[BEEEP] Update bitwarden-ssh RustCrypto dependencies, fixing imports of various SSH keys

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-27518

Fixes:
bitwarden/clients#17028
bitwarden/clients#14076

📔 Objective

Updates the bitwarden-ssh dependencies to rc releases from RustCrypto. This allows us to:

• Drop our PKCS5 patch crate
• Fix import of putty keys
• Fix import of various other broken keys (linewidth issues and others)

It also replaces the RSA crate that has a vulnerability (timing attack) - though, it is unlikely that this actually affects import / was abusable.

RSA key generation test vectors are broken because the underlying RSA generation algorithm changed with rustcrypto's massive re-implementation of RSA, hence new test keys are provided.

Note: This pins the dependencies to be different from the workspace crates, as those are not yet ready to be updated. Eventually we will update those bit-by-bit too and then drop the dependency pinning.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
  team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
  issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – c38cf946-b37e-42b5-97f4-82cb5e468fa5

Great job! No new security vulnerabilities introduced in this pull request

[claude]

Claude finished @quexten's task —— View job

---

Code Review Complete

I've reviewed the changes in this PR focusing on the RustCrypto dependency updates and SSH key import fixes. Overall, the changes are solid and address the stated objectives, but I have several findings that require attention.

---

Findings

💭 Finding 1: PR description mentions that the previous Claude review suggested adding a TODO comment about pinned versions (crates/bitwarden-ssh/Cargo.toml:38), but this was not addressed. While the human reviewers didn't push on this, it would still be valuable to document that these pinned versions are temporary and should be updated when the workspace is ready. This helps future maintainers understand why these crates aren't using workspace dependencies.

⚠️ Finding 2: The dependency update includes a significant jump in the rand crate from 0.9.2 to 0.10.0-rc.5, which introduces breaking API changes (crates/bitwarden-ssh/Cargo.toml:36). While the code correctly adapts to the new API (using &mut R instead of impl CryptoRng), the PR description doesn't mention this breaking change or explain why the RC version was chosen. This could impact downstream consumers if the RC version has stability issues.

⚠️ Finding 3: The RSA key generation test vectors changed (crates/bitwarden-ssh/resources/generator/rsa3072_key, crates/bitwarden-ssh/resources/generator/rsa4096_key), which is expected given the PR description mentions "the underlying RSA generation algorithm changed with rustcrypto's massive re-implementation of RSA." However, there's no verification in the PR that the NEW generated keys are still valid RSA keys that work correctly with SSH clients. While the tests verify they match the new test vectors, they don't validate the keys actually function as SSH keys.

🎨 Finding 4: The wasm build script change adds the getrandom configuration flag (crates/bitwarden-wasm-internal/build.sh:49), and from the review thread, it's clear this is necessary. However, the build script comment at line 46 doesn't explain WHY this flag is needed here when it's already set in cargo config. Consider adding a comment explaining that RUSTFLAGS overrides rather than appends, so this explicit setting is necessary.

💭 Finding 5: The new test cases for PuTTY key import (import.rs:203-218) and the regression test (import.rs:228-234) are excellent additions that directly address the stated issues. However, I notice the test at line 221-225 explicitly tests that PKCS1 format is NOT supported (expects UnsupportedKeyType). Is this intentional? PuTTY can export to PKCS1 format, so this might limit the import functionality.

🎨 Finding 6: The ssh-cipher dependency was added to Cargo.toml (line 40) but appears unused in the codebase. This suggests it might be a transitive dependency that's being explicitly pinned for version control. If so, consider adding a comment explaining why it's explicitly listed.

---

Additional Observations

Security: The PR correctly addresses the RSA timing attack vulnerability by updating to a newer version. The migration away from the vulnerable RSA crate is a security improvement.

Test Coverage: Codecov reports 95.24% patch coverage with only 2 lines missing in generator.rs. This is excellent coverage for a security-sensitive cryptographic module.

Backward Compatibility: The changes maintain backward compatibility for import operations (can still decrypt old keys), but RSA key generation will produce different keys. This is acceptable since generation is non-deterministic by nature (except in tests).

---

Summary

The core changes are well-implemented and address the stated objectives:

• ✅ RustCrypto dependencies updated to RC releases
• ✅ PuTTY key import fixed with new test cases
• ✅ Regression issue #17028 fixed with test coverage
• ✅ Dropped PKCS5 patch dependency
• ✅ RSA timing vulnerability addressed

Action Items:

1. Consider adding TODO comment about temporary dependency pinning (Finding 1)
2. Document why RC versions were chosen for rand crate (Finding 2)
3. Verify new RSA test vectors produce valid SSH keys (Finding 3)
4. Add comment explaining RUSTFLAGS override behavior (Finding 4)
5. Clarify if PKCS1 non-support is intentional (Finding 5)
6. Document or remove unused ssh-cipher dependency (Finding 6)

[codecov]

Codecov Report

❌ Patch coverage is 95.23810% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.52%. Comparing base (0107af7) to head (73c80a9).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
crates/bitwarden-ssh/src/generator.rs	87.50%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #536   +/-   ##
=======================================
  Coverage   79.52%   79.52%           
=======================================
  Files         302      302           
  Lines       32362    32366    +4     
=======================================
+ Hits        25735    25739    +4     
  Misses       6627     6627           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔍 SDK Breaking Change Detection Results

SDK Version: km/beeep/ssh-import-fix (73c80a9)
Completed: 2025-12-02 10:16:23 UTC
Total Time: 217s

Client	Status	Details
typescript	✅ No breaking changes detected	TypeScript compilation passed with new SDK version - View Details

---

Breaking change detection completed. View SDK workflow