Merge branch 'vault/pm-4739-implement-checksum-uri' into vault/pm-4739-IVIE-on

[PM-5461] Fix item saving with blank URI (#2948 )
* PM-5461 Fix item saving with blank URI * PM-5461 Fix PR comment
2025-12-05 23:53:33 +00:00 · 2024-01-23 15:02:32 +00:00 · 2024-01-23 14:47:42 +00:00 · 2024-01-22 11:48:46 +00:00 · 2023-12-21 10:02:00 +00:00 · 2023-12-12 22:07:16 +00:00
13 changed files with 61 additions and 12 deletions
--- a/src/Android/MainApplication.cs
+++ b/src/Android/MainApplication.cs
@@ -157,7 +157,7 @@ namespace Bit.Droid
            var autofillHandler = new AutofillHandler(stateService, messagingService, clipboardService,
                platformUtilsService, new LazyResolve<IEventService>());
            var cryptoFunctionService = new PclCryptoFunctionService(cryptoPrimitiveService);
-            var cryptoService = new CryptoService(stateService, cryptoFunctionService);
+            var cryptoService = new CryptoService(stateService, cryptoFunctionService, logger);
            var biometricService = new BiometricService(stateService, cryptoService);
            var userPinService = new UserPinService(stateService, cryptoService);
            var passwordRepromptService = new MobilePasswordRepromptService(platformUtilsService, cryptoService, stateService);
--- a/src/Core/Abstractions/ICryptoService.cs
+++ b/src/Core/Abstractions/ICryptoService.cs
@@ -63,5 +63,7 @@ namespace Bit.Core.Abstractions
        Task<UserKey> DecryptAndMigrateOldPinKeyAsync(bool masterPasswordOnRestart, string pin, string email, KdfConfig kdfConfig, EncString oldPinKey);
        Task<MasterKey> GetOrDeriveMasterKeyAsync(string password, string userId = null);
        Task UpdateMasterKeyAndUserKeyAsync(MasterKey masterKey);
+        Task<string> HashAsync(string value, CryptoHashAlgorithm hashAlgorithm);
+        Task<bool> ValidateUriChecksumAsync(EncString remoteUriChecksum, string rawUri, string orgId, SymmetricCryptoKey key);
    }
 }
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -70,7 +70,7 @@ namespace Bit.Core
        public const int Argon2Parallelism = 4;
        public const int MasterPasswordMinimumChars = 12;
        public const int CipherKeyRandomBytesLength = 64;
-        public const string CipherKeyEncryptionMinServerVersion = "2023.9.1";
+        public const string CipherKeyEncryptionMinServerVersion = "2023.12.0";
        public const string DefaultFido2CredentialType = "public-key";
        public const string DefaultFido2CredentialAlgorithm = "ECDSA";
        public const string DefaultFido2CredentialCurve = "P-256";
--- a/src/Core/Models/Api/LoginUriApi.cs
+++ b/src/Core/Models/Api/LoginUriApi.cs
@@ -6,5 +6,6 @@ namespace Bit.Core.Models.Api
    {
        public string Uri { get; set; }
        public UriMatchType? Match { get; set; }
+        public string UriChecksum { get; set; }
    }
 }
--- a/src/Core/Models/Data/LoginUriData.cs
+++ b/src/Core/Models/Data/LoginUriData.cs
@@ -11,9 +11,11 @@ namespace Bit.Core.Models.Data
        {
            Uri = data.Uri;
            Match = data.Match;
+            UriChecksum = data.UriChecksum;
        }

        public string Uri { get; set; }
        public UriMatchType? Match { get; set; }
+        public string UriChecksum { get; set; }
    }
 }
--- a/src/Core/Models/Domain/Cipher.cs
+++ b/src/Core/Models/Domain/Cipher.cs
@@ -115,7 +115,7 @@ namespace Bit.Core.Models.Domain
            switch (Type)
            {
                case Enums.CipherType.Login:
-                    model.Login = await Login.DecryptAsync(OrganizationId, model.Key);
+                    model.Login = await Login.DecryptAsync(OrganizationId, Key == null, model.Key);
                    break;
                case Enums.CipherType.SecureNote:
                    model.SecureNote = await SecureNote.DecryptAsync(OrganizationId, model.Key);
--- a/src/Core/Models/Domain/Login.cs
+++ b/src/Core/Models/Domain/Login.cs
@@ -2,8 +2,10 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
+using Bit.Core.Abstractions;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.View;
+using Bit.Core.Utilities;

 namespace Bit.Core.Models.Domain
 {
@@ -31,7 +33,7 @@ namespace Bit.Core.Models.Domain
        public EncString Totp { get; set; }
        public List<Fido2Credential> Fido2Credentials { get; set; }

-        public async Task<LoginView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
+        public async Task<LoginView> DecryptAsync(string orgId, bool bypassUriChecksumValidation, SymmetricCryptoKey key = null)
        {
            var view = await DecryptObjAsync(new LoginView(this), this, new HashSet<string>
            {
@@ -41,10 +43,15 @@ namespace Bit.Core.Models.Domain
            }, orgId, key);
            if (Uris != null)
            {
+                var cryptoService = ServiceContainer.Resolve<ICryptoService>();
                view.Uris = new List<LoginUriView>();
                foreach (var uri in Uris)
                {
-                    view.Uris.Add(await uri.DecryptAsync(orgId, key));
+                    var loginUriView = await uri.DecryptAsync(orgId, key);
+                    if (bypassUriChecksumValidation || await cryptoService.ValidateUriChecksumAsync(uri.UriChecksum, loginUriView.Uri, orgId, key))
+                    {
+                        view.Uris.Add(loginUriView);
+                    }
                }
            }
            if (Fido2Credentials != null)
--- a/src/Core/Models/Domain/LoginUri.cs
+++ b/src/Core/Models/Domain/LoginUri.cs
@@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using System.Linq;
 using System.Threading.Tasks;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
@@ -10,7 +11,8 @@ namespace Bit.Core.Models.Domain
    {
        private HashSet<string> _map = new HashSet<string>
        {
-            "Uri"
+            nameof(Uri),
+            nameof(UriChecksum)
        };

        public LoginUri() { }
@@ -23,10 +25,11 @@ namespace Bit.Core.Models.Domain

        public EncString Uri { get; set; }
        public UriMatchType? Match { get; set; }
+        public EncString UriChecksum { get; set; }

        public Task<LoginUriView> DecryptAsync(string orgId, SymmetricCryptoKey key = null)
        {
-            return DecryptObjAsync(new LoginUriView(this), this, _map, orgId, key);
+            return DecryptObjAsync(new LoginUriView(this), this, _map.Where(m => m != nameof(UriChecksum)).ToHashSet<string>(), orgId, key);
        }

        public LoginUriData ToLoginUriData()
--- a/src/Core/Models/Export/LoginUri.cs
+++ b/src/Core/Models/Export/LoginUri.cs
@@ -17,10 +17,12 @@ namespace Bit.Core.Models.Export
        {
            Match = obj.Match;
            Uri = obj.Uri?.EncryptedString;
+            UriChecksum = obj.UriChecksum?.EncryptedString;
        }

        public UriMatchType? Match { get; set; }
        public string Uri { get; set; }
+        public string UriChecksum { get; set; }

        public static LoginUriView ToView(LoginUri req, LoginUriView view = null)
        {
--- a/src/Core/Models/Request/CipherRequest.cs
+++ b/src/Core/Models/Request/CipherRequest.cs
@@ -27,7 +27,7 @@ namespace Bit.Core.Models.Request
                    Login = new LoginApi
                    {
                        Uris = cipher.Login.Uris?.Select(
-                            u => new LoginUriApi { Match = u.Match, Uri = u.Uri?.EncryptedString }).ToList(),
+                            u => new LoginUriApi { Match = u.Match, Uri = u.Uri?.EncryptedString, UriChecksum = u.UriChecksum?.EncryptedString }).ToList(),
                        Username = cipher.Login.Username?.EncryptedString,
                        Password = cipher.Login.Password?.EncryptedString,
                        PasswordRevisionDate = cipher.Login.PasswordRevisionDate,
--- a/src/Core/Services/CipherService.cs
+++ b/src/Core/Services/CipherService.cs
@@ -1,4 +1,4 @@
-//#define ENABLE_NEW_CIPHER_KEY_ENCRYPTION_ON_CREATION
+#define ENABLE_NEW_CIPHER_KEY_ENCRYPTION_ON_CREATION

 using System;
 using System.Collections.Generic;
@@ -1146,13 +1146,15 @@ namespace Bit.Core.Services
                    if (model.Login.Uris != null)
                    {
                        cipher.Login.Uris = new List<LoginUri>();
-                        foreach (var uri in model.Login.Uris)
+                        foreach (var uri in model.Login.Uris.Where(u => u.Uri != null))
                        {
                            var loginUri = new LoginUri
                            {
                                Match = uri.Match
                            };
                            await EncryptObjPropertyAsync(uri, loginUri, new HashSet<string> { "Uri" }, key);
+                            var uriHash = await _cryptoService.HashAsync(uri.Uri, CryptoHashAlgorithm.Sha256);
+                            loginUri.UriChecksum = await _cryptoService.EncryptAsync(uriHash, key);
                            cipher.Login.Uris.Add(loginUri);
                        }
                    }
--- a/src/Core/Services/CryptoService.cs
+++ b/src/Core/Services/CryptoService.cs
@@ -19,6 +19,7 @@ namespace Bit.Core.Services

        private readonly IStateService _stateService;
        private readonly ICryptoFunctionService _cryptoFunctionService;
+        private readonly ILogger _logger;

        private SymmetricCryptoKey _legacyEtmKey;
        private string _masterKeyHash;
@@ -29,10 +30,12 @@ namespace Bit.Core.Services

        public CryptoService(
            IStateService stateService,
-            ICryptoFunctionService cryptoFunctionService)
+            ICryptoFunctionService cryptoFunctionService,
+            ILogger logger)
        {
            _stateService = stateService;
            _cryptoFunctionService = cryptoFunctionService;
+            _logger = logger;
        }

        public void ClearCache()
@@ -730,6 +733,33 @@ namespace Bit.Core.Services
            }
        }

+        public async Task<string> HashAsync(string value, CryptoHashAlgorithm hashAlgorithm)
+        {
+            var hashArray = await _cryptoFunctionService.HashAsync(value, hashAlgorithm);
+            return Convert.ToBase64String(hashArray);
+        }
+
+        public async Task<bool> ValidateUriChecksumAsync(EncString remoteUriChecksum, string rawUri, string orgId, SymmetricCryptoKey key)
+        {
+            try
+            {
+                if (remoteUriChecksum == null)
+                {
+                    return false;
+                }
+
+                var localChecksum = await HashAsync(rawUri, CryptoHashAlgorithm.Sha256);
+
+                var remoteChecksum = await remoteUriChecksum.DecryptAsync(orgId, key);
+                return remoteChecksum == localChecksum;
+            }
+            catch (Exception ex)
+            {
+                _logger.Exception(ex);
+                return false;
+            }
+        }
+
        // --HELPER METHODS--

        private async Task StoreAdditionalKeysAsync(UserKey userKey, string userId = null)
--- a/src/iOS.Core/Utilities/iOSCoreHelpers.cs
+++ b/src/iOS.Core/Utilities/iOSCoreHelpers.cs
@@ -113,7 +113,7 @@ namespace Bit.iOS.Core.Utilities
            var platformUtilsService = new MobilePlatformUtilsService(deviceActionService, clipboardService,
                messagingService, broadcasterService);
            var cryptoFunctionService = new PclCryptoFunctionService(cryptoPrimitiveService);
-            var cryptoService = new CryptoService(stateService, cryptoFunctionService);
+            var cryptoService = new CryptoService(stateService, cryptoFunctionService, logger);
            var biometricService = new BiometricService(stateService, cryptoService);
            var userPinService = new UserPinService(stateService, cryptoService);
            var passwordRepromptService = new MobilePasswordRepromptService(platformUtilsService, cryptoService, stateService);
Author	SHA1	Message	Date
Carlos Gonçalves	2bae821ee6	Merge branch 'vault/pm-4739-implement-checksum-uri' into vault/pm-4739-IVIE-on	2024-01-23 15:02:32 +00:00
Carlos Gonçalves	c3f07282b6	[PM-5461] Fix item saving with blank URI (#2948 ) * PM-5461 Fix item saving with blank URI * PM-5461 Fix PR comment	2024-01-23 14:47:42 +00:00
Carlos Gonçalves	a74961cd0f	Merge branch 'main' into vault/pm-4739-implement-checksum-uri	2024-01-22 11:48:46 +00:00
Carlos Gonçalves	32666df951	Turned IVIE on	2023-12-21 10:02:00 +00:00
Carlos Gonçalves	c7490a7163	PM-4739 Change arg name	2023-12-12 22:07:16 +00:00
Carlos Gonçalves	e3106d5b74	Merge branch 'master' into vault/pm-4739-implement-checksum-uri	2023-12-12 17:18:52 +00:00
Carlos Gonçalves	fc8d058046	PM-4739 Added missing files from last commit	2023-12-12 17:18:24 +00:00
Carlos Gonçalves	573cdf9984	Merge branch 'master' into vault/pm-4739-implement-checksum-uri	2023-12-12 15:48:40 +00:00
Carlos Gonçalves	0e40102de5	PM-4739 Add try catch and log exception	2023-12-12 15:48:14 +00:00
Carlos Gonçalves	0eea17831b	PM-4739 Remove unnecessary comment	2023-12-12 12:36:18 +00:00
Carlos Gonçalves	edc1e555b6	Merge branch 'master' into vault/pm-4739-implement-checksum-uri	2023-12-12 12:22:46 +00:00
Carlos Gonçalves	287b3a0580	PM-4739 Fix PR comments	2023-12-12 12:22:28 +00:00
Carlos Gonçalves	c04933b959	Merge branch 'master' into vault/pm-4739-implement-checksum-uri	2023-12-07 17:49:39 +00:00
Carlos Gonçalves	e1e9ee0255	Merge branch 'master' into vault/pm-4739-implement-checksum-uri	2023-12-06 18:16:40 +00:00
Carlos Gonçalves	e947d3eebb	PM-4739 Add missing field	2023-12-06 18:15:45 +00:00
Carlos Gonçalves	c2928b88b0	Merge branch 'master' into vault/pm-4739-implement-checksum-uri	2023-12-04 16:39:41 +00:00
Carlos Gonçalves	b2374ed5f6	PM-4739 Implement checksum uri validation	2023-12-04 16:39:23 +00:00