admin/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2026-01-31 14:13:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

[PM-25473] Non-encryption passkeys prevent key rotation (#6359)

Browse Source 
* use webauthn credentials that have encrypted user key for user key rotation

* where condition simplification
This commit is contained in:
Maciej Zieniuk
2025-09-30 17:30:00 +02:00
committed by GitHub
parent 12303b3acf
commit 721fda0aaa
3 changed files with 74 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
View File

@@ -1,4 +1,5 @@
using Bit.Api.Auth.Models.Request.WebAuthn; using Bit.Api.Auth.Models.Request.WebAuthn;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data; using Bit.Core.Auth.Models.Data;
using Bit.Core.Auth.Repositories; using Bit.Core.Auth.Repositories;
using Bit.Core.Entities; using Bit.Core.Entities;
@@ -6,7 +7,13 @@ using Bit.Core.Exceptions;
namespace Bit.Api.KeyManagement.Validators; namespace Bit.Api.KeyManagement.Validators;
public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> /// <summary>
/// Validates WebAuthn credentials during key rotation. Only processes credentials that have PRF enabled
/// and have encrypted user, public, and private keys. Ensures all such credentials are included
/// in the rotation request with the required encrypted keys.
/// </summary>
public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>,
IEnumerable<WebAuthnLoginRotateKeyData>>
{ {
private readonly IWebAuthnCredentialRepository _webAuthnCredentialRepository; private readonly IWebAuthnCredentialRepository _webAuthnCredentialRepository;
@@ -15,24 +22,20 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
_webAuthnCredentialRepository = webAuthnCredentialRepository; _webAuthnCredentialRepository = webAuthnCredentialRepository;
} }
public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate) public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user,
IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
{ {
var result = new List<WebAuthnLoginRotateKeyData>(); var result = new List<WebAuthnLoginRotateKeyData>();
var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id); var validCredentials = (await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id))
if (existing == null) .Where(credential => credential.GetPrfStatus() == WebAuthnPrfStatus.Enabled).ToList();
if (validCredentials.Count == 0)
{ {
return result; return result;
} }
var validCredentials = existing.Where(credential => credential.SupportsPrf); foreach (var webAuthnCredential in validCredentials)
if (!validCredentials.Any())
{ {
return result; var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == webAuthnCredential.Id);
}
foreach (var ea in validCredentials)
{
var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id);
if (keyToRotate == null) if (keyToRotate == null)
{ {
throw new BadRequestException("All existing webauthn prf keys must be included in the rotation."); throw new BadRequestException("All existing webauthn prf keys must be included in the rotation.");
@@ -42,6 +45,7 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
{ {
throw new BadRequestException("WebAuthn prf keys must have user-key during rotation."); throw new BadRequestException("WebAuthn prf keys must have user-key during rotation.");
} }
if (keyToRotate.EncryptedPublicKey == null) if (keyToRotate.EncryptedPublicKey == null)
{ {
throw new BadRequestException("WebAuthn prf keys must have public-key during rotation."); throw new BadRequestException("WebAuthn prf keys must have public-key during rotation.");

17
src/Core/Auth/Entities/WebAuthnCredential.cs
View File

@@ -22,13 +22,30 @@ public class WebAuthnCredential : ITableObject<Guid>
[MaxLength(20)] [MaxLength(20)]
public string Type { get; set; } public string Type { get; set; }
public Guid AaGuid { get; set; } public Guid AaGuid { get; set; }
/// <summary>
/// User key encrypted with this WebAuthn credential's public key (EncryptedPublicKey field).
/// </summary>
[MaxLength(2000)] [MaxLength(2000)]
public string EncryptedUserKey { get; set; } public string EncryptedUserKey { get; set; }
/// <summary>
/// Private key encrypted with an external key for secure storage.
/// </summary>
[MaxLength(2000)] [MaxLength(2000)]
public string EncryptedPrivateKey { get; set; } public string EncryptedPrivateKey { get; set; }
/// <summary>
/// Public key encrypted with the user key for key rotation.
/// </summary>
[MaxLength(2000)] [MaxLength(2000)]
public string EncryptedPublicKey { get; set; } public string EncryptedPublicKey { get; set; }
/// <summary>
/// Indicates whether this credential supports PRF (Pseudo-Random Function) extension.
/// </summary>
public bool SupportsPrf { get; set; } public bool SupportsPrf { get; set; }
public DateTime CreationDate { get; internal set; } = DateTime.UtcNow; public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow; public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;

62
test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
View File

@@ -33,8 +33,9 @@ public class WebAuthnLoginKeyRotationValidatorTests
{ {
Id = guid, Id = guid,
SupportsPrf = true, SupportsPrf = true,
EncryptedPublicKey = "TestKey", EncryptedPublicKey = "TestPublicKey",
EncryptedUserKey = "Test" EncryptedUserKey = "TestUserKey",
EncryptedPrivateKey = "TestPrivateKey"
}; };
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id) sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
.Returns(new List<WebAuthnCredential> { data }); .Returns(new List<WebAuthnCredential> { data });
@@ -45,8 +46,12 @@ public class WebAuthnLoginKeyRotationValidatorTests
} }
[Theory] [Theory]
[BitAutoData] [BitAutoData(false, null, null, null)]
public async Task ValidateAsync_DoesNotSupportPRF_Ignores( [BitAutoData(true, null, "TestPublicKey", "TestPrivateKey")]
[BitAutoData(true, "TestUserKey", null, "TestPrivateKey")]
[BitAutoData(true, "TestUserKey", "TestPublicKey", null)]
public async Task ValidateAsync_NotEncryptedOrPrfNotSupported_Ignores(
bool supportsPrf, string encryptedUserKey, string encryptedPublicKey, string encryptedPrivateKey,
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user, SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData) IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
{ {
@@ -58,7 +63,14 @@ public class WebAuthnLoginKeyRotationValidatorTests
EncryptedPublicKey = e.EncryptedPublicKey, EncryptedPublicKey = e.EncryptedPublicKey,
}).ToList(); }).ToList();
var data = new WebAuthnCredential { Id = guid, EncryptedUserKey = "Test", EncryptedPublicKey = "TestKey" }; var data = new WebAuthnCredential
{
Id = guid,
SupportsPrf = supportsPrf,
EncryptedUserKey = encryptedUserKey,
EncryptedPublicKey = encryptedPublicKey,
EncryptedPrivateKey = encryptedPrivateKey
};
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id) sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
.Returns(new List<WebAuthnCredential> { data }); .Returns(new List<WebAuthnCredential> { data });
@@ -69,7 +81,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task ValidateAsync_WrongWebAuthnKeys_Throws( public async Task ValidateAsync_WebAuthnKeysNotMatchingExisting_Throws(
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user, SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData) IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
{ {
@@ -84,10 +96,12 @@ public class WebAuthnLoginKeyRotationValidatorTests
{ {
Id = Guid.Parse("00000000-0000-0000-0000-000000000002"), Id = Guid.Parse("00000000-0000-0000-0000-000000000002"),
SupportsPrf = true, SupportsPrf = true,
EncryptedPublicKey = "TestKey", EncryptedPublicKey = "TestPublicKey",
EncryptedUserKey = "Test" EncryptedUserKey = "TestUserKey",
EncryptedPrivateKey = "TestPrivateKey"
}; };
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data }); sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
.Returns(new List<WebAuthnCredential> { data });
await Assert.ThrowsAsync<BadRequestException>(async () => await Assert.ThrowsAsync<BadRequestException>(async () =>
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate)); await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
@@ -100,20 +114,24 @@ public class WebAuthnLoginKeyRotationValidatorTests
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData) IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
{ {
var guid = Guid.NewGuid(); var guid = Guid.NewGuid();
var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e =>
{ new WebAuthnLoginRotateKeyRequestModel
Id = guid, {
EncryptedPublicKey = e.EncryptedPublicKey, Id = guid,
}).ToList(); EncryptedPublicKey = e.EncryptedPublicKey,
EncryptedUserKey = null
}).ToList();
var data = new WebAuthnCredential var data = new WebAuthnCredential
{ {
Id = guid, Id = guid,
SupportsPrf = true, SupportsPrf = true,
EncryptedPublicKey = "TestKey", EncryptedPublicKey = "TestPublicKey",
EncryptedUserKey = "Test" EncryptedUserKey = "TestUserKey",
EncryptedPrivateKey = "TestPrivateKey"
}; };
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data }); sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
.Returns(new List<WebAuthnCredential> { data });
await Assert.ThrowsAsync<BadRequestException>(async () => await Assert.ThrowsAsync<BadRequestException>(async () =>
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate)); await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
@@ -131,19 +149,21 @@ public class WebAuthnLoginKeyRotationValidatorTests
{ {
Id = guid, Id = guid,
EncryptedUserKey = e.EncryptedUserKey, EncryptedUserKey = e.EncryptedUserKey,
EncryptedPublicKey = null,
}).ToList(); }).ToList();
var data = new WebAuthnCredential var data = new WebAuthnCredential
{ {
Id = guid, Id = guid,
SupportsPrf = true, SupportsPrf = true,
EncryptedPublicKey = "TestKey", EncryptedPublicKey = "TestPublicKey",
EncryptedUserKey = "Test" EncryptedUserKey = "TestUserKey",
EncryptedPrivateKey = "TestPrivateKey"
}; };
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data }); sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
.Returns(new List<WebAuthnCredential> { data });
await Assert.ThrowsAsync<BadRequestException>(async () => await Assert.ThrowsAsync<BadRequestException>(async () =>
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate)); await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
} }
} }