bitwarden-browser/src/services/nativeMessaging.service.ts

import { ipcRenderer } from 'electron';
import Swal from 'sweetalert2';

import { CryptoService } from 'jslib/abstractions/crypto.service';
import { CryptoFunctionService } from 'jslib/abstractions/cryptoFunction.service';
import { I18nService } from 'jslib/abstractions/i18n.service';
import { LogService } from 'jslib/abstractions/log.service';
import { MessagingService } from 'jslib/abstractions/messaging.service';
import { PlatformUtilsService } from 'jslib/abstractions/platformUtils.service';
import { UserService } from 'jslib/abstractions/user.service';
import { VaultTimeoutService } from 'jslib/abstractions/vaultTimeout.service';

import { StorageService } from 'jslib/abstractions';
import { ElectronConstants } from 'jslib/electron/electronConstants';
import { Utils } from 'jslib/misc/utils';
import { SymmetricCryptoKey } from 'jslib/models/domain/symmetricCryptoKey';

const MessageValidTimeout = 10 * 1000;
const EncryptionAlgorithm = 'sha1';

export class NativeMessagingService {
    private sharedSecrets = new Map<string, SymmetricCryptoKey>();

    constructor(private cryptoFunctionService: CryptoFunctionService, private cryptoService: CryptoService,
        private platformUtilService: PlatformUtilsService, private logService: LogService,
        private i18nService: I18nService, private userService: UserService, private messagingService: MessagingService,
        private vaultTimeoutService: VaultTimeoutService, private storageService: StorageService) {
        ipcRenderer.on('nativeMessaging', async (event: any, message: any) => {
            this.messageHandler(message);
        });
    }

    private async messageHandler(msg: any) {
        const appId = msg.appId;
        const rawMessage = msg.message;

        // Request to setup secure encryption
        if (rawMessage.command === 'setupEncryption') {
            const remotePublicKey = Utils.fromB64ToArray(rawMessage.publicKey).buffer;

            // Valudate the UserId to ensure we are logged into the same account.
            if (rawMessage.userId !== await this.userService.getUserId()) {
                ipcRenderer.send('nativeMessagingReply', {command: 'wrongUserId', appId: appId});
                return;
            }

            if (await this.storageService.get<boolean>(ElectronConstants.enableBrowserIntegrationFingerprint)) {
                ipcRenderer.send('nativeMessagingReply', {command: 'verifyFingerprint', appId: appId});

                const fingerprint = (await this.cryptoService.getFingerprint(await this.userService.getUserId(), remotePublicKey)).join(' ');

                this.messagingService.send('setFocus');

                // Await confirmation that fingerprint is correct
                const submitted = await Swal.fire({
                    titleText: this.i18nService.t('verifyBrowserTitle'),
                    html: `${this.i18nService.t('verifyBrowserDesc')}<br><br><strong>${fingerprint}</strong>`,
                    showCancelButton: true,
                    cancelButtonText: this.i18nService.t('cancel'),
                    showConfirmButton: true,
                    confirmButtonText: this.i18nService.t('approve'),
                    allowOutsideClick: false,
                });

                if (submitted.value !== true) {
                    return;
                }
            }

            this.secureCommunication(remotePublicKey, appId);
            return;
        }

        const message = JSON.parse(await this.cryptoService.decryptToUtf8(rawMessage, this.sharedSecrets.get(appId)));

        // Shared secret is invalidated, force re-authentication
        if (message == null) {
            ipcRenderer.send('nativeMessagingReply', {command: 'invalidateEncryption', appId: appId});
            return;
        }

        if (Math.abs(message.timestamp - Date.now()) > MessageValidTimeout) {
            this.logService.error('NativeMessage is to old, ignoring.');
            return;
        }

        switch (message.command) {
            case 'biometricUnlock':
                if (! this.platformUtilService.supportsBiometric()) {
                    return this.send({command: 'biometricUnlock', response: 'not supported'}, appId);
                }

                if (! await this.vaultTimeoutService.isBiometricLockSet()) {
                    this.send({command: 'biometricUnlock', response: 'not enabled'}, appId);

                    return await Swal.fire({
                        title: this.i18nService.t('biometricsNotEnabledTitle'),
                        text: this.i18nService.t('biometricsNotEnabledDesc'),
                        showCancelButton: true,
                        cancelButtonText: this.i18nService.t('cancel'),
                        showConfirmButton: false,
                    });
                }

                const response = await this.platformUtilService.authenticateBiometric();
                if (response) {
                    this.send({command: 'biometricUnlock', response: 'unlocked', keyB64: (await this.cryptoService.getKey()).keyB64}, appId);
                } else {
                    this.send({command: 'biometricUnlock', response: 'canceled'}, appId);
                }

                break;
            default:
                this.logService.error('NativeMessage, got unknown command.');
        }
    }

    private async send(message: any, appId: string) {
        message.timestamp = Date.now();

        const encrypted = await this.cryptoService.encrypt(JSON.stringify(message), this.sharedSecrets.get(appId));

        ipcRenderer.send('nativeMessagingReply', {appId: appId, message: encrypted});
    }

    private async secureCommunication(remotePublicKey: ArrayBuffer, appId: string) {
        const secret = await this.cryptoFunctionService.randomBytes(64);
        this.sharedSecrets.set(appId, new SymmetricCryptoKey(secret));

        const encryptedSecret = await this.cryptoFunctionService.rsaEncrypt(secret, remotePublicKey, EncryptionAlgorithm);
        ipcRenderer.send('nativeMessagingReply', {appId: appId, command: 'setupEncryption', sharedSecret: Utils.fromBufferToB64(encryptedSecret)});
    }
}
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00			`import { ipcRenderer } from 'electron';`
Show fingerprint message 2020-10-19 16:50:33 +02:00			`import Swal from 'sweetalert2';`
Replace cosole logs with logService 2020-10-05 20:05:48 +02:00
Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00			`import { CryptoService } from 'jslib/abstractions/crypto.service';`
wip 2020-10-16 17:09:17 +02:00			`import { CryptoFunctionService } from 'jslib/abstractions/cryptoFunction.service';`
Restore focus when displaying sync confirm 2020-11-30 14:58:52 +01:00			`import { I18nService } from 'jslib/abstractions/i18n.service';`
Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00			`import { LogService } from 'jslib/abstractions/log.service';`
Restore focus when displaying sync confirm 2020-11-30 14:58:52 +01:00			`import { MessagingService } from 'jslib/abstractions/messaging.service';`
			`import { PlatformUtilsService } from 'jslib/abstractions/platformUtils.service';`
			`import { UserService } from 'jslib/abstractions/user.service';`
Display error message when biometric is disabled in the desktop 2020-12-16 17:25:30 +01:00			`import { VaultTimeoutService } from 'jslib/abstractions/vaultTimeout.service';`
Restore focus when displaying sync confirm 2020-11-30 14:58:52 +01:00
Make fingerprint validation optional, update readme with debug info for native messaging 2020-12-18 15:47:48 +01:00			`import { StorageService } from 'jslib/abstractions';`
			`import { ElectronConstants } from 'jslib/electron/electronConstants';`
Match linter rules 2021-02-03 19:21:22 +01:00			`import { Utils } from 'jslib/misc/utils';`
			`import { SymmetricCryptoKey } from 'jslib/models/domain/symmetricCryptoKey';`
Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00
			`const MessageValidTimeout = 10 * 1000;`
Setup new encryption flow 2020-10-19 12:21:07 +02:00			`const EncryptionAlgorithm = 'sha1';`
Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00
Initial PoC for browser <-> desktop communication 2020-10-05 15:11:37 +02:00			`export class NativeMessagingService {`
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`private sharedSecrets = new Map<string, SymmetricCryptoKey>();`
Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00
wip 2020-10-16 17:09:17 +02:00			`constructor(private cryptoFunctionService: CryptoFunctionService, private cryptoService: CryptoService,`
Ensure we only setup a communication when userId matches 2021-01-15 10:57:09 +01:00			`private platformUtilService: PlatformUtilsService, private logService: LogService,`
			`private i18nService: I18nService, private userService: UserService, private messagingService: MessagingService,`
			`private vaultTimeoutService: VaultTimeoutService, private storageService: StorageService) {`
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00			`ipcRenderer.on('nativeMessaging', async (event: any, message: any) => {`
			`this.messageHandler(message);`
Initial PoC for browser <-> desktop communication 2020-10-05 15:11:37 +02:00			`});`
Generate app manifests and add install scripts for windows 2020-10-05 19:48:51 +02:00			`}`

Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`private async messageHandler(msg: any) {`
			`const appId = msg.appId;`
			`const rawMessage = msg.message;`
Cleanup code 2020-10-21 16:48:40 +02:00
			`// Request to setup secure encryption`
Fix linting errors 2020-11-30 15:10:57 +01:00			`if (rawMessage.command === 'setupEncryption') {`
Show fingerprint message 2020-10-19 16:50:33 +02:00			`const remotePublicKey = Utils.fromB64ToArray(rawMessage.publicKey).buffer;`
Fix linting errors 2020-11-30 15:10:57 +01:00
Ensure we only setup a communication when userId matches 2021-01-15 10:57:09 +01:00			`// Valudate the UserId to ensure we are logged into the same account.`
			`if (rawMessage.userId !== await this.userService.getUserId()) {`
			`ipcRenderer.send('nativeMessagingReply', {command: 'wrongUserId', appId: appId});`
			`return;`
			`}`

Make fingerprint validation optional, update readme with debug info for native messaging 2020-12-18 15:47:48 +01:00			`if (await this.storageService.get<boolean>(ElectronConstants.enableBrowserIntegrationFingerprint)) {`
			`ipcRenderer.send('nativeMessagingReply', {command: 'verifyFingerprint', appId: appId});`

			`const fingerprint = (await this.cryptoService.getFingerprint(await this.userService.getUserId(), remotePublicKey)).join(' ');`

			`this.messagingService.send('setFocus');`

			`// Await confirmation that fingerprint is correct`
			`const submitted = await Swal.fire({`
use swal titletext to avoid XSS (#884) 2021-05-13 21:22:52 +02:00			`titleText: this.i18nService.t('verifyBrowserTitle'),`
Make fingerprint validation optional, update readme with debug info for native messaging 2020-12-18 15:47:48 +01:00			html: `${this.i18nService.t('verifyBrowserDesc')}<br><br><strong>${fingerprint}</strong>`,
			`showCancelButton: true,`
			`cancelButtonText: this.i18nService.t('cancel'),`
			`showConfirmButton: true,`
			`confirmButtonText: this.i18nService.t('approve'),`
			`allowOutsideClick: false,`
			`});`

			`if (submitted.value !== true) {`
			`return;`
			`}`
			`}`
Fix linting errors 2020-12-22 17:16:12 +01:00
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`this.secureCommunication(remotePublicKey, appId);`
wip 2020-10-16 17:09:17 +02:00			`return;`
			`}`
Replace cosole logs with logService 2020-10-05 20:05:48 +02:00
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`const message = JSON.parse(await this.cryptoService.decryptToUtf8(rawMessage, this.sharedSecrets.get(appId)));`
Setup new encryption flow 2020-10-19 12:21:07 +02:00
Send error when failing to decrypt message 2020-10-23 14:40:31 +02:00			`// Shared secret is invalidated, force re-authentication`
			`if (message == null) {`
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`ipcRenderer.send('nativeMessagingReply', {command: 'invalidateEncryption', appId: appId});`
Send error when failing to decrypt message 2020-10-23 14:40:31 +02:00			`return;`
			`}`

Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00			`if (Math.abs(message.timestamp - Date.now()) > MessageValidTimeout) {`
			`this.logService.error('NativeMessage is to old, ignoring.');`
Add settings toggle to enable/disable browser integration 2020-10-07 15:11:01 +02:00			`return;`
			`}`
Generate app manifests and add install scripts for windows 2020-10-05 19:48:51 +02:00
Wire up desktop -> browser communication. Add initial biometry support for browser integration 2020-10-11 20:41:10 +02:00			`switch (message.command) {`
			`case 'biometricUnlock':`
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00			`if (! this.platformUtilService.supportsBiometric()) {`
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`return this.send({command: 'biometricUnlock', response: 'not supported'}, appId);`
Wire up desktop -> browser communication. Add initial biometry support for browser integration 2020-10-11 20:41:10 +02:00			`}`

Display error message when biometric is disabled in the desktop 2020-12-16 17:25:30 +01:00			`if (! await this.vaultTimeoutService.isBiometricLockSet()) {`
			`this.send({command: 'biometricUnlock', response: 'not enabled'}, appId);`

			`return await Swal.fire({`
			`title: this.i18nService.t('biometricsNotEnabledTitle'),`
			`text: this.i18nService.t('biometricsNotEnabledDesc'),`
			`showCancelButton: true,`
			`cancelButtonText: this.i18nService.t('cancel'),`
			`showConfirmButton: false,`
			`});`
			`}`

Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00			`const response = await this.platformUtilService.authenticateBiometric();`
Wire up desktop -> browser communication. Add initial biometry support for browser integration 2020-10-11 20:41:10 +02:00			`if (response) {`
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`this.send({command: 'biometricUnlock', response: 'unlocked', keyB64: (await this.cryptoService.getKey()).keyB64}, appId);`
Wire up desktop -> browser communication. Add initial biometry support for browser integration 2020-10-11 20:41:10 +02:00			`} else {`
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`this.send({command: 'biometricUnlock', response: 'canceled'}, appId);`
Wire up desktop -> browser communication. Add initial biometry support for browser integration 2020-10-11 20:41:10 +02:00			`}`
Minor cleanup 2020-10-12 18:03:16 +02:00
Wire up desktop -> browser communication. Add initial biometry support for browser integration 2020-10-11 20:41:10 +02:00			`break;`
			`default:`
Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00			`this.logService.error('NativeMessage, got unknown command.');`
Wire up desktop -> browser communication. Add initial biometry support for browser integration 2020-10-11 20:41:10 +02:00			`}`
			`}`
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`private async send(message: any, appId: string) {`
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00			`message.timestamp = Date.now();`
Setup new encryption flow 2020-10-19 12:21:07 +02:00
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`const encrypted = await this.cryptoService.encrypt(JSON.stringify(message), this.sharedSecrets.get(appId));`
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`ipcRenderer.send('nativeMessagingReply', {appId: appId, message: encrypted});`
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00			`}`
wip 2020-10-16 17:09:17 +02:00
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`private async secureCommunication(remotePublicKey: ArrayBuffer, appId: string) {`
Setup new encryption flow 2020-10-19 12:21:07 +02:00			`const secret = await this.cryptoFunctionService.randomBytes(64);`
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`this.sharedSecrets.set(appId, new SymmetricCryptoKey(secret));`
wip 2020-10-16 17:09:17 +02:00
Show fingerprint message 2020-10-19 16:50:33 +02:00			`const encryptedSecret = await this.cryptoFunctionService.rsaEncrypt(secret, remotePublicKey, EncryptionAlgorithm);`
Add support for communicating with multiple extensions at the same time 2020-12-16 15:42:46 +01:00			`ipcRenderer.send('nativeMessagingReply', {appId: appId, command: 'setupEncryption', sharedSecret: Utils.fromBufferToB64(encryptedSecret)});`
wip 2020-10-16 17:09:17 +02:00			`}`
Initial PoC for browser <-> desktop communication 2020-10-05 15:11:37 +02:00			`}`