[PM-5693] CryptoService using memfd_secret on Linux

crates/bitwarden-crypto/Cargo.toml

@@ -46,6 +46,11 @@ uniffi = { workspace = true, optional = true }
 uuid = { workspace = true }
 zeroize = { version = ">=1.7.0, <2.0", features = ["derive", "aarch64"] }
 
+[target.'cfg(not(target_arch = "wasm32"))'.dependencies]
+memsec = { version = "0.7.0", features = [
+    "alloc_ext",
+], git = "https://github.com/dani-garcia/memsec", rev = "3d2e272d284442637bac0a7d94f76883960db7e2" }
+
 [dev-dependencies]
 criterion = "0.5.1"
 rand_chacha = "0.3.1"

crates/bitwarden-crypto/src/error.rs

@@ -23,6 +23,10 @@ pub enum CryptoError {
     MissingKey(Uuid),
     #[error("The item was missing a required field: {0}")]
     MissingField(&'static str),
+    #[error("Missing Key for Ref. {0}")]
+    MissingKey2(String),
+    #[error("Crypto store is read-only")]
+    ReadOnlyCryptoStore,
 
     #[error("Insufficient KDF parameters")]
     InsufficientKdfParameters,

crates/bitwarden-crypto/src/keys/encryptable.rs

@@ -0,0 +1,238 @@
+use super::key_ref::{AsymmetricKeyRef, KeyRef, SymmetricKeyRef};
+use crate::{service::CryptoServiceContext, AsymmetricEncString, CryptoError, EncString};
+
+/// This trait should be implemented by any struct capable of knowing which key it needs
+/// to encrypt or decrypt itself.
+pub trait UsesKey<Key: KeyRef> {
+    fn uses_key(&self) -> Key;
+}
+
+pub trait Encryptable<
+    SymmKeyRef: SymmetricKeyRef,
+    AsymmKeyRef: AsymmetricKeyRef,
+    Key: KeyRef,
+    Output,
+>
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: Key,
+    ) -> Result<Output, crate::CryptoError>;
+}
+
+pub trait Decryptable<
+    SymmKeyRef: SymmetricKeyRef,
+    AsymmKeyRef: AsymmetricKeyRef,
+    Key: KeyRef,
+    Output,
+>
+{
+    fn decrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: Key,
+    ) -> Result<Output, crate::CryptoError>;
+}
+
+// Basic Encryptable/Decryptable implementations to and from bytes
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Decryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, Vec<u8>> for EncString
+{
+    fn decrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: SymmKeyRef,
+    ) -> Result<Vec<u8>, crate::CryptoError> {
+        ctx.decrypt_data_with_symmetric_key(key, self)
+    }
+}
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Decryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, Vec<u8>> for AsymmetricEncString
+{
+    fn decrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: AsymmKeyRef,
+    ) -> Result<Vec<u8>, crate::CryptoError> {
+        ctx.decrypt_data_with_asymmetric_key(key, self)
+    }
+}
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Encryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, EncString> for &[u8]
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: SymmKeyRef,
+    ) -> Result<EncString, crate::CryptoError> {
+        ctx.encrypt_data_with_symmetric_key(key, self)
+    }
+}
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Encryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, AsymmetricEncString> for &[u8]
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: AsymmKeyRef,
+    ) -> Result<AsymmetricEncString, crate::CryptoError> {
+        ctx.encrypt_data_with_asymmetric_key(key, self)
+    }
+}
+
+// Encryptable/Decryptable implementations to and from strings
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Decryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, String> for EncString
+{
+    fn decrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: SymmKeyRef,
+    ) -> Result<String, crate::CryptoError> {
+        let bytes: Vec<u8> = self.decrypt(ctx, key)?;
+        String::from_utf8(bytes).map_err(|_| CryptoError::InvalidUtf8String)
+    }
+}
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Decryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, String> for AsymmetricEncString
+{
+    fn decrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: AsymmKeyRef,
+    ) -> Result<String, crate::CryptoError> {
+        let bytes: Vec<u8> = self.decrypt(ctx, key)?;
+        String::from_utf8(bytes).map_err(|_| CryptoError::InvalidUtf8String)
+    }
+}
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Encryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, EncString> for &str
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: SymmKeyRef,
+    ) -> Result<EncString, crate::CryptoError> {
+        self.as_bytes().encrypt(ctx, key)
+    }
+}
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Encryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, AsymmetricEncString> for &str
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: AsymmKeyRef,
+    ) -> Result<AsymmetricEncString, crate::CryptoError> {
+        self.as_bytes().encrypt(ctx, key)
+    }
+}
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Encryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, EncString> for String
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: SymmKeyRef,
+    ) -> Result<EncString, crate::CryptoError> {
+        self.as_bytes().encrypt(ctx, key)
+    }
+}
+
+impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
+    Encryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, AsymmetricEncString> for String
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: AsymmKeyRef,
+    ) -> Result<AsymmetricEncString, crate::CryptoError> {
+        self.as_bytes().encrypt(ctx, key)
+    }
+}
+
+// Generic implementations for Optional values
+
+impl<
+        SymmKeyRef: SymmetricKeyRef,
+        AsymmKeyRef: AsymmetricKeyRef,
+        Key: KeyRef,
+        T: Encryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
+        Output,
+    > Encryptable<SymmKeyRef, AsymmKeyRef, Key, Option<Output>> for Option<T>
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: Key,
+    ) -> Result<Option<Output>, crate::CryptoError> {
+        self.as_ref()
+            .map(|value| value.encrypt(ctx, key))
+            .transpose()
+    }
+}
+
+impl<
+        SymmKeyRef: SymmetricKeyRef,
+        AsymmKeyRef: AsymmetricKeyRef,
+        Key: KeyRef,
+        T: Decryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
+        Output,
+    > Decryptable<SymmKeyRef, AsymmKeyRef, Key, Option<Output>> for Option<T>
+{
+    fn decrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: Key,
+    ) -> Result<Option<Output>, crate::CryptoError> {
+        self.as_ref()
+            .map(|value| value.decrypt(ctx, key))
+            .transpose()
+    }
+}
+
+// Generic implementations for Vec values
+
+impl<
+        SymmKeyRef: SymmetricKeyRef,
+        AsymmKeyRef: AsymmetricKeyRef,
+        Key: KeyRef,
+        T: Encryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
+        Output,
+    > Encryptable<SymmKeyRef, AsymmKeyRef, Key, Vec<Output>> for Vec<T>
+{
+    fn encrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: Key,
+    ) -> Result<Vec<Output>, crate::CryptoError> {
+        self.iter().map(|value| value.encrypt(ctx, key)).collect()
+    }
+}
+
+impl<
+        SymmKeyRef: SymmetricKeyRef,
+        AsymmKeyRef: AsymmetricKeyRef,
+        Key: KeyRef,
+        T: Decryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
+        Output,
+    > Decryptable<SymmKeyRef, AsymmKeyRef, Key, Vec<Output>> for Vec<T>
+{
+    fn decrypt(
+        &self,
+        ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
+        key: Key,
+    ) -> Result<Vec<Output>, crate::CryptoError> {
+        self.iter().map(|value| value.decrypt(ctx, key)).collect()
+    }
+}

crates/bitwarden-crypto/src/keys/key_ref.rs

@@ -0,0 +1,89 @@
+use crate::{AsymmetricCryptoKey, SymmetricCryptoKey};
+
+// Hide the `KeyRef` trait from the public API, to avoid confusion
+// the trait itself needs to be public to reference it in the macro, so wrap it in a hidden module
+#[doc(hidden)]
+pub mod __internal {
+    use std::{fmt::Debug, hash::Hash};
+
+    use zeroize::ZeroizeOnDrop;
+
+    use crate::CryptoKey;
+
+    /// This trait represents a key reference that can be used to identify cryptographic keys in the
+    /// key store. It is used to abstract over the different types of keys that can be used in
+    /// the system, an end user would not implement this trait directly, and would instead use
+    /// the `SymmetricKeyRef` and `AsymmetricKeyRef` traits.
+    pub trait KeyRef:
+        Debug + Clone + Copy + Hash + Eq + PartialEq + Ord + PartialOrd + Send + Sync + 'static
+    {
+        type KeyValue: CryptoKey + Send + Sync + ZeroizeOnDrop;
+
+        /// Returns whether the key is local to the current context or shared globally by the
+        /// service.
+        fn is_local(&self) -> bool;
+    }
+}
+pub(crate) use __internal::KeyRef;
+
+// These traits below are just basic aliases of the `KeyRef` trait, but they allow us to have two
+// separate trait bounds
+
+pub trait SymmetricKeyRef: KeyRef<KeyValue = SymmetricCryptoKey> {}
+pub trait AsymmetricKeyRef: KeyRef<KeyValue = AsymmetricCryptoKey> {}
+
+// Just a small derive_like macro that can be used to generate the key reference enums.
+// Example usage:
+// ```rust
+// key_refs! {
+//     #[symmetric]
+//     pub enum KeyRef {
+//         User,
+//         Org(Uuid),
+//         #[local]
+//         Local(String),
+//     }
+// }
+#[macro_export]
+macro_rules! key_refs {
+    ( $(
+        #[$meta_type:tt]
+        $(pub)? enum $name:ident {
+            $(
+                $( #[$variant_tag:tt] )?
+                $variant:ident $( ( $inner:ty ) )?
+            ,)+
+        }
+    )+ ) => {  $(
+        #[derive(std::fmt::Debug, Clone, Copy, std::hash::Hash, Eq, PartialEq, Ord, PartialOrd)]
+        pub enum $name { $(
+                $variant  $( ($inner) )?
+        ,)+ }
+
+        impl $crate::key_ref::__internal::KeyRef for $name {
+            type KeyValue = key_refs!(@key_type $meta_type);
+
+            fn is_local(&self) -> bool {
+                use $name::*;
+                match self { $(
+                    key_refs!(@variant_match $variant $( ( $inner ) )?) =>
+                        key_refs!(@variant_tag $( $variant_tag )? ),
+                )+ }
+            }
+        }
+
+        key_refs!(@key_trait $meta_type $name);
+    )+ };
+
+    ( @key_type symmetric ) => { $crate::SymmetricCryptoKey };
+    ( @key_type asymmetric ) => { $crate::AsymmetricCryptoKey };
+
+    ( @key_trait symmetric $name:ident ) => { impl $crate::key_ref::SymmetricKeyRef for $name {} };
+    ( @key_trait asymmetric $name:ident ) => { impl $crate::key_ref::AsymmetricKeyRef for $name {} };
+
+    ( @variant_match $variant:ident ( $inner:ty ) ) => { $variant (_) };
+    ( @variant_match $variant:ident ) => { $variant };
+
+    ( @variant_tag local ) => { true };
+    ( @variant_tag ) => { false };
+}

crates/bitwarden-crypto/src/keys/mod.rs

@@ -1,5 +1,10 @@
 mod key_encryptable;
 pub use key_encryptable::{CryptoKey, KeyContainer, KeyDecryptable, KeyEncryptable, LocateKey};
+mod encryptable;
+pub use encryptable::{Decryptable, Encryptable, UsesKey};
+pub mod key_ref;
+pub(crate) use key_ref::KeyRef;
+pub use key_ref::{AsymmetricKeyRef, SymmetricKeyRef};
 mod master_key;
 pub use master_key::{
     default_argon2_iterations, default_argon2_memory, default_argon2_parallelism,

crates/bitwarden-crypto/src/lib.rs

@@ -82,6 +82,7 @@ mod wordlist;
 pub use wordlist::EFF_LONG_WORD_LIST;
 mod allocator;
 pub use allocator::ZeroizingAllocator;
+pub mod service;
 
 #[cfg(feature = "uniffi")]
 uniffi::setup_scaffolding!();