bitwarden-crypto 3.0.0

Internal crate for the bitwarden crate. Do not use.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

//! This example demonstrates how to seal a piece of data.
//!
//! If there is a struct that should be kept secret, in can be sealed with a `DataEnvelope`. This
//! will automatically create a content-encryption-key. This is useful because the key is stored
//! separately. Rotating the encrypting key now only requires re-uploading the
//! content-encryption-key instead of the entire data. Further, server-side tampering (swapping of
//! individual fields encrypted by the same key) is prevented.
//!
//! In general, if a struct of data should be protected, the `DataEnvelope` should be used.

use bitwarden_crypto::{
    generate_versioned_sealable, key_slot_ids,
    safe::{DataEnvelope, DataEnvelopeNamespace, SealableData, SealableVersionedData},
};
use serde::{Deserialize, Serialize};

#[derive(Serialize, Deserialize, PartialEq, Debug)]
struct MyItemV1 {
    a: u32,
    b: String,
}
impl SealableData for MyItemV1 {}

#[derive(Serialize, Deserialize, PartialEq, Debug)]
struct MyItemV2 {
    a: u32,
    b: bool,
    c: bool,
}
impl SealableData for MyItemV2 {}

generate_versioned_sealable!(
    MyItem,
    DataEnvelopeNamespace::VaultItem,
    [
        MyItemV1 => "1",
        MyItemV2 => "2",
    ]
);

fn main() {
    let store: bitwarden_crypto::KeyStore<ExampleIds> =
        bitwarden_crypto::KeyStore::<ExampleIds>::default();
    let mut ctx: bitwarden_crypto::KeyStoreContext<'_, ExampleIds> = store.context_mut();
    let mut disk = MockDisk::new();

    let my_item: MyItem = MyItemV1 {
        a: 42,
        b: "Hello, World!".to_string(),
    }
    .into();

    // Seals the item into an encrypted blob, and stores the content-encryption-key in the context.
    // Returned is the sealed item, along with the id of the content-encryption-key used to seal it
    // on the context. The cek has to be protected separately. Alternatively
    // `seal_with_wrapping_key` can be used to directly obtain back the wrapped cek.
    let (sealed_item, cek) = DataEnvelope::seal(my_item, &mut ctx).expect("Sealing should work");

    // Store the sealed item on disk
    disk.save("sealed_item", (&sealed_item).into());
    let sealed_item = disk
        .load("sealed_item")
        .expect("Failed to load sealed item")
        .clone();
    let sealed_item = DataEnvelope::from(sealed_item);

    // Unseal the item again, using the content-encryption-key stored in the context.
    let my_item: MyItem = sealed_item
        .unseal(cek, &mut ctx)
        .expect("Unsealing should work");
    assert!(matches!(my_item, MyItem::MyItemV1(item) if item.a == 42 && item.b == "Hello, World!"));
}

pub(crate) struct MockDisk {
    map: std::collections::HashMap<String, Vec<u8>>,
}

impl MockDisk {
    pub(crate) fn new() -> Self {
        MockDisk {
            map: std::collections::HashMap::new(),
        }
    }

    pub(crate) fn save(&mut self, key: &str, value: Vec<u8>) {
        self.map.insert(key.to_string(), value);
    }

    pub(crate) fn load(&self, key: &str) -> Option<&Vec<u8>> {
        self.map.get(key)
    }
}

key_slot_ids! {
    #[symmetric]
    pub enum ExampleSymmetricKey {
        #[local]
        ItemKey(LocalId)
    }

    #[private]
    pub enum ExamplePrivateKey {
        Key(u8),
        #[local]
        Local(LocalId),
    }

    #[signing]
    pub enum ExampleSigningKey {
        Key(u8),
        #[local]
        Local(LocalId),
    }
    pub ExampleIds => ExampleSymmetricKey, ExamplePrivateKey, ExampleSigningKey;
}