bitwarden · quexten · Feb 28, 2025
@@ -60,7 +60,7 @@ fn encrypt(secret: &str, key_material: &KeyMaterial, iv_b64: &str) -> Result<Str
 
 #[allow(unused)]
 fn decrypt(secret: &CipherString, key_material: &KeyMaterial) -> Result<String> {
-    if let CipherString::AesCbc256_B64 { iv, data } = secret {
+    if let CipherString::Aes256Cbc_B64 { iv, data } = secret {
         let decrypted = crypto::decrypt_aes256(iv, data, key_material.derive_key()?)?;
 
         Ok(String::from_utf8(decrypted)?)

@@ -234,7 +234,7 @@ mod tests {
             .unwrap();
 
         match secret {
-            CipherString::AesCbc256_B64 { iv, data: _ } => {
+            CipherString::Aes256Cbc_B64 { iv, data: _ } => {
                 assert_eq!(iv_b64, base64_engine.encode(iv));
             }
             _ => panic!("Invalid cipher string"),

@@ -7,18 +7,18 @@ use crate::error::{CSParseError, Error};
 #[allow(unused, non_camel_case_types)]
 pub enum CipherString {
     // 0
-    AesCbc256_B64 {
+    Aes256Cbc_B64 {
         iv: [u8; 16],
         data: Vec<u8>,
     },
     // 1
-    AesCbc128_HmacSha256_B64 {
+    Aes128Cbc_HmacSha256_B64 {
         iv: [u8; 16],
         mac: [u8; 32],
         data: Vec<u8>,
     },
     // 2
-    AesCbc256_HmacSha256_B64 {
+    Aes256Cbc_HmacSha256_B64 {
         iv: [u8; 16],
         mac: [u8; 32],
         data: Vec<u8>,
@@ -81,7 +81,7 @@ impl FromStr for CipherString {
                     .decode(data_str)
                     .map_err(CSParseError::InvalidBase64)?;
 
-                Ok(CipherString::AesCbc256_B64 { iv, data })
+                Ok(CipherString::Aes256Cbc_B64 { iv, data })
             }
 
             ("1" | "2", 3) => {
@@ -106,9 +106,9 @@ impl FromStr for CipherString {
                     .map_err(CSParseError::InvalidBase64)?;
 
                 if enc_type == "1" {
-                    Ok(CipherString::AesCbc128_HmacSha256_B64 { iv, mac, data })
+                    Ok(CipherString::Aes128Cbc_HmacSha256_B64 { iv, mac, data })
                 } else {
-                    Ok(CipherString::AesCbc256_HmacSha256_B64 { iv, mac, data })
+                    Ok(CipherString::Aes256Cbc_HmacSha256_B64 { iv, mac, data })
                 }
             }
 
@@ -142,16 +142,16 @@ impl Display for CipherString {
         let mut parts = Vec::<&[u8]>::new();
 
         match self {
-            CipherString::AesCbc256_B64 { iv, data } => {
+            CipherString::Aes256Cbc_B64 { iv, data } => {
                 parts.push(iv);
                 parts.push(data);
             }
-            CipherString::AesCbc128_HmacSha256_B64 { iv, mac, data } => {
+            CipherString::Aes128Cbc_HmacSha256_B64 { iv, mac, data } => {
                 parts.push(iv);
                 parts.push(data);
                 parts.push(mac);
             }
-            CipherString::AesCbc256_HmacSha256_B64 { iv, mac, data } => {
+            CipherString::Aes256Cbc_HmacSha256_B64 { iv, mac, data } => {
                 parts.push(iv);
                 parts.push(data);
                 parts.push(mac);
@@ -187,9 +187,9 @@ impl Display for CipherString {
 impl CipherString {
     fn enc_type(&self) -> u8 {
         match self {
-            CipherString::AesCbc256_B64 { .. } => 0,
-            CipherString::AesCbc128_HmacSha256_B64 { .. } => 1,
-            CipherString::AesCbc256_HmacSha256_B64 { .. } => 2,
+            CipherString::Aes256Cbc_B64 { .. } => 0,
+            CipherString::Aes128Cbc_HmacSha256_B64 { .. } => 1,
+            CipherString::Aes256Cbc_HmacSha256_B64 { .. } => 2,
             CipherString::Rsa2048_OaepSha256_B64 { .. } => 3,
             CipherString::Rsa2048_OaepSha1_B64 { .. } => 4,
             CipherString::Rsa2048_OaepSha256_HmacSha256_B64 { .. } => 5,
@@ -199,9 +199,9 @@ impl CipherString {
 
     fn enc_type_name(&self) -> &str {
         match self.enc_type() {
-            0 => "AesCbc256_B64",
-            1 => "AesCbc128_HmacSha256_B64",
-            2 => "AesCbc256_HmacSha256_B64",
+            0 => "Aes256Cbc_B64",
+            1 => "Aes128Cbc_HmacSha256_B64",
+            2 => "Aes256Cbc_HmacSha256_B64",
             3 => "Rsa2048_OaepSha256_B64",
             4 => "Rsa2048_OaepSha1_B64",
             5 => "Rsa2048_OaepSha256_HmacSha256_B64",

@@ -31,7 +31,7 @@ pub fn encrypt_aes256(
     let data = cbc::Encryptor::<aes::Aes256>::new(&key, &iv.into())
         .encrypt_padded_vec_mut::<Pkcs7>(data_dec);
 
-    Ok(CipherString::AesCbc256_B64 { iv, data })
+    Ok(CipherString::Aes256Cbc_B64 { iv, data })
 }
 
 pub fn argon2(

@@ -300,7 +300,7 @@ describe("MainBiometricsService", function () {
 
       expect(userKey).not.toBeNull();
       expect(userKey!.keyB64).toBe(biometricKey);
-      expect(userKey!.encType).toBe(EncryptionType.AesCbc256_HmacSha256_B64);
+      expect(userKey!.encType).toBe(EncryptionType.Aes256Cbc_HmacSha256_B64);
       expect(osBiometricsService.getBiometricKey).toHaveBeenCalledWith(
         "Bitwarden_biometric",
         `${userId}_user_biometric`,

@@ -222,7 +222,7 @@ export default class OsBiometricsServiceWindows implements OsBiometricService {
   ): biometrics.KeyMaterial {
     let key = null;
     const innerKey = symmetricKey.inner();
-    if (innerKey.type === EncryptionType.AesCbc256_B64) {
+    if (innerKey.type === EncryptionType.Aes256Cbc_B64) {
       key = Utils.fromBufferToB64(innerKey.encryptionKey);
     } else {
       key = Utils.fromBufferToB64(innerKey.authenticationKey);

@@ -139,7 +139,7 @@ describe("OrganizationUserResetPasswordService", () => {
       const mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
       keyService.encryptUserKeyWithMasterKey.mockResolvedValue([
         mockUserKey,
-        new EncString(EncryptionType.AesCbc256_HmacSha256_B64, "test-encrypted-user-key"),
+        new EncString(EncryptionType.Aes256Cbc_HmacSha256_B64, "test-encrypted-user-key"),
       ]);
     });
 

@@ -120,7 +120,7 @@ describe("EmergencyAccessService", () => {
         const publicKey = new Uint8Array(64);
 
         const mockUserPublicKeyEncryptedUserKey = new EncString(
-          EncryptionType.AesCbc256_HmacSha256_B64,
+          EncryptionType.Aes256Cbc_HmacSha256_B64,
           "mockUserPublicKeyEncryptedUserKey",
         );
 
@@ -168,7 +168,7 @@ describe("EmergencyAccessService", () => {
       // must mock [UserKey, EncString] return from keyService.encryptUserKeyWithMasterKey
       // where UserKey is the decrypted grantor user key
       const mockMasterKeyEncryptedUserKey = new EncString(
-        EncryptionType.AesCbc256_HmacSha256_B64,
+        EncryptionType.Aes256Cbc_HmacSha256_B64,
         "mockMasterKeyEncryptedUserKey",
       );
 

@@ -49,7 +49,7 @@ describe("PinService", () => {
   const mockPin = "1234";
   const mockUserKeyEncryptedPin = new EncString("userKeyEncryptedPin");
 
-  // Note: both pinKeyEncryptedUserKeys use encryptionType: 2 (AesCbc256_HmacSha256_B64)
+  // Note: both pinKeyEncryptedUserKeys use encryptionType: 2 (Aes256Cbc_HmacSha256_B64)
   const pinKeyEncryptedUserKeyEphemeral = new EncString(
     "2.gbauOANURUHqvhLTDnva1A==|nSW+fPumiuTaDB/s12+JO88uemV6rhwRSR+YR1ZzGr5j6Ei3/h+XEli2Unpz652NlZ9NTuRpHxeOqkYYJtp7J+lPMoclgteXuAzUu9kqlRc=|DeUFkhIwgkGdZA08bDnDqMMNmZk21D+H5g8IostPKAY=",
   );

@@ -37,7 +37,7 @@ export function mockEnc(s: string): MockProxy<EncString> {
 
 export function makeEncString(data?: string) {
   data ??= Utils.newGuid();
-  return new EncString(EncryptionType.AesCbc256_HmacSha256_B64, data, "test", "test");
+  return new EncString(EncryptionType.Aes256Cbc_HmacSha256_B64, data, "test", "test");
 }
 
 export function makeStaticByteArray(length: number, start = 0) {

@@ -36,7 +36,7 @@ export abstract class MasterPasswordServiceAbstraction {
    *    * @param userId The desired user
    * @param userKey The user's encrypted symmetric key
    * @throws If either the MasterKey or UserKey are not resolved, or if the UserKey encryption type
-   *         is neither AesCbc256_B64 nor AesCbc256_HmacSha256_B64
+   *         is neither Aes256Cbc_B64 nor Aes256Cbc_HmacSha256_B64
    * @returns The user key
    */
   abstract decryptUserKeyWithMasterKey: (

@@ -392,12 +392,12 @@ describe("deviceTrustService", () => {
         );
 
         mockUserKeyEncryptedDevicePublicKey = new EncString(
-          EncryptionType.AesCbc256_HmacSha256_B64,
+          EncryptionType.Aes256Cbc_HmacSha256_B64,
           "mockUserKeyEncryptedDevicePublicKey",
         );
 
         mockDeviceKeyEncryptedDevicePrivateKey = new EncString(
-          EncryptionType.AesCbc256_HmacSha256_B64,
+          EncryptionType.Aes256Cbc_HmacSha256_B64,
           "mockDeviceKeyEncryptedDevicePrivateKey",
         );
 
@@ -555,12 +555,12 @@ describe("deviceTrustService", () => {
         mockUserKey = new SymmetricCryptoKey(mockUserKeyRandomBytes) as UserKey;
 
         mockEncryptedDevicePrivateKey = new EncString(
-          EncryptionType.AesCbc256_HmacSha256_B64,
+          EncryptionType.Aes256Cbc_HmacSha256_B64,
           "mockEncryptedDevicePrivateKey",
         );
 
         mockEncryptedUserKey = new EncString(
-          EncryptionType.AesCbc256_HmacSha256_B64,
+          EncryptionType.Aes256Cbc_HmacSha256_B64,
           "mockEncryptedUserKey",
         );
 
@@ -731,7 +731,7 @@ describe("deviceTrustService", () => {
 
           // Mock the decryption of the public key with the old user key
           encryptService.decryptToBytes.mockImplementationOnce((_encValue, privateKeyValue) => {
-            expect(privateKeyValue.inner().type).toBe(EncryptionType.AesCbc256_HmacSha256_B64);
+            expect(privateKeyValue.inner().type).toBe(EncryptionType.Aes256Cbc_HmacSha256_B64);
             expect(new Uint8Array(privateKeyValue.toEncoded())[0]).toBe(FakeOldUserKeyMarker);
             const data = new Uint8Array(250);
             data.fill(FakeDecryptedPublicKeyMarker, 0, 1);

@@ -181,13 +181,13 @@ export class MasterPasswordService implements InternalMasterPasswordServiceAbstr
 
     let decUserKey: Uint8Array;
 
-    if (userKey.encryptionType === EncryptionType.AesCbc256_B64) {
+    if (userKey.encryptionType === EncryptionType.Aes256Cbc_B64) {
       decUserKey = await this.encryptService.decryptToBytes(
         userKey,
         masterKey,
         "Content: User Key; Encrypting Key: Master Key",
       );
-    } else if (userKey.encryptionType === EncryptionType.AesCbc256_HmacSha256_B64) {
+    } else if (userKey.encryptionType === EncryptionType.Aes256Cbc_HmacSha256_B64) {
       const newKey = await this.keyGenerationService.stretchKey(masterKey.inner() as Aes256CbcKey);
       decUserKey = await this.encryptService.decryptToBytes(
         userKey,

@@ -23,7 +23,7 @@ describe("WebAuthnLoginPrfKeyService", () => {
 
       const result = await service.createSymmetricKeyFromPrf(randomBytes(32));
 
-      expect(result.inner().type).toBe(EncryptionType.AesCbc256_HmacSha256_B64);
+      expect(result.inner().type).toBe(EncryptionType.Aes256Cbc_HmacSha256_B64);
     });
   });
 });

@@ -45,7 +45,7 @@ export class EncryptServiceImplementation implements EncryptService {
     }
 
     const innerKey = key.inner();
-    if (innerKey.type === EncryptionType.AesCbc256_HmacSha256_B64) {
+    if (innerKey.type === EncryptionType.Aes256Cbc_HmacSha256_B64) {
       const encObj = await this.aesEncrypt(plainBuf, innerKey);
       const iv = Utils.fromBufferToB64(encObj.iv);
       const data = Utils.fromBufferToB64(encObj.data);
@@ -62,7 +62,7 @@ export class EncryptServiceImplementation implements EncryptService {
     }
 
     const innerKey = key.inner();
-    if (innerKey.type === EncryptionType.AesCbc256_HmacSha256_B64) {
+    if (innerKey.type === EncryptionType.Aes256Cbc_HmacSha256_B64) {
       const encValue = await this.aesEncrypt(plainValue, innerKey);
       const macLen = encValue.mac.length;
       const encBytes = new Uint8Array(
@@ -73,7 +73,7 @@ export class EncryptServiceImplementation implements EncryptService {
       encBytes.set(new Uint8Array(encValue.mac), 1 + encValue.iv.byteLength);
       encBytes.set(new Uint8Array(encValue.data), 1 + encValue.iv.byteLength + macLen);
       return new EncArrayBuffer(encBytes);
-    } else if (innerKey.type === EncryptionType.AesCbc256_B64) {
+    } else if (innerKey.type === EncryptionType.Aes256Cbc_B64) {
       const encValue = await this.aesEncryptLegacy(plainValue, innerKey);
       const encBytes = new Uint8Array(1 + encValue.iv.byteLength + encValue.data.byteLength);
       encBytes.set([innerKey.type]);
@@ -93,8 +93,8 @@ export class EncryptServiceImplementation implements EncryptService {
     }
 
     const innerKey = key.inner();
-    if (innerKey.type === EncryptionType.AesCbc256_HmacSha256_B64) {
-      if (encString.encryptionType !== EncryptionType.AesCbc256_HmacSha256_B64) {
+    if (innerKey.type === EncryptionType.Aes256Cbc_HmacSha256_B64) {
+      if (encString.encryptionType !== EncryptionType.Aes256Cbc_HmacSha256_B64) {
         this.logDecryptError(
           "Key encryption type does not match payload encryption type",
           key.inner().type,
@@ -130,8 +130,8 @@ export class EncryptServiceImplementation implements EncryptService {
         mode: "cbc",
         parameters: fastParams,
       });
-    } else if (innerKey.type === EncryptionType.AesCbc256_B64) {
-      if (encString.encryptionType !== EncryptionType.AesCbc256_B64) {
+    } else if (innerKey.type === EncryptionType.Aes256Cbc_B64) {
+      if (encString.encryptionType !== EncryptionType.Aes256Cbc_B64) {
         this.logDecryptError(
           "Key encryption type does not match payload encryption type",
           key.inner().type,
@@ -170,9 +170,9 @@ export class EncryptServiceImplementation implements EncryptService {
     }
 
     const inner = key.inner();
-    if (inner.type === EncryptionType.AesCbc256_HmacSha256_B64) {
+    if (inner.type === EncryptionType.Aes256Cbc_HmacSha256_B64) {
       if (
-        encThing.encryptionType !== EncryptionType.AesCbc256_HmacSha256_B64 ||
+        encThing.encryptionType !== EncryptionType.Aes256Cbc_HmacSha256_B64 ||
         encThing.macBytes === null
       ) {
         this.logDecryptError(
@@ -209,8 +209,8 @@ export class EncryptServiceImplementation implements EncryptService {
         inner.encryptionKey,
         "cbc",
       );
-    } else if (inner.type === EncryptionType.AesCbc256_B64) {
-      if (encThing.encryptionType !== EncryptionType.AesCbc256_B64) {
+    } else if (inner.type === EncryptionType.Aes256Cbc_B64) {
+      if (encThing.encryptionType !== EncryptionType.Aes256Cbc_B64) {
         this.logDecryptError(
           "Encryption key type mismatch",
           inner.type,
@@ -305,7 +305,7 @@ export class EncryptServiceImplementation implements EncryptService {
   }
 
   /**
-   * @deprecated Removed once AesCbc256_B64 support is removed
+   * @deprecated Removed once Aes256Cbc_B64 support is removed
    */
   private async aesEncryptLegacy(data: Uint8Array, key: Aes256CbcKey): Promise<EncryptedObject> {
     const obj = new EncryptedObject();
-Original file line number
+Diff line change
@@ Expand Up / @@ -23,7 +23,7 @@ describe("WebAuthnLoginPrfKeyService", () => { @@
           const result = await service.createSymmetricKeyFromPrf(randomBytes(32));
-          expect(result.inner().type).toBe(EncryptionType.AesCbc256_HmacSha256_B64);
+          expect(result.inner().type).toBe(EncryptionType.Aes256Cbc_HmacSha256_B64);
         });
       });
     });
@@ Expand Down @@