[PM-19731] Refactor encrypt service to expose key wrapping (#14080)

* Refactor encrypt service to expose key wrapping

* Fix build

* Undo ts strict removal

* Fix wrong method being used to encrypt key material

* Rename parameters and remove todo

* Add summary to encrypt

* Update libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update libs/common/src/key-management/crypto/abstractions/encrypt.service.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Update libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Add tests for unhappy paths

* Add test coverage

* Add links

---------

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

apps/web/src/app/auth/core/services/rotateable-key-set.service.spec.ts

@@ -36,7 +36,7 @@ describe("RotateableKeySetService", () => {
       keyService.makeKeyPair.mockResolvedValue(["publicKey", encryptedPrivateKey as any]);
       keyService.getUserKey.mockResolvedValue({ key: userKey.key } as any);
       encryptService.encapsulateKeyUnsigned.mockResolvedValue(encryptedUserKey as any);
-      encryptService.encrypt.mockResolvedValue(encryptedPublicKey as any);
+      encryptService.wrapEncapsulationKey.mockResolvedValue(encryptedPublicKey as any);
 
       const result = await service.createKeySet(externalKey as any);
 

apps/web/src/app/auth/core/services/rotateable-key-set.service.ts

@@ -29,7 +29,10 @@ export class RotateableKeySetService {
       userKey,
       rawPublicKey,
     );
-    const encryptedPublicKey = await this.encryptService.encrypt(rawPublicKey, userKey);
+    const encryptedPublicKey = await this.encryptService.wrapEncapsulationKey(
+      rawPublicKey,
+      userKey,
+    );
     return new RotateableKeySet(encryptedUserKey, encryptedPublicKey, encryptedPrivateKey);
   }
 
@@ -62,7 +65,10 @@ export class RotateableKeySetService {
     if (publicKey == null) {
       throw new Error("failed to rotate key set: could not decrypt public key");
     }
-    const newEncryptedPublicKey = await this.encryptService.encrypt(publicKey, newUserKey);
+    const newEncryptedPublicKey = await this.encryptService.wrapEncapsulationKey(
+      publicKey,
+      newUserKey,
+    );
     const newEncryptedUserKey = await this.encryptService.encapsulateKeyUnsigned(
       newUserKey,
       publicKey,

apps/web/src/app/auth/organization-invite/accept-organization.service.spec.ts

@@ -92,6 +92,9 @@ describe("AcceptOrganizationInviteService", () => {
         "orgPublicKey",
         { encryptedString: "string" } as EncString,
       ]);
+      encryptService.wrapDecapsulationKey.mockResolvedValue({
+        encryptedString: "string",
+      } as EncString);
       encryptService.encrypt.mockResolvedValue({ encryptedString: "string" } as EncString);
       const invite = createOrgInvite({ initOrganization: true });
 

apps/web/src/app/billing/organizations/organization-plans.component.ts

@@ -812,7 +812,7 @@ export class OrganizationPlansComponent implements OnInit, OnDestroy {
       );
       const providerKey = await this.keyService.getProviderKey(this.providerId);
       providerRequest.organizationCreateRequest.key = (
-        await this.encryptService.encrypt(orgKey.key, providerKey)
+        await this.encryptService.wrapSymmetricKey(orgKey, providerKey)
       ).encryptedString;
       const orgId = (
         await this.apiService.postProviderCreateOrganization(this.providerId, providerRequest)

apps/web/src/app/key-management/key-rotation/user-key-rotation.service.spec.ts

@@ -183,7 +183,10 @@ describe("KeyRotationService", () => {
       mockKeyService.hashMasterKey.mockResolvedValue("mockMasterPasswordHash");
       mockConfigService.getFeatureFlag.mockResolvedValue(true);
 
-      mockEncryptService.encrypt.mockResolvedValue({
+      mockEncryptService.wrapSymmetricKey.mockResolvedValue({
+        encryptedString: "mockEncryptedData",
+      } as any);
+      mockEncryptService.wrapDecapsulationKey.mockResolvedValue({
         encryptedString: "mockEncryptedData",
       } as any);
 

apps/web/src/app/key-management/key-rotation/user-key-rotation.service.ts

@@ -145,7 +145,9 @@ export class UserKeyRotationService {
     const { privateKey, publicKey } = keyPair;
 
     const accountKeysRequest = new AccountKeysRequest(
-      (await this.encryptService.encrypt(privateKey, newUnencryptedUserKey)).encryptedString!,
+      (
+        await this.encryptService.wrapDecapsulationKey(privateKey, newUnencryptedUserKey)
+      ).encryptedString!,
       Utils.fromBufferToB64(publicKey),
     );
 
@@ -427,6 +429,6 @@ export class UserKeyRotationService {
     if (privateKey == null) {
       throw new Error("No private key found for user key rotation");
     }
-    return (await this.encryptService.encrypt(privateKey, newUserKey)).encryptedString;
+    return (await this.encryptService.wrapDecapsulationKey(privateKey, newUserKey)).encryptedString;
   }
 }