add enc key rotation option during master password change

2018-11-13 11:06:16 -05:00 · 2018-11-13 11:06:16 -05:00 · 2d0acc7663
parent 4231ed74ba
commit 2d0acc7663
3 changed files with 89 additions and 2 deletions
--- a/src/app/settings/change-password.component.html
+++ b/src/app/settings/change-password.component.html
@ -26,6 +26,15 @@
            </div>
        </div>
    </div>
+    <div class="form-group">
+        <div class="form-check">
+            <input class="form-check-input" type="checkbox" id="rotateEncKey" name="RotateEncKey" [(ngModel)]="rotateEncKey"
+                (change)="showEncKeyWarning()">
+            <label class="form-check-label" for="rotateEncKey">
+                {{'rotateAccountEncKey' | i18n}}
+            </label>
+        </div>
+    </div>
    <button type="submit" class="btn btn-primary btn-submit" [disabled]="form.loading">
        <i class="fa fa-spinner fa-spin" title="{{'loading' | i18n}}"></i>
        <span>{{'changeMasterPassword' | i18n}}</span>
--- a/src/app/settings/change-password.component.ts
+++ b/src/app/settings/change-password.component.ts
@ -7,14 +7,23 @@ import { ToasterService } from 'angular2-toaster';
 import { Angulartics2 } from 'angulartics2';

 import { ApiService } from 'jslib/abstractions/api.service';
+import { CipherService } from 'jslib/abstractions/cipher.service';
 import { CryptoService } from 'jslib/abstractions/crypto.service';
+import { FolderService } from 'jslib/abstractions/folder.service';
 import { I18nService } from 'jslib/abstractions/i18n.service';
 import { MessagingService } from 'jslib/abstractions/messaging.service';
 import { PasswordGenerationService } from 'jslib/abstractions/passwordGeneration.service';
 import { PlatformUtilsService } from 'jslib/abstractions/platformUtils.service';
+import { SyncService } from 'jslib/abstractions/sync.service';
 import { UserService } from 'jslib/abstractions/user.service';

+import { CipherString } from 'jslib/models/domain/cipherString';
+import { SymmetricCryptoKey } from 'jslib/models/domain/symmetricCryptoKey';
+
+import { CipherWithIdRequest } from 'jslib/models/request/cipherWithIdRequest';
+import { FolderWithIdRequest } from 'jslib/models/request/folderWithIdRequest';
 import { PasswordRequest } from 'jslib/models/request/passwordRequest';
+import { UpdateKeyRequest } from 'jslib/models/request/updateKeyRequest';

@Component({
    selector: 'app-change-password',
@ -26,6 +35,7 @@ export class ChangePasswordComponent implements OnInit {
    confirmNewMasterPassword: string;
    formPromise: Promise<any>;
    masterPasswordScore: number;
+    rotateEncKey = false;

    private masterPasswordStrengthTimeout: any;
    private email: string;
@ -34,7 +44,8 @@ export class ChangePasswordComponent implements OnInit {
        private analytics: Angulartics2, private toasterService: ToasterService,
        private cryptoService: CryptoService, private messagingService: MessagingService,
        private userService: UserService, private passwordGenerationService: PasswordGenerationService,
-        private platformUtilsService: PlatformUtilsService) { }
+        private platformUtilsService: PlatformUtilsService, private folderService: FolderService,
+        private cipherService: CipherService, private syncService: SyncService) { }

    async ngOnInit() {
        this.email = await this.userService.getEmail();
@ -75,6 +86,10 @@ export class ChangePasswordComponent implements OnInit {
            }
        }

+        if (this.rotateEncKey) {
+            await this.syncService.fullSync(true);
+        }
+
        const request = new PasswordRequest();
        request.masterPasswordHash = await this.cryptoService.hashPassword(this.currentMasterPassword, null);
        const email = await this.userService.getEmail();
@ -85,7 +100,15 @@ export class ChangePasswordComponent implements OnInit {
        const newEncKey = await this.cryptoService.remakeEncKey(newKey);
        request.key = newEncKey[1].encryptedString;
        try {
-            this.formPromise = this.apiService.postPassword(request);
+            if (this.rotateEncKey) {
+                this.formPromise = this.apiService.postPassword(request).then(() => {
+                    return this.makeRequest(newKey, request.newMasterPasswordHash);
+                }).then((updateKeyRequest) => {
+                    return this.apiService.postAccountKey(updateKeyRequest);
+                });
+            } else {
+                this.formPromise = this.apiService.postPassword(request);
+            }
            await this.formPromise;
            this.analytics.eventTrack.next({ action: 'Changed Password' });
            this.toasterService.popAsync('success', this.i18nService.t('masterPasswordChanged'),
@ -105,6 +128,18 @@ export class ChangePasswordComponent implements OnInit {
        }, 300);
    }

+    async showEncKeyWarning() {
+        if (this.rotateEncKey) {
+            const result = await this.platformUtilsService.showDialog(
+                this.i18nService.t('updateEncryptionKeyWarning') + ' ' +
+                this.i18nService.t('rotateEncKeyConfirmation'), this.i18nService.t('rotateEncKeyTitle'),
+                this.i18nService.t('yes'), this.i18nService.t('no'), 'warning');
+            if (!result) {
+                this.rotateEncKey = false;
+            }
+        }
+    }
+
    private getPasswordStrengthUserInput() {
        let userInput: string[] = [];
        const atPosition = this.email.indexOf('@');
@ -113,4 +148,38 @@ export class ChangePasswordComponent implements OnInit {
        }
        return userInput;
    }
+
+    private async makeRequest(key: SymmetricCryptoKey, masterPasswordHash: string): Promise<UpdateKeyRequest> {
+        const encKey = await this.cryptoService.makeEncKey(key);
+        const privateKey = await this.cryptoService.getPrivateKey();
+        let encPrivateKey: CipherString = null;
+        if (privateKey != null) {
+            encPrivateKey = await this.cryptoService.encrypt(privateKey, encKey[0]);
+        }
+        const request = new UpdateKeyRequest();
+        request.privateKey = encPrivateKey != null ? encPrivateKey.encryptedString : null;
+        request.key = encKey[1].encryptedString;
+        request.masterPasswordHash = masterPasswordHash;
+
+        const folders = await this.folderService.getAllDecrypted();
+        for (let i = 0; i < folders.length; i++) {
+            if (folders[i].id == null) {
+                continue;
+            }
+            const folder = await this.folderService.encrypt(folders[i], encKey[0]);
+            request.folders.push(new FolderWithIdRequest(folder));
+        }
+
+        const ciphers = await this.cipherService.getAllDecrypted();
+        for (let i = 0; i < ciphers.length; i++) {
+            if (ciphers[i].organizationId != null) {
+                continue;
+            }
+
+            const cipher = await this.cipherService.encrypt(ciphers[i], encKey[0]);
+            request.ciphers.push(new CipherWithIdRequest(cipher));
+        }
+
+        return request;
+    }
 }
--- a/src/locales/en/messages.json
+++ b/src/locales/en/messages.json
@ -2530,5 +2530,14 @@
  },
  "weakMasterPasswordDesc": {
    "message": "The master password you have chosen is weak. You should use a strong master password (or a passphrase) to properly protect your Bitwarden account. Are you sure you want to use this master password?"
+  },
+  "rotateAccountEncKey": {
+    "message": "Also rotate my account's encryption key"
+  },
+  "rotateEncKeyTitle": {
+    "message": "Rotate Encryption Key"
+  },
+  "rotateEncKeyConfirmation": {
+    "message": "Are you sure you want to rotate your account's encryption key?"
  }
 }