bitwarden_core/auth/
tde.rs

1use base64::{engine::general_purpose::STANDARD, Engine};
2use bitwarden_crypto::{
3    AsymmetricPublicCryptoKey, DeviceKey, EncString, Kdf, SpkiPublicKeyBytes, SymmetricCryptoKey,
4    TrustDeviceResponse, UnsignedSharedKey, UserKey,
5};
6
7use crate::{
8    client::{encryption_settings::EncryptionSettingsError, internal::UserKeyState},
9    Client,
10};
11
12/// This function generates a new user key and key pair, initializes the client's crypto with the
13/// generated user key, and encrypts the user key with the organization public key for admin
14/// password reset. If remember_device is true, it also generates a device key.
15pub(super) fn make_register_tde_keys(
16    client: &Client,
17    email: String,
18    org_public_key: String,
19    remember_device: bool,
20) -> Result<RegisterTdeKeyResponse, EncryptionSettingsError> {
21    let public_key = AsymmetricPublicCryptoKey::from_der(&SpkiPublicKeyBytes::from(
22        STANDARD.decode(org_public_key)?,
23    ))?;
24
25    let user_key = UserKey::new(SymmetricCryptoKey::make_aes256_cbc_hmac_key());
26    let key_pair = user_key.make_key_pair()?;
27
28    let admin_reset = UnsignedSharedKey::encapsulate_key_unsigned(&user_key.0, &public_key)?;
29
30    let device_key = if remember_device {
31        Some(DeviceKey::trust_device(&user_key.0)?)
32    } else {
33        None
34    };
35
36    client
37        .internal
38        .set_login_method(crate::client::LoginMethod::User(
39            crate::client::UserLoginMethod::Username {
40                client_id: "".to_owned(),
41                email,
42                kdf: Kdf::default(),
43            },
44        ));
45    client.internal.initialize_user_crypto_decrypted_key(
46        user_key.0,
47        UserKeyState {
48            private_key: key_pair.private.clone(),
49            // TODO (https://bitwarden.atlassian.net/browse/PM-21771) Signing keys are not supported on registration yet. This needs to be changed as
50            // soon as registration is supported.
51            signing_key: None,
52            security_state: None,
53        },
54    )?;
55
56    Ok(RegisterTdeKeyResponse {
57        private_key: key_pair.private,
58        public_key: key_pair.public,
59
60        admin_reset,
61        device_key,
62    })
63}
64
65#[allow(missing_docs)]
66#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
67pub struct RegisterTdeKeyResponse {
68    pub private_key: EncString,
69    pub public_key: String,
70
71    pub admin_reset: UnsignedSharedKey,
72    pub device_key: Option<TrustDeviceResponse>,
73}