[PM-19603] Change asymmetric interface to only allow key encapsulation (#14046)

* Change asymmetric interface to only allow key encapsulation * Fix naming * Clean up naming * Update libs/common/src/key-management/crypto/abstractions/encrypt.service.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update libs/common/src/key-management/crypto/abstractions/encrypt.service.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Fix test --------- Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
2025-12-10 13:23:34 +00:00 · 2025-04-15 16:39:02 +02:00
parent 9f174e7723
commit b09305577f
30 changed files with 229 additions and 143 deletions
--- a/bitwarden_license/bit-common/src/admin-console/auth-requests/organization-auth-request.service.spec.ts
+++ b/bitwarden_license/bit-common/src/admin-console/auth-requests/organization-auth-request.service.spec.ts
@@ -7,6 +7,7 @@ import {
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { ListResponse } from "@bitwarden/common/models/response/list.response";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
+import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { KeyService } from "@bitwarden/key-management";

 import { OrganizationAuthRequestApiService } from "./organization-auth-request-api.service";
@@ -124,8 +125,10 @@ describe("OrganizationAuthRequestService", () => {
      );

      const encryptedUserKey = new EncString("encryptedUserKey");
-      encryptService.rsaDecrypt.mockResolvedValue(new Uint8Array(32));
-      encryptService.rsaEncrypt.mockResolvedValue(encryptedUserKey);
+      encryptService.decapsulateKeyUnsigned.mockResolvedValue(
+        new SymmetricCryptoKey(new Uint8Array(32)),
+      );
+      encryptService.encapsulateKeyUnsigned.mockResolvedValue(encryptedUserKey);

      const mockPendingAuthRequest = new PendingAuthRequestView();
      mockPendingAuthRequest.id = "requestId1";
@@ -166,8 +169,10 @@ describe("OrganizationAuthRequestService", () => {
      );

      const encryptedUserKey = new EncString("encryptedUserKey");
-      encryptService.rsaDecrypt.mockResolvedValue(new Uint8Array(32));
-      encryptService.rsaEncrypt.mockResolvedValue(encryptedUserKey);
+      encryptService.decapsulateKeyUnsigned.mockResolvedValue(
+        new SymmetricCryptoKey(new Uint8Array(32)),
+      );
+      encryptService.encapsulateKeyUnsigned.mockResolvedValue(encryptedUserKey);

      const mockPendingAuthRequest = new PendingAuthRequestView();
      mockPendingAuthRequest.id = "requestId1";
--- a/bitwarden_license/bit-common/src/admin-console/auth-requests/organization-auth-request.service.ts
+++ b/bitwarden_license/bit-common/src/admin-console/auth-requests/organization-auth-request.service.ts
@@ -7,7 +7,6 @@ import {
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { KeyService } from "@bitwarden/key-management";

 import { OrganizationAuthRequestApiService } from "./organization-auth-request-api.service";
@@ -119,13 +118,12 @@ export class OrganizationAuthRequestService {
    );

    // Decrypt user key with decrypted org private key
-    const decValue = await this.encryptService.rsaDecrypt(
+    const userKey = await this.encryptService.decapsulateKeyUnsigned(
      new EncString(encryptedUserKey),
      decOrgPrivateKey,
    );
-    const userKey = new SymmetricCryptoKey(decValue);

    // Re-encrypt user Key with the Device Public Key
-    return await this.encryptService.rsaEncrypt(userKey.key, devicePubKey);
+    return await this.encryptService.encapsulateKeyUnsigned(userKey, devicePubKey);
  }
 }
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/manage/members.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/manage/members.component.ts
@@ -187,7 +187,7 @@ export class MembersComponent extends BaseMembersComponent<ProviderUser> {

  async confirmUser(user: ProviderUser, publicKey: Uint8Array): Promise<void> {
    const providerKey = await this.keyService.getProviderKey(this.providerId);
-    const key = await this.encryptService.rsaEncrypt(providerKey.key, publicKey);
+    const key = await this.encryptService.encapsulateKeyUnsigned(providerKey, publicKey);
    const request = new ProviderUserConfirmRequest();
    request.key = key.encryptedString;
    await this.apiService.postProviderUserConfirm(this.providerId, user.id, request);