[PM-21001] Move auth code to new encrypt service interface (#14542)

* Add new encrypt service functions * Undo changes * Cleanup * Fix build * Fix comments * Move auth code to new encrypt service interface
2025-12-18 09:13:33 +00:00 · 2025-05-05 16:50:06 +02:00
parent 9c8fc80971
commit af40ff26a2
9 changed files with 23 additions and 24 deletions
--- a/libs/auth/src/common/login-strategies/webauthn-login.strategy.spec.ts
+++ b/libs/auth/src/common/login-strategies/webauthn-login.strategy.spec.ts
@@ -230,7 +230,7 @@ describe("WebAuthnLoginStrategy", () => {
    const mockUserKeyArray: Uint8Array = randomBytes(32);
    const mockUserKey = new SymmetricCryptoKey(mockUserKeyArray) as UserKey;

-    encryptService.decryptToBytes.mockResolvedValue(mockPrfPrivateKey);
+    encryptService.unwrapDecapsulationKey.mockResolvedValue(mockPrfPrivateKey);
    encryptService.decapsulateKeyUnsigned.mockResolvedValue(
      new SymmetricCryptoKey(mockUserKeyArray),
    );
@@ -246,8 +246,8 @@ describe("WebAuthnLoginStrategy", () => {
      userId,
    );

-    expect(encryptService.decryptToBytes).toHaveBeenCalledTimes(1);
-    expect(encryptService.decryptToBytes).toHaveBeenCalledWith(
+    expect(encryptService.unwrapDecapsulationKey).toHaveBeenCalledTimes(1);
+    expect(encryptService.unwrapDecapsulationKey).toHaveBeenCalledWith(
      idTokenResponse.userDecryptionOptions.webAuthnPrfOption.encryptedPrivateKey,
      webAuthnCredentials.prfKey,
    );
@@ -279,7 +279,7 @@ describe("WebAuthnLoginStrategy", () => {
    await webAuthnLoginStrategy.logIn(webAuthnCredentials);

    // Assert
-    expect(encryptService.decryptToBytes).not.toHaveBeenCalled();
+    expect(encryptService.unwrapDecapsulationKey).not.toHaveBeenCalled();
    expect(encryptService.decapsulateKeyUnsigned).not.toHaveBeenCalled();
    expect(keyService.setUserKey).not.toHaveBeenCalled();
  });
@@ -314,7 +314,7 @@ describe("WebAuthnLoginStrategy", () => {

    apiService.postIdentityToken.mockResolvedValue(idTokenResponse);

-    encryptService.decryptToBytes.mockResolvedValue(null);
+    encryptService.unwrapDecapsulationKey.mockResolvedValue(null);

    // Act
    await webAuthnLoginStrategy.logIn(webAuthnCredentials);
--- a/libs/auth/src/common/login-strategies/webauthn-login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/webauthn-login.strategy.ts
@@ -82,7 +82,7 @@ export class WebAuthnLoginStrategy extends LoginStrategy {
      }

      // decrypt prf encrypted private key
-      const privateKey = await this.encryptService.decryptToBytes(
+      const privateKey = await this.encryptService.unwrapDecapsulationKey(
        webAuthnPrfOption.encryptedPrivateKey,
        credentials.prfKey,
      );
--- a/libs/auth/src/common/services/pin/pin.service.implementation.ts
+++ b/libs/auth/src/common/services/pin/pin.service.implementation.ts
@@ -8,7 +8,6 @@ import { EncryptService } from "@bitwarden/common/key-management/crypto/abstract
 import { KeyGenerationService } from "@bitwarden/common/platform/abstractions/key-generation.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { EncString, EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import {
  PIN_DISK,
  PIN_MEMORY,
@@ -221,7 +220,7 @@ export class PinService implements PinServiceAbstraction {
      throw new Error("No UserKey provided. Cannot create userKeyEncryptedPin.");
    }

-    return await this.encryptService.encrypt(pin, userKey);
+    return await this.encryptService.encryptString(pin, userKey);
  }

  async makePinKey(pin: string, salt: string, kdfConfig: KdfConfig): Promise<PinKey> {
@@ -339,9 +338,9 @@ export class PinService implements PinServiceAbstraction {
    }

    const pinKey = await this.makePinKey(pin, salt, kdfConfig);
-    const userKey = await this.encryptService.decryptToBytes(pinKeyEncryptedUserKey, pinKey);
+    const userKey = await this.encryptService.unwrapSymmetricKey(pinKeyEncryptedUserKey, pinKey);

-    return new SymmetricCryptoKey(userKey) as UserKey;
+    return userKey as UserKey;
  }

  /**
@@ -377,7 +376,7 @@ export class PinService implements PinServiceAbstraction {
    this.validateUserId(userId, "Cannot validate PIN.");

    const userKeyEncryptedPin = await this.getUserKeyEncryptedPin(userId);
-    const decryptedPin = await this.encryptService.decryptToUtf8(userKeyEncryptedPin, userKey);
+    const decryptedPin = await this.encryptService.decryptString(userKeyEncryptedPin, userKey);

    const isPinValid = this.cryptoFunctionService.compareFast(decryptedPin, pin);
    return isPinValid;
--- a/libs/auth/src/common/services/pin/pin.service.spec.ts
+++ b/libs/auth/src/common/services/pin/pin.service.spec.ts
@@ -259,11 +259,11 @@ describe("PinService", () => {
      });

      it("should create a userKeyEncryptedPin from the provided PIN and userKey", async () => {
-        encryptService.encrypt.mockResolvedValue(mockUserKeyEncryptedPin);
+        encryptService.encryptString.mockResolvedValue(mockUserKeyEncryptedPin);

        const result = await sut.createUserKeyEncryptedPin(mockPin, mockUserKey);

-        expect(encryptService.encrypt).toHaveBeenCalledWith(mockPin, mockUserKey);
+        expect(encryptService.encryptString).toHaveBeenCalledWith(mockPin, mockUserKey);
        expect(result).toEqual(mockUserKeyEncryptedPin);
      });
    });
@@ -425,7 +425,7 @@ describe("PinService", () => {
      mockDecryptUserKeyFn();

      sut.getUserKeyEncryptedPin = jest.fn().mockResolvedValue(mockUserKeyEncryptedPin);
-      encryptService.decryptToUtf8.mockResolvedValue(mockPin);
+      encryptService.decryptString.mockResolvedValue(mockPin);
      cryptoFunctionService.compareFast.calledWith(mockPin, "1234").mockResolvedValue(true);
    }

@@ -434,7 +434,7 @@ describe("PinService", () => {
        .fn()
        .mockResolvedValue(pinKeyEncryptedUserKeyPersistant);
      sut.makePinKey = jest.fn().mockResolvedValue(mockPinKey);
-      encryptService.decryptToBytes.mockResolvedValue(mockUserKey.toEncoded());
+      encryptService.unwrapSymmetricKey.mockResolvedValue(mockUserKey);
    }

    function mockPinEncryptedKeyDataByPinLockType(pinLockType: PinLockType) {
@@ -490,7 +490,7 @@ describe("PinService", () => {
        it(`should return null when PIN doesn't match after successful user key decryption`, async () => {
          // Arrange
          await setupDecryptUserKeyWithPinMocks(pinLockType);
-          encryptService.decryptToUtf8.mockResolvedValue("9999"); // non matching PIN
+          encryptService.decryptString.mockResolvedValue("9999"); // non matching PIN

          // Act
          const result = await sut.decryptUserKeyWithPin(mockPin, mockUserId);