bitwarden_core/key_management/
crypto_client.rs

1use bitwarden_crypto::CryptoError;
2#[cfg(feature = "internal")]
3use bitwarden_crypto::{EncString, UnsignedSharedKey};
4#[cfg(feature = "wasm")]
5use wasm_bindgen::prelude::*;
6
7use super::crypto::{
8    derive_key_connector, make_key_pair, make_user_signing_keys_for_enrollment,
9    verify_asymmetric_keys, DeriveKeyConnectorError, DeriveKeyConnectorRequest,
10    EnrollAdminPasswordResetError, MakeKeyPairResponse, MakeUserSigningKeysResponse,
11    VerifyAsymmetricKeysRequest, VerifyAsymmetricKeysResponse,
12};
13#[cfg(feature = "internal")]
14use crate::key_management::crypto::{
15    derive_pin_key, derive_pin_user_key, enroll_admin_password_reset, get_user_encryption_key,
16    initialize_org_crypto, initialize_user_crypto, update_password, DerivePinKeyResponse,
17    InitOrgCryptoRequest, InitUserCryptoRequest, UpdatePasswordResponse,
18};
19use crate::{
20    client::encryption_settings::EncryptionSettingsError,
21    key_management::crypto::CryptoClientError, Client,
22};
23
24/// A client for the crypto operations.
25#[cfg_attr(feature = "wasm", wasm_bindgen)]
26pub struct CryptoClient {
27    pub(crate) client: crate::Client,
28}
29
30#[cfg_attr(feature = "wasm", wasm_bindgen)]
31impl CryptoClient {
32    /// Initialization method for the user crypto. Needs to be called before any other crypto
33    /// operations.
34    pub async fn initialize_user_crypto(
35        &self,
36        req: InitUserCryptoRequest,
37    ) -> Result<(), EncryptionSettingsError> {
38        initialize_user_crypto(&self.client, req).await
39    }
40
41    /// Initialization method for the organization crypto. Needs to be called after
42    /// `initialize_user_crypto` but before any other crypto operations.
43    pub async fn initialize_org_crypto(
44        &self,
45        req: InitOrgCryptoRequest,
46    ) -> Result<(), EncryptionSettingsError> {
47        initialize_org_crypto(&self.client, req).await
48    }
49
50    /// Generates a new key pair and encrypts the private key with the provided user key.
51    /// Crypto initialization not required.
52    pub fn make_key_pair(&self, user_key: String) -> Result<MakeKeyPairResponse, CryptoError> {
53        make_key_pair(user_key)
54    }
55
56    /// Verifies a user's asymmetric keys by decrypting the private key with the provided user
57    /// key. Returns if the private key is decryptable and if it is a valid matching key.
58    /// Crypto initialization not required.
59    pub fn verify_asymmetric_keys(
60        &self,
61        request: VerifyAsymmetricKeysRequest,
62    ) -> Result<VerifyAsymmetricKeysResponse, CryptoError> {
63        verify_asymmetric_keys(request)
64    }
65
66    /// Makes a new signing key pair and signs the public key for the user
67    pub fn make_user_signing_keys_for_enrollment(
68        &self,
69    ) -> Result<MakeUserSigningKeysResponse, CryptoError> {
70        make_user_signing_keys_for_enrollment(&self.client)
71    }
72}
73
74impl CryptoClient {
75    /// Get the uses's decrypted encryption key. Note: It's very important
76    /// to keep this key safe, as it can be used to decrypt all of the user's data
77    pub async fn get_user_encryption_key(&self) -> Result<String, CryptoClientError> {
78        get_user_encryption_key(&self.client).await
79    }
80
81    /// Update the user's password, which will re-encrypt the user's encryption key with the new
82    /// password. This returns the new encrypted user key and the new password hash.
83    pub fn update_password(
84        &self,
85        new_password: String,
86    ) -> Result<UpdatePasswordResponse, CryptoClientError> {
87        update_password(&self.client, new_password)
88    }
89
90    /// Generates a PIN protected user key from the provided PIN. The result can be stored and later
91    /// used to initialize another client instance by using the PIN and the PIN key with
92    /// `initialize_user_crypto`.
93    pub fn derive_pin_key(&self, pin: String) -> Result<DerivePinKeyResponse, CryptoClientError> {
94        derive_pin_key(&self.client, pin)
95    }
96
97    /// Derives the pin protected user key from encrypted pin. Used when pin requires master
98    /// password on first unlock.
99    pub fn derive_pin_user_key(
100        &self,
101        encrypted_pin: EncString,
102    ) -> Result<EncString, CryptoClientError> {
103        derive_pin_user_key(&self.client, encrypted_pin)
104    }
105
106    /// Prepares the account for being enrolled in the admin password reset feature. This encrypts
107    /// the users [UserKey][bitwarden_crypto::UserKey] with the organization's public key.
108    pub fn enroll_admin_password_reset(
109        &self,
110        public_key: String,
111    ) -> Result<UnsignedSharedKey, EnrollAdminPasswordResetError> {
112        enroll_admin_password_reset(&self.client, public_key)
113    }
114
115    /// Derive the master key for migrating to the key connector
116    pub fn derive_key_connector(
117        &self,
118        request: DeriveKeyConnectorRequest,
119    ) -> Result<String, DeriveKeyConnectorError> {
120        derive_key_connector(request)
121    }
122}
123
124impl Client {
125    /// Access to crypto functionality.
126    pub fn crypto(&self) -> CryptoClient {
127        CryptoClient {
128            client: self.clone(),
129        }
130    }
131}