Skip to content

[PM-24051] Init crypto and update kdf with MasterPasswordUnlock #399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 81 commits into from
Oct 16, 2025
Merged

[PM-24051] Init crypto and update kdf with MasterPasswordUnlock #399

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
81 commits
Select commit Hold shift + click to select a range
44773f7
Adds MasterPasswordUnlock into identity's response user decryption opโ€ฆ
mzieniukbw Aug 4, 2025
0712878
Adds MasterPasswordUnlock KDF change handling in sync
mzieniukbw Aug 4, 2025
8ca20a8
simplification
mzieniukbw Aug 5, 2025
28a8423
clippy fix
mzieniukbw Aug 5, 2025
b089ea0
formatting
mzieniukbw Aug 5, 2025
0d35393
no handling, just response parsing
mzieniukbw Aug 5, 2025
a08179d
test coverage
mzieniukbw Aug 5, 2025
b3647f2
wasm
mzieniukbw Aug 5, 2025
36d3136
wasm unit test coverage
mzieniukbw Aug 5, 2025
7c8664d
wasm unit test coverage
mzieniukbw Aug 5, 2025
9c7d50d
Added UserDecryption data, response model with handling
mzieniukbw Aug 5, 2025
70ad9d3
autogenerated wasm responses, UserDecryption struct, use of TryFrom
mzieniukbw Aug 7, 2025
110f4db
failing unit test
mzieniukbw Aug 7, 2025
ff86adf
lint
mzieniukbw Aug 7, 2025
fa253a3
lint
mzieniukbw Aug 7, 2025
4a95dc5
KdfType enum duplicate
mzieniukbw Aug 7, 2025
cd37e31
revert identity crate wasm, since there it's not used right now
mzieniukbw Aug 8, 2025
3bf880f
docs
mzieniukbw Aug 8, 2025
93a3d0c
formatting
mzieniukbw Aug 8, 2025
f0c4f2a
Merge branch 'main' into km/pm-24051-add-master-password-unlock-decryโ€ฆ
mzieniukbw Aug 13, 2025
3e6a46a
revert user decryption response parsing in wasm
mzieniukbw Aug 13, 2025
7c34725
fixed unit test
mzieniukbw Aug 13, 2025
042678c
revert wasm dependencies
mzieniukbw Aug 13, 2025
9676069
bring back wasm and uniffi bindings to MasterPasswordUnlockData, erroโ€ฆ
mzieniukbw Aug 13, 2025
7973f12
identity separate user decryption options response model
mzieniukbw Aug 15, 2025
5a4f314
review suggestions
mzieniukbw Aug 15, 2025
7e425ca
identity name prefix for UserDecryptionOptions
mzieniukbw Aug 15, 2025
c9aaa8c
IdentityUserDecryptionOptionsResponseModel mapping to UserDecryptionData
mzieniukbw Aug 15, 2025
2591773
clippy
mzieniukbw Aug 15, 2025
3212002
Merge branch 'main' into km/pm-24051-add-master-password-unlock-decryโ€ฆ
mzieniukbw Aug 19, 2025
9b293c7
introduce initialize_user_crypto_master_password_unlock
mzieniukbw Aug 19, 2025
5b3ecf8
build fix
mzieniukbw Aug 19, 2025
77c2d68
missing kdf fields treated as missing field error
mzieniukbw Aug 19, 2025
a487fff
Merge branch 'main' into km/pm-24051-add-master-password-unlock-decryโ€ฆ
mzieniukbw Aug 19, 2025
00811a9
Merge branch 'km/pm-24051-add-master-password-unlock-decryption-optioโ€ฆ
mzieniukbw Aug 19, 2025
da700c0
login method not being overridden by initialize_user_crypto
mzieniukbw Aug 20, 2025
ecfde52
Merge branch 'main' into km/pm-24051-add-master-password-unlock-decryโ€ฆ
mzieniukbw Aug 20, 2025
debf701
Merge branch 'km/pm-24051-add-master-password-unlock-decryption-optioโ€ฆ
mzieniukbw Aug 20, 2025
ac64be7
update kdf on sync
mzieniukbw Aug 20, 2025
92d710d
function order
mzieniukbw Aug 20, 2025
8c3b599
sync unit tests
mzieniukbw Aug 21, 2025
70dee0c
reducing the public scope
mzieniukbw Aug 25, 2025
ad732ce
UserDecryptionOptions rename
mzieniukbw Aug 25, 2025
5e6f1dd
UserDecryptionOptions documentation
mzieniukbw Aug 25, 2025
d11f653
simplify error with MasterPasswordError
mzieniukbw Aug 25, 2025
0e104bb
remove wasm and uniffi
mzieniukbw Aug 25, 2025
a9f46db
Merge branch 'main' into km/pm-24051-add-master-password-unlock-decryโ€ฆ
mzieniukbw Aug 25, 2025
3cef902
api crate private error
mzieniukbw Aug 25, 2025
ae10e35
public crate user decryption options
mzieniukbw Aug 25, 2025
1f32993
Merge branch 'km/pm-24051-add-master-password-unlock-decryption-optioโ€ฆ
mzieniukbw Aug 25, 2025
b5218cd
fix build
mzieniukbw Aug 25, 2025
6861006
change from unused_imports to dead_code
mzieniukbw Aug 27, 2025
b22537f
Merge branch 'km/pm-24051-add-master-password-unlock-decryption-optioโ€ฆ
mzieniukbw Aug 27, 2025
edd0cbf
use UserDecryptionData instead of MasterPasswordUnlockData
mzieniukbw Aug 27, 2025
af667b0
require! stringify without reference
mzieniukbw Aug 27, 2025
7d538ca
update InternalClient using MasterPasswordUnlockData
mzieniukbw Aug 27, 2025
e5f16dc
rename to update_user_master_password_unlock
mzieniukbw Aug 27, 2025
3cf5cc4
user friendly require! error message
mzieniukbw Aug 27, 2025
13ecd8e
increased test coverage
mzieniukbw Aug 29, 2025
1b8ccee
fix clippy
mzieniukbw Aug 29, 2025
6b98aaf
allow dead code on struct
mzieniukbw Sep 1, 2025
4a00571
Merge branch 'main' into km/pm-24051-add-master-password-unlock-decryโ€ฆ
mzieniukbw Sep 1, 2025
308066b
Merge branch 'km/pm-24051-add-master-password-unlock-decryption-optioโ€ฆ
mzieniukbw Sep 1, 2025
260078b
Merge branch 'main' into km/pm-24051-setting-master-password-unlock-iโ€ฆ
mzieniukbw Sep 3, 2025
ef76b78
match for readability, remove redundant `set_login_method`, use `clonโ€ฆ
mzieniukbw Sep 8, 2025
cfa499c
reducing access
mzieniukbw Sep 8, 2025
e65d08d
Merge branch 'main' into km/pm-24051-setting-master-password-unlock-iโ€ฆ
mzieniukbw Sep 8, 2025
ec4d3f9
Merge branch 'main' into km/pm-24051-setting-master-password-unlock-iโ€ฆ
mzieniukbw Sep 12, 2025
85eba26
use referenced simplification
mzieniukbw Sep 15, 2025
3f2ec18
Merge branch 'main' into km/pm-24051-setting-master-password-unlock-iโ€ฆ
mzieniukbw Sep 18, 2025
dc2aa72
remove MasterPasswordUnlock and re-use MasterKey
mzieniukbw Sep 19, 2025
65ec578
revert public member fields of TestAccount, fix tests
mzieniukbw Sep 20, 2025
5d5447a
Merge branch 'main' into km/pm-24051-setting-master-password-unlock-iโ€ฆ
mzieniukbw Sep 22, 2025
3f63f51
auth_request correct kdf and salt source
mzieniukbw Sep 22, 2025
730ea12
Merge branch 'main' into km/pm-24051-setting-master-password-unlock-iโ€ฆ
mzieniukbw Oct 7, 2025
9e2e22d
New MasterPasswordUnlock init user crypto method
mzieniukbw Oct 7, 2025
7327785
remove dangerous_get_symmetric_key usage
mzieniukbw Oct 7, 2025
36cdcf2
remove initialize_user_crypto_master_key from unused code
mzieniukbw Oct 7, 2025
9e28971
move sync to `bw` crate
mzieniukbw Oct 10, 2025
db74a54
missing serialization alias
mzieniukbw Oct 10, 2025
7444ee6
better naming for set state
mzieniukbw Oct 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion crates/bitwarden-core/src/auth/api/response/identity_success_response.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ pub(crate) struct IdentityTokenSuccessResponse {
key_connector_url: Option<String>,

#[serde(rename = "userDecryptionOptions", alias = "UserDecryptionOptions")]
user_decryption_options: Option<UserDecryptionOptionsResponseModel>,
pub(crate) user_decryption_options: Option<UserDecryptionOptionsResponseModel>,

/// Stores unknown api response fields
extra: Option<HashMap<String, Value>>,
Expand Down
1 change: 1 addition & 0 deletions crates/bitwarden-core/src/auth/api/response/user_decryption_options_response.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ pub(crate) struct UserDecryptionOptionsResponseModel {
/// None when user have no master password.
#[serde(
rename = "masterPasswordUnlock",
alias = "MasterPasswordUnlock",
skip_serializing_if = "Option::is_none"
)]
pub(crate) master_password_unlock: Option<MasterPasswordUnlockResponseModel>,
Expand Down
9 changes: 5 additions & 4 deletions crates/bitwarden-core/src/auth/login/access_token.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,11 @@ pub(crate) async fn login_access_token(
r.refresh_token.clone(),
r.expires_in,
);

client
.internal
.initialize_crypto_single_org_key(organization_id, encryption_key);

client
.internal
.set_login_method(LoginMethod::ServiceAccount(
Expand All @@ -94,10 +99,6 @@ pub(crate) async fn login_access_token(
state_file: input.state_file.clone(),
},
));

client
.internal
.initialize_crypto_single_org_key(organization_id, encryption_key);
}

AccessTokenLoginResponse::process_response(response)
Expand Down
68 changes: 34 additions & 34 deletions crates/bitwarden-core/src/auth/login/api_key.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
use bitwarden_crypto::{EncString, MasterKey};
use bitwarden_crypto::EncString;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};

use crate::{
Client,
auth::{
JwtToken,
api::{request::ApiTokenRequest, response::IdentityTokenResponse},
login::{LoginError, PasswordLoginResponse, response::two_factor::TwoFactorProviders},
},
client::{LoginMethod, UserLoginMethod, internal::UserKeyState},
key_management::UserDecryptionData,
require,
};

Expand All @@ -23,44 +23,44 @@ pub(crate) async fn login_api_key(
let response = request_api_identity_tokens(client, input).await?;

if let IdentityTokenResponse::Authenticated(r) = &response {
let access_token_obj: JwtToken = r.access_token.parse()?;

// This should always be Some() when logging in with an api key
let email = access_token_obj
.email
.ok_or(LoginError::JwtTokenMissingEmail)?;

let kdf = client.auth().prelogin(email.clone()).await?;

client.internal.set_tokens(
r.access_token.clone(),
r.refresh_token.clone(),
r.expires_in,
);

let master_key = MasterKey::derive(&input.password, &email, &kdf)?;

client
.internal
.set_login_method(LoginMethod::User(UserLoginMethod::ApiKey {
client_id: input.client_id.to_owned(),
client_secret: input.client_secret.to_owned(),
email,
kdf,
}));

let user_key: EncString = require!(r.key.as_deref()).parse()?;
let private_key: EncString = require!(r.private_key.as_deref()).parse()?;

client.internal.initialize_user_crypto_master_key(
master_key,
user_key,
UserKeyState {
private_key,
signing_key: None,
security_state: None,
},
)?;
let private_key: EncString = require!(&r.private_key).parse()?;

let user_key_state = UserKeyState {
private_key,
signing_key: None,
security_state: None,
};

let master_password_unlock = r
.user_decryption_options
.as_ref()
.map(UserDecryptionData::try_from)
.transpose()?
.and_then(|user_decryption| user_decryption.master_password_unlock);
if let Some(master_password_unlock) = master_password_unlock {
client
.internal
.initialize_user_crypto_master_password_unlock(
input.password.clone(),
master_password_unlock.clone(),
user_key_state,
)?;

client
.internal
.set_login_method(LoginMethod::User(UserLoginMethod::ApiKey {
client_id: input.client_id.clone(),
client_secret: input.client_secret.clone(),
email: master_password_unlock.salt,
kdf: master_password_unlock.kdf,
}));
}
}

Ok(ApiKeyLoginResponse::process_response(response))
Expand Down
32 changes: 20 additions & 12 deletions crates/bitwarden-core/src/auth/login/auth_request.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,10 @@ use crate::{
api::{request::AuthRequestTokenRequest, response::IdentityTokenResponse},
auth_request::new_auth_request,
},
client::{LoginMethod, UserLoginMethod},
key_management::crypto::{AuthRequestMethod, InitUserCryptoMethod, InitUserCryptoRequest},
key_management::{
UserDecryptionData,
crypto::{AuthRequestMethod, InitUserCryptoMethod, InitUserCryptoRequest},
},
require,
};

Expand Down Expand Up @@ -88,20 +90,11 @@ pub(crate) async fn complete_auth_request(
.await?;

if let IdentityTokenResponse::Authenticated(r) = response {
let kdf = Kdf::default();

client.internal.set_tokens(
r.access_token.clone(),
r.refresh_token.clone(),
r.expires_in,
);
client
.internal
.set_login_method(LoginMethod::User(UserLoginMethod::Username {
client_id: "web".to_owned(),
email: auth_req.email.to_owned(),
kdf: kdf.clone(),
}));

let method = match res.master_password_hash {
Some(_) => AuthRequestMethod::MasterKey {
Expand All @@ -113,12 +106,27 @@ pub(crate) async fn complete_auth_request(
},
};

let master_password_unlock = r
.user_decryption_options
.as_ref()
.map(UserDecryptionData::try_from)
.transpose()?
.and_then(|user_decryption| user_decryption.master_password_unlock);
let kdf = master_password_unlock
.as_ref()
.map(|mpu| mpu.kdf.clone())
.unwrap_or_else(Kdf::default);
let salt = master_password_unlock
.as_ref()
.map(|mpu| mpu.salt.clone())
.unwrap_or_else(|| auth_req.email.clone());

client
.crypto()
.initialize_user_crypto(InitUserCryptoRequest {
user_id: None,
kdf_params: kdf,
email: auth_req.email,
email: salt,
private_key: require!(r.private_key).parse()?,
signing_key: None,
security_state: None,
Expand Down
4 changes: 4 additions & 0 deletions crates/bitwarden-core/src/auth/login/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,4 +77,8 @@ pub enum LoginError {

#[error("Failed to authenticate")]
AuthenticationFailed,

#[cfg(feature = "internal")]
#[error(transparent)]
MasterPassword(#[from] crate::key_management::MasterPasswordError),
}
72 changes: 43 additions & 29 deletions crates/bitwarden-core/src/auth/login/password.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,4 @@
#[cfg(feature = "internal")]
use bitwarden_crypto::Kdf;
#[cfg(feature = "internal")]
use log::info;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
Expand All @@ -13,14 +11,15 @@ use crate::{
Client,
auth::{api::request::PasswordTokenRequest, login::LoginError, login::TwoFactorRequest},
client::LoginMethod,
key_management::{MasterPasswordAuthenticationData, UserDecryptionData},
};

#[cfg(feature = "internal")]
pub(crate) async fn login_password(
client: &Client,
input: &PasswordLoginRequest,
) -> Result<PasswordLoginResponse, LoginError> {
use bitwarden_crypto::{EncString, HashPurpose, MasterKey};
use bitwarden_crypto::EncString;

use crate::{
client::{UserLoginMethod, internal::UserKeyState},
Expand All @@ -29,38 +28,55 @@ pub(crate) async fn login_password(

info!("password logging in");

let master_key = MasterKey::derive(&input.password, &input.email, &input.kdf)?;
let password_hash = master_key
.derive_master_key_hash(input.password.as_bytes(), HashPurpose::ServerAuthorization);
let kdf = client.auth().prelogin(input.email.clone()).await?;

let master_password_authentication =
MasterPasswordAuthenticationData::derive(&input.password, &kdf, &input.email)?;

let password_hash = master_password_authentication
.master_password_authentication_hash
.to_string();

let response = request_identity_tokens(client, input, &password_hash.to_string()).await?;
let response = request_identity_tokens(client, input, &password_hash).await?;

if let IdentityTokenResponse::Authenticated(r) = &response {
client.internal.set_tokens(
r.access_token.clone(),
r.refresh_token.clone(),
r.expires_in,
);
client
.internal
.set_login_method(LoginMethod::User(UserLoginMethod::Username {
client_id: "web".to_owned(),
email: input.email.to_owned(),
kdf: input.kdf.to_owned(),
}));

let user_key: EncString = require!(r.key.as_deref()).parse()?;
let private_key: EncString = require!(r.private_key.as_deref()).parse()?;

client.internal.initialize_user_crypto_master_key(
master_key,
user_key,
UserKeyState {
private_key,
signing_key: None,
security_state: None,
},
)?;

let private_key: EncString = require!(&r.private_key).parse()?;

let user_key_state = UserKeyState {
private_key,
signing_key: None,
security_state: None,
};

let master_password_unlock = r
.user_decryption_options
.as_ref()
.map(UserDecryptionData::try_from)
.transpose()?
.and_then(|user_decryption| user_decryption.master_password_unlock);
if let Some(master_password_unlock) = master_password_unlock {
client
.internal
.initialize_user_crypto_master_password_unlock(
input.password.clone(),
master_password_unlock.clone(),
user_key_state,
)?;

client
.internal
.set_login_method(LoginMethod::User(UserLoginMethod::Username {
client_id: "web".to_owned(),
email: master_password_unlock.salt,
kdf: master_password_unlock.kdf,
}));
}
}

Ok(PasswordLoginResponse::process_response(response))
Expand Down Expand Up @@ -97,8 +113,6 @@ pub struct PasswordLoginRequest {
pub password: String,
/// Two-factor authentication
pub two_factor: Option<TwoFactorRequest>,
/// Kdf from prelogin
pub kdf: Kdf,
}

#[allow(missing_docs)]
Expand Down
19 changes: 10 additions & 9 deletions crates/bitwarden-core/src/auth/tde.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,15 +32,6 @@ pub(super) fn make_register_tde_keys(
None
};

client
.internal
.set_login_method(crate::client::LoginMethod::User(
crate::client::UserLoginMethod::Username {
client_id: "".to_owned(),
email,
kdf: Kdf::default(),
},
));
client.internal.initialize_user_crypto_decrypted_key(
user_key.0,
UserKeyState {
Expand All @@ -52,6 +43,16 @@ pub(super) fn make_register_tde_keys(
},
)?;

client
.internal
.set_login_method(crate::client::LoginMethod::User(
crate::client::UserLoginMethod::Username {
client_id: "".to_owned(),
email,
kdf: Kdf::default(),
},
));

Ok(RegisterTdeKeyResponse {
private_key: key_pair.private,
public_key: key_pair.public,
Expand Down
Loading