mirror of
https://github.com/bitwarden/browser
synced 2025-12-17 16:53:34 +00:00
migrate pin to use user's symmetric key instead of master key
- set up new state - migrate on lock component - use new crypto service methods
This commit is contained in:
Jacob Fink
@@ -22,7 +22,7 @@ export abstract class CryptoService {
|
||||
hasUserKey: () => Promise<boolean>;
|
||||
hasUserKeyInMemory: (userId?: string) => Promise<boolean>;
|
||||
hasUserKeyStored: (keySuffix?: KeySuffixOptions, userId?: string) => Promise<boolean>;
|
||||
makeUserSymKey: (key: SymmetricCryptoKey) => Promise<[SymmetricCryptoKey, EncString]>;
|
||||
makeUserSymKey: (key: SymmetricCryptoKey) => Promise<[UserSymKey, EncString]>;
|
||||
clearUserKey: (clearSecretStorage?: boolean, userId?: string) => Promise<void>;
|
||||
clearUserKeyFromStorage: (keySuffix: KeySuffixOptions) => Promise<void>;
|
||||
setUserSymKeyMasterKey: (UserSymKeyMasterKey: string, userId?: string) => Promise<void>;
|
||||
@@ -39,7 +39,11 @@ export abstract class CryptoService {
|
||||
masterKey: MasterKey,
|
||||
userSymKey?: UserSymKey
|
||||
) => Promise<[UserSymKey, EncString]>;
|
||||
decryptUserSymKeyWithMasterKey: (masterKey: MasterKey, userId?: string) => Promise<UserSymKey>;
|
||||
decryptUserSymKeyWithMasterKey: (
|
||||
masterKey: MasterKey,
|
||||
userSymKey?: EncString,
|
||||
userId?: string
|
||||
) => Promise<UserSymKey>;
|
||||
hashPassword: (password: string, key: MasterKey, hashPurpose?: HashPurpose) => Promise<string>;
|
||||
setKeyHash: (keyHash: string) => Promise<void>;
|
||||
getKeyHash: () => Promise<string>;
|
||||
@@ -65,6 +69,16 @@ export abstract class CryptoService {
|
||||
clearKeyPair: (memoryOnly?: boolean, userId?: string) => Promise<void[]>;
|
||||
makePinKey: (pin: string, salt: string, kdf: KdfType, kdfConfig: KdfConfig) => Promise<PinKey>;
|
||||
clearPinProtectedKey: () => Promise<void>;
|
||||
/**
|
||||
* Decrypts the user's symmetric key with their pin
|
||||
* @param pin The user's PIN
|
||||
* @param salt The user's salt
|
||||
* @param kdf The user's KDF
|
||||
* @param kdfConfig The user's KDF config
|
||||
* @param pinProtectedUserSymKey The user's PIN protected symmetric key, if not provided
|
||||
* it will be retrieved from storage
|
||||
* @returns The decrypted user's symmetric key
|
||||
*/
|
||||
decryptUserSymKeyWithPin: (
|
||||
pin: string,
|
||||
salt: string,
|
||||
@@ -72,6 +86,16 @@ export abstract class CryptoService {
|
||||
kdfConfig: KdfConfig,
|
||||
protectedKeyCs?: EncString
|
||||
) => Promise<UserSymKey>;
|
||||
/**
|
||||
* @deprecated Left for migration purposes. Use decryptUserSymKeyWithPin instead.
|
||||
*/
|
||||
decryptMasterKeyWithPin: (
|
||||
pin: string,
|
||||
salt: string,
|
||||
kdf: KdfType,
|
||||
kdfConfig: KdfConfig,
|
||||
protectedKeyCs?: EncString
|
||||
) => Promise<MasterKey>;
|
||||
makeSendKey: (keyMaterial: ArrayBuffer) => Promise<SymmetricCryptoKey>;
|
||||
clearKeys: (userId?: string) => Promise<any>;
|
||||
rsaEncrypt: (data: ArrayBuffer, publicKey?: ArrayBuffer) => Promise<EncString>;
|
||||
|
||||
@@ -76,8 +76,6 @@ export abstract class StateService<T extends Account = Account> {
|
||||
setCollapsedGroupings: (value: string[], options?: StorageOptions) => Promise<void>;
|
||||
getConvertAccountToKeyConnector: (options?: StorageOptions) => Promise<boolean>;
|
||||
setConvertAccountToKeyConnector: (value: boolean, options?: StorageOptions) => Promise<void>;
|
||||
|
||||
// new keys
|
||||
getUserSymKey: (options?: StorageOptions) => Promise<UserSymKey>;
|
||||
setUserSymKey: (value: UserSymKey, options?: StorageOptions) => Promise<void>;
|
||||
getMasterKey: (options?: StorageOptions) => Promise<MasterKey>;
|
||||
@@ -89,10 +87,35 @@ export abstract class StateService<T extends Account = Account> {
|
||||
getUserSymKeyBiometric: (options?: StorageOptions) => Promise<string>;
|
||||
hasUserSymKeyBiometric: (options?: StorageOptions) => Promise<boolean>;
|
||||
setUserSymKeyBiometric: (value: BiometricKey, options?: StorageOptions) => Promise<void>;
|
||||
// end new keys
|
||||
/**
|
||||
* Gets the encrypted version of the user's symmetric key encrypted by the Pin key.
|
||||
* Used when Master Password on Reset is disabled
|
||||
*/
|
||||
getEncryptedUserSymKeyPin: (options?: StorageOptions) => Promise<string>;
|
||||
/**
|
||||
* Sets the encrypted version of the user's symmetric key encrypted by the Pin key.
|
||||
* Used when Master Password on Reset is disabled
|
||||
*/
|
||||
setEncryptedUserSymKeyPin: (value: string, options?: StorageOptions) => Promise<void>;
|
||||
/**
|
||||
* Gets the decrypted version of the user's symmetric key encrypted by the Pin key.
|
||||
* Used when Master Password on Reset is enabled
|
||||
*/
|
||||
getDecryptedUserSymKeyPin: (options?: StorageOptions) => Promise<EncString>;
|
||||
/**
|
||||
* Sets the decrypted version of the user's symmetric key encrypted by the Pin key.
|
||||
* Used when Master Password on Reset is enabled
|
||||
*/
|
||||
setDecryptedUserSymKeyPin: (value: EncString, options?: StorageOptions) => Promise<void>;
|
||||
|
||||
// deprecated keys
|
||||
/**
|
||||
* @deprecated For migration purposes only, use getUserSymKeyMasterKey instead
|
||||
*/
|
||||
getEncryptedCryptoSymmetricKey: (options?: StorageOptions) => Promise<string>;
|
||||
/**
|
||||
* @deprecated For migration purposes only, use setUserSymKeyMasterKey instead
|
||||
*/
|
||||
setEncryptedCryptoSymmetricKey: (value: string, options?: StorageOptions) => Promise<void>;
|
||||
getDecryptedCryptoSymmetricKey: (options?: StorageOptions) => Promise<SymmetricCryptoKey>;
|
||||
setDecryptedCryptoSymmetricKey: (
|
||||
@@ -128,7 +151,13 @@ export abstract class StateService<T extends Account = Account> {
|
||||
value: GeneratedPasswordHistory[],
|
||||
options?: StorageOptions
|
||||
) => Promise<void>;
|
||||
/**
|
||||
* @deprecated For migration purposes only, use getDecryptedUserSymKeyPin instead
|
||||
*/
|
||||
getDecryptedPinProtected: (options?: StorageOptions) => Promise<EncString>;
|
||||
/**
|
||||
* @deprecated For migration purposes only, use setDecryptedUserSymKeyPin instead
|
||||
*/
|
||||
setDecryptedPinProtected: (value: EncString, options?: StorageOptions) => Promise<void>;
|
||||
/**
|
||||
* @deprecated Do not call this, use PolicyService
|
||||
@@ -255,7 +284,13 @@ export abstract class StateService<T extends Account = Account> {
|
||||
value: GeneratedPasswordHistory[],
|
||||
options?: StorageOptions
|
||||
) => Promise<void>;
|
||||
/**
|
||||
* @deprecated For migration purposes only, use getEncryptedUserSymKeyPin instead
|
||||
*/
|
||||
getEncryptedPinProtected: (options?: StorageOptions) => Promise<string>;
|
||||
/**
|
||||
* @deprecated For migration purposes only, use setEncryptedUserSymKeyPin instead
|
||||
*/
|
||||
setEncryptedPinProtected: (value: string, options?: StorageOptions) => Promise<void>;
|
||||
/**
|
||||
* @deprecated Do not call this directly, use PolicyService
|
||||
|
||||
@@ -4,6 +4,7 @@ import { Utils } from "../../misc/utils";
|
||||
import { AccountKeys, EncryptionPair } from "./account";
|
||||
import { SymmetricCryptoKey } from "./symmetric-crypto-key";
|
||||
|
||||
//TODO(Jake): Fix tests
|
||||
describe("AccountKeys", () => {
|
||||
describe("toJSON", () => {
|
||||
it("should serialize itself", () => {
|
||||
|
||||
@@ -7,6 +7,20 @@ describe("AccountSettings", () => {
|
||||
expect(AccountSettings.fromJSON(JSON.parse("{}"))).toBeInstanceOf(AccountSettings);
|
||||
});
|
||||
|
||||
it("should deserialize userSymKeyPin", () => {
|
||||
const accountSettings = new AccountSettings();
|
||||
accountSettings.userSymKeyPin = EncryptionPair.fromJSON<string, EncString>({
|
||||
encrypted: "encrypted",
|
||||
decrypted: "3.data",
|
||||
});
|
||||
const jsonObj = JSON.parse(JSON.stringify(accountSettings));
|
||||
const actual = AccountSettings.fromJSON(jsonObj);
|
||||
|
||||
expect(actual.userSymKeyPin).toBeInstanceOf(EncryptionPair);
|
||||
expect(actual.userSymKeyPin.encrypted).toEqual("encrypted");
|
||||
expect(actual.userSymKeyPin.decrypted.encryptedString).toEqual("3.data");
|
||||
});
|
||||
|
||||
it("should deserialize pinProtected", () => {
|
||||
const accountSettings = new AccountSettings();
|
||||
accountSettings.pinProtected = EncryptionPair.fromJSON<string, EncString>({
|
||||
|
||||
@@ -235,7 +235,8 @@ export class AccountSettings {
|
||||
passwordGenerationOptions?: any;
|
||||
usernameGenerationOptions?: any;
|
||||
generatorOptions?: any;
|
||||
pinProtected?: EncryptionPair<string, EncString> = new EncryptionPair<string, EncString>();
|
||||
userSymKeyPin?: EncryptionPair<string, EncString> = new EncryptionPair<string, EncString>();
|
||||
pinProtected?: EncryptionPair<string, EncString> = new EncryptionPair<string, EncString>(); // Deprecated
|
||||
protectedPin?: string;
|
||||
settings?: AccountSettingsSettings; // TODO: Merge whatever is going on here into the AccountSettings model properly
|
||||
vaultTimeout?: number;
|
||||
@@ -254,6 +255,10 @@ export class AccountSettings {
|
||||
|
||||
return Object.assign(new AccountSettings(), obj, {
|
||||
environmentUrls: EnvironmentUrls.fromJSON(obj?.environmentUrls),
|
||||
userSymKeyPin: EncryptionPair.fromJSON<string, EncString>(
|
||||
obj?.userSymKeyPin,
|
||||
EncString.fromJSON
|
||||
),
|
||||
pinProtected: EncryptionPair.fromJSON<string, EncString>(
|
||||
obj?.pinProtected,
|
||||
EncString.fromJSON
|
||||
|
||||
@@ -245,28 +245,36 @@ export class CryptoService implements CryptoServiceAbstraction {
|
||||
/**
|
||||
* Decrypts the user symmetric key with the provided master key
|
||||
* @param masterKey The user's master key
|
||||
* @param userSymKey The user's encrypted symmetric key
|
||||
* @param userId The desired user
|
||||
* @returns The user's symmetric key
|
||||
*/
|
||||
async decryptUserSymKeyWithMasterKey(masterKey: MasterKey, userId?: string): Promise<UserSymKey> {
|
||||
async decryptUserSymKeyWithMasterKey(
|
||||
masterKey: MasterKey,
|
||||
userSymKey?: EncString,
|
||||
userId?: string
|
||||
): Promise<UserSymKey> {
|
||||
masterKey ||= await this.getMasterKey();
|
||||
if (masterKey == null) {
|
||||
throw new Error("No Master Key found.");
|
||||
}
|
||||
|
||||
// TODO(Jake): Do we need to let this be passed in as well?
|
||||
const userSymKeyMasterKey = await this.stateService.getUserSymKeyMasterKey({ userId: userId });
|
||||
if (userSymKeyMasterKey == null) {
|
||||
throw new Error("No User Key found.");
|
||||
if (!userSymKey) {
|
||||
const userSymKeyMasterKey = await this.stateService.getUserSymKeyMasterKey({
|
||||
userId: userId,
|
||||
});
|
||||
if (userSymKeyMasterKey == null) {
|
||||
throw new Error("No User Key found.");
|
||||
}
|
||||
userSymKey = new EncString(userSymKeyMasterKey);
|
||||
}
|
||||
|
||||
let decUserKey: ArrayBuffer;
|
||||
const encUserKey = new EncString(userSymKeyMasterKey);
|
||||
if (encUserKey.encryptionType === EncryptionType.AesCbc256_B64) {
|
||||
decUserKey = await this.decryptToBytes(encUserKey, masterKey);
|
||||
} else if (encUserKey.encryptionType === EncryptionType.AesCbc256_HmacSha256_B64) {
|
||||
if (userSymKey.encryptionType === EncryptionType.AesCbc256_B64) {
|
||||
decUserKey = await this.decryptToBytes(userSymKey, masterKey);
|
||||
} else if (userSymKey.encryptionType === EncryptionType.AesCbc256_HmacSha256_B64) {
|
||||
const newKey = await this.stretchKey(masterKey);
|
||||
decUserKey = await this.decryptToBytes(encUserKey, newKey);
|
||||
decUserKey = await this.decryptToBytes(userSymKey, newKey);
|
||||
} else {
|
||||
throw new Error("Unsupported encryption type.");
|
||||
}
|
||||
@@ -673,28 +681,19 @@ export class CryptoService implements CryptoServiceAbstraction {
|
||||
* @param userId The desired user
|
||||
*/
|
||||
async clearPinProtectedKey(userId?: string): Promise<void> {
|
||||
return await this.stateService.setEncryptedPinProtected(null, { userId: userId });
|
||||
await this.stateService.setEncryptedPinProtected(null, { userId: userId });
|
||||
await this.stateService.setEncryptedUserSymKeyPin(null, { userId: userId });
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrypts the user's symmetric key with their pin
|
||||
* @param pin The user's PIN
|
||||
* @param salt The user's salt
|
||||
* @param kdf The user's KDF
|
||||
* @param kdfConfig The user's KDF config
|
||||
* @param pinProtectedUserSymKey The user's PIN protected symmetric key, if not provided
|
||||
* it will be retrieved from storage
|
||||
* @returns The decrypted user's symmetric key
|
||||
*/
|
||||
async decryptUserSymKeyWithPin(
|
||||
pin: string,
|
||||
salt: string,
|
||||
kdf: KdfType,
|
||||
kdfConfig: KdfConfig,
|
||||
pinProtectedUserSymKey: EncString = null
|
||||
pinProtectedUserSymKey?: EncString
|
||||
): Promise<UserSymKey> {
|
||||
if (pinProtectedUserSymKey == null) {
|
||||
const pinProtectedUserSymKeyString = await this.stateService.getEncryptedPinProtected();
|
||||
if (!pinProtectedUserSymKey) {
|
||||
const pinProtectedUserSymKeyString = await this.stateService.getEncryptedUserSymKeyPin();
|
||||
if (pinProtectedUserSymKeyString == null) {
|
||||
throw new Error("No PIN protected key found.");
|
||||
}
|
||||
@@ -705,6 +704,25 @@ export class CryptoService implements CryptoServiceAbstraction {
|
||||
return new SymmetricCryptoKey(userSymKey) as UserSymKey;
|
||||
}
|
||||
|
||||
async decryptMasterKeyWithPin(
|
||||
pin: string,
|
||||
salt: string,
|
||||
kdf: KdfType,
|
||||
kdfConfig: KdfConfig,
|
||||
pinProtectedMasterKey?: EncString
|
||||
): Promise<MasterKey> {
|
||||
if (!pinProtectedMasterKey) {
|
||||
const pinProtectedMasterKeyString = await this.stateService.getEncryptedPinProtected();
|
||||
if (pinProtectedMasterKeyString == null) {
|
||||
throw new Error("No PIN protected key found.");
|
||||
}
|
||||
pinProtectedMasterKey = new EncString(pinProtectedMasterKeyString);
|
||||
}
|
||||
const pinKey = await this.makePinKey(pin, salt, kdf, kdfConfig);
|
||||
const masterKey = await this.decryptToBytes(pinProtectedMasterKey, pinKey);
|
||||
return new SymmetricCryptoKey(masterKey) as MasterKey;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param keyMaterial The key material to derive the send key from
|
||||
* @returns A new send key
|
||||
|
||||
@@ -619,7 +619,7 @@ export class StateService<
|
||||
* so we can unlock with MP offline
|
||||
*/
|
||||
async getUserSymKeyMasterKey(options?: StorageOptions): Promise<string> {
|
||||
// TODO: defaultOnDiskOptions? Other's are saved in secure storage
|
||||
// TODO(Jake): defaultOnDiskOptions? Other's are saved in secure storage
|
||||
return (
|
||||
await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
|
||||
)?.keys.userSymKeyMasterKey;
|
||||
@@ -630,7 +630,7 @@ export class StateService<
|
||||
* so we can unlock with MP offline
|
||||
*/
|
||||
async setUserSymKeyMasterKey(value: string, options?: StorageOptions): Promise<void> {
|
||||
// TODO: defaultOnDiskOptions? Other's are saved in secure storage
|
||||
// TODO(Jake): defaultOnDiskOptions? Other's are saved in secure storage
|
||||
const account = await this.getAccount(
|
||||
this.reconcileOptions(options, await this.defaultOnDiskOptions())
|
||||
);
|
||||
@@ -720,6 +720,40 @@ export class StateService<
|
||||
await this.saveSecureStorageKey(partialKeys.userBiometricKey, value, options);
|
||||
}
|
||||
|
||||
async getEncryptedUserSymKeyPin(options?: StorageOptions): Promise<string> {
|
||||
return (
|
||||
await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
|
||||
)?.settings?.userSymKeyPin?.encrypted;
|
||||
}
|
||||
|
||||
async setEncryptedUserSymKeyPin(value: string, options?: StorageOptions): Promise<void> {
|
||||
const account = await this.getAccount(
|
||||
this.reconcileOptions(options, await this.defaultOnDiskOptions())
|
||||
);
|
||||
account.settings.userSymKeyPin.encrypted = value;
|
||||
await this.saveAccount(
|
||||
account,
|
||||
this.reconcileOptions(options, await this.defaultOnDiskOptions())
|
||||
);
|
||||
}
|
||||
|
||||
async getDecryptedUserSymKeyPin(options?: StorageOptions): Promise<EncString> {
|
||||
return (
|
||||
await this.getAccount(this.reconcileOptions(options, await this.defaultInMemoryOptions()))
|
||||
)?.settings?.userSymKeyPin?.decrypted;
|
||||
}
|
||||
|
||||
async setDecryptedUserSymKeyPin(value: EncString, options?: StorageOptions): Promise<void> {
|
||||
const account = await this.getAccount(
|
||||
this.reconcileOptions(options, await this.defaultInMemoryOptions())
|
||||
);
|
||||
account.settings.userSymKeyPin.decrypted = value;
|
||||
await this.saveAccount(
|
||||
account,
|
||||
this.reconcileOptions(options, await this.defaultInMemoryOptions())
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated Use UserSymKeyAuto instead
|
||||
*/
|
||||
|
||||
@@ -46,7 +46,9 @@ export class VaultTimeoutSettingsService implements VaultTimeoutSettingsServiceA
|
||||
|
||||
async isPinLockSet(): Promise<[boolean, boolean]> {
|
||||
const protectedPin = await this.stateService.getProtectedPin();
|
||||
const pinProtectedKey = await this.stateService.getEncryptedPinProtected();
|
||||
let pinProtectedKey = await this.stateService.getEncryptedUserSymKeyPin();
|
||||
pinProtectedKey ||= await this.stateService.getEncryptedPinProtected();
|
||||
|
||||
return [protectedPin != null, pinProtectedKey != null];
|
||||
}
|
||||
|
||||
@@ -105,6 +107,7 @@ export class VaultTimeoutSettingsService implements VaultTimeoutSettingsServiceA
|
||||
async clear(userId?: string): Promise<void> {
|
||||
await this.stateService.setEverBeenUnlocked(false, { userId: userId });
|
||||
await this.stateService.setDecryptedPinProtected(null, { userId: userId });
|
||||
await this.stateService.setDecryptedUserSymKeyPin(null, { userId: userId });
|
||||
await this.stateService.setProtectedPin(null, { userId: userId });
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user