key = key;
const option = await this.storageService.get<number>(ConstantsService.vaultTimeoutKey); if (!await this.shouldStoreKey()) {
const biometric = await this.storageService.get<boolean>(ConstantsService.biometricUnlockKey);
if (option != null && !(biometric && this.platformUtilService.supportsSecureStorage())) {
// if we have a lock option set, we do not store the key
return; return;
} }
@@ -96,7 +93,21 @@ export class CryptoService implements CryptoServiceAbstraction {
const key = await this.secureStorageService.get<string>(Keys.key); const key = await this.secureStorageService.get<string>(Keys.key);
if (key != null) { if (key != null) {
this.key = new SymmetricCryptoKey(Utils.fromB64ToArray(key).buffer); if (!await this.shouldStoreKey()) {
this.logService.warning('Throwing away stored key since settings have changed');
this.secureStorageService.remove(Keys.key);
return null;
}
const symmetricKey = new SymmetricCryptoKey(Utils.fromB64ToArray(key).buffer);
if (!await this.validateKey(symmetricKey)) {
this.logService.warning('Wrong key, throwing away stored key');
this.secureStorageService.remove(Keys.key);
return null;
}
this.key = symmetricKey;
} }
return key == null ? null : this.key; return key == null ? null : this.key;
@@ -580,8 +591,35 @@ export class CryptoService implements CryptoServiceAbstraction {
return min + rval; return min + rval;
} }
async validateKey(key: SymmetricCryptoKey) {
try {
const encPrivateKey = await this.storageService.get<string>(Keys.encPrivateKey);
if (encPrivateKey == null) {
return false;
}
const encKey = await this.getEncKey(key);
const privateKey = await this.decryptToBytes(new EncString(encPrivateKey), encKey);
await this.cryptoFunctionService.rsaExtractPublicKey(privateKey);
} catch (e) {
return false;
}
return true;
}
// Helpers // Helpers
private async shouldStoreKey() {
const vaultTimeout = await this.storageService.get<number>(ConstantsService.vaultTimeoutKey);
const biometricUnlock = await this.storageService.get<boolean>(ConstantsService.biometricUnlockKey);
const biometricsEnabled = biometricUnlock && this.platformUtilService.supportsSecureStorage();
const noVaultTimeout = vaultTimeout == null;
return noVaultTimeout || biometricsEnabled;
}
private async aesEncrypt(data: ArrayBuffer, key: SymmetricCryptoKey): Promise<EncryptedObject> { private async aesEncrypt(data: ArrayBuffer, key: SymmetricCryptoKey): Promise<EncryptedObject> {
const obj = new EncryptedObject(); const obj = new EncryptedObject();
obj.key = await this.getKeyForEncryption(key); obj.key = await this.getKeyForEncryption(key);