[PM-20614] Cose Content Type

bitwarden_license/bitwarden-sm/src/projects/create.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::ProjectCreateRequestModel;
 use bitwarden_core::{key_management::SymmetricKeyId, Client};
-use bitwarden_crypto::Encryptable;
+use bitwarden_crypto::PrimitiveEncryptableWithContentType;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;

bitwarden_license/bitwarden-sm/src/projects/update.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::ProjectUpdateRequestModel;
 use bitwarden_core::{key_management::SymmetricKeyId, Client};
-use bitwarden_crypto::Encryptable;
+use bitwarden_crypto::PrimitiveEncryptableWithContentType;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;

bitwarden_license/bitwarden-sm/src/secrets/create.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::SecretCreateRequestModel;
 use bitwarden_core::{key_management::SymmetricKeyId, Client};
-use bitwarden_crypto::Encryptable;
+use bitwarden_crypto::PrimitiveEncryptableWithContentType;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;

bitwarden_license/bitwarden-sm/src/secrets/update.rs

@@ -1,6 +1,6 @@
 use bitwarden_api_api::models::SecretUpdateRequestModel;
 use bitwarden_core::{key_management::SymmetricKeyId, Client};
-use bitwarden_crypto::Encryptable;
+use bitwarden_crypto::PrimitiveEncryptableWithContentType;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;

crates/bitwarden-core/src/key_management/mod.rs

@@ -6,7 +6,10 @@
 //! - [KeyIds] is a helper type that combines both symmetric and asymmetric key identifiers. This is
 //!   usually used in the type bounds of [KeyStore],
 //!   [KeyStoreContext](bitwarden_crypto::KeyStoreContext),
-//!   [Encryptable](bitwarden_crypto::Encryptable) and [Decryptable](bitwarden_crypto::Encryptable).
+//!   [PrimitiveEncryptable](bitwarden_crypto::PrimitiveEncryptable),
+//!   [PrimitiveEncryptableWithContentType](bitwarden_crypto::PrimitiveEncryptableWithContentType),
+//!   [CompositeEncryptable](bitwarden_crypto::CompositeEncryptable), and
+//!   [Decryptable](bitwarden_crypto::Decryptable).
 use bitwarden_crypto::{key_ids, KeyStore, SymmetricCryptoKey};
 
 key_ids! {

crates/bitwarden-core/src/mobile/crypto.rs

@@ -8,8 +8,8 @@ use std::collections::HashMap;
 
 use base64::{engine::general_purpose::STANDARD, Engine};
 use bitwarden_crypto::{
-    AsymmetricCryptoKey, CryptoError, EncString, Kdf, KeyDecryptable, KeyEncryptable, MasterKey,
-    SymmetricCryptoKey, UnsignedSharedKey, UserKey,
+    AsymmetricCryptoKey, ContentFormat, CryptoError, EncString, Kdf, KeyDecryptable,
+    KeyEncryptable, MasterKey, SymmetricCryptoKey, UnsignedSharedKey, UserKey,
 };
 use serde::{Deserialize, Serialize};
 #[cfg(feature = "wasm")]
@@ -334,7 +334,7 @@ pub(super) fn derive_pin_key(
 
     Ok(DerivePinKeyResponse {
         pin_protected_user_key,
-        encrypted_pin: pin.encrypt_with_key(user_key)?,
+        encrypted_pin: pin.encrypt_with_key(user_key, ContentFormat::Utf8)?,
     })
 }
 
@@ -870,7 +870,7 @@ mod tests {
         let invalid_private_key = "bad_key"
             .to_string()
             .into_bytes()
-            .encrypt_with_key(&user_key.0)
+            .encrypt_with_key(&user_key.0, ContentFormat::Utf8)
             .unwrap();
 
         let request = VerifyAsymmetricKeysRequest {

crates/bitwarden-core/src/secrets_manager/state.rs

@@ -5,7 +5,7 @@
 
 use std::{fmt::Debug, path::Path};
 
-use bitwarden_crypto::{EncString, KeyDecryptable, KeyEncryptable};
+use bitwarden_crypto::{ContentFormat, EncString, KeyDecryptable, KeyEncryptable};
 use serde::{Deserialize, Serialize};
 
 use crate::auth::AccessToken;
@@ -73,7 +73,7 @@
 ) -> Result<(), StateFileError> {
     let serialized_state: String = serde_json::to_string(&state)?;
     let encrypted_state: EncString =
-        serialized_state.encrypt_with_key(&access_token.encryption_key)?;
+        serialized_state.encrypt_with_key(&access_token.encryption_key, ContentFormat::Utf8)?;
     let state_string: String = encrypted_state.to_string();
 
     Ok(std::fs::write(state_file, state_string)?)

crates/bitwarden-crypto/README.md

@@ -13,13 +13,13 @@ secure.
 ## Example:
 
 ```rust
-use bitwarden_crypto::{SymmetricCryptoKey, KeyEncryptable, KeyDecryptable, CryptoError};
+use bitwarden_crypto::{SymmetricCryptoKey, KeyEncryptable, KeyDecryptable, CryptoError, ContentFormat};
 
 async fn example() -> Result<(), CryptoError> {
   let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
 
   let data = "Hello, World!".to_owned();
-  let encrypted = data.clone().encrypt_with_key(&key)?;
+  let encrypted = data.clone().encrypt_with_key(&key, ContentFormat::Utf8)?;
   let decrypted: String = encrypted.decrypt_with_key(&key)?;
 
   assert_eq!(data, decrypted);

crates/bitwarden-crypto/src/cose.rs

@@ -3,8 +3,14 @@
 //! unless there is a a clear benefit, such as a clear cryptographic benefit, which MUST
 //! be documented publicly.
 
-use coset::{iana, CborSerializable, Label};
+use coset::{
+    iana::{self, CoapContentFormat},
+    CborSerializable, ContentType, Label,
+};
 use generic_array::GenericArray;
+use serde::{Deserialize, Serialize};
+#[cfg(feature = "wasm")]
+use tsify_next::Tsify;
 use typenum::U32;
 
 use crate::{
@@ -15,13 +21,42 @@
 /// to be able to randomly generate nonces, and to not have to worry about key wearout. Since
 /// the draft was never published as an RFC, we use a private-use value for the algorithm.
 pub(crate) const XCHACHA20_POLY1305: i64 = -70000;
+const XCHACHA20_TEXT_PAD_BLOCK_SIZE: usize = 32;
+const CONTENT_TYPE_PADDED_UTF8: &str = "application/utf8-padded";
+
+/// The content format describes the format of the contained bytes. Message encryption always
+/// happens on the byte level, and this allows determining what format the contained data has. For
+/// instance, an `EncString` in most cases contains UTF-8 encoded text. In some cases it may contain
+/// a Pkcs8 private key, or a COSE key. Specifically, for COSE keys, this allows distinguishing
+/// between the old symmetric key format, represented as `ContentFormat::OctetStream`, and the new
+/// COSE key format, represented as `ContentFormat::CoseKey`.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
+pub enum ContentFormat {
+    /// UTF-8 encoded text
+    Utf8,
+    /// Pkcs8 private key DER
+    Pkcs8,
+    /// COSE serialized CoseKey
+    CoseKey,
+    /// Stream of bytes
+    OctetStream,
+}
 
 /// Encrypts a plaintext message using XChaCha20Poly1305 and returns a COSE Encrypt0 message
 pub(crate) fn encrypt_xchacha20_poly1305(
     plaintext: &[u8],
     key: &crate::XChaCha20Poly1305Key,
+    content_format: ContentFormat,
 ) -> Result<Vec<u8>, CryptoError> {
-    let mut protected_header = coset::HeaderBuilder::new().build();
+    let mut plaintext = plaintext.to_vec();
+
+    let mut protected_header: coset::Header = content_format.into();
+
+    if should_pad_content(&content_format) {
+        // Pad the data to a block size in order to hide plaintext length
+        crate::keys::utils::pad_bytes(&mut plaintext, XCHACHA20_TEXT_PAD_BLOCK_SIZE);
+    }
     // This should be adjusted to use the builder pattern once implemented in coset.
     // The related coset upstream issue is:
     // https://github.com/google/coset/issues/105
@@ -30,7 +65,7 @@
     let mut nonce = [0u8; xchacha20::NONCE_SIZE];
     let cose_encrypt0 = coset::CoseEncrypt0Builder::new()
         .protected(protected_header)
-        .create_ciphertext(plaintext, &[], |data, aad| {
+        .create_ciphertext(&plaintext, &[], |data, aad| {
             let ciphertext =
                 crate::xchacha20::encrypt_xchacha20_poly1305(&(*key.enc_key).into(), data, aad);
             nonce = ciphertext.nonce();
@@ -48,9 +83,10 @@
 pub(crate) fn decrypt_xchacha20_poly1305(
     cose_encrypt0_message: &[u8],
     key: &crate::XChaCha20Poly1305Key,
-) -> Result<Vec<u8>, CryptoError> {
+) -> Result<(Vec<u8>, ContentFormat), CryptoError> {
     let msg = coset::CoseEncrypt0::from_slice(cose_encrypt0_message)
         .map_err(|err| CryptoError::EncString(EncStringParseError::InvalidCoseEncoding(err)))?;
+
     let Some(ref alg) = msg.protected.header.alg else {
         return Err(CryptoError::EncString(
             EncStringParseError::CoseMissingAlgorithm,
@@ -59,6 +95,8 @@
     if *alg != coset::Algorithm::PrivateUse(XCHACHA20_POLY1305) {
         return Err(CryptoError::WrongKeyType);
     }
+    let content_format = ContentFormat::try_from(&msg.protected.header)
+        .map_err(|_| CryptoError::EncString(EncStringParseError::CoseMissingContentType))?;
 
     let decrypted_message = msg.decrypt(&[], |data, aad| {
         let nonce = msg.unprotected.iv.as_slice();
@@ -71,7 +109,14 @@
             aad,
         )
     })?;
-    Ok(decrypted_message)
+
+    if should_pad_content(&content_format) {
+        // Unpad the data to get the original plaintext
+        let data = crate::keys::utils::unpad_bytes(&decrypted_message)?;
+        return Ok((data.to_vec(), content_format));
+    }
+
+    Ok((decrypted_message, content_format))
 }
 
 const SYMMETRIC_KEY: Label = Label::Int(iana::SymmetricKeyParameter::K as i64);
@@ -112,21 +157,106 @@
     }
 }
 
+impl From<ContentFormat> for coset::Header {
+    fn from(format: ContentFormat) -> Self {
+        let header = coset::HeaderBuilder::new();
+        let header = match format {
+            ContentFormat::Utf8 => header.content_type(CONTENT_TYPE_PADDED_UTF8.to_string()),
+            ContentFormat::Pkcs8 => header.content_format(CoapContentFormat::Pkcs8),
+            ContentFormat::CoseKey => header.content_format(CoapContentFormat::CoseKey),
+            ContentFormat::OctetStream => header.content_format(CoapContentFormat::OctetStream),
+        };
+        let mut header = header.build();
+        // This should be adjusted to use the builder pattern once implemented in coset.
+        // The related coset upstream issue is:
+        // https://github.com/google/coset/issues/105
+        header.alg = Some(coset::Algorithm::PrivateUse(XCHACHA20_POLY1305));
+        header
+    }
+}
+
+impl TryFrom<&coset::Header> for ContentFormat {
+    type Error = CryptoError;
+
+    fn try_from(header: &coset::Header) -> Result<Self, Self::Error> {
+        match header.content_type.as_ref() {
+            Some(ContentType::Text(format)) if format == CONTENT_TYPE_PADDED_UTF8 => {
+                Ok(ContentFormat::Utf8)
+            }
+            Some(ContentType::Assigned(CoapContentFormat::Pkcs8)) => Ok(ContentFormat::Pkcs8),
+            Some(ContentType::Assigned(CoapContentFormat::CoseKey)) => Ok(ContentFormat::CoseKey),
+            Some(ContentType::Assigned(CoapContentFormat::OctetStream)) => {
+                Ok(ContentFormat::OctetStream)
+            }
+            _ => Err(CryptoError::EncString(
+                EncStringParseError::CoseMissingContentType,
+            )),
+        }
+    }
+}
+
+fn should_pad_content(format: &ContentFormat) -> bool {
+    matches!(format, ContentFormat::Utf8)
+}
+
 #[cfg(test)]
 mod test {
     use super::*;
 
     #[test]
-    fn test_encrypt_decrypt_roundtrip() {
+    fn test_encrypt_decrypt_roundtrip_octetstream() {
+        let SymmetricCryptoKey::XChaCha20Poly1305Key(ref key) =
+            SymmetricCryptoKey::make_xchacha20_poly1305_key()
+        else {
+            panic!("Failed to create XChaCha20Poly1305Key");
+        };
+
+        let plaintext = b"Hello, world!";
+        let encrypted =
+            encrypt_xchacha20_poly1305(plaintext, key, ContentFormat::OctetStream).unwrap();
+        let decrypted = decrypt_xchacha20_poly1305(&encrypted, key).unwrap();
+        assert_eq!(decrypted, (plaintext.to_vec(), ContentFormat::OctetStream));
+    }
+
+    #[test]
+    fn test_encrypt_decrypt_roundtrip_utf8() {
+        let SymmetricCryptoKey::XChaCha20Poly1305Key(ref key) =
+            SymmetricCryptoKey::make_xchacha20_poly1305_key()
+        else {
+            panic!("Failed to create XChaCha20Poly1305Key");
+        };
+
+        let plaintext = b"Hello, world!";
+        let encrypted = encrypt_xchacha20_poly1305(plaintext, key, ContentFormat::Utf8).unwrap();
+        let decrypted = decrypt_xchacha20_poly1305(&encrypted, key).unwrap();
+        assert_eq!(decrypted, (plaintext.to_vec(), ContentFormat::Utf8));
+    }
+
+    #[test]
+    fn test_encrypt_decrypt_roundtrip_pkcs8() {
+        let SymmetricCryptoKey::XChaCha20Poly1305Key(ref key) =
+            SymmetricCryptoKey::make_xchacha20_poly1305_key()
+        else {
+            panic!("Failed to create XChaCha20Poly1305Key");
+        };
+
+        let plaintext = b"Hello, world!";
+        let encrypted = encrypt_xchacha20_poly1305(plaintext, key, ContentFormat::Pkcs8).unwrap();
+        let decrypted = decrypt_xchacha20_poly1305(&encrypted, key).unwrap();
+        assert_eq!(decrypted, (plaintext.to_vec(), ContentFormat::Pkcs8));
+    }
+
+    #[test]
+    fn test_encrypt_decrypt_roundtrip_cosekey() {
         let SymmetricCryptoKey::XChaCha20Poly1305Key(ref key) =
             SymmetricCryptoKey::make_xchacha20_poly1305_key()
         else {
             panic!("Failed to create XChaCha20Poly1305Key");
         };
 
         let plaintext = b"Hello, world!";
-        let encrypted = encrypt_xchacha20_poly1305(plaintext, key).unwrap();
+        let encrypted = encrypt_xchacha20_poly1305(plaintext, key, ContentFormat::CoseKey).unwrap();
         let decrypted = decrypt_xchacha20_poly1305(&encrypted, key).unwrap();
-        assert_eq!(decrypted, plaintext);
+        assert_eq!(decrypted, (plaintext.to_vec(), ContentFormat::CoseKey));
     }
 }