[PM-29208] Remove individual cryptographic-key states & migrate key service (#18164)

* Remove inividual user key states and migrate to account cryptographic state * Fix browser * Fix tests * Clean up migration * Remove key-pair creation from login strategy * Add clearing for the account cryptographic state * Add migration * Cleanup * Fix linting
2026-02-25 00:53:22 +00:00 · 2026-02-09 12:39:55 +01:00
parent c21841a2df
commit f7a5ad712f
43 changed files with 562 additions and 597 deletions
--- a/libs/common/src/platform/sync/default-sync.service.spec.ts
+++ b/libs/common/src/platform/sync/default-sync.service.spec.ts
@@ -199,7 +199,10 @@ describe("DefaultSyncService", () => {
        new EncString("encryptedUserKey"),
        user1,
      );
-      expect(keyService.setPrivateKey).toHaveBeenCalledWith("privateKey", user1);
+      expect(accountCryptographicStateService.setAccountCryptographicState).toHaveBeenCalledWith(
+        { V1: { private_key: "privateKey" } },
+        user1,
+      );
      expect(keyService.setProviderKeys).toHaveBeenCalledWith([], user1);
      expect(keyService.setOrgKeys).toHaveBeenCalledWith([], [], user1);
    });
@@ -242,7 +245,10 @@ describe("DefaultSyncService", () => {
        new EncString("encryptedUserKey"),
        user1,
      );
-      expect(keyService.setPrivateKey).toHaveBeenCalledWith("wrappedPrivateKey", user1);
+      expect(accountCryptographicStateService.setAccountCryptographicState).toHaveBeenCalledWith(
+        { V1: { private_key: "wrappedPrivateKey" } },
+        user1,
+      );
      expect(keyService.setProviderKeys).toHaveBeenCalledWith([], user1);
      expect(keyService.setOrgKeys).toHaveBeenCalledWith([], [], user1);
    });
@@ -293,12 +299,7 @@ describe("DefaultSyncService", () => {
        new EncString("encryptedUserKey"),
        user1,
      );
-      expect(keyService.setPrivateKey).toHaveBeenCalledWith("wrappedPrivateKey", user1);
-      expect(keyService.setUserSigningKey).toHaveBeenCalledWith("wrappedSigningKey", user1);
-      expect(securityStateService.setAccountSecurityState).toHaveBeenCalledWith(
-        "securityState",
-        user1,
-      );
+      expect(accountCryptographicStateService.setAccountCryptographicState).toHaveBeenCalled();
      expect(keyService.setProviderKeys).toHaveBeenCalledWith([], user1);
      expect(keyService.setOrgKeys).toHaveBeenCalledWith([], [], user1);
    });
--- a/libs/common/src/platform/sync/default-sync.service.ts
+++ b/libs/common/src/platform/sync/default-sync.service.ts
@@ -14,6 +14,7 @@ import { SecurityStateService } from "@bitwarden/common/key-management/security-
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
 import { KdfConfigService, KeyService } from "@bitwarden/key-management";
+import { EncString as SdkEncString } from "@bitwarden/sdk-internal";

 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
@@ -251,29 +252,15 @@ export class DefaultSyncService extends CoreSyncService {
        response.accountKeys.toWrappedAccountCryptographicState(),
        response.id,
      );
-
-      // V1 and V2 users
-      await this.keyService.setPrivateKey(
-        response.accountKeys.publicKeyEncryptionKeyPair.wrappedPrivateKey,
+    } else {
+      await this.accountCryptographicStateService.setAccountCryptographicState(
+        {
+          V1: {
+            private_key: response.privateKey as SdkEncString,
+          },
+        },
        response.id,
      );
-      // V2 users only
-      if (response.accountKeys.isV2Encryption()) {
-        await this.keyService.setUserSigningKey(
-          response.accountKeys.signatureKeyPair.wrappedSigningKey,
-          response.id,
-        );
-        await this.securityStateService.setAccountSecurityState(
-          response.accountKeys.securityState.securityState,
-          response.id,
-        );
-        await this.keyService.setSignedPublicKey(
-          response.accountKeys.publicKeyEncryptionKeyPair.signedPublicKey,
-          response.id,
-        );
-      }
-    } else {
-      await this.keyService.setPrivateKey(response.privateKey, response.id);
    }
    await this.keyService.setProviderKeys(response.providers, response.id);
    await this.keyService.setOrgKeys(