passbolt-browser-extension 3.0.6 → 4.6.2

package/src/all/background_page/service/account/getLegacyAccountService.js

@@ -0,0 +1,67 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         3.6.0
+ */
+
+import Keyring from "../../model/keyring";
+import {Uuid} from "../../utils/uuid";
+import AccountEntity from "../../model/entity/account/accountEntity";
+import User from "../../model/user";
+import BuildApiClientOptionsService from "./buildApiClientOptionsService";
+import UserModel from "../../model/user/userModel";
+
+class GetLegacyAccountService {
+  /**
+   * Get the account associated with this extension.
+   * @param {Object} option The option to add more data in the account
+   * @return {Promise<AccountEntity>}
+   * @throw {Error} if no account yet associated with this extension.
+   */
+  static async get(option = {}) {
+    const keyring = new Keyring();
+    const user = await User.getInstance().get();
+    const serverPublicKeyInfo = keyring.findPublic(Uuid.get(user.settings.domain));
+    const userPublicKeyInfo = keyring.findPublic(user.id);
+    const userPrivateKeyInfo = keyring.findPrivate();
+
+    // Add in the account the role name if the option object have role (only for authenticated user)
+    let userEntity;
+    if (option?.role) {
+      // Load the application settings, necessary to validate the account username.
+      const apiClientOptions = await BuildApiClientOptionsService.buildFromDomain(user.settings.domain);
+      userEntity = await (new UserModel(apiClientOptions)).findOne(user.id, {role: true});
+    }
+
+    const accountDto = {
+      domain: user.settings.domain,
+      user_id: user.id,
+      username: user.username,
+      first_name: user.firstname,
+      last_name: user.lastname,
+      server_public_armored_key: serverPublicKeyInfo.armoredKey,
+      user_key_fingerprint: userPublicKeyInfo.fingerprint.toUpperCase(),
+      user_public_armored_key: userPublicKeyInfo.armoredKey,
+      user_private_armored_key: userPrivateKeyInfo.armoredKey,
+      security_token: user.settings.securityToken,
+      role_name: userEntity?.role?.name || null
+    };
+
+    /*
+     * Do not validate the username. This validation can happen only when the application settings are loaded as the
+     * username validation can be customized. The application settings are not retrieved at this stage to not add a time
+     * penalty on all the flows that require the account.
+     */
+    return new AccountEntity(accountDto, {validateUsername: false});
+  }
+}
+
+export default GetLegacyAccountService;

package/src/all/background_page/service/account/updateSsoCredentialsService.js

@@ -0,0 +1,88 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         3.9.0
+ */
+import OrganizationSettingsModel from "../../model/organizationSettings/organizationSettingsModel";
+import SsoSettingsModel from "../../model/sso/ssoSettingsModel";
+import SsoDataStorage from "../indexedDB_storage/ssoDataStorage";
+import GenerateSsoKitService from "../sso/generateSsoKitService";
+import SsoKitServerPartModel from "../../model/sso/ssoKitServerPartModel";
+import EntityValidationError from "passbolt-styleguide/src/shared/models/entity/abstract/entityValidationError";
+
+class UpdateSsoCredentialsService {
+  constructor(apiClientOption) {
+    this.organisationSettingsModel = new OrganizationSettingsModel(apiClientOption);
+    this.ssoSettingsModel = new SsoSettingsModel(apiClientOption);
+    this.ssoKitServerPartModel = new SsoKitServerPartModel(apiClientOption);
+  }
+
+  /**
+   * Clean the SSO kit then regenerate a new one
+   * @param {string} passphrase
+   * @returns {Promise<ApiClientOptions>}
+   */
+  async forceUpdateSsoKit(passphrase) {
+    await SsoDataStorage.flush();
+    await this.updateSsoKitIfNeeded(passphrase);
+  }
+
+  /**
+   * Updates the current's user SSO kit:
+   * - Flush it if one exists and SSO plutin is disabled or the feature is not configured
+   * - Creates a new one if none exists and SSO plugin is enabled
+   * @param {string} passphrase
+   * @returns {Promise<void>}
+   */
+  async updateSsoKitIfNeeded(passphrase) {
+    const localSsoKit = await SsoDataStorage.get();
+    const organizationSettings = await this.organisationSettingsModel.getOrFind();
+    if (!organizationSettings.isPluginEnabled("sso")) {
+      /*
+       * If the plugin is disabled there is no reason to keep an SSO kit
+       * Plus, if we have an SSO kit locally, the login page will continue display the SSO login
+       */
+      if (localSsoKit) {
+        await SsoDataStorage.flush();
+      }
+      return;
+    }
+
+    let currentSsoSettings;
+    try {
+      currentSsoSettings = await this.ssoSettingsModel.getCurrent();
+    } catch (e) {
+      if (e instanceof EntityValidationError) {
+        /*
+         * It might happen that the browser extension is on an older version than the server.
+         * If so, the server could be configured with an SSO provider that the browser extension doesn't support.
+         * In such a case, the SsoSettingsEntity will crash at the validation and could block the recover, setup or login steps.
+         */
+        console.error(e);
+        return;
+      }
+      // In other cases, it's an unexpected error that should be thrown like usual
+      throw e;
+    }
+
+    if (!currentSsoSettings?.provider && localSsoKit) {
+      /*
+       * if we have a local SSO kit but the plugin is not configured
+       * it means it has been disabled and there is no point to keep it
+       */
+      await SsoDataStorage.flush();
+    } else if (currentSsoSettings?.provider && !localSsoKit) {
+      await GenerateSsoKitService.generate(passphrase, currentSsoSettings.provider);
+    }
+  }
+}
+
+export default UpdateSsoCredentialsService;

package/src/all/background_page/service/accountRecovery/buildApprovedAccountRecoveryUserSettingEntityService.js

@@ -0,0 +1,115 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         3.6.0
+ */
+
+import {OpenpgpAssertion} from "../../utils/openpgp/openpgpAssertions";
+import EncryptMessageService from "../crypto/encryptMessageService";
+import AccountRecoveryOrganizationPolicyEntity from "../../model/entity/accountRecovery/accountRecoveryOrganizationPolicyEntity";
+import secrets from 'secrets-passbolt';
+import AccountRecoveryPrivateKeyPasswordEntity from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordEntity";
+import AccountRecoveryPrivateKeyPasswordDecryptedDataEntity from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordDecryptedDataEntity";
+import AccountRecoveryUserSettingEntity from "../../model/entity/accountRecovery/accountRecoveryUserSettingEntity";
+
+// The strength of the secret to use to encrypt the private key.
+const SYMMETRIC_SECRET_BITS = 512;
+
+class BuildApprovedAccountRecoveryUserSettingEntityService {
+  /**
+   * Build accepted account recovery user setting entity.
+   *
+   * @param {AbstractAccountEntity} account The account creating the account recovery user setting.
+   * @param {openpgp.PrivateKey} decryptedPrivateKey The user decrypted private key.
+   * @param {AccountRecoveryOrganizationPolicyEntity} organizationPolicy The organization policy.
+   * @returns {Promise<AccountRecoveryUserSettingEntity>}
+   */
+  static async build(account, decryptedPrivateKey, organizationPolicy) {
+    OpenpgpAssertion.assertDecryptedPrivateKey(decryptedPrivateKey);
+
+    if (!organizationPolicy || !(organizationPolicy instanceof AccountRecoveryOrganizationPolicyEntity)) {
+      throw new Error("The provided organizationPolicy must be a valid AccountRecoveryOrganizationPolicyEntity.");
+    }
+
+    const symmetricSecret = secrets.random(SYMMETRIC_SECRET_BITS);
+    const accountRecoveryPrivateKeyDto = await this._encryptPrivateKey(symmetricSecret, decryptedPrivateKey);
+    const accountRecoveryPrivateKeyPasswordForOrganizationDto = await this._encryptPrivateKeyPasswordsForOrganizationKey(account, symmetricSecret, organizationPolicy, decryptedPrivateKey);
+
+    accountRecoveryPrivateKeyDto.account_recovery_private_key_passwords = [accountRecoveryPrivateKeyPasswordForOrganizationDto];
+
+    const userSettingDto = {
+      user_id: account.userId,
+      status: AccountRecoveryUserSettingEntity.STATUS_APPROVED,
+      account_recovery_private_key: accountRecoveryPrivateKeyDto
+    };
+
+    return new AccountRecoveryUserSettingEntity(userSettingDto);
+  }
+
+  /**
+   * Encrypt the user private key symmetrically.
+   *
+   * @param {string} symmetricSecret The symmetric secret to use to encrypt the private key.
+   * @param {openpgp.PrivateKey} decryptedPrivateKey The user decrypted private key.
+   * @returns {Promise<Object>}
+   */
+  static async _encryptPrivateKey(symmetricSecret, decryptedPrivateKey) {
+    const userPrivateKeySymmetricEncrypted = await EncryptMessageService.encryptSymmetrically(decryptedPrivateKey.armor(), [symmetricSecret], [decryptedPrivateKey]);
+    return {data: userPrivateKeySymmetricEncrypted};
+  }
+
+  /**
+   * Encrypt the user private key passwords for the account recovery contacts defined in the organization policy.
+   *
+   * @param {AbstractAccountEntity} account The account creating the account recovery user setting.
+   * @param {string} symmetricSecret The symmetric secret to use to encrypt the private key.
+   * @param {AccountRecoveryOrganizationPolicyEntity} organizationPolicy The organization policy.
+   * @param {openpgp.PrivateKey} decryptedPrivateKey The user decrypted private key.
+   * @returns {Promise<Object>}
+   * @private
+   */
+  static async _encryptPrivateKeyPasswordsForOrganizationKey(account, symmetricSecret, organizationPolicy, decryptedPrivateKey) {
+    const organizationPublicKey = await OpenpgpAssertion.readKeyOrFail(organizationPolicy.armoredKey);
+    const privateKeyPasswordDecryptedData = this._buildPrivateKeyPasswordDecryptedData(account, symmetricSecret);
+    const serializedPrivateKeyPasswordDecryptedData = JSON.stringify(privateKeyPasswordDecryptedData.toDto());
+    const privateKeyPasswordEncryptedData = await EncryptMessageService.encrypt(serializedPrivateKeyPasswordDecryptedData, organizationPublicKey, [decryptedPrivateKey]);
+
+    return {
+      data: privateKeyPasswordEncryptedData,
+      recipient_foreign_model: AccountRecoveryPrivateKeyPasswordEntity.FOREIGN_MODEL_ORGANIZATION_KEY,
+      recipient_fingerprint: organizationPublicKey.getFingerprint().toUpperCase(),
+    };
+  }
+
+  /**
+   * Encrypt the user private key passwords for the account recovery contacts defined in the organization policy.
+   *
+   * @param {AbstractAccountEntity} account The account creating the account recovery user setting.
+   * @param {string} symmetricSecret The symmetric secret used to encrypt the private key with.
+   * @returns {AccountRecoveryPrivateKeyPasswordDecryptedDataEntity}
+   * @private
+   */
+  static _buildPrivateKeyPasswordDecryptedData(account, symmetricSecret) {
+    const privateLeyPasswordDecryptedDataDto = {
+      domain: account.domain,
+      type: "account-recovery-private-key-password-decrypted-data",
+      version: "v1",
+      private_key_user_id: account.userId,
+      private_key_fingerprint: account.userKeyFingerprint,
+      private_key_secret: symmetricSecret,
+      created: (new Date()).toISOString()
+    };
+
+    return new AccountRecoveryPrivateKeyPasswordDecryptedDataEntity(privateLeyPasswordDecryptedDataDto);
+  }
+}
+
+export default BuildApprovedAccountRecoveryUserSettingEntityService;

package/src/all/background_page/service/accountRecovery/buildApprovedAccountRecoveryUserSettingEntityService.service.test.js

@@ -0,0 +1,83 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         3.6.0
+ */
+
+import {pgpKeys} from "../../../../../test/fixtures/pgpKeys/keys";
+import BuildApprovedAccountRecoveryUserSettingEntityService from "./buildApprovedAccountRecoveryUserSettingEntityService";
+import {enabledAccountRecoveryOrganizationPolicyDto} from "../../model/entity/accountRecovery/accountRecoveryOrganizationPolicyEntity.test.data";
+import AccountRecoveryOrganizationPolicyEntity from "../../model/entity/accountRecovery/accountRecoveryOrganizationPolicyEntity";
+import DecryptMessageService from "../crypto/decryptMessageService";
+import {defaultAccountDto} from "../../model/entity/account/accountEntity.test.data";
+import AccountEntity from "../../model/entity/account/accountEntity";
+import AccountRecoveryPrivateKeyPasswordDecryptedDataEntity from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordDecryptedDataEntity";
+import {OpenpgpAssertion} from "../../utils/openpgp/openpgpAssertions";
+
+describe("BuildApprovedAccountRecoveryUserSettingEntityService service", () => {
+  it("Build approved account recovery user setting entity", async() => {
+    const account = new AccountEntity(defaultAccountDto());
+    const organizationPolicyDto = enabledAccountRecoveryOrganizationPolicyDto();
+    const organizationPolicy = new AccountRecoveryOrganizationPolicyEntity(organizationPolicyDto);
+    const decryptedPrivateKey = await OpenpgpAssertion.readKeyOrFail(pgpKeys.ada.private_decrypted);
+    const accountRecoveryUserSetting = await BuildApprovedAccountRecoveryUserSettingEntityService.build(account, decryptedPrivateKey, organizationPolicy);
+
+    expect.assertions(11);
+    expect(accountRecoveryUserSetting.isApproved).toBe(true);
+    expect(accountRecoveryUserSetting.accountRecoveryPrivateKey).not.toBeNull();
+    expect(accountRecoveryUserSetting.accountRecoveryPrivateKey.accountRecoveryPrivateKeyPasswords).not.toBeNull();
+
+    // Ensure the recipient fingerprint is properly set.
+    const privateKeyPasswordRecipientFingerprint = accountRecoveryUserSetting.accountRecoveryPrivateKey.accountRecoveryPrivateKeyPasswords.items[0].recipientFingerprint;
+    const organizationPolicyFingerprint = organizationPolicyDto.account_recovery_organization_public_key.fingerprint.toUpperCase();
+    expect(privateKeyPasswordRecipientFingerprint).toBe(organizationPolicyFingerprint);
+
+    // Ensure the private key password decrypted data match the expected meta.
+    const userPrivateKeyPasswordEncrypted = await OpenpgpAssertion.readMessageOrFail(accountRecoveryUserSetting.accountRecoveryPrivateKey.accountRecoveryPrivateKeyPasswords.items[0].data);
+    const userPrivateKeyPasswordEncryptedData = await OpenpgpAssertion.readMessageOrFail(accountRecoveryUserSetting.accountRecoveryPrivateKey.data);
+    const accountRecoveryPrivateKeyDecrypted = await OpenpgpAssertion.readKeyOrFail(pgpKeys.account_recovery_organization.private_decrypted);
+    const userPrivateKeyPasswordDecryptedSerializedDataDto = await DecryptMessageService.decrypt(userPrivateKeyPasswordEncrypted, accountRecoveryPrivateKeyDecrypted, [decryptedPrivateKey]);
+    const userPrivateKeyPasswordDecryptedData = new AccountRecoveryPrivateKeyPasswordDecryptedDataEntity(JSON.parse(userPrivateKeyPasswordDecryptedSerializedDataDto));
+    expect(userPrivateKeyPasswordDecryptedData.type).toStrictEqual("account-recovery-private-key-password-decrypted-data");
+    expect(userPrivateKeyPasswordDecryptedData.version).toStrictEqual("v1");
+    expect(userPrivateKeyPasswordDecryptedData.privateKeyUserId).toStrictEqual(account.userId);
+    expect(userPrivateKeyPasswordDecryptedData.privateKeyFingerprint).toStrictEqual(account.userKeyFingerprint);
+    expect(userPrivateKeyPasswordDecryptedData.privateKeySecret).toHaveLength(128);
+    expect(Date.parse(userPrivateKeyPasswordDecryptedData.created)).toBeTruthy();
+
+    // Assert the secret can be used to decrypt the escrow.
+    const userPrivateArmoredOpenpgpKeyDecrypted = await DecryptMessageService.decryptSymmetrically(
+      userPrivateKeyPasswordEncryptedData,
+      userPrivateKeyPasswordDecryptedData.privateKeySecret,
+      [decryptedPrivateKey]
+    );
+    expect(userPrivateArmoredOpenpgpKeyDecrypted.trim()).toEqual(pgpKeys.ada.private_decrypted);
+  });
+
+  it("Should throw an error if the provided user private key is not a valid decrypted private pgp key.", async() => {
+    const account = new AccountEntity(defaultAccountDto());
+    const privateKey = await OpenpgpAssertion.readKeyOrFail(pgpKeys.ada.private);
+    const resultPromise = BuildApprovedAccountRecoveryUserSettingEntityService.build(account, privateKey, {});
+
+    expect.assertions(1);
+    await expect(resultPromise).rejects.toThrow("The private key should be decrypted.");
+  });
+
+  it("Should throw an error if the provided organization policy is not a valid AccountRecoveryOrganizationPolicyEntity.", async() => {
+    const account = new AccountEntity(defaultAccountDto());
+    const organizationPolicy = {};
+    const privateKey = await OpenpgpAssertion.readKeyOrFail(pgpKeys.ada.private_decrypted);
+    const resultPromise = BuildApprovedAccountRecoveryUserSettingEntityService.build(account, privateKey, organizationPolicy);
+
+    expect.assertions(1);
+    await expect(resultPromise).rejects.toThrow("The provided organizationPolicy must be a valid AccountRecoveryOrganizationPolicyEntity.");
+  });
+});

package/src/all/background_page/service/accountRecovery/decryptPrivateKeyPasswordDataService.js

@@ -0,0 +1,74 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         3.6.0
+ */
+import DecryptMessageService from "../../service/crypto/decryptMessageService";
+import AccountRecoveryPrivateKeyPasswordDecryptedDataEntity from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordDecryptedDataEntity";
+import {OpenpgpAssertion} from "../../utils/openpgp/openpgpAssertions";
+
+
+class DecryptPrivateKeyPasswordDataService {
+  /**
+   * Decrypt the private key password encrypted data.
+   * @param {AccountRecoveryPrivateKeyPasswordEntity} privateKeyPassword The private key password.
+   * @param {openpgp.PrivateKey} decryptionKey The decrypted decryption key.
+   * @param {string} verificationDomain The expected domain the private key password should contain.
+   * @param {string} [verificationUserId] The id of the user who is the owner of the private key encrypted with the private key password.
+   * @param {openpgp.PublicKey} [verificationUserPublicKey] The public key of the user who is the owner of the private key encrypted with the private key password
+   * @return {Promise<AccountRecoveryPrivateKeyPasswordDecryptedDataEntity>}
+   * @throw {Error} If the decryption key fingerprint does not match the private key password recipient fingerprint.
+   * @throw {Error} If the private key password data cannot be decrypted.
+   * @throw {Error} If the decrypted private key password data cannot be parsed.
+   * @throw {EntityValidationError} If the decrypted private key password data cannot be used to create a private key password decrypted data entity.
+   * @throw {Error} If the user id contained in the decrypted private key password data does not match the verification user id.
+   * @throw {Error} If the fingerprint contained in the decrypted private key password data does not match the verification fingerprint.
+   */
+  static async decrypt(privateKeyPassword, decryptionKey, verificationDomain, verificationUserId, verificationUserPublicKey) {
+    let privateKeyPasswordDecryptedDataDto;
+
+    if (decryptionKey.getFingerprint().toUpperCase() !== privateKeyPassword.recipientFingerprint) {
+      throw new Error("The decryption key fingerprint does not match the private key password recipient fingerprint.");
+    }
+
+    // @todo verify the signature on the password: can be the user itself while performing the setup or the admin while rotating the ork.
+    const privateKeyPasswordMessage = await OpenpgpAssertion.readMessageOrFail(privateKeyPassword.data);
+    const privateKeyPasswordDecryptedDataSerialized = await DecryptMessageService.decrypt(privateKeyPasswordMessage, decryptionKey);
+
+    try {
+      privateKeyPasswordDecryptedDataDto = JSON.parse(privateKeyPasswordDecryptedDataSerialized);
+    } catch (error) {
+      throw new Error("Unable to parse the decrypted private key password data.");
+    }
+
+    const privateKeyPasswordDecryptedData = new AccountRecoveryPrivateKeyPasswordDecryptedDataEntity(privateKeyPasswordDecryptedDataDto);
+
+    if (privateKeyPasswordDecryptedData.domain !== verificationDomain) {
+      throw new Error("The domain contained in the private key password data does not match the expected target domain.");
+    }
+
+    if (verificationUserId) {
+      if (privateKeyPasswordDecryptedData.privateKeyUserId !== verificationUserId) {
+        throw new Error("The user id contained in the private key password data does not match the private key target used id.");
+      }
+    }
+
+    if (verificationUserPublicKey) {
+      if (privateKeyPasswordDecryptedData.privateKeyFingerprint !== verificationUserPublicKey.getFingerprint().toUpperCase()) {
+        throw new Error("The private key password data fingerprint should match the user public fingerprint.");
+      }
+    }
+
+    return privateKeyPasswordDecryptedData;
+  }
+}
+
+export default DecryptPrivateKeyPasswordDataService;

package/src/all/background_page/service/accountRecovery/decryptPrivateKeyPasswordDataService.test.js

@@ -0,0 +1,125 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         3.6.0
+ */
+
+import {v4 as uuidv4} from "uuid";
+import DecryptPrivateKeyPasswordDataService from "./decryptPrivateKeyPasswordDataService";
+import {defaultAccountRecoveryPrivateKeyPasswordDto} from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordEntity.test.data";
+import AccountRecoveryPrivateKeyPasswordEntity from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordEntity";
+import {pgpKeys} from "../../../../../test/fixtures/pgpKeys/keys";
+import EncryptMessageService from "../crypto/encryptMessageService";
+import {defaultAccountRecoveryPrivateKeyPasswordDecryptedDataDto} from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordDecryptedDataEntity.test.data";
+import AccountRecoveryPrivateKeyPasswordDecryptedDataEntity from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordDecryptedDataEntity";
+import {OpenpgpAssertion} from "../../utils/openpgp/openpgpAssertions";
+
+describe("DecryptPrivateKeyPasswordDataService", () => {
+  describe("DecryptPrivateKeyPasswordDataService:decrypt", () => {
+    const expectedDomain = "https://passbolt.local";
+    const privateKeyPassword = new AccountRecoveryPrivateKeyPasswordEntity(defaultAccountRecoveryPrivateKeyPasswordDto());
+    const decryptionArmoredKey = pgpKeys.account_recovery_organization.private_decrypted;
+    const verificationUserId = pgpKeys.ada.userId;
+    const verificationPublicArmoredKey = pgpKeys.ada.public;
+
+    it("should decrypt a private key password data.", async() => {
+      const decryptionKey = await OpenpgpAssertion.readKeyOrFail(decryptionArmoredKey);
+      const verificationPublicKey = await OpenpgpAssertion.readKeyOrFail(verificationPublicArmoredKey);
+      const privateKeyPasswordDecryptedData = await DecryptPrivateKeyPasswordDataService.decrypt(privateKeyPassword, decryptionKey, expectedDomain, verificationUserId, verificationPublicKey);
+      expect.assertions(8);
+      expect(privateKeyPasswordDecryptedData).toBeInstanceOf(AccountRecoveryPrivateKeyPasswordDecryptedDataEntity);
+      expect(privateKeyPasswordDecryptedData.type).toStrictEqual("account-recovery-private-key-password-decrypted-data");
+      expect(privateKeyPasswordDecryptedData.version).toStrictEqual("v1");
+      expect(privateKeyPasswordDecryptedData.domain).toStrictEqual(expectedDomain);
+      expect(privateKeyPasswordDecryptedData.privateKeyUserId).toStrictEqual(pgpKeys.ada.userId);
+      expect(privateKeyPasswordDecryptedData.privateKeyFingerprint).toStrictEqual(pgpKeys.ada.fingerprint);
+      expect(privateKeyPasswordDecryptedData.privateKeySecret).toStrictEqual("f7cf1fa06f973a9ecbb5f0e2bc6d1830532e53ad50da231036bd6c8c00dd7c7dc6c07b04004615cd6808bea2cb6a4ce4c46f7f36b8865292c0f7a28cd6f56112");
+      expect(Date.parse(privateKeyPasswordDecryptedData.created)).toBeTruthy();
+    });
+
+    it("should fail if the given decryption key does not match private key password recipient fingerprint", async() => {
+      const decryptionKey = await OpenpgpAssertion.readKeyOrFail(pgpKeys.ada.private_decrypted);
+      const verificationPublicKey = await OpenpgpAssertion.readKeyOrFail(verificationPublicArmoredKey);
+      const promise = DecryptPrivateKeyPasswordDataService.decrypt(privateKeyPassword, decryptionKey, expectedDomain, verificationUserId, verificationPublicKey);
+      expect.assertions(1);
+      await expect(promise).rejects.toThrowError("The decryption key fingerprint does not match the private key password recipient fingerprint.");
+    });
+
+    it("should fail if the private key password cannot be decrypted.", async() => {
+      const decryptionKey = await OpenpgpAssertion.readKeyOrFail(decryptionArmoredKey);
+      const verificationPublicKey = await OpenpgpAssertion.readKeyOrFail(verificationPublicArmoredKey);
+      const data = "decrypt-me-decrypt-me-decrypt-me";
+      const privateKeyPassword = new AccountRecoveryPrivateKeyPasswordEntity(defaultAccountRecoveryPrivateKeyPasswordDto({data}));
+      const promise = DecryptPrivateKeyPasswordDataService.decrypt(privateKeyPassword, decryptionKey, expectedDomain, verificationUserId, verificationPublicKey);
+      expect.assertions(1);
+      await expect(promise).rejects.toThrowError("The message should be a valid openpgp message.");
+    });
+
+    it("should fail if the decrypted private key password data cannot be parsed.", async() => {
+      const key = await OpenpgpAssertion.readKeyOrFail(pgpKeys.account_recovery_organization.public);
+      const decryptionKey = await OpenpgpAssertion.readKeyOrFail(decryptionArmoredKey);
+      const verificationPublicKey = await OpenpgpAssertion.readKeyOrFail(verificationPublicArmoredKey);
+      const data = await EncryptMessageService.encrypt("decrypt-me-decrypt-me-decrypt-me", key);
+      const privateKeyPassword = new AccountRecoveryPrivateKeyPasswordEntity(defaultAccountRecoveryPrivateKeyPasswordDto({data}));
+      const promise = DecryptPrivateKeyPasswordDataService.decrypt(privateKeyPassword, decryptionKey, expectedDomain, verificationUserId, verificationPublicKey);
+      expect.assertions(1);
+      await expect(promise).rejects.toThrowError("Unable to parse the decrypted private key password data.");
+    });
+
+    it("should fail if the decrypted private key password data entity cannot be created with the decrypted data.", async() => {
+      const decryptionKey = await OpenpgpAssertion.readKeyOrFail(decryptionArmoredKey);
+      const verificationPublicKey = await OpenpgpAssertion.readKeyOrFail(verificationPublicArmoredKey);
+      const privateKeyPasswordDataDto = defaultAccountRecoveryPrivateKeyPasswordDecryptedDataDto({type: "not-a-valid-decrypted-data-entity-type"});
+      const key = await OpenpgpAssertion.readKeyOrFail(pgpKeys.account_recovery_organization.public);
+      const data = await EncryptMessageService.encrypt(JSON.stringify(privateKeyPasswordDataDto), key);
+      const privateKeyPassword = new AccountRecoveryPrivateKeyPasswordEntity(defaultAccountRecoveryPrivateKeyPasswordDto({data}));
+      const promise = DecryptPrivateKeyPasswordDataService.decrypt(privateKeyPassword, decryptionKey, expectedDomain, verificationUserId, verificationPublicKey);
+      expect.assertions(1);
+      await expect(promise).rejects.toThrowEntityValidationErrorOnProperties(["type"]);
+    });
+
+    it("should fail if the user id contained in the private key password data does not match the verification user id.", async() => {
+      const decryptionKey = await OpenpgpAssertion.readKeyOrFail(decryptionArmoredKey);
+      const verificationPublicKey = await OpenpgpAssertion.readKeyOrFail(verificationPublicArmoredKey);
+      const privateKeyPasswordDataDto = defaultAccountRecoveryPrivateKeyPasswordDecryptedDataDto({private_key_user_id: uuidv4()});
+      const key = await OpenpgpAssertion.readKeyOrFail(pgpKeys.account_recovery_organization.public);
+      const data = await EncryptMessageService.encrypt(JSON.stringify(privateKeyPasswordDataDto), key);
+      const privateKeyPassword = new AccountRecoveryPrivateKeyPasswordEntity(defaultAccountRecoveryPrivateKeyPasswordDto({data}));
+      const promise = DecryptPrivateKeyPasswordDataService.decrypt(privateKeyPassword, decryptionKey, expectedDomain, verificationUserId, verificationPublicKey);
+      expect.assertions(1);
+      await expect(promise).rejects.toThrowError("The user id contained in the private key password data does not match the private key target used id.");
+    });
+
+    it("should fail if the domain contained in the private key password data does not match the verification domain.", async() => {
+      const decryptionKey = await OpenpgpAssertion.readKeyOrFail(decryptionArmoredKey);
+      const verificationPublicKey = await OpenpgpAssertion.readKeyOrFail(verificationPublicArmoredKey);
+      const privateKeyPasswordDataDto = defaultAccountRecoveryPrivateKeyPasswordDecryptedDataDto({private_key_user_id: uuidv4()});
+      const key = await OpenpgpAssertion.readKeyOrFail(pgpKeys.account_recovery_organization.public);
+      const data = await EncryptMessageService.encrypt(JSON.stringify(privateKeyPasswordDataDto), key);
+      const privateKeyPassword = new AccountRecoveryPrivateKeyPasswordEntity(defaultAccountRecoveryPrivateKeyPasswordDto({data}));
+      const promise = DecryptPrivateKeyPasswordDataService.decrypt(privateKeyPassword, decryptionKey, "fake domain", verificationUserId, verificationPublicKey);
+      expect.assertions(1);
+      await expect(promise).rejects.toThrowError("The domain contained in the private key password data does not match the expected target domain.");
+    });
+
+    it("should fail if the fingerprint contained in the private key password data does not match the verification fingerprint.", async() => {
+      const decryptionKey = await OpenpgpAssertion.readKeyOrFail(decryptionArmoredKey);
+      const verificationPublicKey = await OpenpgpAssertion.readKeyOrFail(verificationPublicArmoredKey);
+      const privateKeyPasswordDataDto = defaultAccountRecoveryPrivateKeyPasswordDecryptedDataDto({private_key_fingerprint: pgpKeys.betty.fingerprint});
+      const key = await OpenpgpAssertion.readKeyOrFail(pgpKeys.account_recovery_organization.public);
+      const data = await EncryptMessageService.encrypt(JSON.stringify(privateKeyPasswordDataDto), key);
+      const privateKeyPassword = new AccountRecoveryPrivateKeyPasswordEntity(defaultAccountRecoveryPrivateKeyPasswordDto({data}));
+      const promise = DecryptPrivateKeyPasswordDataService.decrypt(privateKeyPassword, decryptionKey, expectedDomain, verificationUserId, verificationPublicKey);
+      expect.assertions(1);
+      await expect(promise).rejects.toThrowError("The private key password data fingerprint should match the user public fingerprint.");
+    });
+  });
+});

package/src/all/background_page/service/accountRecovery/decryptResponseDataService.js

@@ -0,0 +1,66 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) 2022 Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         3.6.0
+ */
+
+import {OpenpgpAssertion} from "../../utils/openpgp/openpgpAssertions";
+import DecryptMessageService from "../../service/crypto/decryptMessageService";
+import AccountRecoveryPrivateKeyPasswordDecryptedDataEntity from "../../model/entity/accountRecovery/accountRecoveryPrivateKeyPasswordDecryptedDataEntity";
+
+
+class DecryptResponseDataService {
+  /**
+   * Decrypt the response encrypted data.
+   * @param {AccountRecoveryResponseEntity} response The response.
+   * @param {openpgp.PrivateKey} decryptionKey The decrypted decryption key.
+   * @param {string} verificationUserId The id of the user who is the owner of the private key encrypted with the private key password.
+   * @param {string}verificationDomain The expected domain to find in the decrypted private key password.
+   * @param {openpgp.PublicKey} [verificationUserPublicKey] (Optional) The public key of the user who is the owner of the private key encrypted with the private key password.
+   * @return {Promise<AccountRecoveryPrivateKeyPasswordDecryptedDataEntity>}
+   * @throws {Error} If the response data cannot be decrypted.
+   * @throws {Error} If the decrypted response data cannot be parsed.
+   * @throws {EntityValidationError} If the decrypted response data cannot be used to create a private key password decrypted data entity.
+   * @throws {Error} If the user id contained in the decrypted response data does not match the verification user id.
+   * @throws {Error} If the fingerprint contained in the decrypted response data does not match the verification fingerprint.
+   */
+  static async decrypt(response, decryptionKey, verificationUserId, verificationDomain, verificationUserPublicKey) {
+    let privateKeyPasswordDecryptedDataDto;
+    const responseDataMessage = await OpenpgpAssertion.readMessageOrFail(response.data);
+    const privateKeyPasswordDecryptedDataSerialized = await DecryptMessageService.decrypt(responseDataMessage, decryptionKey);
+
+    try {
+      privateKeyPasswordDecryptedDataDto = JSON.parse(privateKeyPasswordDecryptedDataSerialized);
+    } catch (error) {
+      throw new Error("Unable to parse the decrypted response data.");
+    }
+
+    const privateKeyPasswordDecryptedData = new AccountRecoveryPrivateKeyPasswordDecryptedDataEntity(privateKeyPasswordDecryptedDataDto);
+
+    if (privateKeyPasswordDecryptedData.privateKeyUserId !== verificationUserId) {
+      throw new Error("The user id contained in the response data does not match the verification user id.");
+    }
+
+    if (privateKeyPasswordDecryptedData.domain !== verificationDomain) {
+      throw new Error("The domain contained in the private key password data does not match the expected target domain.");
+    }
+
+    if (verificationUserPublicKey) {
+      if (privateKeyPasswordDecryptedData.privateKeyFingerprint !== verificationUserPublicKey.getFingerprint().toUpperCase()) {
+        throw new Error("The response data fingerprint should match the verification fingerprint.");
+      }
+    }
+
+    return privateKeyPasswordDecryptedData;
+  }
+}
+
+export default DecryptResponseDataService;