[PM-21001] Move auth code to new encrypt service interface (#14542)

* Add new encrypt service functions

* Undo changes

* Cleanup

* Fix build

* Fix comments

* Move auth code to new encrypt service interface

apps/web/src/app/auth/core/services/rotateable-key-set.service.ts

@@ -58,7 +58,7 @@ export class RotateableKeySetService {
       throw new Error("failed to rotate key set: newUserKey is required");
     }
 
-    const publicKey = await this.encryptService.decryptToBytes(
+    const publicKey = await this.encryptService.unwrapEncapsulationKey(
       keySet.encryptedPublicKey,
       oldUserKey,
     );

apps/web/src/app/auth/organization-invite/accept-organization.service.spec.ts

@@ -95,7 +95,7 @@ describe("AcceptOrganizationInviteService", () => {
       encryptService.wrapDecapsulationKey.mockResolvedValue({
         encryptedString: "string",
       } as EncString);
-      encryptService.encrypt.mockResolvedValue({ encryptedString: "string" } as EncString);
+      encryptService.encryptString.mockResolvedValue({ encryptedString: "string" } as EncString);
       const invite = createOrgInvite({ initOrganization: true });
 
       const result = await sut.validateAndAcceptInvite(invite);

apps/web/src/app/auth/organization-invite/accept-organization.service.ts

@@ -145,7 +145,7 @@ export class AcceptOrganizationInviteService {
 
     const [encryptedOrgKey, orgKey] = await this.keyService.makeOrgKey<OrgKey>();
     const [orgPublicKey, encryptedOrgPrivateKey] = await this.keyService.makeKeyPair(orgKey);
-    const collection = await this.encryptService.encrypt(
+    const collection = await this.encryptService.encryptString(
       this.i18nService.t("defaultCollection"),
       orgKey,
     );

libs/auth/src/common/login-strategies/webauthn-login.strategy.spec.ts

@@ -230,7 +230,7 @@ describe("WebAuthnLoginStrategy", () => {
     const mockUserKeyArray: Uint8Array = randomBytes(32);
     const mockUserKey = new SymmetricCryptoKey(mockUserKeyArray) as UserKey;
 
-    encryptService.decryptToBytes.mockResolvedValue(mockPrfPrivateKey);
+    encryptService.unwrapDecapsulationKey.mockResolvedValue(mockPrfPrivateKey);
     encryptService.decapsulateKeyUnsigned.mockResolvedValue(
       new SymmetricCryptoKey(mockUserKeyArray),
     );
@@ -246,8 +246,8 @@ describe("WebAuthnLoginStrategy", () => {
       userId,
     );
 
-    expect(encryptService.decryptToBytes).toHaveBeenCalledTimes(1);
-    expect(encryptService.decryptToBytes).toHaveBeenCalledWith(
+    expect(encryptService.unwrapDecapsulationKey).toHaveBeenCalledTimes(1);
+    expect(encryptService.unwrapDecapsulationKey).toHaveBeenCalledWith(
       idTokenResponse.userDecryptionOptions.webAuthnPrfOption.encryptedPrivateKey,
       webAuthnCredentials.prfKey,
     );
@@ -279,7 +279,7 @@ describe("WebAuthnLoginStrategy", () => {
     await webAuthnLoginStrategy.logIn(webAuthnCredentials);
 
     // Assert
-    expect(encryptService.decryptToBytes).not.toHaveBeenCalled();
+    expect(encryptService.unwrapDecapsulationKey).not.toHaveBeenCalled();
     expect(encryptService.decapsulateKeyUnsigned).not.toHaveBeenCalled();
     expect(keyService.setUserKey).not.toHaveBeenCalled();
   });
@@ -314,7 +314,7 @@ describe("WebAuthnLoginStrategy", () => {
 
     apiService.postIdentityToken.mockResolvedValue(idTokenResponse);
 
-    encryptService.decryptToBytes.mockResolvedValue(null);
+    encryptService.unwrapDecapsulationKey.mockResolvedValue(null);
 
     // Act
     await webAuthnLoginStrategy.logIn(webAuthnCredentials);

libs/auth/src/common/login-strategies/webauthn-login.strategy.ts

@@ -82,7 +82,7 @@ export class WebAuthnLoginStrategy extends LoginStrategy {
       }
 
       // decrypt prf encrypted private key
-      const privateKey = await this.encryptService.decryptToBytes(
+      const privateKey = await this.encryptService.unwrapDecapsulationKey(
         webAuthnPrfOption.encryptedPrivateKey,
         credentials.prfKey,
       );

libs/auth/src/common/services/pin/pin.service.implementation.ts

@@ -8,7 +8,6 @@ import { EncryptService } from "@bitwarden/common/key-management/crypto/abstract
 import { KeyGenerationService } from "@bitwarden/common/platform/abstractions/key-generation.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { EncString, EncryptedString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import {
   PIN_DISK,
   PIN_MEMORY,
@@ -221,7 +220,7 @@ export class PinService implements PinServiceAbstraction {
       throw new Error("No UserKey provided. Cannot create userKeyEncryptedPin.");
     }
 
-    return await this.encryptService.encrypt(pin, userKey);
+    return await this.encryptService.encryptString(pin, userKey);
   }
 
   async makePinKey(pin: string, salt: string, kdfConfig: KdfConfig): Promise<PinKey> {
@@ -339,9 +338,9 @@ export class PinService implements PinServiceAbstraction {
     }
 
     const pinKey = await this.makePinKey(pin, salt, kdfConfig);
-    const userKey = await this.encryptService.decryptToBytes(pinKeyEncryptedUserKey, pinKey);
+    const userKey = await this.encryptService.unwrapSymmetricKey(pinKeyEncryptedUserKey, pinKey);
 
-    return new SymmetricCryptoKey(userKey) as UserKey;
+    return userKey as UserKey;
   }
 
   /**
@@ -377,7 +376,7 @@ export class PinService implements PinServiceAbstraction {
     this.validateUserId(userId, "Cannot validate PIN.");
 
     const userKeyEncryptedPin = await this.getUserKeyEncryptedPin(userId);
-    const decryptedPin = await this.encryptService.decryptToUtf8(userKeyEncryptedPin, userKey);
+    const decryptedPin = await this.encryptService.decryptString(userKeyEncryptedPin, userKey);
 
     const isPinValid = this.cryptoFunctionService.compareFast(decryptedPin, pin);
     return isPinValid;

libs/auth/src/common/services/pin/pin.service.spec.ts

@@ -259,11 +259,11 @@ describe("PinService", () => {
       });
 
       it("should create a userKeyEncryptedPin from the provided PIN and userKey", async () => {
-        encryptService.encrypt.mockResolvedValue(mockUserKeyEncryptedPin);
+        encryptService.encryptString.mockResolvedValue(mockUserKeyEncryptedPin);
 
         const result = await sut.createUserKeyEncryptedPin(mockPin, mockUserKey);
 
-        expect(encryptService.encrypt).toHaveBeenCalledWith(mockPin, mockUserKey);
+        expect(encryptService.encryptString).toHaveBeenCalledWith(mockPin, mockUserKey);
         expect(result).toEqual(mockUserKeyEncryptedPin);
       });
     });
@@ -425,7 +425,7 @@ describe("PinService", () => {
       mockDecryptUserKeyFn();
 
       sut.getUserKeyEncryptedPin = jest.fn().mockResolvedValue(mockUserKeyEncryptedPin);
-      encryptService.decryptToUtf8.mockResolvedValue(mockPin);
+      encryptService.decryptString.mockResolvedValue(mockPin);
       cryptoFunctionService.compareFast.calledWith(mockPin, "1234").mockResolvedValue(true);
     }
 
@@ -434,7 +434,7 @@ describe("PinService", () => {
         .fn()
         .mockResolvedValue(pinKeyEncryptedUserKeyPersistant);
       sut.makePinKey = jest.fn().mockResolvedValue(mockPinKey);
-      encryptService.decryptToBytes.mockResolvedValue(mockUserKey.toEncoded());
+      encryptService.unwrapSymmetricKey.mockResolvedValue(mockUserKey);
     }
 
     function mockPinEncryptedKeyDataByPinLockType(pinLockType: PinLockType) {
@@ -490,7 +490,7 @@ describe("PinService", () => {
         it(`should return null when PIN doesn't match after successful user key decryption`, async () => {
           // Arrange
           await setupDecryptUserKeyWithPinMocks(pinLockType);
-          encryptService.decryptToUtf8.mockResolvedValue("9999"); // non matching PIN
+          encryptService.decryptString.mockResolvedValue("9999"); // non matching PIN
 
           // Act
           const result = await sut.decryptUserKeyWithPin(mockPin, mockUserId);

libs/common/src/auth/services/token.service.spec.ts

@@ -293,7 +293,7 @@ describe("TokenService", () => {
 
           const mockEncryptedAccessToken = "encryptedAccessToken";
 
-          encryptService.encrypt.mockResolvedValue({
+          encryptService.encryptString.mockResolvedValue({
             encryptedString: mockEncryptedAccessToken,
           } as any);
 
@@ -504,7 +504,7 @@ describe("TokenService", () => {
             .nextState("encryptedAccessToken");
 
           secureStorageService.get.mockResolvedValue(accessTokenKeyB64);
-          encryptService.decryptToUtf8.mockResolvedValue("decryptedAccessToken");
+          encryptService.decryptString.mockResolvedValue("decryptedAccessToken");
 
           // Need to have global active id set to the user id
           if (!userId) {
@@ -1515,7 +1515,7 @@ describe("TokenService", () => {
             .nextState(encryptedAccessToken);
 
           secureStorageService.get.mockResolvedValue(accessTokenKeyB64);
-          encryptService.decryptToUtf8.mockRejectedValue(new Error("Decryption error"));
+          encryptService.decryptString.mockRejectedValue(new Error("Decryption error"));
 
           // Act
           const result = await tokenService.getAccessToken(userIdFromAccessToken);

libs/common/src/auth/services/token.service.ts

@@ -289,7 +289,7 @@ export class TokenService implements TokenServiceAbstraction {
   private async encryptAccessToken(accessToken: string, userId: UserId): Promise<EncString> {
     const accessTokenKey = await this.getOrCreateAccessTokenKey(userId);
 
-    return await this.encryptService.encrypt(accessToken, accessTokenKey);
+    return await this.encryptService.encryptString(accessToken, accessTokenKey);
   }
 
   private async decryptAccessToken(
@@ -302,7 +302,7 @@ export class TokenService implements TokenServiceAbstraction {
       );
     }
 
-    const decryptedAccessToken = await this.encryptService.decryptToUtf8(
+    const decryptedAccessToken = await this.encryptService.decryptString(
       encryptedAccessToken,
       accessTokenKey,
     );