[PM-24683] Add updateKdf function

crates/bitwarden-core/src/auth/api/response/identity_success_response.rs

@@ -4,6 +4,8 @@ use bitwarden_api_identity::models::KdfType;
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 
+use crate::auth::api::response::identity_user_decryption_options_response::IdentityUserDecryptionOptionsResponseModel;
+
 #[derive(Serialize, Deserialize, Debug, PartialEq)]
 pub struct IdentityTokenSuccessResponse {
     pub access_token: String,
@@ -35,6 +37,9 @@ pub struct IdentityTokenSuccessResponse {
     #[serde(rename = "keyConnectorUrl", alias = "KeyConnectorUrl")]
     key_connector_url: Option<String>,
 
+    #[serde(rename = "userDecryptionOptions", alias = "UserDecryptionOptions")]
+    pub user_decryption_options: Option<IdentityUserDecryptionOptionsResponseModel>,
+
     /// Stores unknown api response fields
     extra: Option<HashMap<String, Value>>,
 }
@@ -61,6 +66,7 @@ mod test {
                 force_password_reset: Default::default(),
                 api_use_key_connector: Default::default(),
                 key_connector_url: Default::default(),
+                user_decryption_options: Default::default(),
                 extra: Default::default(),
             }
         }

crates/bitwarden-core/src/auth/api/response/identity_user_decryption_options_response.rs

@@ -0,0 +1,11 @@
+use bitwarden_api_api::models::MasterPasswordUnlockResponseModel;
+use serde::{Deserialize, Serialize};
+
+#[derive(Serialize, Deserialize, Debug, PartialEq)]
+pub struct IdentityUserDecryptionOptionsResponseModel {
+    #[serde(
+        rename = "masterPasswordUnlock",
+        skip_serializing_if = "Option::is_none"
+    )]
+    pub master_password_unlock: Option<MasterPasswordUnlockResponseModel>,
+}

crates/bitwarden-core/src/auth/api/response/mod.rs

@@ -4,6 +4,7 @@ mod identity_success_response;
 mod identity_token_fail_response;
 mod identity_token_response;
 mod identity_two_factor_response;
+pub(crate) mod identity_user_decryption_options_response;
 pub(crate) mod two_factor_provider_data;
 mod two_factor_providers;
 

crates/bitwarden-core/src/auth/login/password.rs

@@ -31,7 +31,7 @@ pub(crate) async fn login_password(
 
     let master_key = MasterKey::derive(&input.password, &input.email, &input.kdf)?;
     let password_hash = master_key
-        .derive_master_key_hash(input.password.as_bytes(), HashPurpose::ServerAuthorization)?;
+        .derive_master_key_hash(input.password.as_bytes(), HashPurpose::ServerAuthorization);
 
     let response = request_identity_tokens(client, input, &password_hash).await?;
 

crates/bitwarden-core/src/auth/password/mod.rs

@@ -15,7 +15,7 @@ pub(crate) fn determine_password_hash(
     purpose: HashPurpose,
 ) -> Result<String, CryptoError> {
     let master_key = MasterKey::derive(password, email, kdf)?;
-    master_key.derive_master_key_hash(password.as_bytes(), purpose)
+    Ok(master_key.derive_master_key_hash(password.as_bytes(), purpose))
 }
 
 #[cfg(test)]

crates/bitwarden-core/src/auth/password/validate.rs

@@ -70,7 +70,7 @@ pub(crate) fn validate_password_user_key(
                 }
 
                 Ok(master_key
-                    .derive_master_key_hash(password.as_bytes(), HashPurpose::LocalAuthorization)?)
+                    .derive_master_key_hash(password.as_bytes(), HashPurpose::LocalAuthorization))
             }
         }
     } else {

crates/bitwarden-core/src/auth/register.rs

@@ -30,7 +30,7 @@ pub(super) fn make_register_keys(
 ) -> Result<RegisterKeyResponse, CryptoError> {
     let master_key = MasterKey::derive(&password, &email, &kdf)?;
     let master_password_hash =
-        master_key.derive_master_key_hash(password.as_bytes(), HashPurpose::ServerAuthorization)?;
+        master_key.derive_master_key_hash(password.as_bytes(), HashPurpose::ServerAuthorization);
     let (user_key, encrypted_user_key) = master_key.make_user_key()?;
     let keys = user_key.make_key_pair()?;
 

crates/bitwarden-core/src/key_management/crypto.rs

@@ -23,6 +23,7 @@ use crate::{
     client::{encryption_settings::EncryptionSettingsError, LoginMethod, UserLoginMethod},
     error::StatefulCryptoError,
     key_management::{
+        master_password::{MasterPasswordAuthenticationData, MasterPasswordUnlockData},
         AsymmetricKeyId, SecurityState, SignedSecurityState, SigningKeyId, SymmetricKeyId,
     },
     Client, NotAuthenticatedError, VaultLockedError, WrongPasswordError,
@@ -39,6 +40,8 @@ pub enum CryptoClientError {
     VaultLocked(#[from] VaultLockedError),
     #[error(transparent)]
     Crypto(#[from] bitwarden_crypto::CryptoError),
+    #[error("Invalid KDF settings")]
+    InvalidKdfSettings,
 }
 
 /// State used for initializing the user cryptographic state.
@@ -265,6 +268,64 @@ pub(super) async fn get_user_encryption_key(client: &Client) -> Result<String, C
     Ok(user_key.to_base64())
 }
 
+/// Response from the `update_kdf` function
+#[derive(Serialize, Deserialize, Debug)]
+#[serde(rename_all = "camelCase", deny_unknown_fields)]
+#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
+#[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
+pub struct UpdateKdfResponse {
+    /// The authentication data for the new KDF setting
+    master_password_authentication_data: MasterPasswordAuthenticationData,
+    /// The unlock data for the new KDF setting
+    master_password_unlock_data: MasterPasswordUnlockData,
+    /// The authentication data for the KDF setting prior to the change
+    old_master_password_authentication_data: MasterPasswordAuthenticationData,
+}
+
+pub(super) fn make_update_kdf(
+    client: &Client,
+    password: &str,
+    new_kdf: &Kdf,
+) -> Result<UpdateKdfResponse, CryptoClientError> {
+    let key_store = client.internal.get_key_store();
+    let ctx = key_store.context();
+    // FIXME: [PM-18099] Once MasterKey deals with KeyIds, this should be updated
+    #[allow(deprecated)]
+    let user_key = ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)?;
+
+    let login_method = client
+        .internal
+        .get_login_method()
+        .ok_or(NotAuthenticatedError)?;
+    let email = match login_method.as_ref() {
+        LoginMethod::User(
+            UserLoginMethod::Username { email, .. } | UserLoginMethod::ApiKey { email, .. },
+        ) => email,
+        #[cfg(feature = "secrets")]
+        LoginMethod::ServiceAccount(_) => return Err(NotAuthenticatedError)?,
+    };
+
+    let authentication_data = MasterPasswordAuthenticationData::derive(password, new_kdf, email)
+        .map_err(|_| CryptoClientError::InvalidKdfSettings)?;
+    let unlock_data = MasterPasswordUnlockData::derive(password, new_kdf, email, user_key)
+        .map_err(|_| CryptoClientError::InvalidKdfSettings)?;
+    let old_authentication_data = MasterPasswordAuthenticationData::derive(
+        password,
+        &client
+            .internal
+            .get_kdf()
+            .map_err(|_| NotAuthenticatedError)?,
+        email,
+    )
+    .map_err(|_| CryptoClientError::InvalidKdfSettings)?;
+
+    Ok(UpdateKdfResponse {
+        master_password_authentication_data: authentication_data,
+        master_password_unlock_data: unlock_data,
+        old_master_password_authentication_data: old_authentication_data,
+    })
+}
+
 /// Response from the `update_password` function
 #[derive(Serialize, Deserialize, Debug)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
@@ -277,7 +338,7 @@ pub struct UpdatePasswordResponse {
     new_key: EncString,
 }
 
-pub(super) fn update_password(
+pub(super) fn make_update_password(
     client: &Client,
     new_password: String,
 ) -> Result<UpdatePasswordResponse, CryptoClientError> {
@@ -307,7 +368,7 @@ pub(super) fn update_password(
     let password_hash = new_master_key.derive_master_key_hash(
         new_password.as_bytes(),
         bitwarden_crypto::HashPurpose::ServerAuthorization,
-    )?;
+    );
 
     Ok(UpdatePasswordResponse {
         password_hash,
@@ -737,6 +798,100 @@ mod tests {
         "pgEBAlAmkP0QgfdMVbIujX55W/yNAycEgQIgBiFYIEM6JxBmjWQTruAm3s6BTaJy1q6BzQetMBacNeRJ0kxR";
     const TEST_VECTOR_SECURITY_STATE_V2: &str = "hFgepAEnAxg8BFAmkP0QgfdMVbIujX55W/yNOgABOH8CoFgkomhlbnRpdHlJZFBHOOw2BI9OQoNq+Vl1xZZKZ3ZlcnNpb24CWEAlchbJR0vmRfShG8On7Q2gknjkw4Dd6MYBLiH4u+/CmfQdmjNZdf6kozgW/6NXyKVNu8dAsKsin+xxXkDyVZoG";
 
+    #[tokio::test]
+    async fn test_update_kdf() {
+        let client = Client::new(None);
+
+        let priv_key: EncString = "2.kmLY8NJVuiKBFJtNd/ZFpA==|qOodlRXER+9ogCe3yOibRHmUcSNvjSKhdDuztLlucs10jLiNoVVVAc+9KfNErLSpx5wmUF1hBOJM8zwVPjgQTrmnNf/wuDpwiaCxNYb/0v4FygPy7ccAHK94xP1lfqq7U9+tv+/yiZSwgcT+xF0wFpoxQeNdNRFzPTuD9o4134n8bzacD9DV/WjcrXfRjbBCzzuUGj1e78+A7BWN7/5IWLz87KWk8G7O/W4+8PtEzlwkru6Wd1xO19GYU18oArCWCNoegSmcGn7w7NDEXlwD403oY8Oa7ylnbqGE28PVJx+HLPNIdSC6YKXeIOMnVs7Mctd/wXC93zGxAWD6ooTCzHSPVV50zKJmWIG2cVVUS7j35H3rGDtUHLI+ASXMEux9REZB8CdVOZMzp2wYeiOpggebJy6MKOZqPT1R3X0fqF2dHtRFPXrNsVr1Qt6bS9qTyO4ag1/BCvXF3P1uJEsI812BFAne3cYHy5bIOxuozPfipJrTb5WH35bxhElqwT3y/o/6JWOGg3HLDun31YmiZ2HScAsUAcEkA4hhoTNnqy4O2s3yVbCcR7jF7NLsbQc0MDTbnjxTdI4VnqUIn8s2c9hIJy/j80pmO9Bjxp+LQ9a2hUkfHgFhgHxZUVaeGVth8zG2kkgGdrp5VHhxMVFfvB26Ka6q6qE/UcS2lONSv+4T8niVRJz57qwctj8MNOkA3PTEfe/DP/LKMefke31YfT0xogHsLhDkx+mS8FCc01HReTjKLktk/Jh9mXwC5oKwueWWwlxI935ecn+3I2kAuOfMsgPLkoEBlwgiREC1pM7VVX1x8WmzIQVQTHd4iwnX96QewYckGRfNYWz/zwvWnjWlfcg8kRSe+68EHOGeRtC5r27fWLqRc0HNcjwpgHkI/b6czerCe8+07TWql4keJxJxhBYj3iOH7r9ZS8ck51XnOb8tGL1isimAJXodYGzakwktqHAD7MZhS+P02O+6jrg7d+yPC2ZCuS/3TOplYOCHQIhnZtR87PXTUwr83zfOwAwCyv6KP84JUQ45+DItrXLap7nOVZKQ5QxYIlbThAO6eima6Zu5XHfqGPMNWv0bLf5+vAjIa5np5DJrSwz9no/hj6CUh0iyI+SJq4RGI60lKtypMvF6MR3nHLEHOycRUQbZIyTHWl4QQLdHzuwN9lv10ouTEvNr6sFflAX2yb6w3hlCo7oBytH3rJekjb3IIOzBpeTPIejxzVlh0N9OT5MZdh4sNKYHUoWJ8mnfjdM+L4j5Q2Kgk/XiGDgEebkUxiEOQUdVpePF5uSCE+TPav/9FIRGXGiFn6NJMaU7aBsDTFBLloffFLYDpd8/bTwoSvifkj7buwLYM+h/qcnfdy5FWau1cKav+Blq/ZC0qBpo658RTC8ZtseAFDgXoQZuksM10hpP9bzD04Bx30xTGX81QbaSTNwSEEVrOtIhbDrj9OI43KH4O6zLzK+t30QxAv5zjk10RZ4+5SAdYndIlld9Y62opCfPDzRy3ubdve4ZEchpIKWTQvIxq3T5ogOhGaWBVYnkMtM2GVqvWV//46gET5SH/MdcwhACUcZ9kCpMnWH9CyyUwYvTT3UlNyV+DlS27LMPvaw7tx7qa+GfNCoCBd8S4esZpQYK/WReiS8=|pc7qpD42wxyXemdNPuwxbh8iIaryrBPu8f/DGwYdHTw=".parse().unwrap();
+
+        let kdf = Kdf::PBKDF2 {
+            iterations: 100_000.try_into().unwrap(),
+        };
+
+        initialize_user_crypto(
+            & client,
+            InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
+                kdf_params: kdf.clone(),
+                email: "[email protected]".into(),
+                private_key: priv_key.to_owned(),
+                signing_key: None,
+                security_state: None,
+                method: InitUserCryptoMethod::Password {
+                    password: "asdfasdfasdf".into(),
+                    user_key: "2.u2HDQ/nH2J7f5tYHctZx6Q==|NnUKODz8TPycWJA5svexe1wJIz2VexvLbZh2RDfhj5VI3wP8ZkR0Vicvdv7oJRyLI1GyaZDBCf9CTBunRTYUk39DbZl42Rb+Xmzds02EQhc=|rwuo5wgqvTJf3rgwOUfabUyzqhguMYb3sGBjOYqjevc=".parse().unwrap(),
+                },
+            },
+        )
+        .await
+        .unwrap();
+
+        let new_kdf = Kdf::PBKDF2 {
+            iterations: 600_000.try_into().unwrap(),
+        };
+        let new_kdf_response = make_update_kdf(&client, "123412341234", &new_kdf).unwrap();
+
+        let client2 = Client::new(None);
+
+        initialize_user_crypto(
+            &client2,
+            InitUserCryptoRequest {
+                user_id: Some(uuid::Uuid::new_v4()),
+                kdf_params: new_kdf.clone(),
+                email: "[email protected]".into(),
+                private_key: priv_key.to_owned(),
+                signing_key: None,
+                security_state: None,
+                method: InitUserCryptoMethod::Password {
+                    password: "123412341234".into(),
+                    user_key: new_kdf_response
+                        .master_password_unlock_data
+                        .master_key_wrapped_user_key,
+                },
+            },
+        )
+        .await
+        .unwrap();
+
+        let new_hash = client2
+            .kdf()
+            .hash_password(
+                "[email protected]".into(),
+                "123412341234".into(),
+                new_kdf.clone(),
+                bitwarden_crypto::HashPurpose::ServerAuthorization,
+            )
+            .await
+            .unwrap();
+
+        assert_eq!(
+            new_hash,
+            new_kdf_response
+                .master_password_authentication_data
+                .master_password_authentication_hash
+        );
+
+        let client_key = {
+            let key_store = client.internal.get_key_store();
+            let ctx = key_store.context();
+            #[allow(deprecated)]
+            ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)
+                .unwrap()
+                .to_base64()
+        };
+
+        let client2_key = {
+            let key_store = client2.internal.get_key_store();
+            let ctx = key_store.context();
+            #[allow(deprecated)]
+            ctx.dangerous_get_symmetric_key(SymmetricKeyId::User)
+                .unwrap()
+                .to_base64()
+        };
+
+        assert_eq!(client_key, client2_key);
+    }
+
     #[tokio::test]
     async fn test_update_password() {
         let client = Client::new(None);
@@ -765,7 +920,7 @@ mod tests {
         .await
         .unwrap();
 
-        let new_password_response = update_password(&client, "123412341234".into()).unwrap();
+        let new_password_response = make_update_password(&client, "123412341234".into()).unwrap();
 
         let client2 = Client::new(None);
 

crates/bitwarden-core/src/key_management/crypto_client.rs

@@ -1,4 +1,4 @@
-use bitwarden_crypto::CryptoError;
+use bitwarden_crypto::{CryptoError, Kdf};
 #[cfg(feature = "internal")]
 use bitwarden_crypto::{EncString, UnsignedSharedKey};
 #[cfg(feature = "wasm")]
@@ -12,15 +12,15 @@ use super::crypto::{
 #[cfg(feature = "internal")]
 use crate::key_management::crypto::{
     derive_pin_key, derive_pin_user_key, enroll_admin_password_reset, get_user_encryption_key,
-    initialize_org_crypto, initialize_user_crypto, update_password, DerivePinKeyResponse,
+    initialize_org_crypto, initialize_user_crypto, make_update_password, DerivePinKeyResponse,
     InitOrgCryptoRequest, InitUserCryptoRequest, UpdatePasswordResponse,
 };
 use crate::{
     client::encryption_settings::EncryptionSettingsError,
     error::StatefulCryptoError,
     key_management::crypto::{
-        get_v2_rotated_account_keys, make_v2_keys_for_v1_user, CryptoClientError,
-        UserCryptoV2KeysResponse,
+        get_v2_rotated_account_keys, make_update_kdf, make_v2_keys_for_v1_user, CryptoClientError,
+        UpdateKdfResponse, UserCryptoV2KeysResponse,
     },
     Client,
 };
@@ -80,6 +80,17 @@ impl CryptoClient {
     ) -> Result<UserCryptoV2KeysResponse, StatefulCryptoError> {
         get_v2_rotated_account_keys(&self.client)
     }
+
+    /// Create the data necessary to update the user's kdf settings. The user's encryption key is
+    /// re-encrypted for the password under the new kdf settings. This returns the new encrypted
+    /// user key and the new password hash but does not update sdk state.
+    pub fn make_update_kdf(
+        &self,
+        password: String,
+        kdf: Kdf,
+    ) -> Result<UpdateKdfResponse, CryptoClientError> {
+        make_update_kdf(&self.client, &password, &kdf)
+    }
 }
 
 impl CryptoClient {
@@ -89,13 +100,26 @@ impl CryptoClient {
         get_user_encryption_key(&self.client).await
     }
 
-    /// Update the user's password, which will re-encrypt the user's encryption key with the new
-    /// password. This returns the new encrypted user key and the new password hash.
+    /// Create the data necessary to update the user's password. The user's encryption key is
+    /// re-encrypted with the new password. This returns the new encrypted user key and the new
+    /// password hash but does not update sdk state.
+    ///
+    /// Note: This is deprecated and `make_update_password` should be used instead
     pub fn update_password(
         &self,
         new_password: String,
     ) -> Result<UpdatePasswordResponse, CryptoClientError> {
-        update_password(&self.client, new_password)
+        self.make_update_password(new_password)
+    }
+
+    /// Create the data necessary to update the user's password. The user's encryption key is
+    /// re-encrypted with the new password. This returns the new encrypted user key and the new
+    /// password hash but does not update sdk state.
+    pub fn make_update_password(
+        &self,
+        new_password: String,
+    ) -> Result<UpdatePasswordResponse, CryptoClientError> {
+        make_update_password(&self.client, new_password)
     }
 
     /// Generates a PIN protected user key from the provided PIN. The result can be stored and later