Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[PM-5691] Extract crypto to separate crate #402

Merged
merged 40 commits into from
Jan 15, 2024
Merged
Show file tree
Hide file tree
Changes from 33 commits
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
3c55a87
Experiment with using a separate crate for crypto
Hinton Dec 5, 2023
b454601
Move more code to bitwarden-crypto
Hinton Dec 7, 2023
f4e4827
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 1, 2024
7e0b392
Move remaining files, improve docs
Hinton Jan 4, 2024
b96f219
Merge branch 'main' into ps/crypto-crate
Hinton Jan 4, 2024
0af379f
Fix build error
Hinton Jan 4, 2024
3c4e603
Fix naming
Hinton Jan 4, 2024
9d7126b
Fix clippy
Hinton Jan 4, 2024
05a761d
Improve comments
Hinton Jan 8, 2024
0e96011
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 8, 2024
9e446cf
Fix ambigous
Hinton Jan 8, 2024
c1e7f6f
Fix android
Hinton Jan 8, 2024
1c571f4
Use mobile feature for crypto
Hinton Jan 8, 2024
c26c888
Move uniffi AsymmEncString to bitwarden crate
Hinton Jan 8, 2024
30c4489
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 8, 2024
7e3f8a2
Fix ios
Hinton Jan 8, 2024
075f175
Fix test
Hinton Jan 8, 2024
63e922e
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 9, 2024
2e8fba1
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 9, 2024
254c0db
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 9, 2024
490abc6
Fix clippy
Hinton Jan 9, 2024
bff92d5
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 11, 2024
e5584fd
fmt
Hinton Jan 11, 2024
b0c1a7b
Don't re-export HashPurpose
Hinton Jan 11, 2024
6188a5e
Forgot to update a place
Hinton Jan 11, 2024
16cbe12
Fix uniffi doc
Hinton Jan 11, 2024
d319867
Remove unused dependencies
Hinton Jan 11, 2024
0ae213a
Remove bitwarden::Kdf
Hinton Jan 11, 2024
4d686dd
Minor import tweaks
Hinton Jan 11, 2024
4bf7bb2
Remove unnecessary into
Hinton Jan 11, 2024
d9481b3
Remove InvalidLen
Hinton Jan 11, 2024
5cc63b0
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 11, 2024
6116292
Resolve linting errors
Hinton Jan 11, 2024
de160d9
Merge branch 'main' of github.com:bitwarden/sdk into ps/crypto-crate
Hinton Jan 12, 2024
dd70d0a
fmt and clippy
Hinton Jan 12, 2024
6bf18e1
Fix doc
Hinton Jan 15, 2024
f9d83e0
Remove test feature in crypto
Hinton Jan 15, 2024
f9dca85
Fix tests
Hinton Jan 15, 2024
fb300ba
Remove crypto/mod.rs, remove rsa from bitwarden crate
Hinton Jan 15, 2024
cf2a3b6
Update bump and publish workflows
Hinton Jan 15, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/build-rust-crates.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ jobs:

package:
- bitwarden
- bitwarden-crypto
- bitwarden-api-api
- bitwarden-api-identity

Expand Down
3 changes: 1 addition & 2 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,7 @@ languages/swift/BitwardenFFI.xcframework
languages/swift/tmp
languages/swift/.build
languages/swift/.swiftpm
languages/kotlin/sdk/src/main/java/com/bitwarden/sdk/bitwarden_uniffi.kt
languages/kotlin/sdk/src/main/java/com/bitwarden/core/bitwarden.kt
languages/kotlin/sdk/src/main/java/com/bitwarden/**/*.kt

# Schemas
crates/bitwarden-napi/src-ts/bitwarden_client/schemas.ts
Expand Down
38 changes: 29 additions & 9 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

45 changes: 45 additions & 0 deletions crates/bitwarden-crypto/Cargo.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
[package]
name = "bitwarden-crypto"
version = "0.1.0"
authors = ["Bitwarden Inc"]
license-file = "LICENSE"
repository = "https://github.com/bitwarden/sdk"
homepage = "https://bitwarden.com"
description = """
Bitwarden Cryptographic primitives
"""
keywords = ["bitwarden"]
edition = "2021"
rust-version = "1.57"

[features]
default = []

mobile = ["uniffi"]

[dependencies]
aes = ">=0.8.2, <0.9"
argon2 = { version = ">=0.5.0, <0.6", features = [
"alloc",
], default-features = false }
base64 = ">=0.21.2, <0.22"
cbc = { version = ">=0.1.2, <0.2", features = ["alloc"] }
hkdf = ">=0.12.3, <0.13"
hmac = ">=0.12.1, <0.13"
num-bigint = ">=0.4, <0.5"
num-traits = ">=0.2.15, <0.3"
pbkdf2 = { version = ">=0.12.1, <0.13", default-features = false }
rand = ">=0.8.5, <0.9"
rsa = ">=0.9.2, <0.10"
schemars = { version = ">=0.8, <0.9", features = ["uuid1"] }
serde = { version = ">=1.0, <2.0", features = ["derive"] }
sha1 = ">=0.10.5, <0.11"
sha2 = ">=0.10.6, <0.11"
subtle = ">=2.5.0, <3.0"
thiserror = ">=1.0.40, <2.0"
uniffi = { version = "=0.25.2", optional = true }
uuid = { version = ">=1.3.3, <2.0", features = ["serde"] }

[dev-dependencies]
rand_chacha = "0.3.1"
serde_json = ">=1.0.96, <2.0"
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,8 @@
//!
//! Contains low level AES operations used by the rest of the library.
//!
//! **Warning**: Consider carefully if you have to use these functions directly, as generally we
//! expose higher level functions that are easier to use and more secure.
//!
//! In most cases you should use the [EncString] with [KeyEncryptable][super::KeyEncryptable] &
//! [KeyDecryptable][super::KeyDecryptable] instead.
//! In most cases you should use the [EncString][crate::EncString] with
//! [KeyEncryptable][crate::KeyEncryptable] & [KeyDecryptable][crate::KeyDecryptable] instead.

use aes::cipher::{
block_padding::Pkcs7, generic_array::GenericArray, typenum::U32, BlockDecryptMut,
Expand All @@ -16,14 +13,18 @@
use subtle::ConstantTimeEq;

use crate::{
crypto::{PbkdfSha256Hmac, PBKDF_SHA256_HMAC_OUT_SIZE},
error::{CryptoError, Result},
util::{PbkdfSha256Hmac, PBKDF_SHA256_HMAC_OUT_SIZE},
};

/// Decrypt using AES-256 in CBC mode.
///
/// Behaves similar to [decrypt_aes256_hmac], but does not validate the MAC.
pub fn decrypt_aes256(iv: &[u8; 16], data: Vec<u8>, key: GenericArray<u8, U32>) -> Result<Vec<u8>> {
pub(crate) fn decrypt_aes256(
iv: &[u8; 16],
data: Vec<u8>,
key: GenericArray<u8, U32>,
) -> Result<Vec<u8>> {
// Decrypt data
let iv = GenericArray::from_slice(iv);
let mut data = data;
Expand All @@ -41,7 +42,7 @@
/// Decrypt using AES-256 in CBC mode with MAC.
///
/// Behaves similar to [decrypt_aes256], but also validates the MAC.
pub fn decrypt_aes256_hmac(
pub(crate) fn decrypt_aes256_hmac(
iv: &[u8; 16],
mac: &[u8; 32],
data: Vec<u8>,
Expand All @@ -50,7 +51,7 @@
) -> Result<Vec<u8>> {
let res = generate_mac(&mac_key, iv, &data)?;
if res.ct_ne(mac).into() {
return Err(CryptoError::InvalidMac.into());
return Err(CryptoError::InvalidMac);

Check warning on line 54 in crates/bitwarden-crypto/src/aes.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/aes.rs#L54

Added line #L54 was not covered by tests
}
decrypt_aes256(iv, data, key)
}
Expand All @@ -63,7 +64,7 @@
///
/// A AesCbc256_B64 EncString
#[allow(unused)]
pub fn encrypt_aes256(data_dec: &[u8], key: GenericArray<u8, U32>) -> ([u8; 16], Vec<u8>) {
pub(crate) fn encrypt_aes256(data_dec: &[u8], key: GenericArray<u8, U32>) -> ([u8; 16], Vec<u8>) {
let rng = rand::thread_rng();
let (iv, data) = encrypt_aes256_internal(rng, data_dec, key);

Expand All @@ -77,7 +78,7 @@
/// ## Returns
///
/// A AesCbc256_HmacSha256_B64 EncString
pub fn encrypt_aes256_hmac(
pub(crate) fn encrypt_aes256_hmac(
data_dec: &[u8],
mac_key: GenericArray<u8, U32>,
key: GenericArray<u8, U32>,
Expand Down
Original file line number Diff line number Diff line change
@@ -1,16 +1,11 @@
use std::{fmt::Display, str::FromStr};

use base64::{engine::general_purpose::STANDARD, Engine};
#[cfg(feature = "internal")]
use rsa::{Oaep, RsaPrivateKey};
use serde::Deserialize;

use crate::error::{EncStringParseError, Error, Result};

#[cfg(feature = "internal")]
use crate::error::CryptoError;

use super::{from_b64_vec, split_enc_string};
use crate::error::{CryptoError, EncStringParseError, Result};

/// # Encrypted string primitive
///
Expand Down Expand Up @@ -65,7 +60,7 @@ impl std::fmt::Debug for AsymmEncString {

/// Deserializes an [AsymmEncString] from a string.
impl FromStr for AsymmEncString {
type Err = Error;
type Err = CryptoError;

fn from_str(s: &str) -> Result<Self, Self::Err> {
let (enc_type, parts) = split_enc_string(s);
Expand Down Expand Up @@ -103,9 +98,8 @@ impl FromStr for AsymmEncString {
#[allow(unused)]
impl AsymmEncString {
/// TODO: Convert this to a trait method
#[cfg(feature = "internal")]
pub(crate) fn decrypt(&self, key: &RsaPrivateKey) -> Result<Vec<u8>> {
Ok(match self {
pub fn decrypt(&self, key: &RsaPrivateKey) -> Result<Vec<u8>> {
match self {
Self::Rsa2048_OaepSha256_B64 { data } => key.decrypt(Oaep::new::<sha2::Sha256>(), data),
Self::Rsa2048_OaepSha1_B64 { data } => key.decrypt(Oaep::new::<sha1::Sha1>(), data),
#[allow(deprecated)]
Expand All @@ -117,7 +111,7 @@ impl AsymmEncString {
key.decrypt(Oaep::new::<sha1::Sha1>(), data)
}
}
.map_err(|_| CryptoError::KeyDecrypt)?)
.map_err(|_| CryptoError::KeyDecrypt)
}
}

Expand Down Expand Up @@ -188,7 +182,6 @@ impl schemars::JsonSchema for AsymmEncString {
mod tests {
use super::AsymmEncString;

#[cfg(feature = "internal")]
#[test]
fn test_enc_string_rsa2048_oaep_sha1_hmac_sha256_b64() {
use rsa::{pkcs8::DecodePrivateKey, RsaPrivateKey};
Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
/// Encrypted string types
mod asymmetric;
mod symmetric;

Expand All @@ -9,7 +10,6 @@ pub use symmetric::EncString;

use crate::error::{EncStringParseError, Result};

#[cfg(feature = "mobile")]
fn check_length(buf: &[u8], expected: usize) -> Result<()> {
if buf.len() < expected {
return Err(EncStringParseError::InvalidLength {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,10 @@
use base64::{engine::general_purpose::STANDARD, Engine};
use serde::Deserialize;

#[cfg(feature = "mobile")]
use super::check_length;
use super::{from_b64, from_b64_vec, split_enc_string};
use super::{check_length, from_b64, from_b64_vec, split_enc_string};
use crate::{
crypto::{decrypt_aes256_hmac, KeyDecryptable, KeyEncryptable, LocateKey, SymmetricCryptoKey},
error::{CryptoError, EncStringParseError, Error, Result},
error::{CryptoError, EncStringParseError, Result},
KeyDecryptable, KeyEncryptable, LocateKey, SymmetricCryptoKey,
};

/// # Encrypted string primitive
Expand Down Expand Up @@ -73,7 +71,7 @@

/// Deserializes an [EncString] from a string.
impl FromStr for EncString {
type Err = Error;
type Err = CryptoError;

fn from_str(s: &str) -> Result<Self, Self::Err> {
let (enc_type, parts) = split_enc_string(s);
Expand Down Expand Up @@ -107,13 +105,11 @@

impl EncString {
/// Synthetic sugar for mapping `Option<String>` to `Result<Option<EncString>>`
#[cfg(feature = "internal")]
pub(crate) fn try_from_optional(s: Option<String>) -> Result<Option<EncString>, Error> {
pub fn try_from_optional(s: Option<String>) -> Result<Option<EncString>, CryptoError> {

Check warning on line 108 in crates/bitwarden-crypto/src/enc_string/symmetric.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/enc_string/symmetric.rs#L108

Added line #L108 was not covered by tests
s.map(|s| s.parse()).transpose()
}

#[cfg(feature = "mobile")]
pub(crate) fn from_buffer(buf: &[u8]) -> Result<Self> {
pub fn from_buffer(buf: &[u8]) -> Result<Self> {
if buf.is_empty() {
return Err(EncStringParseError::NoType.into());
}
Expand Down Expand Up @@ -147,8 +143,7 @@
}
}

#[cfg(feature = "mobile")]
pub(crate) fn to_buffer(&self) -> Result<Vec<u8>> {
pub fn to_buffer(&self) -> Result<Vec<u8>> {
let mut buf;

match self {
Expand Down Expand Up @@ -207,12 +202,12 @@
}

impl EncString {
pub(crate) fn encrypt_aes256_hmac(
pub fn encrypt_aes256_hmac(
data_dec: &[u8],
mac_key: GenericArray<u8, U32>,
key: GenericArray<u8, U32>,
) -> Result<EncString> {
let (iv, mac, data) = crate::crypto::encrypt_aes256_hmac(data_dec, mac_key, key)?;
let (iv, mac, data) = crate::aes::encrypt_aes256_hmac(data_dec, mac_key, key)?;
Ok(EncString::AesCbc256_HmacSha256_B64 { iv, mac, data })
}

Expand All @@ -238,10 +233,10 @@
match self {
EncString::AesCbc256_HmacSha256_B64 { iv, mac, data } => {
let mac_key = key.mac_key.ok_or(CryptoError::InvalidMac)?;
let dec = decrypt_aes256_hmac(iv, mac, data.clone(), mac_key, key.key)?;
let dec = crate::aes::decrypt_aes256_hmac(iv, mac, data.clone(), mac_key, key.key)?;
Ok(dec)
}
_ => Err(CryptoError::InvalidKey.into()),
_ => Err(CryptoError::InvalidKey),

Check warning on line 239 in crates/bitwarden-crypto/src/enc_string/symmetric.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/enc_string/symmetric.rs#L239

Added line #L239 was not covered by tests
}
}
}
Expand All @@ -255,7 +250,7 @@
impl KeyDecryptable<String> for EncString {
fn decrypt_with_key(&self, key: &SymmetricCryptoKey) -> Result<String> {
let dec: Vec<u8> = self.decrypt_with_key(key)?;
String::from_utf8(dec).map_err(|_| CryptoError::InvalidUtf8String.into())
String::from_utf8(dec).map_err(|_| CryptoError::InvalidUtf8String)
}
}

Expand All @@ -274,9 +269,7 @@
#[cfg(test)]
mod tests {
use super::EncString;
use crate::crypto::{
symmetric_crypto_key::derive_symmetric_key, KeyDecryptable, KeyEncryptable,
};
use crate::{derive_symmetric_key, KeyDecryptable, KeyEncryptable};

#[test]
fn test_enc_string_roundtrip() {
Expand Down Expand Up @@ -305,7 +298,6 @@
assert_eq!(serde_json::to_string(&t).unwrap(), serialized);
}

#[cfg(feature = "mobile")]
#[test]
fn test_enc_from_to_buffer() {
let enc_str: &str = "2.pMS6/icTQABtulw52pq2lg==|XXbxKxDTh+mWiN1HjH2N1w==|Q6PkuT+KX/axrgN9ubD5Ajk2YNwxQkgs3WJM0S0wtG8=";
Expand Down
Loading