From 6287ac3c100b41e7cb1f1e5b0958d085d8aaf058 Mon Sep 17 00:00:00 2001
From: Dmitry Yakimenko
Date: Wed, 1 Oct 2025 21:43:24 +0200
Subject: [PATCH] Verify that we're decrypting Chrome keys (sort of)
---
 .../src/bin/admin.rs | 25 ++++++++++++++++---
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/apps/desktop/desktop_native/bitwarden_chromium_importer/src/bin/admin.rs b/apps/desktop/desktop_native/bitwarden_chromium_importer/src/bin/admin.rs
index d5fddd8aa38..6f027949573 100644
--- a/apps/desktop/desktop_native/bitwarden_chromium_importer/src/bin/admin.rs
+++ b/apps/desktop/desktop_native/bitwarden_chromium_importer/src/bin/admin.rs
@@ -426,11 +426,28 @@ async fn run() -> Result {
 debug!("Running as admin");
 // Impersonate a SYSTEM process to be able to decrypt data encrypted for the machine
- let (_guard, pid) = ImpersonateGuard::start(None, None)?;
- debug!("Impersonating system process with PID {}", pid);
+ let system_decrypted_base64 = {
+ let (_guard, pid) = ImpersonateGuard::start(None, None)?;
+ debug!("Impersonating system process with PID {}", pid);
- let system_decrypted_base64 = decrypt_data_base64(&args.encrypted, true)?;
- debug!("Decrypted data with system");
+ let system_decrypted_base64 = decrypt_data_base64(&args.encrypted, true)?;
+ debug!("Decrypted data with system");
+
+ system_decrypted_base64
+ };
+
+ // This is just to check that we're decrypting Chrome keys and not something else sent to us by a malicious actor.
+ // Now that we're back from SYSTEM, we need to decrypt one more time just to verify.
+ // Chrome keys are double encrypted: once at SYSTEM level and once at USER level.
+ // When the decryption fails, it means that we're decrypting something unexpected.
+ // We don't send this result back since the library will decrypt again at USER level.
+
+ _ = decrypt_data_base64(&system_decrypted_base64, false).map_err(|e| {
+ debug!("User level decryption check failed: {}", e);
+ e
+ })?;
+
+ debug!("User level decryption check passed");
 Ok(system_decrypted_base64)
 }
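Review bot: The user-level check at `_ = decrypt_data_base64(&system_decrypted_base64, false)` runs under whatever identity the elevated process has once `_guard` is dropped at the closing `};`, and nothing in the hunk confirms that this is the account that owns the browser profile. If elevation was granted with a different administrator's credentials, user-level decryption would presumably reject a genuine Chrome key and the import would fail here, so that case is worth testing and reporting with a distinct error. The check also depends on the guard's `Drop` (outside this hunk) really reverting the SYSTEM impersonation; a comment at the block end such as `// _guard dropped here: impersonation must be reverted before the user-level check` would make that dependency visible. The plaintext returned by the check is discarded with `_ =`, so it may linger in freed memory as key material unless `decrypt_data_base64` already wipes its buffers. The start of `run()` is outside the hunk.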