[PM-28845] Add PureCrypto functions to replace webcrypto RSA entirely (#592)

## 🎟️ Tracking

<!-- Paste the link to the Jira or GitHub issue or otherwise describe /
point to where this change is coming from. -->
bitwarden/clients#17742
https://bitwarden.atlassian.net/browse/PM-28845

## 📔 Objective

<!-- Describe what the purpose of this PR is, for example what bug
you're fixing or new feature you're adding. -->

Preparing to nuke webcrypto's RSA implementation out of orbit. It is
unreliable and we have reproduced around 50% of all private keys keys
are generated by rustcrypto that are not parseable on webcrypto on
Safari (but parseable on chrome / firefox). It is unclear why, most
likely safari has some stricter condition for the keys (RSA ASN1 has
many conditions that may apply here), or has a bug. We also suspect keys
generated on old Xamarin PCLCrypto to be parseable by rust, or at least
deliver good error messages on rust, but be unparseable on all of
webcrypto. This changes the functions to be exactly the same as
webcrypto so that they can be dropped in without refactoring anything
else.

Note: Usually, implementing crypto directly in the wasm crate would not
be a good idea, *however* is is justifiable here because we DO NOT WANT
these to be public functions consumeable by any other crate, so they do
not belong in the crypto crate. They are also only used by the wasm
clients.

## 🚨 Breaking Changes

<!-- Does this PR introduce any breaking changes? If so, please describe
the impact and migration path for clients.

If you're unsure, the automated TypeScript compatibility check will run
when you open/update this PR and provide feedback.

For breaking changes:
1. Describe what changed in the client interface
2. Explain why the change was necessary
3. Provide migration steps for client developers
4. Link to any paired client PRs if needed

Otherwise, you can remove this section. -->

## ⏰ Reminders before review

- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or
informed the documentation
  team

## 🦮 Reviewer guidelines

<!-- Suggested interactions but feel free to use (or not) as you desire!
-->

- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry
that's not quite a confirmed
  issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or
concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or
indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes

Author: quexten

Cargo.lock

@@ -33,7 +33,10 @@ bitwarden-state = { workspace = true, features = ["wasm"] }
 bitwarden-threading = { workspace = true }
 bitwarden-vault = { workspace = true, features = ["wasm"] }
 console_error_panic_hook = "0.1.7"
+rand = ">=0.8.5, <0.9"
+rsa = ">=0.9.2, <0.10"
 serde = { workspace = true }
+sha1 = ">=0.10.5, <0.11"
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 tracing-web = { version = "0.1.3" }

crates/bitwarden-wasm-internal/Cargo.toml

@@ -7,9 +7,14 @@ use bitwarden_crypto::{
     AsymmetricCryptoKey, AsymmetricPublicCryptoKey, BitwardenLegacyKeyBytes, CoseKeyBytes,
     CoseSerializable, CoseSign1Bytes, CryptoError, Decryptable, EncString, Kdf, KeyDecryptable,
     KeyEncryptable, KeyStore, MasterKey, OctetStreamBytes, Pkcs8PrivateKeyBytes,
-    PrimitiveEncryptable, SignatureAlgorithm, SignedPublicKey, SigningKey, SpkiPublicKeyBytes,
-    SymmetricCryptoKey, UnsignedSharedKey, VerifyingKey,
+    PrimitiveEncryptable, PublicKeyEncryptionAlgorithm, SignatureAlgorithm, SignedPublicKey,
+    SigningKey, SpkiPublicKeyBytes, SymmetricCryptoKey, UnsignedSharedKey, VerifyingKey,
 };
+use rsa::{
+    Oaep, RsaPrivateKey, RsaPublicKey,
+    pkcs8::{DecodePrivateKey, DecodePublicKey},
+};
+use sha1::Sha1;
 use wasm_bindgen::prelude::*;
 
 /// This module represents a stopgap solution to provide access to primitive crypto functions for JS
@@ -319,23 +324,61 @@ impl PureCrypto {
         Ok(result.to_encoded().to_vec())
     }
 
-    /// Given an encrypted private RSA key and the symmetric key it is wrapped with, this returns
-    /// the corresponding public RSA key in DER format.
-    pub fn rsa_extract_public_key(
-        encrypted_private_key: EncString,
-        wrapping_key: Vec<u8>,
-    ) -> Result<Vec<u8>, CryptoError> {
-        let wrapping_key =
-            SymmetricCryptoKey::try_from(&BitwardenLegacyKeyBytes::from(wrapping_key))?;
-        let decrypted_private_key: Vec<u8> =
-            encrypted_private_key.decrypt_with_key(&wrapping_key)?;
-        let private_key =
-            AsymmetricCryptoKey::from_der(&Pkcs8PrivateKeyBytes::from(decrypted_private_key))?;
+    /// Given a decrypted private RSA key PKCS8 DER this
+    /// returns the corresponding public RSA key in DER format.
+    pub fn rsa_extract_public_key(private_key: Vec<u8>) -> Result<Vec<u8>, RsaError> {
+        let private_key = AsymmetricCryptoKey::from_der(&Pkcs8PrivateKeyBytes::from(private_key))
+            .map_err(|_| RsaError::KeyParse)?;
         let public_key = private_key.to_public_key();
-        Ok(public_key.to_der()?.to_vec())
+        Ok(public_key
+            .to_der()
+            .map_err(|_| RsaError::KeySerialize)?
+            .to_vec())
+    }
+
+    /// Generates a new RSA key pair and returns the private key
+    pub fn rsa_generate_keypair() -> Result<Vec<u8>, RsaError> {
+        let private_key = AsymmetricCryptoKey::make(PublicKeyEncryptionAlgorithm::RsaOaepSha1);
+        Ok(private_key
+            .to_der()
+            .map_err(|_| RsaError::KeySerialize)?
+            .to_vec())
+    }
+
+    /// Decrypts data using RSAES-OAEP with SHA-1
+    pub fn rsa_decrypt_data(
+        encrypted_data: Vec<u8>,
+        private_key: Vec<u8>,
+    ) -> Result<Vec<u8>, RsaError> {
+        let private_key = RsaPrivateKey::from_pkcs8_der(private_key.as_slice())
+            .map_err(|_| RsaError::KeyParse)?;
+        let padding = Oaep::new::<Sha1>();
+        private_key
+            .decrypt(padding, &encrypted_data)
+            .map_err(|_| RsaError::Decryption)
+    }
+
+    /// Encrypts data using RSAES-OAEP with SHA-1
+    pub fn rsa_encrypt_data(plain_data: Vec<u8>, public_key: Vec<u8>) -> Result<Vec<u8>, RsaError> {
+        let public_key = RsaPublicKey::from_public_key_der(public_key.as_slice())
+            .map_err(|_| RsaError::KeyParse)?;
+        let padding = Oaep::new::<Sha1>();
+        let mut rng = rand::thread_rng();
+        public_key
+            .encrypt(&mut rng, padding, &plain_data)
+            .map_err(|_| RsaError::Encryption)
     }
 }
 
+#[wasm_bindgen]
+#[derive(Debug)]
+pub enum RsaError {
+    Decryption,
+    Encryption,
+    KeyParse,
+    KeySerialize,
+}
+
 #[cfg(test)]
 mod tests {
     use std::{num::NonZero, str::FromStr};
@@ -697,4 +740,14 @@ DnqOsltgPomWZ7xVfMkm9niL2OA=
         .unwrap();
         assert_eq!(user_key.0.to_encoded().to_vec(), decrypted_user_key);
     }
+
+    #[test]
+    fn test_rsa_round_trip() {
+        let private_key = PureCrypto::rsa_generate_keypair().unwrap();
+        let public_key = PureCrypto::rsa_extract_public_key(private_key.clone()).unwrap();
+        let plain_data = b"Test RSA encryption data".to_vec();
+        let encrypted_data = PureCrypto::rsa_encrypt_data(plain_data.clone(), public_key).unwrap();
+        let decrypted_data = PureCrypto::rsa_decrypt_data(encrypted_data, private_key).unwrap();
+        assert_eq!(plain_data, decrypted_data);
+    }
 }