[PM-1379] add DeviceTrustCryptoService with establish trust logic (#2535 )

* [PM-1379] add DeviceCryptoService with establish trust logic * PM-1379 update api location and other minor refactors * pm-1379 fix encoding * update trusted device keys api call to Put * [PM-1379] rename DeviceCryptoService to DeviceTrustCryptoService - refactors to prevent side effects * [PM-1379] rearrange methods in DeviceTrustCryptoService * [PM-1379] rearrange methods in abstraction * [PM-1379] deconstruct tuples * [PM-1379] remove extra tasks
2025-12-05 23:53:33 +00:00 · 2023-07-05 16:13:20 -04:00
9 changed files with 141 additions and 0 deletions
--- a/src/Core/Abstractions/IApiService.cs
+++ b/src/Core/Abstractions/IApiService.cs
@@ -92,6 +92,8 @@ namespace Bit.Core.Abstractions
        Task<PasswordlessLoginResponse> PutAuthRequestAsync(string id, string key, string masterPasswordHash, string deviceIdentifier, bool requestApproved);
        Task<PasswordlessLoginResponse> PostCreateRequestAsync(PasswordlessCreateLoginRequest passwordlessCreateLoginRequest);
        Task<bool> GetKnownDeviceAsync(string email, string deviceIdentifier);
+        Task<DeviceResponse> GetDeviceByIdentifierAsync(string deviceIdentifier);
+        Task<DeviceResponse> UpdateTrustedDeviceKeysAsync(string deviceIdentifier, TrustedDeviceKeysRequest deviceRequest);
        Task<OrganizationDomainSsoDetailsResponse> GetOrgDomainSsoDetailsAsync(string email);
        Task<ConfigResponse> GetConfigsAsync();
        Task<string> GetFastmailAccountIdAsync(string apiKey);
--- a/src/Core/Abstractions/IDeviceTrustCryptoService.cs
+++ b/src/Core/Abstractions/IDeviceTrustCryptoService.cs
@@ -0,0 +1,11 @@
+using System.Threading.Tasks;
+using Bit.Core.Models.Domain;
+
+namespace Bit.Core.Abstractions
+{
+    public interface IDeviceTrustCryptoService
+    {
+        Task<SymmetricCryptoKey> GetDeviceKeyAsync();
+        Task<DeviceResponse> TrustDeviceAsync();
+    }
+}
--- a/src/Core/Abstractions/IStateService.cs
+++ b/src/Core/Abstractions/IStateService.cs
@@ -56,6 +56,8 @@ namespace Bit.Core.Abstractions
        Task SetOrgKeysEncryptedAsync(Dictionary<string, string> value, string userId = null);
        Task<string> GetPrivateKeyEncryptedAsync(string userId = null);
        Task SetPrivateKeyEncryptedAsync(string value, string userId = null);
+        Task<SymmetricCryptoKey> GetDeviceKeyAsync(string userId = null);
+        Task SetDeviceKeyAsync(SymmetricCryptoKey value, string userId = null);
        Task<List<string>> GetAutofillBlacklistedUrisAsync(string userId = null);
        Task SetAutofillBlacklistedUrisAsync(List<string> value, string userId = null);
        Task<bool?> GetAutofillTileAddedAsync();
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -91,6 +91,7 @@
        public static string EncOrgKeysKey(string userId) => $"encOrgKeys_{userId}";
        public static string EncPrivateKeyKey(string userId) => $"encPrivateKey_{userId}";
        public static string EncKeyKey(string userId) => $"encKey_{userId}";
+        public static string DeviceKeyKey(string userId) => $"deviceKey_{userId}";
        public static string KeyHashKey(string userId) => $"keyHash_{userId}";
        public static string PinProtectedKey(string userId) => $"pinProtectedKey_{userId}";
        public static string PassGenOptionsKey(string userId) => $"passwordGenerationOptions_{userId}";
--- a/src/Core/Models/Request/TrustedDeviceKeysRequest.cs
+++ b/src/Core/Models/Request/TrustedDeviceKeysRequest.cs
@@ -0,0 +1,10 @@
+
+namespace Bit.Core.Models.Request
+{
+    public class TrustedDeviceKeysRequest
+    {
+        public string EncryptedUserKey { get; set; }
+        public string EncryptedPublicKey { get; set; }
+        public string EncryptedPrivateKey { get; set; }
+    }
+}
--- a/src/Core/Models/Response/DeviceResponse.cs
+++ b/src/Core/Models/Response/DeviceResponse.cs
@@ -0,0 +1,13 @@
+using Bit.Core.Enums;
+
+public class DeviceResponse
+{
+    public string Id { get; set; }
+    public int Name { get; set; }
+    public string Identifier { get; set; }
+    public DeviceType Type { get; set; }
+    public string CreationDate { get; set; }
+    public string EncryptedUserKey { get; set; }
+    public string EncryptedPublicKey { get; set; }
+    public string EncryptedPrivateKey { get; set; }
+}
--- a/src/Core/Services/ApiService.cs
+++ b/src/Core/Services/ApiService.cs
@@ -585,6 +585,16 @@ namespace Bit.Core.Services
            });
        }

+        public Task<DeviceResponse> GetDeviceByIdentifierAsync(string deviceIdentifier)
+        {
+            return SendAsync<object, DeviceResponse>(HttpMethod.Get, $"/devices/identifier/{deviceIdentifier}", null, true, true);
+        }
+
+        public Task<DeviceResponse> UpdateTrustedDeviceKeysAsync(string deviceIdentifier, TrustedDeviceKeysRequest trustedDeviceKeysRequest)
+        {
+            return SendAsync<TrustedDeviceKeysRequest, DeviceResponse>(HttpMethod.Put, $"/devices/{deviceIdentifier}/keys", trustedDeviceKeysRequest, true, true);
+        }
+
        #endregion

        #region Configs
--- a/src/Core/Services/DeviceTrustCryptoService.cs
+++ b/src/Core/Services/DeviceTrustCryptoService.cs
@@ -0,0 +1,81 @@
+
+using System;
+using System.Threading.Tasks;
+using Bit.Core.Abstractions;
+using Bit.Core.Models.Domain;
+using Bit.Core.Models.Request;
+
+namespace Bit.Core.Services
+{
+    public class DeviceTrustCryptoService : IDeviceTrustCryptoService
+    {
+        private readonly IApiService _apiService;
+        private readonly IAppIdService _appIdService;
+        private readonly ICryptoFunctionService _cryptoFunctionService;
+        private readonly ICryptoService _cryptoService;
+        private readonly IStateService _stateService;
+
+        private const int DEVICE_KEY_SIZE = 64;
+
+        public DeviceTrustCryptoService(
+            IApiService apiService,
+            IAppIdService appIdService,
+            ICryptoFunctionService cryptoFunctionService,
+            ICryptoService cryptoService,
+            IStateService stateService)
+        {
+            _apiService = apiService;
+            _appIdService = appIdService;
+            _cryptoFunctionService = cryptoFunctionService;
+            _cryptoService = cryptoService;
+            _stateService = stateService;
+        }
+
+        public async Task<SymmetricCryptoKey> GetDeviceKeyAsync()
+        {
+            return await _stateService.GetDeviceKeyAsync();
+        }
+
+        private async Task SetDeviceKeyAsync(SymmetricCryptoKey deviceKey)
+        {
+            await _stateService.SetDeviceKeyAsync(deviceKey);
+        }
+
+        public async Task<DeviceResponse> TrustDeviceAsync()
+        {
+            // Attempt to get user key
+            var userKey = await _cryptoService.GetEncKeyAsync();
+            if (userKey == null)
+            {
+                return null;
+            }
+            // Generate deviceKey
+            var deviceKey = await MakeDeviceKeyAsync();
+
+            // Generate asymmetric RSA key pair: devicePrivateKey, devicePublicKey
+            var (devicePublicKey, devicePrivateKey) = await _cryptoFunctionService.RsaGenerateKeyPairAsync(2048);
+
+            // Send encrypted keys to server
+            var deviceIdentifier = await _appIdService.GetAppIdAsync();
+            var deviceRequest = new TrustedDeviceKeysRequest
+            {
+                EncryptedUserKey = (await _cryptoService.RsaEncryptAsync(userKey.EncKey, devicePublicKey)).EncryptedString,
+                EncryptedPublicKey = (await _cryptoService.EncryptAsync(devicePublicKey, userKey)).EncryptedString,
+                EncryptedPrivateKey = (await _cryptoService.EncryptAsync(devicePrivateKey, deviceKey)).EncryptedString,
+            };
+
+            var deviceResponse = await _apiService.UpdateTrustedDeviceKeysAsync(deviceIdentifier, deviceRequest);
+
+            // Store device key if successful
+            await SetDeviceKeyAsync(deviceKey);
+            return deviceResponse;
+        }
+
+        private async Task<SymmetricCryptoKey> MakeDeviceKeyAsync()
+        {
+            // Create 512-bit device key
+            var randomBytes = await _cryptoFunctionService.RandomBytesAsync(DEVICE_KEY_SIZE);
+            return new SymmetricCryptoKey(randomBytes);
+        }
+    }
+}
--- a/src/Core/Services/StateService.cs
+++ b/src/Core/Services/StateService.cs
@@ -482,6 +482,17 @@ namespace Bit.Core.Services
            await SetValueAsync(Constants.EncPrivateKeyKey(reconciledOptions.UserId), value, reconciledOptions);
        }

+        public async Task<SymmetricCryptoKey> GetDeviceKeyAsync(string userId = null)
+        {
+            var deviceKeyB64 = await _storageMediatorService.GetAsync<string>(Constants.DeviceKeyKey(userId), true);
+            return new SymmetricCryptoKey(Convert.FromBase64String(deviceKeyB64));
+        }
+
+        public async Task SetDeviceKeyAsync(SymmetricCryptoKey value, string userId = null)
+        {
+            await _storageMediatorService.SaveAsync(Constants.DeviceKeyKey(userId), value.KeyB64, true);
+        }
+
        public async Task<List<string>> GetAutofillBlacklistedUrisAsync(string userId = null)
        {
            var reconciledOptions = ReconcileOptions(new StorageOptions { UserId = userId },