mirror of
https://github.com/bitwarden/server
synced 2025-12-06 00:03:34 +00:00
[PM-25473] Non-encryption passkeys prevent key rotation (#6359)
* use webauthn credentials that have encrypted user key for user key rotation * where condition simplification
This commit is contained in:
Maciej Zieniuk
GitHub
@@ -1,4 +1,5 @@
|
||||
using Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
using Bit.Core.Auth.Enums;
|
||||
using Bit.Core.Auth.Models.Data;
|
||||
using Bit.Core.Auth.Repositories;
|
||||
using Bit.Core.Entities;
|
||||
@@ -6,7 +7,13 @@ using Bit.Core.Exceptions;
|
||||
|
||||
namespace Bit.Api.KeyManagement.Validators;
|
||||
|
||||
public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
|
||||
/// <summary>
|
||||
/// Validates WebAuthn credentials during key rotation. Only processes credentials that have PRF enabled
|
||||
/// and have encrypted user, public, and private keys. Ensures all such credentials are included
|
||||
/// in the rotation request with the required encrypted keys.
|
||||
/// </summary>
|
||||
public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>,
|
||||
IEnumerable<WebAuthnLoginRotateKeyData>>
|
||||
{
|
||||
private readonly IWebAuthnCredentialRepository _webAuthnCredentialRepository;
|
||||
|
||||
@@ -15,24 +22,20 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
|
||||
_webAuthnCredentialRepository = webAuthnCredentialRepository;
|
||||
}
|
||||
|
||||
public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
|
||||
public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user,
|
||||
IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
|
||||
{
|
||||
var result = new List<WebAuthnLoginRotateKeyData>();
|
||||
var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
|
||||
if (existing == null)
|
||||
var validCredentials = (await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id))
|
||||
.Where(credential => credential.GetPrfStatus() == WebAuthnPrfStatus.Enabled).ToList();
|
||||
if (validCredentials.Count == 0)
|
||||
{
|
||||
return result;
|
||||
}
|
||||
|
||||
var validCredentials = existing.Where(credential => credential.SupportsPrf);
|
||||
if (!validCredentials.Any())
|
||||
foreach (var webAuthnCredential in validCredentials)
|
||||
{
|
||||
return result;
|
||||
}
|
||||
|
||||
foreach (var ea in validCredentials)
|
||||
{
|
||||
var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id);
|
||||
var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == webAuthnCredential.Id);
|
||||
if (keyToRotate == null)
|
||||
{
|
||||
throw new BadRequestException("All existing webauthn prf keys must be included in the rotation.");
|
||||
@@ -42,6 +45,7 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
|
||||
{
|
||||
throw new BadRequestException("WebAuthn prf keys must have user-key during rotation.");
|
||||
}
|
||||
|
||||
if (keyToRotate.EncryptedPublicKey == null)
|
||||
{
|
||||
throw new BadRequestException("WebAuthn prf keys must have public-key during rotation.");
|
||||
|
||||
@@ -22,13 +22,30 @@ public class WebAuthnCredential : ITableObject<Guid>
|
||||
[MaxLength(20)]
|
||||
public string Type { get; set; }
|
||||
public Guid AaGuid { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// User key encrypted with this WebAuthn credential's public key (EncryptedPublicKey field).
|
||||
/// </summary>
|
||||
[MaxLength(2000)]
|
||||
public string EncryptedUserKey { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Private key encrypted with an external key for secure storage.
|
||||
/// </summary>
|
||||
[MaxLength(2000)]
|
||||
public string EncryptedPrivateKey { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Public key encrypted with the user key for key rotation.
|
||||
/// </summary>
|
||||
[MaxLength(2000)]
|
||||
public string EncryptedPublicKey { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Indicates whether this credential supports PRF (Pseudo-Random Function) extension.
|
||||
/// </summary>
|
||||
public bool SupportsPrf { get; set; }
|
||||
|
||||
public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
|
||||
public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;
|
||||
|
||||
|
||||
@@ -33,8 +33,9 @@ public class WebAuthnLoginKeyRotationValidatorTests
|
||||
{
|
||||
Id = guid,
|
||||
SupportsPrf = true,
|
||||
EncryptedPublicKey = "TestKey",
|
||||
EncryptedUserKey = "Test"
|
||||
EncryptedPublicKey = "TestPublicKey",
|
||||
EncryptedUserKey = "TestUserKey",
|
||||
EncryptedPrivateKey = "TestPrivateKey"
|
||||
};
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
|
||||
.Returns(new List<WebAuthnCredential> { data });
|
||||
@@ -45,8 +46,12 @@ public class WebAuthnLoginKeyRotationValidatorTests
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_DoesNotSupportPRF_Ignores(
|
||||
[BitAutoData(false, null, null, null)]
|
||||
[BitAutoData(true, null, "TestPublicKey", "TestPrivateKey")]
|
||||
[BitAutoData(true, "TestUserKey", null, "TestPrivateKey")]
|
||||
[BitAutoData(true, "TestUserKey", "TestPublicKey", null)]
|
||||
public async Task ValidateAsync_NotEncryptedOrPrfNotSupported_Ignores(
|
||||
bool supportsPrf, string encryptedUserKey, string encryptedPublicKey, string encryptedPrivateKey,
|
||||
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
|
||||
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
|
||||
{
|
||||
@@ -58,7 +63,14 @@ public class WebAuthnLoginKeyRotationValidatorTests
|
||||
EncryptedPublicKey = e.EncryptedPublicKey,
|
||||
}).ToList();
|
||||
|
||||
var data = new WebAuthnCredential { Id = guid, EncryptedUserKey = "Test", EncryptedPublicKey = "TestKey" };
|
||||
var data = new WebAuthnCredential
|
||||
{
|
||||
Id = guid,
|
||||
SupportsPrf = supportsPrf,
|
||||
EncryptedUserKey = encryptedUserKey,
|
||||
EncryptedPublicKey = encryptedPublicKey,
|
||||
EncryptedPrivateKey = encryptedPrivateKey
|
||||
};
|
||||
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
|
||||
.Returns(new List<WebAuthnCredential> { data });
|
||||
@@ -69,7 +81,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_WrongWebAuthnKeys_Throws(
|
||||
public async Task ValidateAsync_WebAuthnKeysNotMatchingExisting_Throws(
|
||||
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
|
||||
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
|
||||
{
|
||||
@@ -84,10 +96,12 @@ public class WebAuthnLoginKeyRotationValidatorTests
|
||||
{
|
||||
Id = Guid.Parse("00000000-0000-0000-0000-000000000002"),
|
||||
SupportsPrf = true,
|
||||
EncryptedPublicKey = "TestKey",
|
||||
EncryptedUserKey = "Test"
|
||||
EncryptedPublicKey = "TestPublicKey",
|
||||
EncryptedUserKey = "TestUserKey",
|
||||
EncryptedPrivateKey = "TestPrivateKey"
|
||||
};
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
|
||||
.Returns(new List<WebAuthnCredential> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () =>
|
||||
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
|
||||
@@ -100,20 +114,24 @@ public class WebAuthnLoginKeyRotationValidatorTests
|
||||
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
|
||||
{
|
||||
var guid = Guid.NewGuid();
|
||||
var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
|
||||
{
|
||||
Id = guid,
|
||||
EncryptedPublicKey = e.EncryptedPublicKey,
|
||||
}).ToList();
|
||||
var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e =>
|
||||
new WebAuthnLoginRotateKeyRequestModel
|
||||
{
|
||||
Id = guid,
|
||||
EncryptedPublicKey = e.EncryptedPublicKey,
|
||||
EncryptedUserKey = null
|
||||
}).ToList();
|
||||
|
||||
var data = new WebAuthnCredential
|
||||
{
|
||||
Id = guid,
|
||||
SupportsPrf = true,
|
||||
EncryptedPublicKey = "TestKey",
|
||||
EncryptedUserKey = "Test"
|
||||
EncryptedPublicKey = "TestPublicKey",
|
||||
EncryptedUserKey = "TestUserKey",
|
||||
EncryptedPrivateKey = "TestPrivateKey"
|
||||
};
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
|
||||
.Returns(new List<WebAuthnCredential> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () =>
|
||||
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
|
||||
@@ -131,19 +149,21 @@ public class WebAuthnLoginKeyRotationValidatorTests
|
||||
{
|
||||
Id = guid,
|
||||
EncryptedUserKey = e.EncryptedUserKey,
|
||||
EncryptedPublicKey = null,
|
||||
}).ToList();
|
||||
|
||||
var data = new WebAuthnCredential
|
||||
{
|
||||
Id = guid,
|
||||
SupportsPrf = true,
|
||||
EncryptedPublicKey = "TestKey",
|
||||
EncryptedUserKey = "Test"
|
||||
EncryptedPublicKey = "TestPublicKey",
|
||||
EncryptedUserKey = "TestUserKey",
|
||||
EncryptedPrivateKey = "TestPrivateKey"
|
||||
};
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
|
||||
.Returns(new List<WebAuthnCredential> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () =>
|
||||
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user