Merge branch 'km/data-envelope-follow-up' into km/beeep/safe-data-envelope

Author: quexten

crates/bitwarden-crypto/examples/seal_struct.rs

@@ -51,8 +51,7 @@ fn main() {
     .into();
 
     // Seal the item into an encrypted blob, and store the content-encryption-key in the context.
-    let sealed_item = DataEnvelope::seal(my_item, ExampleSymmetricKey::ItemKey, &mut ctx)
-        .expect("Sealing should work");
+    let (sealed_item, cek) = DataEnvelope::seal(my_item, &mut ctx).expect("Sealing should work");
 
     // Store the sealed item on disk
     disk.save("sealed_item", (&sealed_item).into());

crates/bitwarden-crypto/src/safe/data_envelope.rs

@@ -10,7 +10,7 @@ use thiserror::Error;
 use wasm_bindgen::convert::FromWasmAbi;
 
 use crate::{
-    CONTENT_TYPE_PADDED_CBOR, CoseEncrypt0Bytes, CryptoError, EncodingError, KeyIds,
+    CONTENT_TYPE_PADDED_CBOR, CoseEncrypt0Bytes, CryptoError, EncString, EncodingError, KeyIds,
     SerializedMessage, SymmetricCryptoKey, XChaCha20Poly1305Key,
     cose::{DATA_ENVELOPE_NAMESPACE, XCHACHA20_POLY1305},
     ensure_equal, ensure_matches,
@@ -71,16 +71,37 @@ impl DataEnvelope {
     /// context.
     pub fn seal<Ids: KeyIds, T>(
         data: T,
-        cek_keyslot: Ids::Symmetric,
         ctx: &mut crate::store::KeyStoreContext<Ids>,
-    ) -> Result<Self, DataEnvelopeError>
+    ) -> Result<(Self, Ids::Symmetric), DataEnvelopeError>
     where
         T: Serialize + SealableVersionedData,
     {
         let (envelope, cek) = Self::seal_ref(&data, &T::NAMESPACE)?;
-        ctx.set_symmetric_key_internal(cek_keyslot, SymmetricCryptoKey::XChaCha20Poly1305Key(cek))
+        let cek_id = ctx
+            .generate_symmetric_key()
+            .map_err(|_| DataEnvelopeError::KeyStoreError)?;
+        ctx.set_symmetric_key_internal(cek_id, SymmetricCryptoKey::XChaCha20Poly1305Key(cek))
             .map_err(|_| DataEnvelopeError::KeyStoreError)?;
-        Ok(envelope)
+        Ok((envelope, cek_id))
+    }
+
+    /// Seals a struct into an encrypted blob. The content encryption key is wrapped with the
+    /// provided wrapping key
+    pub fn seal_with_wrapping_key<Ids: KeyIds, T>(
+        data: T,
+        wrapping_key: &Ids::Symmetric,
+        ctx: &mut crate::store::KeyStoreContext<Ids>,
+    ) -> Result<(Self, EncString), DataEnvelopeError>
+    where
+        T: Serialize + SealableVersionedData,
+    {
+        let (envelope, cek) = Self::seal(data, ctx)?;
+
+        let wrapped_cek = ctx
+            .wrap_symmetric_key(*wrapping_key, cek)
+            .map_err(|_| DataEnvelopeError::EncryptionError)?;
+
+        Ok((envelope, wrapped_cek))
     }
 
     /// Seals a struct into an encrypted blob, and returns the encrypted blob and the
@@ -159,6 +180,22 @@ impl DataEnvelope {
         }
     }
 
+    /// Unseals the data from the encrypted blob and wrapped content-encryption-key.
+    pub fn unseal_with_wrapping_key<Ids: KeyIds, T>(
+        &self,
+        wrapping_key: &Ids::Symmetric,
+        wrapped_cek: &EncString,
+        ctx: &mut crate::store::KeyStoreContext<Ids>,
+    ) -> Result<T, DataEnvelopeError>
+    where
+        T: DeserializeOwned + SealableVersionedData,
+    {
+        let cek = ctx
+            .unwrap_symmetric_key(*wrapping_key, wrapped_cek)
+            .map_err(|_| DataEnvelopeError::DecryptionError)?;
+        self.unseal(cek, ctx)
+    }
+
     /// Unseals the data from the encrypted blob using the provided content-encryption-key.
     fn unseal_ref<T>(
         &self,