[PM-23229] Add extra validation to kdf changes + authentication data + unlock data (#6121)

* Added MasterPasswordUnlock to UserDecryptionOptions as part of identity response * Implement support for authentication data and unlock data in kdf change * Extract to kdf command and add tests * Fix namespace * Delete empty file * Fix build * Clean up tests * Fix tests * Add comments * Cleanup * Cleanup * Cleanup * Clean-up and fix build * Address feedback; force new parameters on KDF change request * Clean-up and add tests * Re-add logger * Update logger to interface * Clean up, remove Kdf Request Model * Remove kdf request model tests * Fix types in test * Address feedback to rename request model and re-add tests * Fix namespace * Move comments * Rename InnerKdfRequestModel to KdfRequestModel --------- Co-authored-by: Maciej Zieniuk <mzieniuk@bitwarden.com>
2025-12-06 00:03:34 +00:00 · 2025-09-24 05:10:46 +09:00
parent 744f11733d
commit ff092a031e
25 changed files with 729 additions and 173 deletions
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@@ -10,6 +10,7 @@ using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Kdf;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -33,6 +34,7 @@ public class AccountsControllerTests : IDisposable
    private readonly ITdeOffboardingPasswordCommand _tdeOffboardingPasswordCommand;
    private readonly IFeatureService _featureService;
    private readonly ITwoFactorEmailService _twoFactorEmailService;
+    private readonly IChangeKdfCommand _changeKdfCommand;


    public AccountsControllerTests()
@@ -47,7 +49,7 @@ public class AccountsControllerTests : IDisposable
        _tdeOffboardingPasswordCommand = Substitute.For<ITdeOffboardingPasswordCommand>();
        _featureService = Substitute.For<IFeatureService>();
        _twoFactorEmailService = Substitute.For<ITwoFactorEmailService>();
-
+        _changeKdfCommand = Substitute.For<IChangeKdfCommand>();

        _sut = new AccountsController(
            _organizationService,
@@ -59,7 +61,8 @@ public class AccountsControllerTests : IDisposable
            _tdeOffboardingPasswordCommand,
            _twoFactorIsEnabledQuery,
            _featureService,
-            _twoFactorEmailService
+            _twoFactorEmailService,
+            _changeKdfCommand
        );
    }

@@ -242,12 +245,18 @@ public class AccountsControllerTests : IDisposable
    {
        var user = GenerateExampleUser();
        ConfigureUserServiceToReturnValidPrincipalFor(user);
-        _userService.ChangePasswordAsync(user, default, default, default, default)
+        _userService.ChangePasswordAsync(user, Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>())
                    .Returns(Task.FromResult(IdentityResult.Success));

-        await _sut.PostPassword(new PasswordRequestModel());
+        await _sut.PostPassword(new PasswordRequestModel
+        {
+            MasterPasswordHash = "masterPasswordHash",
+            NewMasterPasswordHash = "newMasterPasswordHash",
+            MasterPasswordHint = "masterPasswordHint",
+            Key = "key"
+        });

-        await _userService.Received(1).ChangePasswordAsync(user, default, default, default, default);
+        await _userService.Received(1).ChangePasswordAsync(user, Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>());
    }

    [Fact]
@@ -256,7 +265,13 @@ public class AccountsControllerTests : IDisposable
        ConfigureUserServiceToReturnNullPrincipal();

        await Assert.ThrowsAsync<UnauthorizedAccessException>(
-            () => _sut.PostPassword(new PasswordRequestModel())
+            () => _sut.PostPassword(new PasswordRequestModel
+            {
+                MasterPasswordHash = "masterPasswordHash",
+                NewMasterPasswordHash = "newMasterPasswordHash",
+                MasterPasswordHint = "masterPasswordHint",
+                Key = "key"
+            })
        );
    }

@@ -265,11 +280,17 @@ public class AccountsControllerTests : IDisposable
    {
        var user = GenerateExampleUser();
        ConfigureUserServiceToReturnValidPrincipalFor(user);
-        _userService.ChangePasswordAsync(user, default, default, default, default)
+        _userService.ChangePasswordAsync(user, Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>())
                    .Returns(Task.FromResult(IdentityResult.Failed()));

        await Assert.ThrowsAsync<BadRequestException>(
-            () => _sut.PostPassword(new PasswordRequestModel())
+            () => _sut.PostPassword(new PasswordRequestModel
+            {
+                MasterPasswordHash = "masterPasswordHash",
+                NewMasterPasswordHash = "newMasterPasswordHash",
+                MasterPasswordHint = "masterPasswordHint",
+                Key = "key"
+            })
        );
    }

@@ -593,6 +614,30 @@ public class AccountsControllerTests : IDisposable
        await _twoFactorEmailService.Received(1).SendNewDeviceVerificationEmailAsync(user);
    }

+    [Theory]
+    [BitAutoData]
+    public async Task PostKdf_WithNullAuthenticationData_ShouldFail(
+        User user, PasswordRequestModel model)
+    {
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult(user));
+        model.AuthenticationData = null;
+
+        // Act
+        await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostKdf(model));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PostKdf_WithNullUnlockData_ShouldFail(
+        User user, PasswordRequestModel model)
+    {
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult(user));
+        model.UnlockData = null;
+
+        // Act
+        await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostKdf(model));
+    }
+
    // Below are helper functions that currently belong to this
    // test class, but ultimately may need to be split out into
    // something greater in order to share common test steps with
--- a/test/Api.Test/KeyManagement/Models/Request/MasterPasswordUnlockDataModel.cs
+++ b/test/Api.Test/KeyManagement/Models/Request/MasterPasswordUnlockDataModel.cs
@@ -18,7 +18,7 @@ public class MasterPasswordUnlockDataModelTests
    [InlineData(KdfType.Argon2id, 3, 64, 4)]
    public void Validate_Success(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
    {
-        var model = new MasterPasswordUnlockDataModel
+        var model = new MasterPasswordUnlockAndAuthenticationDataModel
        {
            KdfType = kdfType,
            KdfIterations = kdfIterations,
@@ -43,7 +43,7 @@ public class MasterPasswordUnlockDataModelTests
    [InlineData((KdfType)2, 2, 64, 4)]
    public void Validate_Failure(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
    {
-        var model = new MasterPasswordUnlockDataModel
+        var model = new MasterPasswordUnlockAndAuthenticationDataModel
        {
            KdfType = kdfType,
            KdfIterations = kdfIterations,
@@ -59,7 +59,7 @@ public class MasterPasswordUnlockDataModelTests
        Assert.NotNull(result.First().ErrorMessage);
    }

-    private static List<ValidationResult> Validate(MasterPasswordUnlockDataModel model)
+    private static List<ValidationResult> Validate(MasterPasswordUnlockAndAuthenticationDataModel model)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(model, new ValidationContext(model), results, true);
--- a/test/Api.Test/Models/Request/Accounts/KdfRequestModelTests.cs
+++ b/test/Api.Test/Models/Request/Accounts/KdfRequestModelTests.cs
@@ -1,65 +0,0 @@
-using System.ComponentModel.DataAnnotations;
-using Bit.Api.Auth.Models.Request.Accounts;
-using Bit.Core.Enums;
-using Xunit;
-
-namespace Bit.Api.Test.Models.Request.Accounts;
-
-public class KdfRequestModelTests
-{
-    [Theory]
-    [InlineData(KdfType.PBKDF2_SHA256, 1_000_000, null, null)] // Somewhere in the middle
-    [InlineData(KdfType.PBKDF2_SHA256, 600_000, null, null)] // Right on the lower boundary
-    [InlineData(KdfType.PBKDF2_SHA256, 2_000_000, null, null)] // Right on the upper boundary
-    [InlineData(KdfType.Argon2id, 5, 500, 8)] // Somewhere in the middle
-    [InlineData(KdfType.Argon2id, 2, 15, 1)] // Right on the lower boundary
-    [InlineData(KdfType.Argon2id, 10, 1024, 16)] // Right on the upper boundary
-    public void Validate_IsValid(KdfType kdfType, int? kdfIterations, int? kdfMemory, int? kdfParallelism)
-    {
-        var model = new KdfRequestModel
-        {
-            Kdf = kdfType,
-            KdfIterations = kdfIterations,
-            KdfMemory = kdfMemory,
-            KdfParallelism = kdfParallelism,
-            Key = "TEST",
-            NewMasterPasswordHash = "TEST",
-        };
-
-        var results = Validate(model);
-        Assert.Empty(results);
-    }
-
-    [Theory]
-    [InlineData(null, 350_000, null, null, 1)] // Although KdfType is nullable, it's marked as [Required]
-    [InlineData(KdfType.PBKDF2_SHA256, 500_000, null, null, 1)] // Too few iterations
-    [InlineData(KdfType.PBKDF2_SHA256, 2_000_001, null, null, 1)] // Too many iterations
-    [InlineData(KdfType.Argon2id, 0, 30, 8, 1)] // Iterations must be greater than 0
-    [InlineData(KdfType.Argon2id, 10, 14, 8, 1)] // Too little memory
-    [InlineData(KdfType.Argon2id, 10, 14, 0, 1)] // Too small of a parallelism value
-    [InlineData(KdfType.Argon2id, 10, 1025, 8, 1)] // Too much memory
-    [InlineData(KdfType.Argon2id, 10, 512, 17, 1)] // Too big of a parallelism value
-    public void Validate_Fails(KdfType? kdfType, int? kdfIterations, int? kdfMemory, int? kdfParallelism, int expectedFailures)
-    {
-        var model = new KdfRequestModel
-        {
-            Kdf = kdfType,
-            KdfIterations = kdfIterations,
-            KdfMemory = kdfMemory,
-            KdfParallelism = kdfParallelism,
-            Key = "TEST",
-            NewMasterPasswordHash = "TEST",
-        };
-
-        var results = Validate(model);
-        Assert.NotEmpty(results);
-        Assert.Equal(expectedFailures, results.Count);
-    }
-
-    public static List<ValidationResult> Validate(KdfRequestModel model)
-    {
-        var results = new List<ValidationResult>();
-        Validator.TryValidateObject(model, new ValidationContext(model), results);
-        return results;
-    }
-}
--- a/test/Api.Test/Utilities/KdfSettingsValidatorTests.cs
+++ b/test/Api.Test/Utilities/KdfSettingsValidatorTests.cs
@@ -0,0 +1,36 @@
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+using Xunit;
+
+namespace Bit.Api.Test.Utilities;
+
+public class KdfSettingsValidatorTests
+{
+    [Theory]
+    [InlineData(KdfType.PBKDF2_SHA256, 1_000_000, null, null)] // Somewhere in the middle
+    [InlineData(KdfType.PBKDF2_SHA256, 600_000, null, null)] // Right on the lower boundary
+    [InlineData(KdfType.PBKDF2_SHA256, 2_000_000, null, null)] // Right on the upper boundary
+    [InlineData(KdfType.Argon2id, 5, 500, 8)] // Somewhere in the middle
+    [InlineData(KdfType.Argon2id, 2, 15, 1)] // Right on the lower boundary
+    [InlineData(KdfType.Argon2id, 10, 1024, 16)] // Right on the upper boundary
+    public void Validate_IsValid(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism)
+    {
+        var results = KdfSettingsValidator.Validate(kdfType, kdfIterations, kdfMemory, kdfParallelism);
+        Assert.Empty(results);
+    }
+
+    [Theory]
+    [InlineData(KdfType.PBKDF2_SHA256, 500_000, null, null, 1)] // Too few iterations
+    [InlineData(KdfType.PBKDF2_SHA256, 2_000_001, null, null, 1)] // Too many iterations
+    [InlineData(KdfType.Argon2id, 0, 30, 8, 1)] // Iterations must be greater than 0
+    [InlineData(KdfType.Argon2id, 10, 14, 8, 1)] // Too little memory
+    [InlineData(KdfType.Argon2id, 10, 14, 0, 1)] // Too small of a parallelism value
+    [InlineData(KdfType.Argon2id, 10, 1025, 8, 1)] // Too much memory
+    [InlineData(KdfType.Argon2id, 10, 512, 17, 1)] // Too big of a parallelism value
+    public void Validate_Fails(KdfType kdfType, int kdfIterations, int? kdfMemory, int? kdfParallelism, int expectedFailures)
+    {
+        var results = KdfSettingsValidator.Validate(kdfType, kdfIterations, kdfMemory, kdfParallelism);
+        Assert.NotEmpty(results);
+        Assert.Equal(expectedFailures, results.Count());
+    }
+}
--- a/test/Core.Test/KeyManagement/Kdf/ChangeKdfCommandTests.cs
+++ b/test/Core.Test/KeyManagement/Kdf/ChangeKdfCommandTests.cs
@@ -0,0 +1,322 @@
+#nullable enable
+
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Kdf.Implementations;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Identity;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.KeyManagement.Kdf;
+
+[SutProviderCustomize]
+public class ChangeKdfCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_ChangesKdfAsync(SutProvider<ChangeKdfCommand> sutProvider, User user)
+    {
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(true));
+        sutProvider.GetDependency<IUserService>().UpdatePasswordHash(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(IdentityResult.Success));
+
+        var kdf = new KdfSettings
+        {
+            KdfType = Enums.KdfType.Argon2id,
+            Iterations = 4,
+            Memory = 512,
+            Parallelism = 4
+        };
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = kdf,
+            MasterPasswordAuthenticationHash = "newMasterPassword",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = kdf,
+            MasterKeyWrappedUserKey = "masterKeyWrappedUserKey",
+            Salt = user.GetMasterPasswordSalt()
+        };
+
+        await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData);
+
+        await sutProvider.GetDependency<IUserRepository>().Received(1).ReplaceAsync(Arg.Is<User>(u =>
+            u.Id == user.Id
+            && u.Kdf == Enums.KdfType.Argon2id
+            && u.KdfIterations == 4
+            && u.KdfMemory == 512
+            && u.KdfParallelism == 4
+        ));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_UserIsNull_ThrowsArgumentNullException(SutProvider<ChangeKdfCommand> sutProvider)
+    {
+        var kdf = new KdfSettings
+        {
+            KdfType = Enums.KdfType.Argon2id,
+            Iterations = 4,
+            Memory = 512,
+            Parallelism = 4
+        };
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = kdf,
+            MasterPasswordAuthenticationHash = "newMasterPassword",
+            Salt = "salt"
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = kdf,
+            MasterKeyWrappedUserKey = "masterKeyWrappedUserKey",
+            Salt = "salt"
+        };
+
+        await Assert.ThrowsAsync<ArgumentNullException>(async () =>
+            await sutProvider.Sut.ChangeKdfAsync(null!, "masterPassword", authenticationData, unlockData));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_WrongPassword_ReturnsPasswordMismatch(SutProvider<ChangeKdfCommand> sutProvider, User user)
+    {
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(false));
+
+        var kdf = new KdfSettings
+        {
+            KdfType = Enums.KdfType.Argon2id,
+            Iterations = 4,
+            Memory = 512,
+            Parallelism = 4
+        };
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = kdf,
+            MasterPasswordAuthenticationHash = "newMasterPassword",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = kdf,
+            MasterKeyWrappedUserKey = "masterKeyWrappedUserKey",
+            Salt = user.GetMasterPasswordSalt()
+        };
+
+        var result = await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData);
+        Assert.False(result.Succeeded);
+        Assert.Contains(result.Errors, e => e.Code == "PasswordMismatch");
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_WithAuthenticationAndUnlockData_UpdatesUserCorrectly(SutProvider<ChangeKdfCommand> sutProvider, User user)
+    {
+        var constantKdf = new KdfSettings
+        {
+            KdfType = Enums.KdfType.Argon2id,
+            Iterations = 5,
+            Memory = 1024,
+            Parallelism = 4
+        };
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = constantKdf,
+            MasterPasswordAuthenticationHash = "new-auth-hash",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = constantKdf,
+            MasterKeyWrappedUserKey = "new-wrapped-key",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(true));
+        sutProvider.GetDependency<IUserService>().UpdatePasswordHash(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(IdentityResult.Success));
+
+        await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData);
+
+        await sutProvider.GetDependency<IUserRepository>().Received(1).ReplaceAsync(Arg.Is<User>(u =>
+            u.Id == user.Id
+            && u.Kdf == constantKdf.KdfType
+            && u.KdfIterations == constantKdf.Iterations
+            && u.KdfMemory == constantKdf.Memory
+            && u.KdfParallelism == constantKdf.Parallelism
+            && u.Key == "new-wrapped-key"
+        ));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_KdfNotEqualBetweenAuthAndUnlock_ThrowsBadRequestException(SutProvider<ChangeKdfCommand> sutProvider, User user)
+    {
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(true));
+
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = new KdfSettings { KdfType = Enums.KdfType.Argon2id, Iterations = 4, Memory = 512, Parallelism = 4 },
+            MasterPasswordAuthenticationHash = "new-auth-hash",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = new KdfSettings { KdfType = Enums.KdfType.PBKDF2_SHA256, Iterations = 100000 },
+            MasterKeyWrappedUserKey = "new-wrapped-key",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_AuthDataSaltMismatch_Throws(SutProvider<ChangeKdfCommand> sutProvider, User user, KdfSettings kdf)
+    {
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(true));
+
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = kdf,
+            MasterPasswordAuthenticationHash = "new-auth-hash",
+            Salt = "different-salt"
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = kdf,
+            MasterKeyWrappedUserKey = "new-wrapped-key",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        await Assert.ThrowsAsync<ArgumentException>(async () =>
+            await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_UnlockDataSaltMismatch_Throws(SutProvider<ChangeKdfCommand> sutProvider, User user, KdfSettings kdf)
+    {
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(true));
+
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = kdf,
+            MasterPasswordAuthenticationHash = "new-auth-hash",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = kdf,
+            MasterKeyWrappedUserKey = "new-wrapped-key",
+            Salt = "different-salt"
+        };
+        await Assert.ThrowsAsync<ArgumentException>(async () =>
+            await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_UpdatePasswordHashFails_ReturnsFailure(SutProvider<ChangeKdfCommand> sutProvider, User user)
+    {
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(true));
+        var failedResult = IdentityResult.Failed(new IdentityError { Code = "TestFail", Description = "Test fail" });
+        sutProvider.GetDependency<IUserService>().UpdatePasswordHash(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(failedResult));
+
+        var kdf = new KdfSettings
+        {
+            KdfType = Enums.KdfType.Argon2id,
+            Iterations = 4,
+            Memory = 512,
+            Parallelism = 4
+        };
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = kdf,
+            MasterPasswordAuthenticationHash = "newMasterPassword",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = kdf,
+            MasterKeyWrappedUserKey = "masterKeyWrappedUserKey",
+            Salt = user.GetMasterPasswordSalt()
+        };
+
+        var result = await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData);
+
+        Assert.False(result.Succeeded);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_InvalidKdfSettings_ThrowsBadRequestException(SutProvider<ChangeKdfCommand> sutProvider, User user)
+    {
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(true));
+
+        // Create invalid KDF settings (iterations too low for PBKDF2)
+        var invalidKdf = new KdfSettings
+        {
+            KdfType = Enums.KdfType.PBKDF2_SHA256,
+            Iterations = 1000, // This is below the minimum of 600,000
+            Memory = null,
+            Parallelism = null
+        };
+
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = invalidKdf,
+            MasterPasswordAuthenticationHash = "new-auth-hash",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = invalidKdf,
+            MasterKeyWrappedUserKey = "new-wrapped-key",
+            Salt = user.GetMasterPasswordSalt()
+        };
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData));
+
+        Assert.Equal("KDF settings are invalid.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ChangeKdfAsync_InvalidArgon2Settings_ThrowsBadRequestException(SutProvider<ChangeKdfCommand> sutProvider, User user)
+    {
+        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(Arg.Any<User>(), Arg.Any<string>()).Returns(Task.FromResult(true));
+
+        // Create invalid Argon2 KDF settings (memory too high)
+        var invalidKdf = new KdfSettings
+        {
+            KdfType = Enums.KdfType.Argon2id,
+            Iterations = 3, // Valid
+            Memory = 2048, // This is above the maximum of 1024
+            Parallelism = 4 // Valid
+        };
+
+        var authenticationData = new MasterPasswordAuthenticationData
+        {
+            Kdf = invalidKdf,
+            MasterPasswordAuthenticationHash = "new-auth-hash",
+            Salt = user.GetMasterPasswordSalt()
+        };
+        var unlockData = new MasterPasswordUnlockData
+        {
+            Kdf = invalidKdf,
+            MasterKeyWrappedUserKey = "new-wrapped-key",
+            Salt = user.GetMasterPasswordSalt()
+        };
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ChangeKdfAsync(user, "masterPassword", authenticationData, unlockData));
+
+        Assert.Equal("KDF settings are invalid.", exception.Message);
+    }
+
+}