[PM-5693] KeyStore implementation

crates/bitwarden-crypto/src/error.rs

@@ -23,6 +23,10 @@ pub enum CryptoError {
     MissingKey(Uuid),
     #[error("The item was missing a required field: {0}")]
     MissingField(&'static str),
+    #[error("Missing Key for Id: {0}")]
+    MissingKeyId(String),
+    #[error("Crypto store is read-only")]
+    ReadOnlyKeyStore,
 
     #[error("Insufficient KDF parameters")]
     InsufficientKdfParameters,

crates/bitwarden-crypto/src/lib.rs

@@ -80,6 +80,10 @@ mod util;
 pub use util::{generate_random_alphanumeric, generate_random_bytes, pbkdf2};
 mod wordlist;
 pub use wordlist::EFF_LONG_WORD_LIST;
+mod store;
+pub use store::{KeyStore, KeyStoreContext};
+mod traits;
+pub use traits::{Decryptable, Encryptable, IdentifyKey, KeyId, KeyIds};
 pub use zeroizing_alloc::ZeroAlloc as ZeroizingAllocator;
 
 #[cfg(feature = "uniffi")]

crates/bitwarden-crypto/src/store/backend/implementation/basic.rs

@@ -0,0 +1,49 @@
+use zeroize::ZeroizeOnDrop;
+
+use crate::{store::backend::StoreBackend, KeyId};
+
+/// This is a basic key store backend that stores keys in a HashMap memory.
+/// No protections are provided for the keys stored in this backend, beyond enforcing
+/// zeroization on drop.
+pub(crate) struct BasicBackend<Key: KeyId> {
+    keys: std::collections::HashMap<Key, Key::KeyValue>,
+}
+
+impl<Key: KeyId> BasicBackend<Key> {
+    pub fn new() -> Self {
+        Self {
+            keys: std::collections::HashMap::new(),
+        }
+    }
+}
+
+impl<Key: KeyId> StoreBackend<Key> for BasicBackend<Key> {
+    fn upsert(&mut self, key_id: Key, key: <Key as KeyId>::KeyValue) {
+        self.keys.insert(key_id, key);
+    }
+
+    fn get(&self, key_id: Key) -> Option<&<Key as KeyId>::KeyValue> {
+        self.keys.get(&key_id)
+    }
+
+    fn remove(&mut self, key_id: Key) {
+        self.keys.remove(&key_id);
+    }
+
+    fn clear(&mut self) {
+        self.keys.clear();
+    }
+
+    fn retain(&mut self, f: fn(Key) -> bool) {
+        self.keys.retain(|k, _| f(*k));
+    }
+}
+
+/// [KeyId::KeyValue] already implements [ZeroizeOnDrop],
+/// so we only need to ensure the map is cleared on drop.
+impl<Key: KeyId> ZeroizeOnDrop for BasicBackend<Key> {}
+impl<Key: KeyId> Drop for BasicBackend<Key> {
+    fn drop(&mut self) {
+        self.clear();
+    }
+}

crates/bitwarden-crypto/src/store/backend/implementation/mod.rs

@@ -0,0 +1,28 @@
+use super::StoreBackend;
+use crate::store::KeyId;
+
+mod basic;
+
+/// Initializes a key store backend with the best available implementation for the current platform
+pub fn create_store<Key: KeyId>() -> Box<dyn StoreBackend<Key>> {
+    Box::new(basic::BasicBackend::<Key>::new())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::{traits::tests::TestSymmKey, SymmetricCryptoKey};
+
+    #[test]
+    fn test_creates_a_valid_store() {
+        let mut store = create_store::<TestSymmKey>();
+
+        let key = SymmetricCryptoKey::generate(rand::thread_rng());
+        store.upsert(TestSymmKey::A(0), key.clone());
+
+        assert_eq!(
+            store.get(TestSymmKey::A(0)).unwrap().to_base64(),
+            key.to_base64()
+        );
+    }
+}

crates/bitwarden-crypto/src/store/backend/mod.rs

@@ -0,0 +1,38 @@
+use zeroize::ZeroizeOnDrop;
+
+use crate::store::KeyId;
+
+mod implementation;
+
+pub use implementation::create_store;
+
+/// This trait represents a platform that can store and return keys. If possible,
+/// it will try to enable as many security protections on the keys as it can.
+/// The keys themselves implement [ZeroizeOnDrop], so the store will only need to make sure
+/// that the keys are dropped when they are no longer needed.
+///
+/// The default implementation is a basic in-memory store that does not provide any security
+/// guarantees.
+///
+/// We have other implementations in testing using `mlock` and `memfd_secret` for protecting keys in
+/// memory.
+///
+/// Other implementations could use secure enclaves, HSMs or OS provided keychains.
+pub trait StoreBackend<Key: KeyId>: ZeroizeOnDrop + Send + Sync {
+    /// Inserts a key into the store. If the key already exists, it will be replaced.
+    fn upsert(&mut self, key_id: Key, key: Key::KeyValue);
+
+    /// Retrieves a key from the store.
+    fn get(&self, key_id: Key) -> Option<&Key::KeyValue>;
+
+    #[allow(unused)]
+    /// Removes a key from the store.
+    fn remove(&mut self, key_id: Key);
+
+    /// Removes all keys from the store.
+    fn clear(&mut self);
+
+    /// Retains only the elements specified by the predicate.
+    /// In other words, remove all keys for which `f` returns false.
+    fn retain(&mut self, f: fn(Key) -> bool);
+}