Skip to main content

bitwarden_core/client/
encryption_settings.rs

1#[cfg(any(feature = "internal", feature = "secrets"))]
2use bitwarden_crypto::KeyStore;
3#[cfg(feature = "secrets")]
4use bitwarden_crypto::SymmetricCryptoKey;
5#[cfg(feature = "internal")]
6use bitwarden_crypto::UnsignedSharedKey;
7use bitwarden_error::bitwarden_error;
8use thiserror::Error;
9#[cfg(feature = "internal")]
10use tracing::{info, instrument};
11
12#[cfg(any(feature = "secrets", feature = "internal"))]
13use crate::OrganizationId;
14#[cfg(any(feature = "internal", feature = "secrets"))]
15use crate::key_management::{KeySlotIds, SymmetricKeySlotId};
16use crate::{MissingPrivateKeyError, error::UserIdAlreadySetError};
17
18#[allow(missing_docs)]
19#[bitwarden_error(flat)]
20#[derive(Debug, Error)]
21pub enum EncryptionSettingsError {
22    #[error("Cryptography error, {0}")]
23    Crypto(#[from] bitwarden_crypto::CryptoError),
24
25    #[error("Cryptography Initialization error")]
26    CryptoInitialization,
27
28    #[error(transparent)]
29    MissingPrivateKey(#[from] MissingPrivateKeyError),
30
31    #[error(transparent)]
32    UserIdAlreadySet(#[from] UserIdAlreadySetError),
33
34    #[error("Wrong Pin")]
35    WrongPin,
36
37    /// The user-key could not be set to the state, and the sdk will remain locked
38    #[error("Unable to set user-key to state")]
39    UserKeyStateUpdateFailed,
40
41    #[error("Unable to retrieve user-key from state")]
42    UserKeyStateRetrievalFailed,
43
44    #[error("Invalid upgrade token")]
45    InvalidUpgradeToken,
46
47    /// Retrieval of the key-connector-key from key-connector failed
48    #[error("Key connector retrieval failed")]
49    KeyConnectorRetrievalFailed,
50
51    /// The local user data key could not be initialized.
52    #[error("Unable to initialize local user data key")]
53    LocalUserDataKeyInitFailed,
54
55    /// The local user data key could not be loaded into the key store context.
56    #[error("Unable to load local user data key into key store")]
57    LocalUserDataKeyLoadFailed,
58}
59
60#[allow(missing_docs)]
61pub struct EncryptionSettings {}
62
63impl EncryptionSettings {
64    /// Initialize the encryption settings with only a single decrypted organization key.
65    /// This is used only for logging in Secrets Manager with an access token
66    #[cfg(feature = "secrets")]
67    pub(crate) fn new_single_org_key(
68        organization_id: OrganizationId,
69        key: SymmetricCryptoKey,
70        store: &KeyStore<KeySlotIds>,
71    ) {
72        // FIXME: [PM-18098] When this is part of crypto we won't need to use deprecated methods
73        #[allow(deprecated)]
74        store
75            .context_mut()
76            .set_symmetric_key(SymmetricKeySlotId::Organization(organization_id), key)
77            .expect("Mutable context");
78    }
79
80    #[cfg(feature = "internal")]
81    #[instrument(err, skip_all)]
82    pub(crate) fn set_org_keys(
83        org_enc_keys: Vec<(OrganizationId, UnsignedSharedKey)>,
84        store: &KeyStore<KeySlotIds>,
85    ) -> Result<(), EncryptionSettingsError> {
86        use crate::key_management::PrivateKeySlotId;
87
88        let mut ctx = store.context_mut();
89
90        // FIXME: [PM-11690] - Early abort to handle private key being corrupt
91        if org_enc_keys.is_empty() {
92            info!("No organization keys to set");
93            return Ok(());
94        }
95
96        if !ctx.has_private_key(PrivateKeySlotId::UserPrivateKey) {
97            info!("User private key is missing, cannot set organization keys");
98            return Err(MissingPrivateKeyError.into());
99        }
100
101        // Make sure we only keep the keys given in the arguments and not any of the previous
102        // ones, which might be from organizations that the user is no longer a part of anymore
103        ctx.retain_symmetric_keys(|key_ref| {
104            !matches!(key_ref, SymmetricKeySlotId::Organization(_))
105        });
106
107        info!("Decrypting organization keys");
108        // Decrypt the org keys with the private key
109        for (org_id, org_enc_key) in org_enc_keys {
110            let _span =
111                tracing::span!(tracing::Level::INFO, "decapsulate_org_key", org_id = %org_id)
112                    .entered();
113            match org_enc_key.decapsulate(PrivateKeySlotId::UserPrivateKey, &mut ctx) {
114                Err(e) => {
115                    tracing::error!("Failed to decapsulate organization key: {}", e);
116                    return Err(e.into());
117                }
118                Ok(org_symmetric_key) => {
119                    tracing::info!(
120                        org_id = %org_id,
121                        "Successfully decapsulated organization key for org",
122                    );
123                    ctx.persist_symmetric_key(
124                        org_symmetric_key,
125                        SymmetricKeySlotId::Organization(org_id),
126                    )?;
127                }
128            }
129        }
130
131        Ok(())
132    }
133}