bitwarden-browser/src/services/nativeMessaging.service.ts

import { Injectable } from "@angular/core";
import { ipcRenderer } from "electron";
import Swal from "sweetalert2";

import { CryptoService } from "jslib-common/abstractions/crypto.service";
import { CryptoFunctionService } from "jslib-common/abstractions/cryptoFunction.service";
import { I18nService } from "jslib-common/abstractions/i18n.service";
import { LogService } from "jslib-common/abstractions/log.service";
import { MessagingService } from "jslib-common/abstractions/messaging.service";
import { PlatformUtilsService } from "jslib-common/abstractions/platformUtils.service";
import { StateService } from "jslib-common/abstractions/state.service";
import { VaultTimeoutService } from "jslib-common/abstractions/vaultTimeout.service";

import { Utils } from "jslib-common/misc/utils";

import { SymmetricCryptoKey } from "jslib-common/models/domain/symmetricCryptoKey";

import { KeySuffixOptions } from "jslib-common/enums/keySuffixOptions";

const MessageValidTimeout = 10 * 1000;
const EncryptionAlgorithm = "sha1";

@Injectable()
export class NativeMessagingService {
  private sharedSecrets = new Map<string, SymmetricCryptoKey>();

  constructor(
    private cryptoFunctionService: CryptoFunctionService,
    private cryptoService: CryptoService,
    private platformUtilService: PlatformUtilsService,
    private logService: LogService,
    private i18nService: I18nService,
    private messagingService: MessagingService,
    private vaultTimeoutService: VaultTimeoutService,
    private stateService: StateService
  ) {
    ipcRenderer.on("nativeMessaging", async (_event: any, message: any) => {
      this.messageHandler(message);
    });
  }

  private async messageHandler(msg: any) {
    const appId = msg.appId;
    const rawMessage = msg.message;

    // Request to setup secure encryption
    if (rawMessage.command === "setupEncryption") {
      const remotePublicKey = Utils.fromB64ToArray(rawMessage.publicKey).buffer;

      // Valudate the UserId to ensure we are logged into the same account.
      if (rawMessage.userId !== (await this.stateService.getUserId())) {
        ipcRenderer.send("nativeMessagingReply", { command: "wrongUserId", appId: appId });
        return;
      }

      if (await this.stateService.getEnableBrowserIntegrationFingerprint()) {
        ipcRenderer.send("nativeMessagingReply", { command: "verifyFingerprint", appId: appId });

        const fingerprint = (
          await this.cryptoService.getFingerprint(
            await this.stateService.getUserId(),
            remotePublicKey
          )
        ).join(" ");

        this.messagingService.send("setFocus");

        // Await confirmation that fingerprint is correct
        const submitted = await Swal.fire({
          titleText: this.i18nService.t("verifyBrowserTitle"),
          html: `${this.i18nService.t("verifyBrowserDesc")}<br><br><strong>${fingerprint}</strong>`,
          showCancelButton: true,
          cancelButtonText: this.i18nService.t("cancel"),
          showConfirmButton: true,
          confirmButtonText: this.i18nService.t("approve"),
          allowOutsideClick: false,
        });

        if (submitted.value !== true) {
          return;
        }
      }

      this.secureCommunication(remotePublicKey, appId);
      return;
    }

    const message = JSON.parse(
      await this.cryptoService.decryptToUtf8(rawMessage, this.sharedSecrets.get(appId))
    );

    // Shared secret is invalidated, force re-authentication
    if (message == null) {
      ipcRenderer.send("nativeMessagingReply", { command: "invalidateEncryption", appId: appId });
      return;
    }

    if (Math.abs(message.timestamp - Date.now()) > MessageValidTimeout) {
      this.logService.error("NativeMessage is to old, ignoring.");
      return;
    }

    switch (message.command) {
      case "biometricUnlock":
        if (!this.platformUtilService.supportsBiometric()) {
          return this.send({ command: "biometricUnlock", response: "not supported" }, appId);
        }

        if (!(await this.vaultTimeoutService.isBiometricLockSet())) {
          this.send({ command: "biometricUnlock", response: "not enabled" }, appId);

          return await Swal.fire({
            title: this.i18nService.t("biometricsNotEnabledTitle"),
            text: this.i18nService.t("biometricsNotEnabledDesc"),
            showCancelButton: true,
            cancelButtonText: this.i18nService.t("cancel"),
            showConfirmButton: false,
          });
        }

        const keyB64 = (await this.cryptoService.getKeyFromStorage(KeySuffixOptions.Biometric))
          .keyB64;

        if (keyB64 != null) {
          this.send({ command: "biometricUnlock", response: "unlocked", keyB64: keyB64 }, appId);
        } else {
          this.send({ command: "biometricUnlock", response: "canceled" }, appId);
        }

        break;
      default:
        this.logService.error("NativeMessage, got unknown command.");
    }
  }

  private async send(message: any, appId: string) {
    message.timestamp = Date.now();

    const encrypted = await this.cryptoService.encrypt(
      JSON.stringify(message),
      this.sharedSecrets.get(appId)
    );

    ipcRenderer.send("nativeMessagingReply", { appId: appId, message: encrypted });
  }

  private async secureCommunication(remotePublicKey: ArrayBuffer, appId: string) {
    const secret = await this.cryptoFunctionService.randomBytes(64);
    this.sharedSecrets.set(appId, new SymmetricCryptoKey(secret));

    const encryptedSecret = await this.cryptoFunctionService.rsaEncrypt(
      secret,
      remotePublicKey,
      EncryptionAlgorithm
    );
    ipcRenderer.send("nativeMessagingReply", {
      appId: appId,
      command: "setupEncryption",
      sharedSecret: Utils.fromBufferToB64(encryptedSecret),
    });
  }
}
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`import { Injectable } from "@angular/core";`
			`import { ipcRenderer } from "electron";`
			`import Swal from "sweetalert2";`
Replace cosole logs with logService 2020-10-05 20:05:48 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`import { CryptoService } from "jslib-common/abstractions/crypto.service";`
			`import { CryptoFunctionService } from "jslib-common/abstractions/cryptoFunction.service";`
			`import { I18nService } from "jslib-common/abstractions/i18n.service";`
			`import { LogService } from "jslib-common/abstractions/log.service";`
			`import { MessagingService } from "jslib-common/abstractions/messaging.service";`
			`import { PlatformUtilsService } from "jslib-common/abstractions/platformUtils.service";`
			`import { StateService } from "jslib-common/abstractions/state.service";`
			`import { VaultTimeoutService } from "jslib-common/abstractions/vaultTimeout.service";`
Restore focus when displaying sync confirm 2020-11-30 14:58:52 +01:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`import { Utils } from "jslib-common/misc/utils";`
[Account Switching] [Feature] Add the ability to maintain state for up to 5 accounts at once (#1079) * [refactor] Remove references to deprecated services * [feature] Implement account switching * [bug] Fix state handling for authentication dependent system menu items * [bug] Enable the account switcher to fucntion properly when switching to a locked accounts * [feature] Enable locking any account from the menu * [bug] Ensure the avatar instance used in the account switcher updates on account change * [style] Fix lint complaints * [bug] Ensure the logout command callback can handle any user in state * [style] Fix lint complaints * rollup * [style] Fix lint complaints * [bug] Don't clean up state until everything else is done on logout * [bug] Navigate to vault on a succesful account switch * [bug] Init the state service on start * [feature] Limit account switching to 5 account maximum * [bug] Resolve app lock state with 5 logged out accounts * [chore] Update account refrences to match recent jslib restructuring * [bug] Add missing awaits * [bug] Update app menu on logout * [bug] Hide the switcher if there are no authed accounts * [bug] Move authenticationStatus display information out of jslib * [bug] Remove unused active style from scss * [refactor] Rewrite the menu bar * [style] Fix lint complaints * [bug] Clean state of loggout out user after redirect * [bug] Redirect on logout if not explicity provided a userId that isn't active * [bug] Relocated several settings items to persistant storage * [bug] Correct account switcher styles on all themes * [chore] Include state migration service in services * [bug] Swap to next account on logout * [bug] Correct DI service * [bug] fix loginGuard deps in services.module * [chore] update jslib * [bug] Remove badly merged scss * [chore] update jslib * [review] Code review cleanup * [review] Code review cleanup Co-authored-by: Hinton <oscar@oscarhinton.com> 2021-12-15 23:32:00 +01:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`import { SymmetricCryptoKey } from "jslib-common/models/domain/symmetricCryptoKey";`
[Account Switching] [Feature] Add the ability to maintain state for up to 5 accounts at once (#1079) * [refactor] Remove references to deprecated services * [feature] Implement account switching * [bug] Fix state handling for authentication dependent system menu items * [bug] Enable the account switcher to fucntion properly when switching to a locked accounts * [feature] Enable locking any account from the menu * [bug] Ensure the avatar instance used in the account switcher updates on account change * [style] Fix lint complaints * [bug] Ensure the logout command callback can handle any user in state * [style] Fix lint complaints * rollup * [style] Fix lint complaints * [bug] Don't clean up state until everything else is done on logout * [bug] Navigate to vault on a succesful account switch * [bug] Init the state service on start * [feature] Limit account switching to 5 account maximum * [bug] Resolve app lock state with 5 logged out accounts * [chore] Update account refrences to match recent jslib restructuring * [bug] Add missing awaits * [bug] Update app menu on logout * [bug] Hide the switcher if there are no authed accounts * [bug] Move authenticationStatus display information out of jslib * [bug] Remove unused active style from scss * [refactor] Rewrite the menu bar * [style] Fix lint complaints * [bug] Clean state of loggout out user after redirect * [bug] Redirect on logout if not explicity provided a userId that isn't active * [bug] Relocated several settings items to persistant storage * [bug] Correct account switcher styles on all themes * [chore] Include state migration service in services * [bug] Swap to next account on logout * [bug] Correct DI service * [bug] fix loginGuard deps in services.module * [chore] update jslib * [bug] Remove badly merged scss * [chore] update jslib * [review] Code review cleanup * [review] Code review cleanup Co-authored-by: Hinton <oscar@oscarhinton.com> 2021-12-15 23:32:00 +01:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`import { KeySuffixOptions } from "jslib-common/enums/keySuffixOptions";`
Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00
			`const MessageValidTimeout = 10 * 1000;`
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`const EncryptionAlgorithm = "sha1";`
Use proper logging, fix linting errors. 2020-10-12 21:34:41 +02:00
BEEEP: Refactor services DI (#1175) 2021-12-06 12:03:02 +01:00			`@Injectable()`
Initial PoC for browser <-> desktop communication 2020-10-05 15:11:37 +02:00			`export class NativeMessagingService {`
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`private sharedSecrets = new Map<string, SymmetricCryptoKey>();`

			`constructor(`
			`private cryptoFunctionService: CryptoFunctionService,`
			`private cryptoService: CryptoService,`
			`private platformUtilService: PlatformUtilsService,`
			`private logService: LogService,`
			`private i18nService: I18nService,`
			`private messagingService: MessagingService,`
			`private vaultTimeoutService: VaultTimeoutService,`
			`private stateService: StateService`
			`) {`
			`ipcRenderer.on("nativeMessaging", async (_event: any, message: any) => {`
			`this.messageHandler(message);`
			`});`
			`}`

			`private async messageHandler(msg: any) {`
			`const appId = msg.appId;`
			`const rawMessage = msg.message;`

			`// Request to setup secure encryption`
			`if (rawMessage.command === "setupEncryption") {`
			`const remotePublicKey = Utils.fromB64ToArray(rawMessage.publicKey).buffer;`

			`// Valudate the UserId to ensure we are logged into the same account.`
			`if (rawMessage.userId !== (await this.stateService.getUserId())) {`
			`ipcRenderer.send("nativeMessagingReply", { command: "wrongUserId", appId: appId });`
			`return;`
			`}`

			`if (await this.stateService.getEnableBrowserIntegrationFingerprint()) {`
			`ipcRenderer.send("nativeMessagingReply", { command: "verifyFingerprint", appId: appId });`

			`const fingerprint = (`
			`await this.cryptoService.getFingerprint(`
			`await this.stateService.getUserId(),`
			`remotePublicKey`
			`)`
			`).join(" ");`

			`this.messagingService.send("setFocus");`

			`// Await confirmation that fingerprint is correct`
			`const submitted = await Swal.fire({`
			`titleText: this.i18nService.t("verifyBrowserTitle"),`
			html: `${this.i18nService.t("verifyBrowserDesc")}<br><br><strong>${fingerprint}</strong>`,
			`showCancelButton: true,`
			`cancelButtonText: this.i18nService.t("cancel"),`
			`showConfirmButton: true,`
			`confirmButtonText: this.i18nService.t("approve"),`
			`allowOutsideClick: false,`
Initial PoC for browser <-> desktop communication 2020-10-05 15:11:37 +02:00			`});`
Generate app manifests and add install scripts for windows 2020-10-05 19:48:51 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`if (submitted.value !== true) {`
			`return;`
wip 2020-10-16 17:09:17 +02:00			`}`
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`}`
Replace cosole logs with logService 2020-10-05 20:05:48 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`this.secureCommunication(remotePublicKey, appId);`
			`return;`
			`}`
Setup new encryption flow 2020-10-19 12:21:07 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`const message = JSON.parse(`
			`await this.cryptoService.decryptToUtf8(rawMessage, this.sharedSecrets.get(appId))`
			`);`
Send error when failing to decrypt message 2020-10-23 14:40:31 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`// Shared secret is invalidated, force re-authentication`
			`if (message == null) {`
			`ipcRenderer.send("nativeMessagingReply", { command: "invalidateEncryption", appId: appId });`
			`return;`
			`}`
Generate app manifests and add install scripts for windows 2020-10-05 19:48:51 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`if (Math.abs(message.timestamp - Date.now()) > MessageValidTimeout) {`
			`this.logService.error("NativeMessage is to old, ignoring.");`
			`return;`
Wire up desktop -> browser communication. Add initial biometry support for browser integration 2020-10-11 20:41:10 +02:00			`}`
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`switch (message.command) {`
			`case "biometricUnlock":`
			`if (!this.platformUtilService.supportsBiometric()) {`
			`return this.send({ command: "biometricUnlock", response: "not supported" }, appId);`
			`}`
Setup new encryption flow 2020-10-19 12:21:07 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`if (!(await this.vaultTimeoutService.isBiometricLockSet())) {`
			`this.send({ command: "biometricUnlock", response: "not enabled" }, appId);`
Split native messaging into renderer and background service. Encrypt messages and verify timestamp 2020-10-12 21:18:28 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`return await Swal.fire({`
			`title: this.i18nService.t("biometricsNotEnabledTitle"),`
			`text: this.i18nService.t("biometricsNotEnabledDesc"),`
			`showCancelButton: true,`
			`cancelButtonText: this.i18nService.t("cancel"),`
			`showConfirmButton: false,`
			`});`
			`}`
wip 2020-10-16 17:09:17 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`const keyB64 = (await this.cryptoService.getKeyFromStorage(KeySuffixOptions.Biometric))`
			`.keyB64;`

			`if (keyB64 != null) {`
			`this.send({ command: "biometricUnlock", response: "unlocked", keyB64: keyB64 }, appId);`
			`} else {`
			`this.send({ command: "biometricUnlock", response: "canceled" }, appId);`
			`}`
wip 2020-10-16 17:09:17 +02:00
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`break;`
			`default:`
			`this.logService.error("NativeMessage, got unknown command.");`
wip 2020-10-16 17:09:17 +02:00			`}`
Apply Prettier (#1202) 2021-12-20 15:47:17 +01:00			`}`

			`private async send(message: any, appId: string) {`
			`message.timestamp = Date.now();`

			`const encrypted = await this.cryptoService.encrypt(`
			`JSON.stringify(message),`
			`this.sharedSecrets.get(appId)`
			`);`

			`ipcRenderer.send("nativeMessagingReply", { appId: appId, message: encrypted });`
			`}`

			`private async secureCommunication(remotePublicKey: ArrayBuffer, appId: string) {`
			`const secret = await this.cryptoFunctionService.randomBytes(64);`
			`this.sharedSecrets.set(appId, new SymmetricCryptoKey(secret));`

			`const encryptedSecret = await this.cryptoFunctionService.rsaEncrypt(`
			`secret,`
			`remotePublicKey,`
			`EncryptionAlgorithm`
			`);`
			`ipcRenderer.send("nativeMessagingReply", {`
			`appId: appId,`
			`command: "setupEncryption",`
			`sharedSecret: Utils.fromBufferToB64(encryptedSecret),`
			`});`
			`}`
Initial PoC for browser <-> desktop communication 2020-10-05 15:11:37 +02:00			`}`