[PM-2713] add toggle method to crypto service for keys

2025-12-17 16:53:26 +00:00 · 2023-07-18 14:02:54 -04:00
parent cd4f44e6f6
commit 5ed567ab90
4 changed files with 48 additions and 21 deletions
--- a/src/Core/Services/CryptoService.cs
+++ b/src/Core/Services/CryptoService.cs
@@ -36,6 +36,17 @@ namespace Bit.Core.Services
            _cryptoFunctionService = cryptoFunctionService;
        }

+        public async Task ToggleKeysAsync()
+        {
+            // refresh or clear the pin key
+            await SetUserKeyAsync(await GetUserKeyAsync());
+
+            // refresh or clear the encrypted user key
+            var encUserKey = await _stateService.GetUserKeyMasterKeyAsync();
+            await _stateService.SetUserKeyMasterKeyAsync(null);
+            await _stateService.SetUserKeyMasterKeyAsync(encUserKey);
+        }
+
        public async Task SetUserKeyAsync(UserKey userKey, string userId = null)
        {
            await _stateService.SetUserKeyAsync(userKey, userId);
@@ -45,6 +56,11 @@ namespace Bit.Core.Services
            {
                await StorePinKey(userKey, userId);
            }
+            else
+            {
+                await _stateService.SetUserKeyPinAsync(null, userId);
+                await _stateService.SetUserKeyPinEphemeralAsync(null, userId);
+            }
        }

        public async Task<UserKey> GetUserKeyAsync(string userId = null)
@@ -69,12 +85,21 @@ namespace Bit.Core.Services

        public async Task SetMasterKeyEncryptedUserKeyAsync(string value, string userId = null)
        {
+            var option = await _stateService.GetVaultTimeoutAsync();
+            var biometric = await _stateService.GetBiometricUnlockAsync();
+            if (option.HasValue && !biometric.GetValueOrDefault())
+            {
+                // we only store the encrypted user key if the user has a vault timeout set
+                // with no biometric. Otherwise, we need it for auto unlock or biometric unlock
+                return;
+            }
            await _stateService.SetUserKeyMasterKeyAsync(value, userId);
        }

        public async Task SetMasterKeyAsync(MasterKey masterKey, string userId = null)
        {
            await _stateService.SetMasterKeyAsync(masterKey, userId);
+
        }

        public async Task<MasterKey> GetMasterKeyAsync(string userId = null)
@@ -211,7 +236,7 @@ namespace Bit.Core.Services
        }

        // TODO(Jake): Uses Master Key
-        public async Task<bool> CompareAndUpdatePasswordHashAsync(string masterPassword, SymmetricCryptoKey key)
+        public async Task<bool> CompareAndUpdatePasswordHashAsync(string masterPassword, MasterKey key)
        {
            var storedPasswordHash = await GetPasswordHashAsync();
            if (masterPassword != null && storedPasswordHash != null)
@@ -385,6 +410,14 @@ namespace Bit.Core.Services
            return await StretchKeyAsync(pinKey) as PinKey;
        }

+        public async Task ClearPinKeys(string userId = null)
+        {
+            await _stateService.SetUserKeyPinAsync(null, userId);
+            await _stateService.SetUserKeyPinEphemeralAsync(null, userId);
+            await _stateService.SetProtectedPinAsync(null, userId);
+            await clearDeprecatedPinKeysAsync(userId);
+        }
+
        // public async Task<UserKey> DecryptUserKeyWithPin(string pin, string salt, KdfConfig kdfConfig, EncString pinProtectedUserKey = null)
        // {
        //     pinProtectedUserKey ??= await _stateService.GetUserKeyPinAsync();
@@ -614,7 +647,7 @@ namespace Bit.Core.Services
            return new EncByteArray(encBytes);
        }

-        // Helpers
+        // --HELPER METHODS--

        private async Task StorePinKey(UserKey userKey, string userId = null)
        {
@@ -899,6 +932,15 @@ namespace Bit.Core.Services
            public SymmetricCryptoKey Key { get; set; }
        }

+        // --LEGACY METHODS--
+        // We previously used the master key for additional keys, but now we use the user key.
+        // These methods support migrating the old keys to the new ones.
+
+        public async Task clearDeprecatedPinKeysAsync(string userId = null)
+        {
+            await _stateService.SetPinProtectedAsync(null);
+            await _stateService.SetPinProtectedKeyAsync(null);
+        }



@@ -1083,21 +1125,6 @@ namespace Bit.Core.Services
        }


-        public async Task ToggleKeyAsync()
-        {
-            var key = await GetKeyAsync();
-            var option = await _stateService.GetVaultTimeoutAsync();
-            var biometric = await _stateService.GetBiometricUnlockAsync();
-            if (!biometric.GetValueOrDefault() && (option != null || option == 0))
-            {
-                await ClearKeyAsync();
-                await _stateService.SetKeyDecryptedAsync(key);
-                return;
-            }
-            await SetKeyAsync(key);
-        }
-
-
        public async Task<SymmetricCryptoKey> MakeKeyFromPinAsync(string pin, string salt,
            KdfConfig config, EncString protectedKeyCs = null)
        {