Skip to content

[Innovation-Sprint/PM-19065] Add opaque authentication / unlock #185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 28 commits into
base: main
Choose a base branch
from
+964 โˆ’3
Draft

[Innovation-Sprint/PM-19065] Add opaque authentication / unlock #185

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
582854f
Add opaque
quexten Mar 11, 2025
d6ba83b
Add login
quexten Mar 11, 2025
c17a752
Make tsify optional
quexten Mar 11, 2025
116ab8b
Add errors to opaque
quexten Mar 11, 2025
24fff58
Cargo fmt
quexten Mar 11, 2025
a82287a
Fix build
quexten Mar 11, 2025
29eb7ed
Fix formatting
quexten Mar 11, 2025
bc17bf0
Add encryption
quexten Mar 11, 2025
697f9aa
Add rotateable keyset
quexten Mar 11, 2025
8cfef9b
Update formatting
quexten Mar 11, 2025
c89c0eb
Cargo fmt
quexten Mar 11, 2025
2b1cb0e
Formatting
quexten Mar 11, 2025
435d6bf
Merge branch 'main' into innovation/opaque
quexten Mar 11, 2025
33ddf6a
Fix formatting
quexten Mar 11, 2025
27aadef
Fix clippy warning
quexten Mar 11, 2025
27f94e1
Fix clippy
quexten Mar 11, 2025
8796b4f
Fix clippy warning
quexten Mar 11, 2025
06c759e
Add tests
quexten Mar 11, 2025
cc36109
Add test for login finish
quexten Mar 12, 2025
7da2f7b
More tests, separate decryption of keyset
quexten Mar 12, 2025
f1bd00c
Cleanup
quexten Mar 12, 2025
d9964a9
Format
quexten Mar 12, 2025
b9fa0e9
Fix tests
quexten Mar 12, 2025
83b1218
Rename
quexten Mar 12, 2025
7cdfcae
Fix exported type
quexten Mar 12, 2025
a2e7e4f
Cleanup structure
quexten Mar 13, 2025
7c74150
Merge branch 'main' into innovation/opaque
quexten Mar 21, 2025
6155e1d
Merge branch 'main' into innovation/opaque
quexten Mar 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 65 additions & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

52 changes: 51 additions & 1 deletion crates/bitwarden-core/src/mobile/crypto_client.rs
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: There seems to be little reason to use the client at all here since it's just obfuscating direct calls to types?

This is related to my comment about CipherConfiguration leaking sensitive values.

Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
use bitwarden_crypto::CryptoError;
#[cfg(feature = "internal")]
use bitwarden_crypto::{AsymmetricEncString, EncString};
use bitwarden_crypto::{CryptoError, SymmetricCryptoKey};

use super::crypto::{
derive_key_connector, make_key_pair, verify_asymmetric_keys, DeriveKeyConnectorError,
Expand Down Expand Up @@ -81,6 +81,56 @@ impl CryptoClient<'_> {
) -> Result<VerifyAsymmetricKeysResponse, CryptoError> {
verify_asymmetric_keys(request)
}

pub fn opaque_register_start(
&self,
password: &[u8],
) -> Result<bitwarden_crypto::opaque_ke::RegistrationStartResult, bitwarden_crypto::OpaqueError>
{
bitwarden_crypto::opaque_ke::register_start(&password)
}

pub fn opaque_register_finish(
&self,
registration_start_state: &[u8],
registration_start_response: &[u8],
password: &[u8],
config: &bitwarden_crypto::opaque_ke::CipherConfiguration,
userkey: SymmetricCryptoKey,
) -> Result<bitwarden_crypto::opaque_ke::RegistrationFinishResult, bitwarden_crypto::OpaqueError>
{
bitwarden_crypto::opaque_ke::register_finish(
registration_start_state,
registration_start_response,
password,
config,
userkey,
)
}

pub fn opaque_login_start(
&self,
password: &[u8],
) -> Result<bitwarden_crypto::opaque_ke::LoginStartResult, bitwarden_crypto::OpaqueError> {
bitwarden_crypto::opaque_ke::login_start(password)
}

pub fn opaque_login_finish(
&self,
login_start_state: &[u8],
login_start_response: &[u8],
password: &[u8],
config: &bitwarden_crypto::opaque_ke::CipherConfiguration,
keyset: bitwarden_crypto::rotateable_keyset::RotateableKeyset,
) -> Result<bitwarden_crypto::opaque_ke::LoginFinishResult, bitwarden_crypto::OpaqueError> {
bitwarden_crypto::opaque_ke::login_finish(
login_start_state,
login_start_response,
password,
config,
keyset,
)
}
}

impl<'a> Client {
Expand Down
2 changes: 2 additions & 0 deletions crates/bitwarden-crypto/Cargo.toml
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue: These does not follow https://contributing.bitwarden.com/architecture/sdk/dependencies/#explicit-ranges

Original file line number Diff line number Diff line change
Expand Up @@ -34,12 +34,14 @@ hkdf = ">=0.12.3, <0.13"
hmac = ">=0.12.1, <0.13"
num-bigint = ">=0.4, <0.5"
num-traits = ">=0.2.15, <0.3"
opaque-ke = "3.0.0"
pbkdf2 = { version = ">=0.12.1, <0.13", default-features = false }
rand = ">=0.8.5, <0.9"
rayon = ">=1.8.1, <2.0"
rsa = ">=0.9.2, <0.10"
schemars = { workspace = true }
serde = { workspace = true }
serde_bytes = "0.11.17"
sha1 = ">=0.10.5, <0.11"
sha2 = ">=0.10.6, <0.11"
subtle = ">=2.5.0, <3.0"
Expand Down
12 changes: 12 additions & 0 deletions crates/bitwarden-crypto/src/error.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,10 @@
use std::fmt::Debug;

use bitwarden_error::bitwarden_error;
use serde::{Deserialize, Serialize};
use thiserror::Error;
#[cfg(feature = "wasm")]
use tsify_next::Tsify;
use uuid::Uuid;

use crate::fingerprint::FingerprintError;
Expand Down Expand Up @@ -87,3 +90,12 @@ pub enum RsaError {

/// Alias for `Result<T, CryptoError>`.
pub(crate) type Result<T, E = CryptoError> = std::result::Result<T, E>;

#[derive(Debug, Error, Deserialize, Serialize)]
#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
pub enum OpaqueError {
#[error("Error creating message {0}")]
Message(String),
#[error("Error deserializing message")]
Deserialize,
}
1 change: 1 addition & 0 deletions crates/bitwarden-crypto/src/keys/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,4 @@ pub use kdf::{
default_pbkdf2_iterations, Kdf,
};
mod utils;
pub(crate) use utils::stretch_key;
2 changes: 1 addition & 1 deletion crates/bitwarden-crypto/src/keys/utils.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ use crate::{util::hkdf_expand, Result};
/// Stretch the given key using HKDF.
/// This can be either a kdf-derived key (PIN/Master password) or
/// a random key from key connector
pub(super) fn stretch_key(key: &Pin<Box<GenericArray<u8, U32>>>) -> Result<Aes256CbcHmacKey> {
pub(crate) fn stretch_key(key: &Pin<Box<GenericArray<u8, U32>>>) -> Result<Aes256CbcHmacKey> {
Ok(Aes256CbcHmacKey {
enc_key: hkdf_expand(key, Some("enc"))?,
mac_key: hkdf_expand(key, Some("mac"))?,
Expand Down
4 changes: 3 additions & 1 deletion crates/bitwarden-crypto/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,8 +76,8 @@ mod aes;
mod enc_string;
pub use enc_string::{AsymmetricEncString, EncString};
mod error;
pub use error::CryptoError;
pub(crate) use error::Result;
pub use error::{CryptoError, OpaqueError};
mod fingerprint;
pub use fingerprint::fingerprint;
mod keys;
Expand All @@ -93,6 +93,8 @@ pub use store::{KeyStore, KeyStoreContext};
mod traits;
pub use traits::{Decryptable, Encryptable, IdentifyKey, KeyId, KeyIds};
pub use zeroizing_alloc::ZeroAlloc as ZeroizingAllocator;
pub mod opaque_ke;
pub mod rotateable_keyset;

#[cfg(feature = "uniffi")]
uniffi::setup_scaffolding!();
Expand Down
Loading
Loading