bitwarden · iinuwa · Oct 6, 2025 · Oct 6, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -38,6 +38,8 @@ pub struct CipherFido2CredentialModel {
     pub counter: Option<String>,
     #[serde(rename = "discoverable", skip_serializing_if = "Option::is_none")]
     pub discoverable: Option<String>,
+    #[serde(rename = "hmac_secret", skip_serializing_if = "Option::is_none")]
+    pub hmac_secret: Option<String>,
     #[serde(rename = "creationDate")]
     pub creation_date: String,
 }
@@ -57,6 +59,7 @@ impl CipherFido2CredentialModel {
             user_display_name: None,
             counter: None,
             discoverable: None,
+            hmac_secret: None,
             creation_date,
         }
     }

@@ -8,9 +8,10 @@ use std::collections::HashMap;
 
 use bitwarden_crypto::{
     AsymmetricCryptoKey, CoseSerializable, CryptoError, EncString, Kdf, KeyDecryptable,
-    KeyEncryptable, MasterKey, Pkcs8PrivateKeyBytes, PrimitiveEncryptable, SignatureAlgorithm,
-    SignedPublicKey, SigningKey, SpkiPublicKeyBytes, SymmetricCryptoKey, UnsignedSharedKey,
-    UserKey, dangerous_get_v2_rotated_account_keys, safe::PasswordProtectedKeyEnvelopeError,
+    KeyEncryptable, MasterKey, Pkcs8PrivateKeyBytes, PrimitiveEncryptable, RotateableKeySet,
+    SignatureAlgorithm, SignedPublicKey, SigningKey, SpkiPublicKeyBytes, SymmetricCryptoKey,
+    UnsignedSharedKey, UserKey, dangerous_get_v2_rotated_account_keys,
+    derive_symmetric_key_from_prf, safe::PasswordProtectedKeyEnvelopeError,
 };
 use bitwarden_encoding::B64;
 use bitwarden_error::bitwarden_error;
@@ -498,6 +499,16 @@ fn derive_pin_protected_user_key(
     Ok(derived_key.encrypt_user_key(user_key)?)
 }
 
+pub(super) fn make_prf_user_key_set(
+    client: &Client,
+    prf: B64,
+) -> Result<RotateableKeySet, CryptoClientError> {
+    let prf_key = derive_symmetric_key_from_prf(prf.as_bytes())?;
+    let ctx = client.internal.get_key_store().context();
+    let key_set = RotateableKeySet::new(&ctx, &prf_key, SymmetricKeyId::User)?;
+    Ok(key_set)
+}
+
 #[allow(missing_docs)]
 #[bitwarden_error(flat)]
 #[derive(Debug, thiserror::Error)]

@@ -1,4 +1,4 @@
-use bitwarden_crypto::{CryptoError, Decryptable, Kdf};
+use bitwarden_crypto::{CryptoError, Decryptable, Kdf, RotateableKeySet};
 #[cfg(feature = "internal")]
 use bitwarden_crypto::{EncString, UnsignedSharedKey};
 use bitwarden_encoding::B64;
@@ -18,7 +18,7 @@ use crate::key_management::{
     crypto::{
         DerivePinKeyResponse, InitOrgCryptoRequest, InitUserCryptoRequest, UpdatePasswordResponse,
         derive_pin_key, derive_pin_user_key, enroll_admin_password_reset, get_user_encryption_key,
-        initialize_org_crypto, initialize_user_crypto,
+        initialize_org_crypto, initialize_user_crypto, make_prf_user_key_set,
     },
 };
 use crate::{
@@ -172,6 +172,12 @@ impl CryptoClient {
         derive_pin_user_key(&self.client, encrypted_pin)
     }
 
+    /// Creates a new rotateable key set for the current user key protected
+    /// by a key derived from the given PRF.
+    pub fn make_prf_user_key_set(&self, prf: B64) -> Result<RotateableKeySet, CryptoClientError> {
+        make_prf_user_key_set(&self.client, prf)
+    }
+
     /// Prepares the account for being enrolled in the admin password reset feature. This encrypts
     /// the users [UserKey][bitwarden_crypto::UserKey] with the organization's public key.
     pub fn enroll_admin_password_reset(

@@ -33,4 +33,6 @@ pub use kdf::{
     default_pbkdf2_iterations,
 };
 pub(crate) use key_id::{KEY_ID_SIZE, KeyId};
+mod prf;
 pub(crate) mod utils;
+pub use prf::derive_symmetric_key_from_prf;
@@ -0,0 +1,56 @@
+use crate::{CryptoError, SymmetricCryptoKey, utils::stretch_key};
+
+/// Takes the output of a PRF and derives a symmetric key.
+///
+/// The PRF output must be at least 32 bytes long.
+pub fn derive_symmetric_key_from_prf(prf: &[u8]) -> Result<SymmetricCryptoKey, CryptoError> {
+    let (secret, _) = prf.split_at_checked(32).ok_or(CryptoError::InvalidKeyLen)?;
+    let secret: [u8; 32] = secret.try_into().expect("length to be 32 bytes");
+    // Don't allow uninitialized PRFs
+    if secret.iter().all(|b| *b == b'\0') {
+        return Err(CryptoError::ZeroNumber);
+    }
+    Ok(SymmetricCryptoKey::Aes256CbcHmacKey(stretch_key(
+        &Box::pin(secret.into()),
+    )?))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_prf_succeeds() {
+        let prf = pseudorandom_bytes(32);
+        let key = derive_symmetric_key_from_prf(&prf).unwrap();
+        assert!(matches!(key, SymmetricCryptoKey::Aes256CbcHmacKey(_)));
+    }
+
+    #[test]
+    fn test_zero_key_fails() {
+        let prf: Vec<u8> = (0..32).map(|_| 0).collect();
+        let err = derive_symmetric_key_from_prf(&prf).unwrap_err();
+        assert!(matches!(err, CryptoError::ZeroNumber));
+    }
+
+    #[test]
+    fn test_short_prf_fails() {
+        let prf = pseudorandom_bytes(9);
+        let err = derive_symmetric_key_from_prf(&prf).unwrap_err();
+        assert!(matches!(err, CryptoError::InvalidKeyLen));
+    }
+
+    #[test]
+    fn test_long_prf_truncated_to_proper_length() {
+        let long_prf = pseudorandom_bytes(33);
+        let prf = pseudorandom_bytes(32);
+        let key1 = derive_symmetric_key_from_prf(&long_prf).unwrap();
+        let key2 = derive_symmetric_key_from_prf(&prf).unwrap();
+        assert_eq!(key1, key2);
+    }
+
+    /// This returns the same bytes deterministically for a given length.
+    fn pseudorandom_bytes(len: usize) -> Vec<u8> {
+        (0..len).map(|x| (x % 255) as u8).collect()
+    }
+}
@@ -32,7 +32,8 @@ mod wordlist;
 pub use wordlist::EFF_LONG_WORD_LIST;
 mod store;
 pub use store::{
-    KeyStore, KeyStoreContext, RotatedUserKeys, dangerous_get_v2_rotated_account_keys,
+    KeyStore, KeyStoreContext, RotateableKeySet, RotatedUserKeys,
+    dangerous_get_v2_rotated_account_keys,
 };
 mod cose;
 pub use cose::CoseSerializable;