migrate biometrics key

- migrate only on retrieval
2025-12-16 16:23:44 +00:00 · 2023-06-08 14:26:59 -04:00
parent 56c750d375
commit 9a12cb099a
7 changed files with 70 additions and 36 deletions
--- a/apps/desktop/src/app/accounts/settings.component.ts
+++ b/apps/desktop/src/app/accounts/settings.component.ts
@@ -404,7 +404,7 @@ export class SettingsComponent implements OnInit {
    await this.cryptoService.toggleKey();
    // Validate the key is stored in case biometrics fail.
-    const biometricSet = await this.cryptoService.hasKeyStored(KeySuffixOptions.Biometric);
+    const biometricSet = await this.cryptoService.hasUserKeyStored(KeySuffixOptions.Biometric);
    this.form.controls.biometric.setValue(biometricSet);
    if (!biometricSet) {
      await this.stateService.setBiometricUnlock(null);
--- a/apps/desktop/src/platform/services/electron-crypto.service.ts
+++ b/apps/desktop/src/platform/services/electron-crypto.service.ts
@@ -4,7 +4,9 @@ import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
 import {
  MasterKey,
  SymmetricCryptoKey,
  UserSymKey,
 } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
@@ -32,16 +34,32 @@ export class ElectronCryptoService extends CryptoService {
    if (storeBiometricKey) {
      await this.storeBiometricKey(key, userId);
    } else {
-      await this.stateService.setCryptoMasterKeyBiometric(null, { userId: userId });
+      await this.stateService.setUserSymKeyBiometric(null, { userId: userId });
    }
  }
-  protected async storeBiometricKey(key: SymmetricCryptoKey, userId?: string): Promise<void> {
+  protected override async retrieveUserKeyFromStorage(
    keySuffix: KeySuffixOptions,
    userId?: string
  ): Promise<UserSymKey> {
    const userKey = super.retrieveUserKeyFromStorage(keySuffix, userId);
    if (userKey) {
      return userKey;
    }
    if (keySuffix === KeySuffixOptions.Biometric) {
      await this.migrateBiometricKeyIfNeeded(userId);
      const userKey = await this.stateService.getUserSymKeyBiometric({ userId: userId });
      return new SymmetricCryptoKey(Utils.fromB64ToArray(userKey).buffer) as UserSymKey;
    }
    return null;
  }
  protected async storeBiometricKey(key: UserSymKey, userId?: string): Promise<void> {
    let clientEncKeyHalf: CsprngString = null;
    if (await this.stateService.getBiometricRequirePasswordOnStart({ userId })) {
      clientEncKeyHalf = await this.getBiometricEncryptionClientKeyHalf(userId);
    }
-    await this.stateService.setCryptoMasterKeyBiometric(
+    await this.stateService.setUserSymKeyBiometric(
      { key: key.keyB64, clientEncKeyHalf },
      { userId: userId }
    );
@@ -66,4 +84,21 @@ export class ElectronCryptoService extends CryptoService {
      return null;
    }
  }
  private async migrateBiometricKeyIfNeeded(userId?: string) {
    const oldBiometricKey = await this.stateService.getCryptoMasterKeyBiometric({ userId });
    if (oldBiometricKey) {
      // decrypt
      const masterKey = new SymmetricCryptoKey(
        Utils.fromB64ToArray(oldBiometricKey).buffer
      ) as MasterKey;
      const userSymKey = await this.decryptUserSymKeyWithMasterKey(
        masterKey,
        new EncString(await this.stateService.getEncryptedCryptoSymmetricKey())
      );
      // migrate
      await this.storeBiometricKey(userSymKey, userId);
      await this.stateService.setCryptoMasterKeyBiometric(null, { userId });
    }
  }
 }
--- a/apps/desktop/src/services/native-messaging.service.ts
+++ b/apps/desktop/src/services/native-messaging.service.ts
@@ -136,7 +136,7 @@ export class NativeMessagingService {
          });
        }
-        const key = await this.cryptoService.getKeyFromStorage(
+        const key = await this.cryptoService.getUserKeyFromStorage(
          KeySuffixOptions.Biometric,
          message.userId
        );
--- a/libs/angular/src/auth/components/lock.component.ts
+++ b/libs/angular/src/auth/components/lock.component.ts
@@ -116,13 +116,13 @@ export class LockComponent implements OnInit, OnDestroy {
      return;
    }
-    const success = (await this.cryptoService.getKey(KeySuffixOptions.Biometric)) != null;
+    const userKey = await this.cryptoService.getUserKeyFromStorage(KeySuffixOptions.Biometric);
-    if (success) {
+    if (userKey) {
-      await this.doContinue(false);
+      await this.setKeyAndContinue(userKey, false);
    }
-    return success;
+    return !!userKey;
  }
  togglePassword() {
@@ -337,7 +337,7 @@ export class LockComponent implements OnInit, OnDestroy {
    this.supportsBiometric = await this.platformUtilsService.supportsBiometric();
    this.biometricLock =
      (await this.vaultTimeoutSettingsService.isBiometricLockSet()) &&
-      ((await this.cryptoService.hasKeyStored(KeySuffixOptions.Biometric)) ||
+      ((await this.cryptoService.hasUserKeyStored(KeySuffixOptions.Biometric)) ||
        !this.platformUtilsService.supportsSecureStorage());
    this.biometricText = await this.stateService.getBiometricText();
    this.email = await this.stateService.getEmail();
--- a/libs/common/src/platform/abstractions/state.service.ts
+++ b/libs/common/src/platform/abstractions/state.service.ts
@@ -124,12 +124,27 @@ export abstract class StateService<T extends Account = Account> {
  ) => Promise<void>;
  getCryptoMasterKey: (options?: StorageOptions) => Promise<SymmetricCryptoKey>;
  setCryptoMasterKey: (value: SymmetricCryptoKey, options?: StorageOptions) => Promise<void>;
  /**
   * @deprecated For migration purposes only, use getUserSymKeyAuto instead
   */
  getCryptoMasterKeyAuto: (options?: StorageOptions) => Promise<string>;
  /**
   * @deprecated For migration purposes only, use setUserSymKeyAuto instead
   */
  setCryptoMasterKeyAuto: (value: string, options?: StorageOptions) => Promise<void>;
  getCryptoMasterKeyB64: (options?: StorageOptions) => Promise<string>;
  setCryptoMasterKeyB64: (value: string, options?: StorageOptions) => Promise<void>;
  /**
   * @deprecated For migration purposes only, use getUserSymKeyBiometric instead
   */
  getCryptoMasterKeyBiometric: (options?: StorageOptions) => Promise<string>;
  /**
   * @deprecated For migration purposes only, use hasUserSymKeyBiometric instead
   */
  hasCryptoMasterKeyBiometric: (options?: StorageOptions) => Promise<boolean>;
  /**
   * @deprecated For migration purposes only, use setUserSymKeyBiometric instead
   */
  setCryptoMasterKeyBiometric: (value: BiometricKey, options?: StorageOptions) => Promise<void>;
  // end deprecated keys
--- a/libs/common/src/platform/services/crypto.service.ts
+++ b/libs/common/src/platform/services/crypto.service.ts
@@ -136,14 +136,11 @@ export class CryptoService implements CryptoServiceAbstraction {
    keySuffix: KeySuffixOptions.Auto | KeySuffixOptions.Biometric,
    userId?: string
  ): Promise<boolean> {
-    switch (keySuffix) {
+    if (keySuffix === KeySuffixOptions.Biometric) {
-      case KeySuffixOptions.Auto:
+      const oldKey = await this.stateService.hasCryptoMasterKeyBiometric({ userId: userId });
-        return (await this.retrieveUserKeyFromStorage(keySuffix, userId)) != null;
+      return oldKey || (await this.stateService.hasUserSymKeyBiometric({ userId: userId }));
      case KeySuffixOptions.Biometric:
        return (await this.stateService.hasUserSymKeyBiometric({ userId: userId })) === true;
      default:
        return false;
    }
    return (await this.retrieveUserKeyFromStorage(keySuffix, userId)) != null;
  }
  /**
@@ -947,23 +944,16 @@ export class CryptoService implements CryptoServiceAbstraction {
  }
  protected async retrieveUserKeyFromStorage(
-    keySuffix: KeySuffixOptions.Auto | KeySuffixOptions.Biometric,
+    keySuffix: KeySuffixOptions,
    userId?: string
  ): Promise<UserSymKey> {
-    let userKey: string;
+    if (keySuffix === KeySuffixOptions.Pin) {
    switch (keySuffix) {
      case KeySuffixOptions.Auto: {
      await this.migrateAutoKeyIfNeeded(userId);
-        userKey = await this.stateService.getUserSymKeyAuto({ userId: userId });
+      const userKey = await this.stateService.getUserSymKeyAuto({ userId: userId });
        break;
      }
      case KeySuffixOptions.Biometric: {
        userKey = await this.stateService.getUserSymKeyBiometric({ userId: userId });
        break;
      }
    }
      return new SymmetricCryptoKey(Utils.fromB64ToArray(userKey).buffer) as UserSymKey;
    }
    return null;
  }
  private async migrateAutoKeyIfNeeded(userId?: string) {
    const oldAutoKey = await this.stateService.getCryptoMasterKeyAuto({ userId: userId });
--- a/libs/common/src/platform/services/state.service.ts
+++ b/libs/common/src/platform/services/state.service.ts
@@ -689,9 +689,6 @@ export class StateService<
    );
  }
  /**
   * User's encrypted symmetric key when using biometrics
   */
  async hasUserSymKeyBiometric(options?: StorageOptions): Promise<boolean> {
    options = this.reconcileOptions(
      this.reconcileOptions(options, { keySuffix: "biometric" }),
@@ -706,9 +703,6 @@ export class StateService<
    );
  }
  /**
   * User's encrypted symmetric key when using biometrics
   */
  async setUserSymKeyBiometric(value: BiometricKey, options?: StorageOptions): Promise<void> {
    options = this.reconcileOptions(
      this.reconcileOptions(options, { keySuffix: "biometric" }),