Move asymmetric crypto functions out of crypto service (#10903)

2025-12-16 08:13:42 +00:00 · 2024-10-01 08:47:41 -07:00
parent f2339b0586
commit dafe795854
36 changed files with 126 additions and 152 deletions
--- a/libs/common/src/auth/services/device-trust.service.implementation.ts
+++ b/libs/common/src/auth/services/device-trust.service.implementation.ts
@@ -144,7 +144,7 @@ export class DeviceTrustService implements DeviceTrustServiceAbstraction {
      deviceKeyEncryptedDevicePrivateKey,
    ] = await Promise.all([
      // Encrypt user key with the DevicePublicKey
-      this.cryptoService.rsaEncrypt(userKey.key, devicePublicKey),
+      this.encryptService.rsaEncrypt(userKey.key, devicePublicKey),

      // Encrypt devicePublicKey with user key
      this.encryptService.encrypt(devicePublicKey, userKey),
@@ -206,7 +206,7 @@ export class DeviceTrustService implements DeviceTrustServiceAbstraction {
    );

    // Encrypt the brand new user key with the now-decrypted public key for the device
-    const encryptedNewUserKey = await this.cryptoService.rsaEncrypt(
+    const encryptedNewUserKey = await this.encryptService.rsaEncrypt(
      newUserKey.key,
      decryptedDevicePublicKey,
    );
@@ -317,8 +317,8 @@ export class DeviceTrustService implements DeviceTrustServiceAbstraction {
      );

      // Attempt to decrypt encryptedUserDataKey with devicePrivateKey
-      const userKey = await this.cryptoService.rsaDecrypt(
-        encryptedUserKey.encryptedString,
+      const userKey = await this.encryptService.rsaDecrypt(
+        new EncString(encryptedUserKey.encryptedString),
        devicePrivateKey,
      );

--- a/libs/common/src/auth/services/device-trust.service.spec.ts
+++ b/libs/common/src/auth/services/device-trust.service.spec.ts
@@ -372,7 +372,7 @@ describe("deviceTrustService", () => {
          .mockResolvedValue(mockUserKey);

        cryptoSvcRsaEncryptSpy = jest
-          .spyOn(cryptoService, "rsaEncrypt")
+          .spyOn(encryptService, "rsaEncrypt")
          .mockResolvedValue(mockDevicePublicKeyEncryptedUserKey);

        encryptServiceEncryptSpy = jest
@@ -577,7 +577,7 @@ describe("deviceTrustService", () => {
          .spyOn(encryptService, "decryptToBytes")
          .mockResolvedValue(new Uint8Array(userKeyBytesLength));
        const rsaDecryptSpy = jest
-          .spyOn(cryptoService, "rsaDecrypt")
+          .spyOn(encryptService, "rsaDecrypt")
          .mockResolvedValue(new Uint8Array(userKeyBytesLength));

        const result = await deviceTrustService.decryptUserKeyWithDeviceKey(
@@ -696,7 +696,7 @@ describe("deviceTrustService", () => {
          });

          // Mock the encryption of the new user key with the decrypted public key
-          cryptoService.rsaEncrypt.mockImplementationOnce((data, publicKey) => {
+          encryptService.rsaEncrypt.mockImplementationOnce((data, publicKey) => {
            expect(data.byteLength).toBe(64); // New key should also be 64 bytes
            expect(new Uint8Array(data)[0]).toBe(FakeNewUserKeyMarker); // New key should have the first byte be '1';

--- a/libs/common/src/auth/services/password-reset-enrollment.service.implementation.spec.ts
+++ b/libs/common/src/auth/services/password-reset-enrollment.service.implementation.spec.ts
@@ -2,6 +2,7 @@ import { mock, MockProxy } from "jest-mock-extended";
 import { BehaviorSubject } from "rxjs";

 import { OrganizationUserApiService } from "@bitwarden/admin-console/common";
+import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";

 import { UserId } from "../../../../common/src/types/guid";
 import { OrganizationApiServiceAbstraction } from "../../admin-console/abstractions/organization/organization-api.service.abstraction";
@@ -18,6 +19,7 @@ describe("PasswordResetEnrollmentServiceImplementation", () => {
  let organizationApiService: MockProxy<OrganizationApiServiceAbstraction>;
  let accountService: MockProxy<AccountService>;
  let cryptoService: MockProxy<CryptoService>;
+  let encryptService: MockProxy<EncryptService>;
  let organizationUserApiService: MockProxy<OrganizationUserApiService>;
  let i18nService: MockProxy<I18nService>;
  let service: PasswordResetEnrollmentServiceImplementation;
@@ -27,12 +29,14 @@ describe("PasswordResetEnrollmentServiceImplementation", () => {
    accountService = mock<AccountService>();
    accountService.activeAccount$ = activeAccountSubject;
    cryptoService = mock<CryptoService>();
+    encryptService = mock<EncryptService>();
    organizationUserApiService = mock<OrganizationUserApiService>();
    i18nService = mock<I18nService>();
    service = new PasswordResetEnrollmentServiceImplementation(
      organizationApiService,
      accountService,
      cryptoService,
+      encryptService,
      organizationUserApiService,
      i18nService,
    );
@@ -96,7 +100,7 @@ describe("PasswordResetEnrollmentServiceImplementation", () => {
      activeAccountSubject.next(Object.assign(user1AccountInfo, { id: "userId" as UserId }));

      cryptoService.getUserKey.mockResolvedValue({ key: "key" } as any);
-      cryptoService.rsaEncrypt.mockResolvedValue(encryptedKey as any);
+      encryptService.rsaEncrypt.mockResolvedValue(encryptedKey as any);

      await service.enroll("orgId");

@@ -118,7 +122,7 @@ describe("PasswordResetEnrollmentServiceImplementation", () => {
      };
      const encryptedKey = { encryptedString: "encryptedString" };
      organizationApiService.getKeys.mockResolvedValue(orgKeyResponse as any);
-      cryptoService.rsaEncrypt.mockResolvedValue(encryptedKey as any);
+      encryptService.rsaEncrypt.mockResolvedValue(encryptedKey as any);

      await service.enroll("orgId", "userId", { key: "key" } as any);

--- a/libs/common/src/auth/services/password-reset-enrollment.service.implementation.ts
+++ b/libs/common/src/auth/services/password-reset-enrollment.service.implementation.ts
@@ -4,6 +4,7 @@ import {
  OrganizationUserApiService,
  OrganizationUserResetPasswordEnrollmentRequest,
 } from "@bitwarden/admin-console/common";
+import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";

 import { OrganizationApiServiceAbstraction } from "../../admin-console/abstractions/organization/organization-api.service.abstraction";
 import { CryptoService } from "../../platform/abstractions/crypto.service";
@@ -20,6 +21,7 @@ export class PasswordResetEnrollmentServiceImplementation
    protected organizationApiService: OrganizationApiServiceAbstraction,
    protected accountService: AccountService,
    protected cryptoService: CryptoService,
+    protected encryptService: EncryptService,
    protected organizationUserApiService: OrganizationUserApiService,
    protected i18nService: I18nService,
  ) {}
@@ -47,7 +49,7 @@ export class PasswordResetEnrollmentServiceImplementation
      userId ?? (await firstValueFrom(this.accountService.activeAccount$.pipe(map((a) => a?.id))));
    userKey = userKey ?? (await this.cryptoService.getUserKey(userId));
    // RSA Encrypt user's userKey.key with organization public key
-    const encryptedKey = await this.cryptoService.rsaEncrypt(userKey.key, orgPublicKey);
+    const encryptedKey = await this.encryptService.rsaEncrypt(userKey.key, orgPublicKey);

    const resetRequest = new OrganizationUserResetPasswordEnrollmentRequest();
    resetRequest.resetPasswordKey = encryptedKey.encryptedString;