From f1761c6afc5ee640eb9037b4bf1d2c21ecef20b2 Mon Sep 17 00:00:00 2001
From: Jacob Fink <jfink@bitwarden.com>
Date: Mon, 26 Jun 2023 23:08:25 -0400
Subject: [PATCH] use org key or user key for encrypting attachments

---
 .../platform/abstractions/crypto.service.ts   |  2 +-
 .../src/platform/services/crypto.service.ts   | 10 ++++---
 .../src/vault/services/cipher.service.ts      | 29 +++++++++++++------
 3 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/libs/common/src/platform/abstractions/crypto.service.ts b/libs/common/src/platform/abstractions/crypto.service.ts
index 39fa802da0..89abbf006d 100644
--- a/libs/common/src/platform/abstractions/crypto.service.ts
+++ b/libs/common/src/platform/abstractions/crypto.service.ts
@@ -204,7 +204,7 @@ export abstract class CryptoService {
    * Uses the org key to derive a new symmetric key for encrypting data
    * @param orgKey The organization's symmetric key
    */
-  makeOrgDataEncKey: (orgKey: OrgKey) => Promise<[SymmetricCryptoKey, EncString]>;
+  makeDataEncKey: <T extends UserKey | OrgKey>(key: T) => Promise<[SymmetricCryptoKey, EncString]>;
   /**
    * Clears the user's stored organization keys
    * @param memoryOnly Clear only the in-memory keys
diff --git a/libs/common/src/platform/services/crypto.service.ts b/libs/common/src/platform/services/crypto.service.ts
index 87b5369b5b..1283b7dd36 100644
--- a/libs/common/src/platform/services/crypto.service.ts
+++ b/libs/common/src/platform/services/crypto.service.ts
@@ -336,13 +336,15 @@ export class CryptoService implements CryptoServiceAbstraction {
     return result;
   }
 
-  async makeOrgDataEncKey(orgKey: OrgKey): Promise<[SymmetricCryptoKey, EncString]> {
-    if (orgKey == null) {
-      throw new Error("No Org Key provided");
+  async makeDataEncKey<T extends OrgKey | UserKey>(
+    key: T
+  ): Promise<[SymmetricCryptoKey, EncString]> {
+    if (key == null) {
+      throw new Error("No key provided");
     }
 
     const newSymKey = await this.cryptoFunctionService.randomBytes(64);
-    return this.buildProtectedSymmetricKey(orgKey, newSymKey);
+    return this.buildProtectedSymmetricKey(key, newSymKey);
   }
 
   async clearOrgKeys(memoryOnly?: boolean, userId?: string): Promise<void> {
diff --git a/libs/common/src/vault/services/cipher.service.ts b/libs/common/src/vault/services/cipher.service.ts
index 4ef864ff0e..9e9b195982 100644
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@@ -13,7 +13,11 @@ import { Utils } from "../../platform/misc/utils";
 import Domain from "../../platform/models/domain/domain-base";
 import { EncArrayBuffer } from "../../platform/models/domain/enc-array-buffer";
 import { EncString } from "../../platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import {
+  OrgKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
 import { CipherService as CipherServiceAbstraction } from "../abstractions/cipher.service";
 import { CipherFileUploadService } from "../abstractions/file-upload/cipher-file-upload.service";
 import { CipherType } from "../enums/cipher-type";
@@ -633,11 +637,14 @@ export class CipherService implements CipherServiceAbstraction {
     data: ArrayBuffer,
     admin = false
   ): Promise<Cipher> {
-    const orgKey = await this.cryptoService.getOrgKey(cipher.organizationId);
-    const encFileName = await this.cryptoService.encrypt(filename, orgKey);
+    let encKey: UserKey | OrgKey;
+    encKey = await this.cryptoService.getOrgKey(cipher.organizationId);
+    encKey ||= (await this.cryptoService.getKeyForUserEncryption()) as UserKey;
 
-    const dataEncKey = await this.cryptoService.makeOrgDataEncKey(orgKey);
-    const encData = await this.cryptoService.encryptToBytes(data, dataEncKey[0]);
+    const dataEncKey = await this.cryptoService.makeDataEncKey(encKey);
+
+    const encFileName = await this.encryptService.encrypt(filename, encKey);
+    const encData = await this.encryptService.encryptToBytes(data, dataEncKey[0]);
 
     const response = await this.cipherFileUploadService.upload(
       cipher,
@@ -946,11 +953,15 @@ export class CipherService implements CipherServiceAbstraction {
 
     const encBuf = await EncArrayBuffer.fromResponse(attachmentResponse);
     const decBuf = await this.cryptoService.decryptFromBytes(encBuf, null);
-    const orgKey = await this.cryptoService.getOrgKey(organizationId);
-    const encFileName = await this.cryptoService.encrypt(attachmentView.fileName, orgKey);
 
-    const dataEncKey = await this.cryptoService.makeOrgDataEncKey(orgKey);
-    const encData = await this.cryptoService.encryptToBytes(decBuf, dataEncKey[0]);
+    let encKey: UserKey | OrgKey;
+    encKey = await this.cryptoService.getOrgKey(organizationId);
+    encKey ||= (await this.cryptoService.getKeyForUserEncryption()) as UserKey;
+
+    const dataEncKey = await this.cryptoService.makeDataEncKey(encKey);
+
+    const encFileName = await this.encryptService.encrypt(attachmentView.fileName, encKey);
+    const encData = await this.encryptService.encryptToBytes(decBuf, dataEncKey[0]);
 
     const fd = new FormData();
     try {