npm - @metamask-previews/keyring-controller - Versions diffs - 22.0.2-preview-a272c5e1 → 22.0.2-preview-cf465cec - Mend

@metamask-previews/keyring-controller 22.0.2-preview-a272c5e1 → 22.0.2-preview-cf465cec

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md +0 -8
package/dist/KeyringController.cjs +117 -201
package/dist/KeyringController.cjs.map +1 -1
package/dist/KeyringController.d.cts +26 -27
package/dist/KeyringController.d.cts.map +1 -1
package/dist/KeyringController.d.mts +26 -27
package/dist/KeyringController.d.mts.map +1 -1
package/dist/KeyringController.mjs +117 -201
package/dist/KeyringController.mjs.map +1 -1
package/dist/constants.cjs +3 -4
package/dist/constants.cjs.map +1 -1
package/dist/constants.d.cts +3 -4
package/dist/constants.d.cts.map +1 -1
package/dist/constants.d.mts +3 -4
package/dist/constants.d.mts.map +1 -1
package/dist/constants.mjs +3 -4
package/dist/constants.mjs.map +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -7,14 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
-### Added
-- Add support for envelope encryption ([#5940](https://github.com/MetaMask/core/pull/5940))
-### Changed
-- Upgrade mock encryptor to support multiple ciphertexts ([#5943](https://github.com/MetaMask/core/pull/5943))
 ## [22.0.2]
 ### Fixed

package/dist/KeyringController.cjs CHANGED Viewed

@@ -36,7 +36,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
-var _KeyringController_instances, _KeyringController_controllerOperationMutex, _KeyringController_vaultOperationMutex, _KeyringController_keyringBuilders, _KeyringController_encryptor, _KeyringController_cacheEncryptionKey, _KeyringController_keyrings, _KeyringController_unsupportedKeyrings, _KeyringController_password, _KeyringController_encryptionKey, _KeyringController_qrKeyringStateListener, _KeyringController_registerMessageHandlers, _KeyringController_getKeyringById, _KeyringController_getKeyringByIdOrDefault, _KeyringController_getKeyringMetadata, _KeyringController_getKeyringBuilderForType, _KeyringController_addQRKeyring, _KeyringController_subscribeToQRKeyringEvents, _KeyringController_unsubscribeFromQRKeyringsEvents, _KeyringController_createNewVaultWithKeyring, _KeyringController_updateCachedEncryptionKey, _KeyringController_verifySeedPhrase, _KeyringController_getUpdatedKeyrings, _KeyringController_getSerializedKeyrings, _KeyringController_getSessionState, _KeyringController_restoreSerializedKeyrings, _KeyringController_unlockKeyrings, _KeyringController_updateVault, _KeyringController_isNewEncryptionAvailable, _KeyringController_isEnvelopeEncryptionEnabled, _KeyringController_getAccountsFromKeyrings, _KeyringController_createKeyringWithFirstAccount, _KeyringController_newKeyring, _KeyringController_createKeyring, _KeyringController_clearKeyrings, _KeyringController_restoreKeyring, _KeyringController_destroyKeyring, _KeyringController_removeEmptyKeyrings, _KeyringController_assertNoDuplicateAccounts, _KeyringController_setUnlocked, _KeyringController_assertIsUnlocked, _KeyringController_persistOrRollback, _KeyringController_withRollback, _KeyringController_assertControllerMutexIsLocked, _KeyringController_withControllerLock, _KeyringController_withVaultLock;
+var _KeyringController_instances, _KeyringController_controllerOperationMutex, _KeyringController_vaultOperationMutex, _KeyringController_keyringBuilders, _KeyringController_encryptor, _KeyringController_keyrings, _KeyringController_unsupportedKeyrings, _KeyringController_encryptionKey, _KeyringController_qrKeyringStateListener, _KeyringController_registerMessageHandlers, _KeyringController_getKeyringById, _KeyringController_getKeyringByIdOrDefault, _KeyringController_getKeyringMetadata, _KeyringController_getKeyringBuilderForType, _KeyringController_addQRKeyring, _KeyringController_subscribeToQRKeyringEvents, _KeyringController_unsubscribeFromQRKeyringsEvents, _KeyringController_createNewVaultWithKeyring, _KeyringController_deriveEncryptionKey, _KeyringController_useEncryptionKey, _KeyringController_verifySeedPhrase, _KeyringController_getUpdatedKeyrings, _KeyringController_getSerializedKeyrings, _KeyringController_getSessionState, _KeyringController_restoreSerializedKeyrings, _KeyringController_unlockKeyrings, _KeyringController_updateVault, _KeyringController_isNewEncryptionAvailable, _KeyringController_getAccountsFromKeyrings, _KeyringController_createKeyringWithFirstAccount, _KeyringController_newKeyring, _KeyringController_createKeyring, _KeyringController_clearKeyrings, _KeyringController_restoreKeyring, _KeyringController_destroyKeyring, _KeyringController_removeEmptyKeyrings, _KeyringController_assertNoDuplicateAccounts, _KeyringController_setUnlocked, _KeyringController_assertIsUnlocked, _KeyringController_persistOrRollback, _KeyringController_withRollback, _KeyringController_assertControllerMutexIsLocked, _KeyringController_withControllerLock, _KeyringController_withVaultLock;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.KeyringController = exports.getDefaultKeyringState = exports.keyringBuilderFactory = exports.SignTypedDataVersion = exports.AccountImportStrategy = exports.isCustodyKeyring = exports.KeyringTypes = void 0;
 const util_1 = require("@ethereumjs/util");
@@ -168,17 +168,6 @@ function assertIsValidPassword(password) {
         throw new Error(constants_1.KeyringControllerError.InvalidEmptyPassword);
     }
 }
-/**
- * Assert that the provided cacheEncryptionKey is true.
- *
- * @param cacheEncryptionKey - The cacheEncryptionKey to check.
- * @throws If the cacheEncryptionKey is not true.
- */
-function assertIsCacheEncryptionKeyTrue(cacheEncryptionKey) {
-    if (!cacheEncryptionKey) {
-        throw new Error(constants_1.KeyringControllerError.CacheEncryptionKeyDisabled);
-    }
-}
 /**
  * Checks if the provided value is a serialized keyrings array.
  *
@@ -269,7 +258,6 @@ class KeyringController extends base_controller_1.BaseController {
                 keyrings: { persist: false, anonymous: false },
                 encryptionKey: { persist: false, anonymous: false },
                 encryptionSalt: { persist: false, anonymous: false },
-                encryptedEncryptionKey: { persist: true, anonymous: false },
             },
             messenger,
             state: {
@@ -282,24 +270,17 @@ class KeyringController extends base_controller_1.BaseController {
         _KeyringController_vaultOperationMutex.set(this, new async_mutex_1.Mutex());
         _KeyringController_keyringBuilders.set(this, void 0);
         _KeyringController_encryptor.set(this, void 0);
-        _KeyringController_cacheEncryptionKey.set(this, void 0);
         _KeyringController_keyrings.set(this, void 0);
         _KeyringController_unsupportedKeyrings.set(this, void 0);
-        _KeyringController_password.set(this, void 0);
         _KeyringController_encryptionKey.set(this, void 0);
         _KeyringController_qrKeyringStateListener.set(this, void 0);
         __classPrivateFieldSet(this, _KeyringController_keyringBuilders, keyringBuilders
             ? keyringBuilders.concat(defaultKeyringBuilders)
             : defaultKeyringBuilders, "f");
+        assertIsExportableKeyEncryptor(encryptor);
         __classPrivateFieldSet(this, _KeyringController_encryptor, encryptor, "f");
         __classPrivateFieldSet(this, _KeyringController_keyrings, [], "f");
         __classPrivateFieldSet(this, _KeyringController_unsupportedKeyrings, [], "f");
-        // This option allows the controller to cache an exported key
-        // for use in decrypting and encrypting data without password
-        __classPrivateFieldSet(this, _KeyringController_cacheEncryptionKey, Boolean(options.cacheEncryptionKey), "f");
-        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
-            assertIsExportableKeyEncryptor(encryptor);
-        }
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_registerMessageHandlers).call(this);
     }
     /**
@@ -386,22 +367,19 @@ class KeyringController extends base_controller_1.BaseController {
     /**
      * Create a new vault and primary keyring.
      *
-     * This only works if keyrings are empty. If there is a pre-existing unlocked
-     * vault, calling this will have no effect. If there is a pre-existing locked
-     * vault, it will be replaced.
+     * This only works if keyrings are empty. If there is a pre-existing unlocked vault, calling this will have no effect.
+     * If there is a pre-existing locked vault, it will be replaced.
      *
      * @param password - Password to unlock the new vault.
-     * @param encryptionKey - Optional encryption key to encrypt the new vault. If
-     * set, envelope encryption will be used.
      * @returns Promise resolving when the operation ends successfully.
      */
-    async createNewVaultAndKeychain(password, encryptionKey) {
+    async createNewVaultAndKeychain(password) {
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_persistOrRollback).call(this, async () => {
             const accounts = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getAccountsFromKeyrings).call(this);
             if (!accounts.length) {
                 await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_createNewVaultWithKeyring).call(this, password, {
                     type: KeyringTypes.hd,
-                }, encryptionKey);
+                });
             }
         });
     }
@@ -430,16 +408,7 @@ class KeyringController extends base_controller_1.BaseController {
         if (!this.state.vault) {
             throw new Error(constants_1.KeyringControllerError.VaultError);
         }
-        if (this.state.encryptedEncryptionKey) {
-            // Envelope encryption mode.
-            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
-            const key = (await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, this.state.encryptedEncryptionKey));
-            const importedKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(key);
-            await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(importedKey, this.state.vault);
-        }
-        else {
-            await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, this.state.vault);
-        }
+        await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, this.state.vault);
     }
     /**
      * Returns the status of the vault.
@@ -628,7 +597,7 @@ class KeyringController extends base_controller_1.BaseController {
                     try {
                         wallet = ethereumjs_wallet_1.thirdparty.fromEtherWallet(input, password);
                     }
-                    catch {
+                    catch (e) {
                         wallet = wallet || (await ethereumjs_wallet_1.default.fromV3(input, password, true));
                     }
                     privateKey = (0, utils_1.bytesToHex)(wallet.getPrivateKey());
@@ -686,7 +655,6 @@ class KeyringController extends base_controller_1.BaseController {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unsubscribeFromQRKeyringsEvents).call(this);
-            __classPrivateFieldSet(this, _KeyringController_password, undefined, "f");
             __classPrivateFieldSet(this, _KeyringController_encryptionKey, undefined, "f");
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_clearKeyrings).call(this);
             this.update((state) => {
@@ -868,33 +836,10 @@ class KeyringController extends base_controller_1.BaseController {
      * @returns Promise resolving when the operation completes.
      */
     changePassword(password) {
-        return this.changePasswordAndEncryptionKey(password);
-    }
-    /**
-     * Changes the password and encryption key used to encrypt the vault.
-     *
-     * @param password - The new password.
-     * @param encryptionKey - The new encryption key. If omitted, the encryption
-     * key will not be changed.
-     * @returns Promise resolving when the operation completes.
-     */
-    changePasswordAndEncryptionKey(password, encryptionKey) {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_persistOrRollback).call(this, async () => {
             assertIsValidPassword(password);
-            // Update password.
-            __classPrivateFieldSet(this, _KeyringController_password, password, "f");
-            // Update encryption key.
-            __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_updateCachedEncryptionKey).call(this, encryptionKey);
-            // We need to clear encryption key and salt from state
-            // to force the controller to re-encrypt the vault using
-            // the new password.
-            if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
-                this.update((state) => {
-                    delete state.encryptionKey;
-                    delete state.encryptionSalt;
-                });
-            }
+            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password);
         });
     }
     /**
@@ -902,12 +847,13 @@ class KeyringController extends base_controller_1.BaseController {
      * using the given encryption key and salt.
      *
      * @param encryptionKey - Key to unlock the keychain.
-     * @param encryptionSalt - Salt to unlock the keychain.
      * @returns Promise resolving when the operation completes.
      */
-    async submitEncryptionKey(encryptionKey, encryptionSalt) {
+    async submitEncryptionKey(encryptionKey) {
         const { newMetadata } = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, undefined, encryptionKey, encryptionSalt);
+            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, {
+                exportedEncryptionKey: encryptionKey,
+            });
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
             return result;
         });
@@ -935,7 +881,7 @@ class KeyringController extends base_controller_1.BaseController {
      */
     async submitPassword(password) {
         const { newMetadata } = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, password);
+            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, { password });
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
             return result;
         });
@@ -945,6 +891,12 @@ class KeyringController extends base_controller_1.BaseController {
             // can attempt to upgrade the vault.
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
                 if (newMetadata || __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_isNewEncryptionAvailable).call(this)) {
+                    await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password, {
+                        // If the vault is being upgraded, we want to ignore the metadata
+                        // that is already in the vault, so we can effectively
+                        // re-encrypt the vault with the new encryption config.
+                        ignoreVautKeyMetadata: true,
+                    });
                     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_updateVault).call(this);
                 }
             });
@@ -1199,7 +1151,7 @@ class KeyringController extends base_controller_1.BaseController {
     }
 }
 exports.KeyringController = KeyringController;
-_KeyringController_controllerOperationMutex = new WeakMap(), _KeyringController_vaultOperationMutex = new WeakMap(), _KeyringController_keyringBuilders = new WeakMap(), _KeyringController_encryptor = new WeakMap(), _KeyringController_cacheEncryptionKey = new WeakMap(), _KeyringController_keyrings = new WeakMap(), _KeyringController_unsupportedKeyrings = new WeakMap(), _KeyringController_password = new WeakMap(), _KeyringController_encryptionKey = new WeakMap(), _KeyringController_qrKeyringStateListener = new WeakMap(), _KeyringController_instances = new WeakSet(), _KeyringController_registerMessageHandlers = function _KeyringController_registerMessageHandlers() {
+_KeyringController_controllerOperationMutex = new WeakMap(), _KeyringController_vaultOperationMutex = new WeakMap(), _KeyringController_keyringBuilders = new WeakMap(), _KeyringController_encryptor = new WeakMap(), _KeyringController_keyrings = new WeakMap(), _KeyringController_unsupportedKeyrings = new WeakMap(), _KeyringController_encryptionKey = new WeakMap(), _KeyringController_qrKeyringStateListener = new WeakMap(), _KeyringController_instances = new WeakSet(), _KeyringController_registerMessageHandlers = function _KeyringController_registerMessageHandlers() {
     this.messagingSystem.registerActionHandler(`${name}:signMessage`, this.signMessage.bind(this));
     this.messagingSystem.registerActionHandler(`${name}:signEip7702Authorization`, this.signEip7702Authorization.bind(this));
     this.messagingSystem.registerActionHandler(`${name}:signPersonalMessage`, this.signPersonalMessage.bind(this));
@@ -1268,10 +1220,9 @@ async function _KeyringController_addQRKeyring() {
  * @param keyring - A object containing the params to instantiate a new keyring.
  * @param keyring.type - The keyring type.
  * @param keyring.opts - Optional parameters required to instantiate the keyring.
- * @param encryptionKey - Optional encryption key to encrypt the vault.
  * @returns A promise that resolves to the state.
  */
-async function _KeyringController_createNewVaultWithKeyring(password, keyring, encryptionKey) {
+async function _KeyringController_createNewVaultWithKeyring(password, keyring) {
     __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
     if (typeof password !== 'string') {
         throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
@@ -1280,18 +1231,64 @@ async function _KeyringController_createNewVaultWithKeyring(password, keyring, e
         delete state.encryptionKey;
         delete state.encryptionSalt;
     });
-    __classPrivateFieldSet(this, _KeyringController_password, password, "f");
-    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_updateCachedEncryptionKey).call(this, encryptionKey);
+    await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password);
     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_clearKeyrings).call(this);
     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_createKeyringWithFirstAccount).call(this, keyring.type, keyring.opts);
     __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
-}, _KeyringController_updateCachedEncryptionKey = function _KeyringController_updateCachedEncryptionKey(encryptionKey) {
-    if (!encryptionKey && this.state.encryptedEncryptionKey) {
-        __classPrivateFieldSet(this, _KeyringController_encryptionKey, this.state.encryptionKey, "f");
+}, _KeyringController_deriveEncryptionKey =
+/**
+ * Derive the vault encryption key from the provided password, and
+ * assign it to the class variable for later use with cryptographic
+ * functions.
+ *
+ * When the controller has a vault in its state, the key is derived
+ * using the salt from the vault. If the vault is empty, a new salt
+ * is generated and used to derive the key.
+ *
+ * @param password - The password to use for decryption or derivation.
+ */
+async function _KeyringController_deriveEncryptionKey(password, options = {
+    ignoreVautKeyMetadata: false,
+}) {
+    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
+    const { vault } = this.state;
+    if (typeof password !== 'string') {
+        throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
+    }
+    let salt, keyMetadata;
+    if (vault && !options.ignoreVautKeyMetadata) {
+        const parsedVault = JSON.parse(vault);
+        salt = parsedVault.salt;
+        keyMetadata = parsedVault.keyMetadata;
     }
     else {
-        __classPrivateFieldSet(this, _KeyringController_encryptionKey, encryptionKey, "f");
+        salt = __classPrivateFieldGet(this, _KeyringController_encryptor, "f").generateSalt();
     }
+    const exportedEncryptionKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").exportKey(await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").keyFromPassword(password, salt, true, keyMetadata));
+    __classPrivateFieldSet(this, _KeyringController_encryptionKey, {
+        salt,
+        exported: exportedEncryptionKey,
+    }, "f");
+}, _KeyringController_useEncryptionKey =
+/**
+ * Use the provided encryption key and salt to set the
+ * encryptionKey class variable. This method is used
+ * when the user provides an encryption key and salt
+ * to unlock the keychain, instead of using a password.
+ *
+ * @param encryptionKey - The encryption key to use.
+ * @param encryptionSalt - The salt to use for the encryption key.
+ */
+async function _KeyringController_useEncryptionKey(encryptionKey, encryptionSalt) {
+    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
+    if (typeof encryptionKey !== 'string' ||
+        typeof encryptionSalt !== 'string') {
+        throw new TypeError(constants_1.KeyringControllerError.WrongEncryptionKeyType);
+    }
+    __classPrivateFieldSet(this, _KeyringController_encryptionKey, {
+        salt: encryptionSalt,
+        exported: encryptionKey,
+    }, "f");
 }, _KeyringController_verifySeedPhrase =
 /**
  * Internal non-exclusive method to verify the seed phrase.
@@ -1380,7 +1377,6 @@ async function _KeyringController_getSerializedKeyrings({ includeUnsupported } =
 async function _KeyringController_getSessionState() {
     return {
         keyrings: await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this),
-        password: __classPrivateFieldGet(this, _KeyringController_password, "f"),
         encryptionKey: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"),
     };
 }, _KeyringController_restoreSerializedKeyrings =
@@ -1410,63 +1406,28 @@ async function _KeyringController_restoreSerializedKeyrings(serializedKeyrings)
  * Unlock Keyrings, decrypting the vault and deserializing all
  * keyrings contained in it, using a password or an encryption key with salt.
  *
- * @param password - The keyring controller password.
- * @param encryptionKey - An exported key string to unlock keyrings with.
- * @param encryptionSalt - The salt used to encrypt the vault.
+ * @param credentials - The credentials to unlock the keyrings.
  * @returns A promise resolving to the deserialized keyrings array.
  */
-async function _KeyringController_unlockKeyrings(password, encryptionKey, encryptionSalt) {
+async function _KeyringController_unlockKeyrings(credentials) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withVaultLock).call(this, async () => {
-        const { vault: encryptedVault, encryptedEncryptionKey } = this.state;
-        if (!encryptedVault) {
+        if (!this.state.vault) {
             throw new Error(constants_1.KeyringControllerError.VaultError);
         }
-        let vault;
-        const updatedState = {};
-        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
-            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
-            if (password) {
-                if (encryptedEncryptionKey) {
-                    const key = (await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, encryptedEncryptionKey));
-                    const importedKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(key);
-                    vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(importedKey, encryptedVault);
-                    __classPrivateFieldSet(this, _KeyringController_password, password, "f");
-                    updatedState.encryptionKey = key;
-                }
-                else {
-                    const result = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithDetail(password, encryptedVault);
-                    vault = result.vault;
-                    __classPrivateFieldSet(this, _KeyringController_password, password, "f");
-                    updatedState.encryptionKey = result.exportedKeyString;
-                    updatedState.encryptionSalt = result.salt;
-                }
-            }
-            else {
-                const parsedEncryptedVault = JSON.parse(encryptedVault);
-                if (encryptionSalt !== parsedEncryptedVault.salt) {
-                    throw new Error(constants_1.KeyringControllerError.ExpiredCredentials);
-                }
-                if (typeof encryptionKey !== 'string') {
-                    throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
-                }
-                const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
-                vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(key, parsedEncryptedVault);
-                // This call is required on the first call because encryptionKey
-                // is not yet inside the memStore
-                updatedState.encryptionKey = encryptionKey;
-                // we can safely assume that encryptionSalt is defined here
-                // because we compare it with the salt from the vault
-                // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-                updatedState.encryptionSalt = encryptionSalt;
-            }
+        const parsedEncryptedVault = JSON.parse(this.state.vault);
+        if ('password' in credentials) {
+            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, credentials.password);
         }
         else {
-            if (typeof password !== 'string') {
-                throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
-            }
-            vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, encryptedVault);
-            __classPrivateFieldSet(this, _KeyringController_password, password, "f");
+            const { exportedEncryptionKey } = credentials;
+            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_useEncryptionKey).call(this, exportedEncryptionKey, parsedEncryptedVault.salt);
+        }
+        const encryptionKey = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.exported;
+        if (!encryptionKey) {
+            throw new Error(constants_1.KeyringControllerError.MissingCredentials);
         }
+        const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
+        const vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(key, parsedEncryptedVault);
         if (!isSerializedKeyringsArray(vault)) {
             throw new Error(constants_1.KeyringControllerError.VaultDataError);
         }
@@ -1474,10 +1435,8 @@ async function _KeyringController_unlockKeyrings(password, encryptionKey, encryp
         const updatedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getUpdatedKeyrings).call(this);
         this.update((state) => {
             state.keyrings = updatedKeyrings;
-            if (updatedState.encryptionKey || updatedState.encryptionSalt) {
-                state.encryptionKey = updatedState.encryptionKey;
-                state.encryptionSalt = updatedState.encryptionSalt;
-            }
+            state.encryptionKey = encryptionKey;
+            state.encryptionSalt = parsedEncryptedVault.salt;
         });
         return { keyrings, newMetadata };
     });
@@ -1485,81 +1444,41 @@ async function _KeyringController_unlockKeyrings(password, encryptionKey, encryp
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withVaultLock).call(this, async () => {
         // Ensure no duplicate accounts are persisted.
         await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertNoDuplicateAccounts).call(this);
-        const { encryptionKey, encryptionSalt, vault } = this.state;
-        // READ THIS CAREFULLY:
-        // We do check if the vault is still considered up-to-date, if not, we would not re-use the
-        // cached key and we will re-generate a new one (based on the password).
-        //
-        // This helps doing seamless updates of the vault. Useful in case we change some cryptographic
-        // parameters to the KDF.
-        const useCachedKey = encryptionKey && vault && __classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated?.(vault);
-        if (!__classPrivateFieldGet(this, _KeyringController_password, "f") && !encryptionKey) {
+        if (!__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")) {
             throw new Error(constants_1.KeyringControllerError.MissingCredentials);
         }
         const serializedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this);
         if (!serializedKeyrings.some((keyring) => keyring.type === KeyringTypes.hd)) {
             throw new Error(constants_1.KeyringControllerError.NoHdKeyring);
         }
-        const updatedState = {};
-        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
-            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
-            if (useCachedKey) {
-                const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
-                const vaultJSON = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(key, serializedKeyrings);
-                vaultJSON.salt = encryptionSalt;
-                updatedState.vault = JSON.stringify(vaultJSON);
-            }
-            else if (__classPrivateFieldGet(this, _KeyringController_password, "f")) {
-                if (__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")) {
-                    // Update cached key.
-                    updatedState.encryptionKey = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f");
-                    // Encrypt key and update encrypted key.
-                    const encryptedKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encrypt(__classPrivateFieldGet(this, _KeyringController_password, "f"), __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"));
-                    updatedState.encryptedEncryptionKey = encryptedKey;
-                    // Encrypt and update vault.
-                    const importedKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"));
-                    const vaultJSON = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(importedKey, serializedKeyrings);
-                    updatedState.vault = JSON.stringify(vaultJSON);
-                }
-                else {
-                    const { vault: newVault, exportedKeyString } = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithDetail(__classPrivateFieldGet(this, _KeyringController_password, "f"), serializedKeyrings);
-                    updatedState.vault = newVault;
-                    updatedState.encryptionKey = exportedKeyString;
-                }
-            }
-        }
-        else {
-            assertIsValidPassword(__classPrivateFieldGet(this, _KeyringController_password, "f"));
-            updatedState.vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encrypt(__classPrivateFieldGet(this, _KeyringController_password, "f"), serializedKeyrings);
-        }
-        if (__classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_isEnvelopeEncryptionEnabled).call(this)) {
-            assertIsCacheEncryptionKeyTrue(__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f"));
-        }
-        if (!updatedState.vault) {
-            throw new Error(constants_1.KeyringControllerError.MissingVaultData);
+        const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").exported);
+        const encryptedVault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(key, serializedKeyrings);
+        if (__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt) {
+            // We need to include the salt used to derive
+            // the encryption key, to be able to derive it
+            // from password again.
+            encryptedVault.salt = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt;
         }
+        const updatedState = {
+            vault: JSON.stringify(encryptedVault),
+            encryptionKey: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").exported,
+            encryptionSalt: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt,
+        };
         const updatedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getUpdatedKeyrings).call(this);
         this.update((state) => {
             state.vault = updatedState.vault;
             state.keyrings = updatedKeyrings;
-            if (updatedState.encryptionKey) {
-                state.encryptionKey = updatedState.encryptionKey;
-                state.encryptionSalt = JSON.parse(updatedState.vault).salt;
-            }
-            if (updatedState.encryptedEncryptionKey) {
-                state.encryptedEncryptionKey = updatedState.encryptedEncryptionKey;
-            }
+            state.encryptionKey = updatedState.encryptionKey;
+            state.encryptionSalt = updatedState.encryptionSalt;
         });
         return true;
     });
 }, _KeyringController_isNewEncryptionAvailable = function _KeyringController_isNewEncryptionAvailable() {
     const { vault } = this.state;
-    if (!vault || !__classPrivateFieldGet(this, _KeyringController_password, "f") || !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated) {
+    if (!vault || !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated) {
         return false;
     }
     return !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated(vault);
-}, _KeyringController_isEnvelopeEncryptionEnabled = function _KeyringController_isEnvelopeEncryptionEnabled() {
-    return this.state.encryptedEncryptionKey || __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f");
 }, _KeyringController_getAccountsFromKeyrings =
 /**
  * Retrieves all the accounts from keyrings instances
@@ -1644,8 +1563,7 @@ async function _KeyringController_createKeyring(type, data) {
     if (keyring.init) {
         await keyring.init();
     }
-    if (type === KeyringTypes.hd &&
-        (!(0, utils_1.isObject)(data) || !data.mnemonic)) {
+    if (type === KeyringTypes.hd && (!(0, utils_1.isObject)(data) || !data.mnemonic)) {
         if (!keyring.generateRandomMnemonic) {
             throw new Error(constants_1.KeyringControllerError.UnsupportedGenerateRandomMnemonic);
         }
@@ -1767,16 +1685,11 @@ async function _KeyringController_assertNoDuplicateAccounts(additionalKeyrings =
     }
 }, _KeyringController_persistOrRollback =
 /**
- * Execute the given function after acquiring the controller lock and save the
- * vault to state after it (only if needed), or rollback to their previous
- * state in case of error.
- *
- * ATTENTION: The callback must **not** alter `controller.state`. Any state
- * change performed by the callback will not be rolled back on error.
+ * Execute the given function after acquiring the controller lock
+ * and save the vault to state after it (only if needed), or rollback to their
+ * previous state in case of error.
  *
- * @param callback - The function to execute. This callback must **not** alter
- * `controller.state`. Any state change performed by the callback will not be
- * rolled back on error.
+ * @param callback - The function to execute.
  * @returns The result of the function.
  */
 async function _KeyringController_persistOrRollback(callback) {
@@ -1801,13 +1714,16 @@ async function _KeyringController_persistOrRollback(callback) {
 async function _KeyringController_withRollback(callback) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withControllerLock).call(this, async ({ releaseLock }) => {
         const currentSerializedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this);
-        const currentPassword = __classPrivateFieldGet(this, _KeyringController_password, "f");
+        const currentEncryptionKey = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.exported;
+        const currentEncryptionSalt = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.salt;
         try {
             return await callback({ releaseLock });
         }
         catch (e) {
-            // Keyrings and password are restored to their previous state
-            __classPrivateFieldSet(this, _KeyringController_password, currentPassword, "f");
+            // Keyrings and encryption credentials are restored to their previous state
+            if (currentEncryptionKey && currentEncryptionSalt) {
+                __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_useEncryptionKey).call(this, currentEncryptionKey, currentEncryptionSalt);
+            }
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_restoreSerializedKeyrings).call(this, currentSerializedKeyrings);
             throw e;
         }