update cli with new crypto service methods

- decrypt user sym key and set when unlocking
2025-12-16 16:23:44 +00:00 · 2023-05-30 10:50:11 -04:00
parent f0438e5dd2
commit f2e7a8ad11
3 changed files with 31 additions and 18 deletions
--- a/apps/cli/src/auth/commands/login.command.ts
+++ b/apps/cli/src/auth/commands/login.command.ts
@@ -406,7 +406,11 @@ export class LoginCommand {
    }

    try {
-      const { newPasswordHash, newEncKey, hint } = await this.collectNewMasterPasswordDetails(
+      const {
+        newPasswordHash,
+        newUserSymKey: newEncKey,
+        hint,
+      } = await this.collectNewMasterPasswordDetails(
        "Your master password does not meet one or more of your organization policies. In order to access the vault, you must update your master password now."
      );

@@ -444,7 +448,11 @@ export class LoginCommand {
    }

    try {
-      const { newPasswordHash, newEncKey, hint } = await this.collectNewMasterPasswordDetails(
+      const {
+        newPasswordHash,
+        newUserSymKey: newEncKey,
+        hint,
+      } = await this.collectNewMasterPasswordDetails(
        "An organization administrator recently changed your master password. In order to access the vault, you must update your master password now."
      );

@@ -477,7 +485,7 @@ export class LoginCommand {
    error?: string
  ): Promise<{
    newPasswordHash: string;
-    newEncKey: [SymmetricCryptoKey, EncString];
+    newUserSymKey: [SymmetricCryptoKey, EncString];
    hint?: string;
  }> {
    if (this.email == null || this.email === "undefined") {
@@ -559,21 +567,24 @@ export class LoginCommand {
    const kdfConfig = await this.stateService.getKdfConfig();

    // Create new key and hash new password
-    const newKey = await this.cryptoService.makeKey(
+    const newMasterKey = await this.cryptoService.makeMasterKey(
      masterPassword,
      this.email.trim().toLowerCase(),
      kdf,
      kdfConfig
    );
-    const newPasswordHash = await this.cryptoService.hashPassword(masterPassword, newKey);
+    const newPasswordHash = await this.cryptoService.hashPassword(masterPassword, newMasterKey);

-    // Grab user's current enc key
-    const userEncKey = await this.cryptoService.getEncKey();
+    // Grab user's symmetric key
+    const userSymKey = await this.cryptoService.getUserKey();

-    // Create new encKey for the User
-    const newEncKey = await this.cryptoService.remakeEncKey(newKey, userEncKey);
+    // Re-encrypt user's symmetric key with new master key
+    const newUserSymKey = await this.cryptoService.encryptUserSymKeyWithMasterKey(
+      newMasterKey,
+      userSymKey
+    );

-    return { newPasswordHash, newEncKey, hint: masterPasswordHint };
+    return { newPasswordHash, newUserSymKey, hint: masterPasswordHint };
  }

  private async handleCaptchaRequired(
--- a/apps/cli/src/auth/commands/unlock.command.ts
+++ b/apps/cli/src/auth/commands/unlock.command.ts
@@ -44,17 +44,17 @@ export class UnlockCommand {
    const email = await this.stateService.getEmail();
    const kdf = await this.stateService.getKdfType();
    const kdfConfig = await this.stateService.getKdfConfig();
-    const key = await this.cryptoService.makeKey(password, email, kdf, kdfConfig);
+    const masterKey = await this.cryptoService.makeMasterKey(password, email, kdf, kdfConfig);
    const storedKeyHash = await this.cryptoService.getKeyHash();

    let passwordValid = false;
-    if (key != null) {
+    if (masterKey != null) {
      if (storedKeyHash != null) {
-        passwordValid = await this.cryptoService.compareAndUpdateKeyHash(password, key);
+        passwordValid = await this.cryptoService.compareAndUpdateKeyHash(password, masterKey);
      } else {
        const serverKeyHash = await this.cryptoService.hashPassword(
          password,
-          key,
+          masterKey,
          HashPurpose.ServerAuthorization
        );
        const request = new SecretVerificationRequest();
@@ -64,7 +64,7 @@ export class UnlockCommand {
          passwordValid = true;
          const localKeyHash = await this.cryptoService.hashPassword(
            password,
-            key,
+            masterKey,
            HashPurpose.LocalAuthorization
          );
          await this.cryptoService.setKeyHash(localKeyHash);
@@ -75,7 +75,9 @@ export class UnlockCommand {
    }

    if (passwordValid) {
-      await this.cryptoService.setKey(key);
+      await this.cryptoService.setMasterKey(masterKey);
+      const userKey = await this.cryptoService.decryptUserSymKeyWithMasterKey(masterKey);
+      await this.cryptoService.setUserKey(userKey);

      if (await this.keyConnectorService.getConvertAccountRequired()) {
        const convertToKeyConnectorCommand = new ConvertToKeyConnectorCommand(
--- a/apps/cli/src/vault/create.command.ts
+++ b/apps/cli/src/vault/create.command.ts
@@ -126,8 +126,8 @@ export class CreateCommand {
      return Response.error("Premium status is required to use this feature.");
    }

-    const encKey = await this.cryptoService.getEncKey();
-    if (encKey == null) {
+    const userSymKey = await this.cryptoService.getUserKey();
+    if (userSymKey == null) {
      return Response.error(
        "You must update your encryption key before you can use this feature. " +
          "See https://help.bitwarden.com/article/update-encryption-key/"