bitwarden · Hinton · Jun 26, 2024 · May 24, 2024 · May 24, 2024 · May 27, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,6 +27,7 @@ bitwarden-exporters = { path = "crates/bitwarden-exporters", version = "=0.5.0"
 bitwarden-fido = { path = "crates/bitwarden-fido", version = "=0.5.0" }
 bitwarden-generators = { path = "crates/bitwarden-generators", version = "=0.5.0" }
 bitwarden-send = { path = "crates/bitwarden-send", version = "=0.5.0" }
+bitwarden-sm = { path = "crates/bitwarden-sm", version = "=0.5.0" }
 bitwarden-vault = { path = "crates/bitwarden-vault", version = "=0.5.0" }
 
 [workspace.lints.clippy]

diff --git a/crates/bitwarden/CHANGELOG.md → crates/bitwarden-core/CHANGELOG.md b/crates/bitwarden/CHANGELOG.md → crates/bitwarden-core/CHANGELOG.md
diff --git a/crates/bitwarden-core/Cargo.toml b/crates/bitwarden-core/Cargo.toml
@@ -3,6 +3,7 @@ name = "bitwarden-core"
 description = """
 Internal crate for the bitwarden crate. Do not use.
 """
+keywords = ["bitwarden"]
 
 version.workspace = true
 authors.workspace = true
@@ -11,16 +12,85 @@ rust-version.workspace = true
 homepage.workspace = true
 repository.workspace = true
 license-file.workspace = true
-keywords.workspace = true
 
 [features]
-uniffi = ["dep:uniffi"]
+internal = [] # Internal testing methods
+no-memory-hardening = [
+    "bitwarden-crypto/no-memory-hardening",
+] # Disable memory hardening features
+uniffi = [
+    "bitwarden-crypto/uniffi",
+    "dep:uniffi",
+    "dep:passkey",
+    "dep:coset",
+    "dep:p256",
+] # Uniffi bindings
+secrets = [] # Secrets manager API
 
 [dependencies]
-chrono = { version = ">=0.4.26, <0.5", default-features = false }
-uniffi = { version = "=0.27.2", optional = true }
-uuid = { version = ">=1.3.3, <2.0", features = ["serde"] }
+async-trait = ">=0.1.80, <0.2"
+base64 = ">=0.22.1, <0.23"
+bitwarden-api-api = { workspace = true }
+bitwarden-api-identity = { workspace = true }
+bitwarden-crypto = { workspace = true }
+chrono = { version = ">=0.4.26, <0.5", features = [
+    "clock",
+    "serde",
+    "std",
+], default-features = false }
+coset = { version = "0.3.7", optional = true }
+# We don't use this directly (it's used by rand), but we need it here to enable WASM support
+getrandom = { version = ">=0.2.9, <0.3", features = ["js"] }
+hmac = ">=0.12.1, <0.13"
+log = ">=0.4.18, <0.5"
+p256 = { version = ">=0.13.2, <0.14", optional = true }
+passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "c48c2ddfd6b884b2d754432576c66cb2b1985a3a", optional = true }
+rand = ">=0.8.5, <0.9"
+reqwest = { version = ">=0.12.5, <0.13", features = [
+    "http2",
+    "json",
+], default-features = false }
+schemars = { version = ">=0.8.9, <0.9", features = ["uuid1", "chrono"] }
+serde = { version = ">=1.0, <2.0", features = ["derive"] }
+serde_json = ">=1.0.96, <2.0"
+serde_qs = ">=0.12.0, <0.14"
+serde_repr = ">=0.1.12, <0.2"
+sha1 = ">=0.10.5, <0.11"
+sha2 = ">=0.10.6, <0.11"
 thiserror = ">=1.0.40, <2.0"
+uniffi = { version = "=0.27.2", optional = true, features = ["tokio"] }
+uuid = { version = ">=1.3.3, <2.0", features = ["serde"] }
+zeroize = { version = ">=1.7.0, <2.0", features = ["derive", "aarch64"] }
+zxcvbn = ">= 2.2.2, <3.0"
+
+[target.'cfg(all(not(target_os = "android"), not(target_arch="wasm32")))'.dependencies]
+# By default, we use rustls as the TLS stack and rust-platform-verifier to support user-installed root certificates
+# There are a few exceptions to this:
+# - WASM doesn't require a TLS stack, as it just uses the browsers/node fetch
+# - Android uses webpki-roots for the moment
+reqwest = { version = ">=0.12.5, <0.13", features = [
+    "rustls-tls-manual-roots",
+], default-features = false }
+rustls-platform-verifier = "0.3.1"
+
+[target.'cfg(target_os = "android")'.dependencies]
+# On android, the use of rustls-platform-verifier is more complicated and going through some changes at the moment, so we fall back to using webpki-roots
+# This means that for the moment android won't support self-signed certificates, even if they are included in the OS trust store
+reqwest = { version = ">=0.12.5, <0.13", features = [
+    "rustls-tls-webpki-roots",
+], default-features = false }
+
+# This is a workaround to fix a bug with version 2.11.0 that added some symbols that are not available on iOS
+# The bug is fixed already but the fix is not released yet. https://github.com/kornelski/rust-security-framework/pull/204
+[target.'cfg(target_os = "ios")'.dependencies]
+security-framework = { version = "=2.10" }
+
+[dev-dependencies]
+bitwarden-crypto = { workspace = true }
+rand_chacha = "0.3.1"
+tokio = { version = "1.36.0", features = ["rt", "macros"] }
+wiremock = "0.6.0"
+zeroize = { version = ">=1.7.0, <2.0", features = ["derive", "aarch64"] }
 
 [lints]
 workspace = true
diff --git a/crates/bitwarden-core/README.md b/crates/bitwarden-core/README.md
@@ -1,4 +1,4 @@
-# Bitwarden Crypto
+# Bitwarden Core
 
 This is an internal crate for the Bitwarden SDK do not depend on this directly and use the
 [`bitwarden`](https://crates.io/crates/bitwarden) crate instead.

diff --git a/crates/bitwarden/src/.gitignore → crates/bitwarden-core/src/.gitignore b/crates/bitwarden/src/.gitignore → crates/bitwarden-core/src/.gitignore
diff --git a/crates/bitwarden/src/admin_console/mod.rs → ...s/bitwarden-core/src/admin_console/mod.rs b/crates/bitwarden/src/admin_console/mod.rs → ...s/bitwarden-core/src/admin_console/mod.rs
diff --git a/crates/bitwarden/src/admin_console/policy.rs → ...itwarden-core/src/admin_console/policy.rs b/crates/bitwarden/src/admin_console/policy.rs → ...itwarden-core/src/admin_console/policy.rs
@@ -1,13 +1,15 @@
 use std::collections::HashMap;
 
 use bitwarden_api_api::models::PolicyResponseModel;
-use bitwarden_core::require;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use serde_repr::{Deserialize_repr, Serialize_repr};
 use uuid::Uuid;
 
-use crate::error::{Error, Result};
+use crate::{
+    error::{Error, Result},
+    require,
+};
 
 #[derive(Serialize, Deserialize, Debug, JsonSchema)]
 pub struct Policy {

diff --git a/crates/bitwarden/src/auth/access_token.rs → ...s/bitwarden-core/src/auth/access_token.rs b/crates/bitwarden/src/auth/access_token.rs → ...s/bitwarden-core/src/auth/access_token.rs
diff --git a/crates/bitwarden/src/auth/api/mod.rs → crates/bitwarden-core/src/auth/api/mod.rs b/crates/bitwarden/src/auth/api/mod.rs → crates/bitwarden-core/src/auth/api/mod.rs
diff --git a/.../auth/api/request/access_token_request.rs → .../auth/api/request/access_token_request.rs b/.../auth/api/request/access_token_request.rs → .../auth/api/request/access_token_request.rs
diff --git a/...src/auth/api/request/api_token_request.rs → ...src/auth/api/request/api_token_request.rs b/...src/auth/api/request/api_token_request.rs → ...src/auth/api/request/api_token_request.rs
diff --git a/...api/request/auth_request_token_request.rs → ...api/request/auth_request_token_request.rs b/...api/request/auth_request_token_request.rs → ...api/request/auth_request_token_request.rs
@@ -26,6 +26,7 @@ pub struct AuthRequestTokenRequest {
     access_code: String,
 }
 
+#[allow(dead_code)]
 impl AuthRequestTokenRequest {
     pub fn new(
         email: &str,

diff --git a/crates/bitwarden/src/auth/api/request/mod.rs → ...itwarden-core/src/auth/api/request/mod.rs b/crates/bitwarden/src/auth/api/request/mod.rs → ...itwarden-core/src/auth/api/request/mod.rs
@@ -1,21 +1,20 @@
+#[cfg(feature = "secrets")]
 mod access_token_request;
-#[cfg(feature = "internal")]
+#[cfg(feature = "secrets")]
+pub(crate) use access_token_request::*;
+
 mod api_token_request;
+pub(crate) use api_token_request::*;
+
 #[cfg(feature = "internal")]
 mod password_token_request;
 #[cfg(feature = "internal")]
-mod renew_token_request;
+pub(crate) use password_token_request::*;
 
-pub(crate) use access_token_request::*;
-#[cfg(feature = "internal")]
-pub(crate) use api_token_request::*;
+mod renew_token_request;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
-#[cfg(feature = "internal")]
-pub(crate) use password_token_request::*;
-#[cfg(feature = "internal")]
 pub(crate) use renew_token_request::*;
 
-#[cfg(feature = "internal")]
 mod auth_request_token_request;
 #[cfg(feature = "internal")]
 pub(crate) use auth_request_token_request::*;

diff --git a/...uth/api/request/password_token_request.rs → ...uth/api/request/password_token_request.rs b/...uth/api/request/password_token_request.rs → ...uth/api/request/password_token_request.rs
diff --git a/...c/auth/api/request/renew_token_request.rs → ...c/auth/api/request/renew_token_request.rs b/...c/auth/api/request/renew_token_request.rs → ...c/auth/api/request/renew_token_request.rs
diff --git a/...api/response/identity_captcha_response.rs → ...api/response/identity_captcha_response.rs b/...api/response/identity_captcha_response.rs → ...api/response/identity_captcha_response.rs
diff --git a/...api/response/identity_payload_response.rs → ...api/response/identity_payload_response.rs b/...api/response/identity_payload_response.rs → ...api/response/identity_payload_response.rs
diff --git a/...api/response/identity_refresh_response.rs → ...api/response/identity_refresh_response.rs b/...api/response/identity_refresh_response.rs → ...api/response/identity_refresh_response.rs
diff --git a/...api/response/identity_success_response.rs → ...api/response/identity_success_response.rs b/...api/response/identity_success_response.rs → ...api/response/identity_success_response.rs
diff --git a/.../response/identity_token_fail_response.rs → .../response/identity_token_fail_response.rs b/.../response/identity_token_fail_response.rs → .../response/identity_token_fail_response.rs
diff --git a/...h/api/response/identity_token_response.rs → ...h/api/response/identity_token_response.rs b/...h/api/response/identity_token_response.rs → ...h/api/response/identity_token_response.rs
diff --git a/.../response/identity_two_factor_response.rs → .../response/identity_two_factor_response.rs b/.../response/identity_two_factor_response.rs → .../response/identity_two_factor_response.rs
diff --git a/...es/bitwarden/src/auth/api/response/mod.rs → ...twarden-core/src/auth/api/response/mod.rs b/...es/bitwarden/src/auth/api/response/mod.rs → ...twarden-core/src/auth/api/response/mod.rs
diff --git a/...two_factor_provider_data/authenticator.rs → ...two_factor_provider_data/authenticator.rs b/...two_factor_provider_data/authenticator.rs → ...two_factor_provider_data/authenticator.rs
diff --git a/.../response/two_factor_provider_data/duo.rs → .../response/two_factor_provider_data/duo.rs b/.../response/two_factor_provider_data/duo.rs → .../response/two_factor_provider_data/duo.rs
diff --git a/...esponse/two_factor_provider_data/email.rs → ...esponse/two_factor_provider_data/email.rs b/...esponse/two_factor_provider_data/email.rs → ...esponse/two_factor_provider_data/email.rs
diff --git a/.../response/two_factor_provider_data/mod.rs → .../response/two_factor_provider_data/mod.rs b/.../response/two_factor_provider_data/mod.rs → .../response/two_factor_provider_data/mod.rs
diff --git a/..._factor_provider_data/organization_duo.rs → ..._factor_provider_data/organization_duo.rs b/..._factor_provider_data/organization_duo.rs → ..._factor_provider_data/organization_duo.rs
diff --git a/...onse/two_factor_provider_data/remember.rs → ...onse/two_factor_provider_data/remember.rs b/...onse/two_factor_provider_data/remember.rs → ...onse/two_factor_provider_data/remember.rs
diff --git a/...nse/two_factor_provider_data/web_authn.rs → ...nse/two_factor_provider_data/web_authn.rs b/...nse/two_factor_provider_data/web_authn.rs → ...nse/two_factor_provider_data/web_authn.rs
diff --git a/...onse/two_factor_provider_data/yubi_key.rs → ...onse/two_factor_provider_data/yubi_key.rs b/...onse/two_factor_provider_data/yubi_key.rs → ...onse/two_factor_provider_data/yubi_key.rs
diff --git a/...auth/api/response/two_factor_providers.rs → ...auth/api/response/two_factor_providers.rs b/...auth/api/response/two_factor_providers.rs → ...auth/api/response/two_factor_providers.rs
diff --git a/crates/bitwarden/src/auth/auth_request.rs → ...s/bitwarden-core/src/auth/auth_request.rs b/crates/bitwarden/src/auth/auth_request.rs → ...s/bitwarden-core/src/auth/auth_request.rs
@@ -1,13 +1,12 @@
 use base64::{engine::general_purpose::STANDARD, Engine};
-use bitwarden_core::VaultLocked;
 use bitwarden_crypto::{
     fingerprint, generate_random_alphanumeric, AsymmetricCryptoKey, AsymmetricEncString,
     AsymmetricPublicCryptoKey,
 };
 #[cfg(feature = "internal")]
 use bitwarden_crypto::{EncString, KeyDecryptable, SymmetricCryptoKey};
 
-use crate::{error::Error, Client};
+use crate::{error::Error, Client, VaultLocked};
 
 #[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
 pub struct AuthRequestResponse {
@@ -82,7 +81,7 @@ pub(crate) fn approve_auth_request(
 ) -> Result<AsymmetricEncString, Error> {
     let public_key = AsymmetricPublicCryptoKey::from_der(&STANDARD.decode(public_key)?)?;
 
-    let enc = client.get_encryption_settings()?;
+    let enc = client.internal.get_encryption_settings()?;
     let key = enc.get_key(&None).ok_or(VaultLocked)?;
 
     Ok(AsymmetricEncString::encrypt_rsa2048_oaep_sha1(
@@ -137,6 +136,7 @@ mod tests {
         let user_key = "2.Q/2PhzcC7GdeiMHhWguYAQ==|GpqzVdr0go0ug5cZh1n+uixeBC3oC90CIe0hd/HWA/pTRDZ8ane4fmsEIcuc8eMKUt55Y2q/fbNzsYu41YTZzzsJUSeqVjT8/iTQtgnNdpo=|dwI+uyvZ1h/iZ03VQ+/wrGEFYVewBUUl/syYgjsNMbE=".parse().unwrap();
         let private_key ="2.yN7l00BOlUE0Sb0M//Q53w==|EwKG/BduQRQ33Izqc/ogoBROIoI5dmgrxSo82sgzgAMIBt3A2FZ9vPRMY+GWT85JiqytDitGR3TqwnFUBhKUpRRAq4x7rA6A1arHrFp5Tp1p21O3SfjtvB3quiOKbqWk6ZaU1Np9HwqwAecddFcB0YyBEiRX3VwF2pgpAdiPbSMuvo2qIgyob0CUoC/h4Bz1be7Qa7B0Xw9/fMKkB1LpOm925lzqosyMQM62YpMGkjMsbZz0uPopu32fxzDWSPr+kekNNyLt9InGhTpxLmq1go/pXR2uw5dfpXc5yuta7DB0EGBwnQ8Vl5HPdDooqOTD9I1jE0mRyuBpWTTI3FRnu3JUh3rIyGBJhUmHqGZvw2CKdqHCIrQeQkkEYqOeJRJVdBjhv5KGJifqT3BFRwX/YFJIChAQpebNQKXe/0kPivWokHWwXlDB7S7mBZzhaAPidZvnuIhalE2qmTypDwHy22FyqV58T8MGGMchcASDi/QXI6kcdpJzPXSeU9o+NC68QDlOIrMVxKFeE7w7PvVmAaxEo0YwmuAzzKy9QpdlK0aab/xEi8V4iXj4hGepqAvHkXIQd+r3FNeiLfllkb61p6WTjr5urcmDQMR94/wYoilpG5OlybHdbhsYHvIzYoLrC7fzl630gcO6t4nM24vdB6Ymg9BVpEgKRAxSbE62Tqacxqnz9AcmgItb48NiR/He3n3ydGjPYuKk/ihZMgEwAEZvSlNxYONSbYrIGDtOY+8Nbt6KiH3l06wjZW8tcmFeVlWv+tWotnTY9IqlAfvNVTjtsobqtQnvsiDjdEVtNy/s2ci5TH+NdZluca2OVEr91Wayxh70kpM6ib4UGbfdmGgCo74gtKvKSJU0rTHakQ5L9JlaSDD5FamBRyI0qfL43Ad9qOUZ8DaffDCyuaVyuqk7cz9HwmEmvWU3VQ+5t06n/5kRDXttcw8w+3qClEEdGo1KeENcnXCB32dQe3tDTFpuAIMLqwXs6FhpawfZ5kPYvLPczGWaqftIs/RXJ/EltGc0ugw2dmTLpoQhCqrcKEBDoYVk0LDZKsnzitOGdi9mOWse7Se8798ib1UsHFUjGzISEt6upestxOeupSTOh0v4+AjXbDzRUyogHww3V+Bqg71bkcMxtB+WM+pn1XNbVTyl9NR040nhP7KEf6e9ruXAtmrBC2ah5cFEpLIot77VFZ9ilLuitSz+7T8n1yAh1IEG6xxXxninAZIzi2qGbH69O5RSpOJuJTv17zTLJQIIc781JwQ2TTwTGnx5wZLbffhCasowJKd2EVcyMJyhz6ru0PvXWJ4hUdkARJs3Xu8dus9a86N8Xk6aAPzBDqzYb1vyFIfBxP0oO8xFHgd30Cgmz8UrSE3qeWRrF8ftrI6xQnFjHBGWD/JWSvd6YMcQED0aVuQkuNW9ST/DzQThPzRfPUoiL10yAmV7Ytu4fR3x2sF0Yfi87YhHFuCMpV/DsqxmUizyiJuD938eRcH8hzR/VO53Qo3UIsqOLcyXtTv6THjSlTopQ+JOLOnHm1w8dzYbLN44OG44rRsbihMUQp+wUZ6bsI8rrOnm9WErzkbQFbrfAINdoCiNa6cimYIjvvnMTaFWNymqY1vZxGztQiMiHiHYwTfwHTXrb9j0uPM=|09J28iXv9oWzYtzK2LBT6Yht4IT4MijEkk0fwFdrVQ4=".parse().unwrap();
         client
+            .internal
             .initialize_user_crypto_master_key(master_key, user_key, private_key)
             .unwrap();
 
@@ -205,6 +205,7 @@ mod tests {
                 .unwrap();
 
         existing_device
+            .internal
             .initialize_user_crypto_master_key(master_key, user_key, private_key.parse().unwrap())
             .unwrap();
 
@@ -236,12 +237,14 @@ mod tests {
         // same
         assert_eq!(
             existing_device
+                .internal
                 .get_encryption_settings()
                 .unwrap()
                 .get_key(&None)
                 .unwrap()
                 .to_base64(),
             new_device
+                .internal
                 .get_encryption_settings()
                 .unwrap()
                 .get_key(&None)