support attachment key, 100k iterations on regist.

src/App/Services/CipherService.cs

@@ -310,7 +310,7 @@ namespace Bit.App.Services
             _appSettingsService.ClearCiphersCache = true;
         }
 
-        public async Task<byte[]> DownloadAndDecryptAttachmentAsync(string url, string orgId = null)
+        public async Task<byte[]> DownloadAndDecryptAttachmentAsync(string url, CipherString key, string orgId = null)
         {
             using(var client = new HttpClient())
             {
@@ -328,14 +328,20 @@ namespace Bit.App.Services
                         return null;
                     }
 
-                    if(!string.IsNullOrWhiteSpace(orgId))
+                    SymmetricCryptoKey regularKey = !string.IsNullOrWhiteSpace(orgId) ?
+                        _cryptoService.GetOrgKey(orgId) : null;
+                    SymmetricCryptoKey dataKey = null;
+                    if(key != null)
                     {
-                        return _cryptoService.DecryptToBytes(data, _cryptoService.GetOrgKey(orgId));
+                        var decDataKey = _cryptoService.DecryptToBytes(key, regularKey);
+                        dataKey = new SymmetricCryptoKey(decDataKey);
                     }
                     else
                     {
-                        return _cryptoService.DecryptToBytes(data, null);
+                        dataKey = regularKey;
                     }
+
+                    return _cryptoService.DecryptToBytes(data, dataKey);
                 }
                 catch
                 {
@@ -346,10 +352,13 @@ namespace Bit.App.Services
 
         public async Task<ApiResult<CipherResponse>> EncryptAndSaveAttachmentAsync(Cipher cipher, byte[] data, string fileName)
         {
+            var key = cipher.OrganizationId != null ? _cryptoService.GetOrgKey(cipher.OrganizationId) : null;
             var encFileName = fileName.Encrypt(cipher.OrganizationId);
-            var encBytes = _cryptoService.EncryptToBytes(data,
-                cipher.OrganizationId != null ? _cryptoService.GetOrgKey(cipher.OrganizationId) : null);
-            var response = await _cipherApiRepository.PostAttachmentAsync(cipher.Id, encBytes, encFileName.EncryptedString);
+
+            var dataKey = _cryptoService.MakeEncKey(key);
+            var encBytes = _cryptoService.EncryptToBytes(data, dataKey.Item1);
+            var response = await _cipherApiRepository.PostAttachmentAsync(cipher.Id, encBytes,
+                dataKey.Item2.EncryptedString, encFileName.EncryptedString);
 
             if(response.Succeeded)
             {

src/App/Services/CryptoService.cs

@@ -483,18 +483,20 @@ namespace Bit.App.Services
             return Convert.ToBase64String(hash);
         }
 
-        public CipherString MakeEncKey(SymmetricCryptoKey key)
+        public Tuple<SymmetricCryptoKey, CipherString> MakeEncKey(SymmetricCryptoKey key)
         {
+            var theKey = key ?? EncKey ?? Key;
             var encKey = Crypto.RandomBytes(64);
-            // TODO: Remove hardcoded true/false when we're ready to enable key stretching
-            if(false && key.Key.Length == 32)
+            if(theKey.Key.Length == 32)
             {
-                var newKey = StretchKey(key);
-                return Encrypt(encKey, newKey);
+                var newKey = StretchKey(theKey);
+                return new Tuple<SymmetricCryptoKey, CipherString>(
+                    new SymmetricCryptoKey(encKey), Encrypt(encKey, newKey));
             }
-            else if(true || key.Key.Length == 64)
+            else if(theKey.Key.Length == 64)
             {
-                return Encrypt(encKey, key);
+                return new Tuple<SymmetricCryptoKey, CipherString>(
+                    new SymmetricCryptoKey(encKey), Encrypt(encKey, theKey));
             }
 
             throw new Exception("Invalid key size.");