1
0
mirror of https://github.com/bitwarden/browser.git synced 2024-12-21 16:18:28 +01:00

Add context to logs for decryption failures (#11684)

* Add logging to decryption routines

* Fix case of uknown encryption type

* Add decryption context to log where failures occur

* Update log message

* Fix linting

* Add more context logs

* Add more fine grained logging

* Update log message

* Fix tests
This commit is contained in:
Bernd Schoolmann 2024-10-25 15:22:30 +02:00 committed by GitHub
parent adabc59c03
commit 122c3c7809
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 61 additions and 17 deletions

View File

@ -48,8 +48,12 @@ describe("LocalBackedSessionStorage", () => {
localStorage.internalStore["session_test"] = encrypted.encryptedString;
encryptService.decryptToUtf8.mockResolvedValue(JSON.stringify("decrypted"));
const result = await sut.get("test");
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encrypted, sessionKey);
expect(result).toEqual("decrypted");
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
encrypted,
sessionKey,
"browser-session-key",
),
expect(result).toEqual("decrypted");
});
it("caches the decrypted value when one is stored in local storage", async () => {
@ -65,8 +69,12 @@ describe("LocalBackedSessionStorage", () => {
localStorage.internalStore["session_test"] = encrypted.encryptedString;
encryptService.decryptToUtf8.mockResolvedValue(JSON.stringify("decrypted"));
const result = await sut.get("test");
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encrypted, sessionKey);
expect(result).toEqual("decrypted");
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
encrypted,
sessionKey,
"browser-session-key",
),
expect(result).toEqual("decrypted");
});
it("caches the decrypted value when one is stored in local storage", async () => {

View File

@ -117,7 +117,11 @@ export class LocalBackedSessionStorageService
return null;
}
const valueJson = await this.encryptService.decryptToUtf8(new EncString(local), encKey);
const valueJson = await this.encryptService.decryptToUtf8(
new EncString(local),
encKey,
"browser-session-key",
);
if (valueJson == null) {
// error with decryption, value is lost, delete state and start over
await this.localStorage.remove(this.sessionStorageKey(key));

View File

@ -455,6 +455,7 @@ export class GetCommand extends DownloadCommand {
decCollection.name = await this.encryptService.decryptToUtf8(
new EncString(response.name),
orgKey,
`orgkey-${options.organizationId}`,
);
const groups =
response.groups == null

View File

@ -8,7 +8,11 @@ import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
export abstract class EncryptService {
abstract encrypt(plainValue: string | Uint8Array, key: SymmetricCryptoKey): Promise<EncString>;
abstract encryptToBytes(plainValue: Uint8Array, key: SymmetricCryptoKey): Promise<EncArrayBuffer>;
abstract decryptToUtf8(encString: EncString, key: SymmetricCryptoKey): Promise<string>;
abstract decryptToUtf8(
encString: EncString,
key: SymmetricCryptoKey,
decryptContext?: string,
): Promise<string>;
abstract decryptToBytes(encThing: Encrypted, key: SymmetricCryptoKey): Promise<Uint8Array>;
abstract rsaEncrypt(data: Uint8Array, publicKey: Uint8Array): Promise<EncString>;
abstract rsaDecrypt(data: EncString, privateKey: Uint8Array): Promise<Uint8Array>;

View File

@ -149,7 +149,7 @@ describe("EncString", () => {
const key = new SymmetricCryptoKey(makeStaticByteArray(32));
await encString.decryptWithKey(key, encryptService);
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key);
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key, "domain-withkey");
});
it("fails to decrypt when key is null", async () => {
@ -351,7 +351,7 @@ describe("EncString", () => {
await encString.decrypt(null, key);
expect(keyService.getUserKeyWithLegacySupport).not.toHaveBeenCalled();
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key);
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key, "provided-key");
});
it("gets an organization key if required", async () => {
@ -362,7 +362,11 @@ describe("EncString", () => {
await encString.decrypt("orgId", null);
expect(keyService.getOrgKey).toHaveBeenCalledWith("orgId");
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, orgKey);
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
encString,
orgKey,
"domain-orgkey-orgId",
);
});
it("gets the user's decryption key if required", async () => {
@ -373,7 +377,11 @@ describe("EncString", () => {
await encString.decrypt(null, null);
expect(keyService.getUserKeyWithLegacySupport).toHaveBeenCalledWith();
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, userKey);
expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
encString,
userKey,
"domain-withlegacysupport-masterkey",
);
});
});

View File

@ -159,16 +159,27 @@ export class EncString implements Encrypted {
return this.decryptedValue;
}
let keyContext = "provided-key";
try {
if (key == null) {
key = await this.getKeyForDecryption(orgId);
keyContext = orgId == null ? `domain-orgkey-${orgId}` : "domain-userkey|masterkey";
if (orgId != null) {
keyContext = `domain-orgkey-${orgId}`;
} else {
const cryptoService = Utils.getContainerService().getKeyService();
keyContext =
(await cryptoService.getUserKey()) == null
? "domain-withlegacysupport-masterkey"
: "domain-withlegacysupport-userkey";
}
}
if (key == null) {
throw new Error("No key to decrypt EncString with orgId " + orgId);
}
const encryptService = Utils.getContainerService().getEncryptService();
this.decryptedValue = await encryptService.decryptToUtf8(this, key);
this.decryptedValue = await encryptService.decryptToUtf8(this, key, keyContext);
} catch (e) {
this.decryptedValue = DECRYPT_ERROR;
}
@ -181,7 +192,7 @@ export class EncString implements Encrypted {
throw new Error("No key to decrypt EncString");
}
this.decryptedValue = await encryptService.decryptToUtf8(this, key);
this.decryptedValue = await encryptService.decryptToUtf8(this, key, "domain-withkey");
} catch (e) {
this.decryptedValue = DECRYPT_ERROR;
}

View File

@ -63,7 +63,11 @@ export class EncryptServiceImplementation implements EncryptService {
return new EncArrayBuffer(encBytes);
}
async decryptToUtf8(encString: EncString, key: SymmetricCryptoKey): Promise<string> {
async decryptToUtf8(
encString: EncString,
key: SymmetricCryptoKey,
decryptContext: string = "no context",
): Promise<string> {
if (key == null) {
throw new Error("No key provided for decryption.");
}
@ -75,8 +79,9 @@ export class EncryptServiceImplementation implements EncryptService {
this.logService.error(
"[Encrypt service] Key has mac key but payload is missing mac bytes. Key type " +
encryptionTypeName(key.encType) +
" Payload type " +
"Payload type " +
encryptionTypeName(encString.encryptionType),
"Decrypt context: " + decryptContext,
);
return null;
}
@ -85,8 +90,9 @@ export class EncryptServiceImplementation implements EncryptService {
this.logService.error(
"[Encrypt service] Key encryption type does not match payload encryption type. Key type " +
encryptionTypeName(key.encType) +
" Payload type " +
"Payload type " +
encryptionTypeName(encString.encryptionType),
"Decrypt context: " + decryptContext,
);
return null;
}
@ -108,8 +114,10 @@ export class EncryptServiceImplementation implements EncryptService {
this.logMacFailed(
"[Encrypt service] MAC comparison failed. Key or payload has changed. Key type " +
encryptionTypeName(key.encType) +
" Payload type " +
encryptionTypeName(encString.encryptionType),
"Payload type " +
encryptionTypeName(encString.encryptionType) +
" Decrypt context: " +
decryptContext,
);
return null;
}