bitwarden_core/client/
encryption_settings.rs

1#[cfg(any(feature = "internal", feature = "secrets"))]
2use bitwarden_crypto::KeyStore;
3#[cfg(feature = "secrets")]
4use bitwarden_crypto::SymmetricCryptoKey;
5#[cfg(feature = "internal")]
6use bitwarden_crypto::UnsignedSharedKey;
7use bitwarden_error::bitwarden_error;
8use thiserror::Error;
9#[cfg(feature = "internal")]
10use tracing::{info, instrument};
11
12#[cfg(any(feature = "secrets", feature = "internal"))]
13use crate::OrganizationId;
14#[cfg(any(feature = "internal", feature = "secrets"))]
15use crate::key_management::{KeySlotIds, SymmetricKeySlotId};
16use crate::{MissingPrivateKeyError, error::UserIdAlreadySetError};
17
18#[allow(missing_docs)]
19#[bitwarden_error(flat)]
20#[derive(Debug, Error)]
21pub enum EncryptionSettingsError {
22    #[error("Cryptography error, {0}")]
23    Crypto(#[from] bitwarden_crypto::CryptoError),
24
25    #[error("Cryptography Initialization error")]
26    CryptoInitialization,
27
28    #[error(transparent)]
29    MissingPrivateKey(#[from] MissingPrivateKeyError),
30
31    #[error(transparent)]
32    UserIdAlreadySet(#[from] UserIdAlreadySetError),
33
34    #[error("Wrong Pin")]
35    WrongPin,
36
37    /// The user-key could not be set to the state, and the sdk will remain locked
38    #[error("Unable to set user-key to state")]
39    UserKeyStateUpdateFailed,
40
41    #[error("Unable to retrieve user-key from state")]
42    UserKeyStateRetrievalFailed,
43
44    #[error("Invalid upgrade token")]
45    InvalidUpgradeToken,
46
47    /// Retrieval of the key-connector-key from key-connector failed
48    #[error("Key connector retrieval failed")]
49    KeyConnectorRetrievalFailed,
50
51    /// The local user data key could not be initialized.
52    #[error("Unable to initialize local user data key")]
53    LocalUserDataKeyInitFailed,
54
55    /// The local user data key could not be loaded into the key store context.
56    #[error("Unable to load local user data key into key store")]
57    LocalUserDataKeyLoadFailed,
58
59    /// The migration (re-wrap) of the local user data key failed after a user key upgrade
60    #[error("Unable to migrate local user data key after user key upgrade")]
61    LocalUserDataMigrationFailed,
62}
63
64#[allow(missing_docs)]
65pub struct EncryptionSettings {}
66
67impl EncryptionSettings {
68    /// Initialize the encryption settings with only a single decrypted organization key.
69    /// This is used only for logging in Secrets Manager with an access token
70    #[cfg(feature = "secrets")]
71    pub(crate) fn new_single_org_key(
72        organization_id: OrganizationId,
73        key: SymmetricCryptoKey,
74        store: &KeyStore<KeySlotIds>,
75    ) {
76        // FIXME: [PM-18098] When this is part of crypto we won't need to use deprecated methods
77        #[allow(deprecated)]
78        store
79            .context_mut()
80            .set_symmetric_key(SymmetricKeySlotId::Organization(organization_id), key)
81            .expect("Mutable context");
82    }
83
84    #[cfg(feature = "internal")]
85    #[instrument(err, skip_all)]
86    pub(crate) fn set_org_keys(
87        org_enc_keys: Vec<(OrganizationId, UnsignedSharedKey)>,
88        store: &KeyStore<KeySlotIds>,
89    ) -> Result<(), EncryptionSettingsError> {
90        use crate::key_management::PrivateKeySlotId;
91
92        let mut ctx = store.context_mut();
93
94        // FIXME: [PM-11690] - Early abort to handle private key being corrupt
95        if org_enc_keys.is_empty() {
96            info!("No organization keys to set");
97            return Ok(());
98        }
99
100        if !ctx.has_private_key(PrivateKeySlotId::UserPrivateKey) {
101            info!("User private key is missing, cannot set organization keys");
102            return Err(MissingPrivateKeyError.into());
103        }
104
105        // Make sure we only keep the keys given in the arguments and not any of the previous
106        // ones, which might be from organizations that the user is no longer a part of anymore
107        ctx.retain_symmetric_keys(|key_ref| {
108            !matches!(key_ref, SymmetricKeySlotId::Organization(_))
109        });
110
111        info!("Decrypting organization keys");
112        // Decrypt the org keys with the private key
113        for (org_id, org_enc_key) in org_enc_keys {
114            let _span =
115                tracing::span!(tracing::Level::INFO, "decapsulate_org_key", org_id = %org_id)
116                    .entered();
117            match org_enc_key.decapsulate(PrivateKeySlotId::UserPrivateKey, &mut ctx) {
118                Err(e) => {
119                    tracing::error!("Failed to decapsulate organization key: {}", e);
120                    return Err(e.into());
121                }
122                Ok(org_symmetric_key) => {
123                    tracing::info!(
124                        org_id = %org_id,
125                        "Successfully decapsulated organization key for org",
126                    );
127                    ctx.persist_symmetric_key(
128                        org_symmetric_key,
129                        SymmetricKeySlotId::Organization(org_id),
130                    )?;
131                }
132            }
133        }
134
135        Ok(())
136    }
137}
bitwarden_core/client/encryption_settings.rs

bitwarden_core/client/
encryption_settings.rs
