use org key or user key for encrypting attachments

2025-01-06 18:57:56 +01:00 · 2023-06-26 23:08:25 -04:00 · 2023-06-26 23:08:25 -04:00 · f1761c6afc
commit f1761c6afc
parent 31a1491c81
3 changed files with 27 additions and 14 deletions
--- a/libs/common/src/platform/abstractions/crypto.service.ts
+++ b/libs/common/src/platform/abstractions/crypto.service.ts
@ -204,7 +204,7 @@ export abstract class CryptoService {
   * Uses the org key to derive a new symmetric key for encrypting data
   * @param orgKey The organization's symmetric key
   */
-  makeOrgDataEncKey: (orgKey: OrgKey) => Promise<[SymmetricCryptoKey, EncString]>;
+  makeDataEncKey: <T extends UserKey | OrgKey>(key: T) => Promise<[SymmetricCryptoKey, EncString]>;
  /**
   * Clears the user's stored organization keys
   * @param memoryOnly Clear only the in-memory keys
--- a/libs/common/src/platform/services/crypto.service.ts
+++ b/libs/common/src/platform/services/crypto.service.ts
@ -336,13 +336,15 @@ export class CryptoService implements CryptoServiceAbstraction {
    return result;
  }

-  async makeOrgDataEncKey(orgKey: OrgKey): Promise<[SymmetricCryptoKey, EncString]> {
-    if (orgKey == null) {
-      throw new Error("No Org Key provided");
+  async makeDataEncKey<T extends OrgKey | UserKey>(
+    key: T
+  ): Promise<[SymmetricCryptoKey, EncString]> {
+    if (key == null) {
+      throw new Error("No key provided");
    }

    const newSymKey = await this.cryptoFunctionService.randomBytes(64);
-    return this.buildProtectedSymmetricKey(orgKey, newSymKey);
+    return this.buildProtectedSymmetricKey(key, newSymKey);
  }

  async clearOrgKeys(memoryOnly?: boolean, userId?: string): Promise<void> {
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@ -13,7 +13,11 @@ import { Utils } from "../../platform/misc/utils";
 import Domain from "../../platform/models/domain/domain-base";
 import { EncArrayBuffer } from "../../platform/models/domain/enc-array-buffer";
 import { EncString } from "../../platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import {
+  OrgKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
 import { CipherService as CipherServiceAbstraction } from "../abstractions/cipher.service";
 import { CipherFileUploadService } from "../abstractions/file-upload/cipher-file-upload.service";
 import { CipherType } from "../enums/cipher-type";
@ -633,11 +637,14 @@ export class CipherService implements CipherServiceAbstraction {
    data: ArrayBuffer,
    admin = false
  ): Promise<Cipher> {
-    const orgKey = await this.cryptoService.getOrgKey(cipher.organizationId);
-    const encFileName = await this.cryptoService.encrypt(filename, orgKey);
+    let encKey: UserKey | OrgKey;
+    encKey = await this.cryptoService.getOrgKey(cipher.organizationId);
+    encKey ||= (await this.cryptoService.getKeyForUserEncryption()) as UserKey;

-    const dataEncKey = await this.cryptoService.makeOrgDataEncKey(orgKey);
-    const encData = await this.cryptoService.encryptToBytes(data, dataEncKey[0]);
+    const dataEncKey = await this.cryptoService.makeDataEncKey(encKey);
+
+    const encFileName = await this.encryptService.encrypt(filename, encKey);
+    const encData = await this.encryptService.encryptToBytes(data, dataEncKey[0]);

    const response = await this.cipherFileUploadService.upload(
      cipher,
@ -946,11 +953,15 @@ export class CipherService implements CipherServiceAbstraction {

    const encBuf = await EncArrayBuffer.fromResponse(attachmentResponse);
    const decBuf = await this.cryptoService.decryptFromBytes(encBuf, null);
-    const orgKey = await this.cryptoService.getOrgKey(organizationId);
-    const encFileName = await this.cryptoService.encrypt(attachmentView.fileName, orgKey);

-    const dataEncKey = await this.cryptoService.makeOrgDataEncKey(orgKey);
-    const encData = await this.cryptoService.encryptToBytes(decBuf, dataEncKey[0]);
+    let encKey: UserKey | OrgKey;
+    encKey = await this.cryptoService.getOrgKey(organizationId);
+    encKey ||= (await this.cryptoService.getKeyForUserEncryption()) as UserKey;
+
+    const dataEncKey = await this.cryptoService.makeDataEncKey(encKey);
+
+    const encFileName = await this.encryptService.encrypt(attachmentView.fileName, encKey);
+    const encData = await this.encryptService.encryptToBytes(decBuf, dataEncKey[0]);

    const fd = new FormData();
    try {