mirror of https://github.com/bitwarden/browser synced 2025-12-13 14:53:33 +00:00

[PM-23386] Fix fix usages of encrypt service (#15476)

* Fix incorrect usages of encrypt service

* Add docs

* Fix types
Bernd Schoolmann
2025-07-15 11:56:19 +02:00
committed by GitHub
parent 8250e40c6c
commit d1f0c40e2f
3 changed files with 26 additions and 6 deletions


@@ -296,10 +296,18 @@ export class TokenService implements TokenServiceAbstraction {
return await this.encryptService.encryptString(accessToken, accessTokenKey);
}
/**
* Decrypts the access token using the provided access token key.
*
* @param accessTokenKey - the key used to decrypt the access token
* @param encryptedAccessToken - the encrypted access token to decrypt
* @returns the decrypted access token
* @throws Error if the access token key is not provided or the decryption fails
*/
private async decryptAccessToken(
accessTokenKey: AccessTokenKey,
encryptedAccessToken: EncString,
): Promise<string | null> {
): Promise<string> {
if (!accessTokenKey) {
throw new Error(
"decryptAccessToken: Access token key required. Cannot decrypt access token.",
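Review bot: With the return type narrowed to `Promise<string>`, a failed decryption of the stored access token is now reported only by an exception, so every caller of `decryptAccessToken` needs a `try`/`catch`, and any remaining `=== null` check on its result is dead code. The callers are outside this hunk and should be checked. The new docstring could also say what a caller is expected to do on failure, e.g. `@throws Error if the access token key is not provided or decryption fails; callers should treat the stored token as unusable`. The function body continues past the end of the hunk, so whether the thrown messages stay free of token or key material cannot be confirmed from here.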


@@ -87,12 +87,16 @@ export abstract class EncryptService {
* Decrypts an EncString to a string
* @param encString - The EncString containing the encrypted string.
* @param key - The key to decrypt the value with
* @returns The decrypted string
* @throws Error if decryption fails
*/
abstract decryptString(encString: EncString, key: SymmetricCryptoKey): Promise<string>;
/**
* Decrypts an EncString to a Uint8Array
* @param encString - The EncString containing the encrypted bytes.
* @param key - The key to decrypt the value with
* @returns The decrypted bytes as a Uint8Array
* @throws Error if decryption fails
* @deprecated Bytes are not the right abstraction to encrypt in. Use e.g. key wrapping or file encryption instead
*/
abstract decryptBytes(encString: EncString, key: SymmetricCryptoKey): Promise<Uint8Array>;
@@ -100,6 +104,8 @@ export abstract class EncryptService {
* Decrypts an EncArrayBuffer to a Uint8Array
* @param encBuffer - The EncArrayBuffer containing the encrypted file bytes.
* @param key - The key to decrypt the value with
* @returns The decrypted file bytes as a Uint8Array
* @throws Error if decryption fails
*/
abstract decryptFileData(encBuffer: EncArrayBuffer, key: SymmetricCryptoKey): Promise<Uint8Array>;
@@ -139,6 +145,8 @@ export abstract class EncryptService {
* @see {@link https://en.wikipedia.org/wiki/Key_wrap}
* @param decapsulationKeyPcks8 - The private key in PKCS8 format
* @param wrappingKey - The symmetric key to wrap the private key with
* @returns The unwrapped private key as a Uint8Array
* @throws Error if unwrapping fails
*/
abstract unwrapDecapsulationKey(
wrappedDecapsulationKey: EncString,
@@ -149,6 +157,8 @@ export abstract class EncryptService {
* @see {@link https://en.wikipedia.org/wiki/Key_wrap}
* @param encapsulationKeySpki - The public key in SPKI format
* @param wrappingKey - The symmetric key to wrap the public key with
* @returns The unwrapped public key as a Uint8Array
* @throws Error if unwrapping fails
*/
abstract unwrapEncapsulationKey(
wrappedEncapsulationKey: EncString,
@@ -159,6 +169,8 @@ export abstract class EncryptService {
* @see {@link https://en.wikipedia.org/wiki/Key_wrap}
* @param keyToBeWrapped - The symmetric key to wrap
* @param wrappingKey - The symmetric key to wrap the encapsulated key with
* @returns The unwrapped symmetric key as a SymmetricCryptoKey
* @throws Error if unwrapping fails
*/
abstract unwrapSymmetricKey(
keyToBeUnwrapped: EncString,
@@ -182,6 +194,8 @@ export abstract class EncryptService {
* @see {@link https://en.wikipedia.org/wiki/Key_encapsulation_mechanism}
* @param encryptedSharedKey - The encrypted shared symmetric key
* @param decapsulationKey - The key to decapsulate with (private key)
* @return The decapsulated symmetric key
* @throws Error if decapsulation fails
*/
abstract decapsulateKeyUnsigned(
encryptedSharedKey: EncString,
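Review bot: Several of the added `@returns`/`@throws` lines sit under `@param` tags that do not match the visible signatures: the `unwrapDecapsulationKey` block documents `decapsulationKeyPcks8` while the first parameter is `wrappedDecapsulationKey`, `unwrapEncapsulationKey` documents `encapsulationKeySpki` against `wrappedEncapsulationKey`, and `unwrapSymmetricKey` documents `keyToBeWrapped` against `keyToBeUnwrapped`, with descriptions that still speak of wrapping. Since this commit is the docs pass for these methods, the tags could be aligned, e.g. `@param wrappedDecapsulationKey - The wrapped private key to unwrap`. The `decapsulateKeyUnsigned` block also uses `@return` where every other added line uses `@returns`. The signatures are cut off by the hunk boundaries, so the remaining parameters could not be checked.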


@@ -74,11 +74,9 @@ export class BitwardenJsonImporter extends BaseImporter implements Importer {
keyForDecryption = await this.keyService.getUserKey();
}
const encKeyValidation = new EncString(results.encKeyValidation_DO_NOT_EDIT);
const encKeyValidationDecrypt = await this.encryptService.decryptString(
encKeyValidation,
keyForDecryption,
);
if (encKeyValidationDecrypt === null) {
try {
await this.encryptService.decryptString(encKeyValidation, keyForDecryption);
} catch {
this.result.success = false;
this.result.errorMessage = this.i18nService.t("importEncKeyError");
return;
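Review bot: The bare `catch` around the new `decryptString` call treats every exception as a wrong-key condition, so a malformed `encKeyValidation_DO_NOT_EDIT` value or an unset `keyForDecryption` is reported to the user as `importEncKeyError` with nothing recorded for diagnosis. Since the plaintext is now discarded, a short comment would make the intent explicit, e.g. `// Key check only: decryptString throws if decryption fails; the plaintext is not used.` `new EncString(...)` is built from the imported file outside the `try`, so whether a malformed value fails there or inside `decryptString` cannot be told from this hunk. The enclosing method starts and ends outside the hunk.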