simpler pin validation

mzieniukbw · mzieniukbw · commit 7a162ede377f · 2025-12-22T10:55:14.000+01:00
diff --git a/crates/bitwarden-core/src/auth/auth_client.rs b/crates/bitwarden-core/src/auth/auth_client.rs
@@ -162,14 +162,15 @@ impl AuthClient {
     }
 
     /// Validates a PIN against a PIN-protected user key envelope.
-    /// Returns `false` if the PIN fails to decrypt the envelope.
-    /// Requires the user key to be present in the client, otherwise returns
-    /// [`AuthValidateError::NotAuthenticated`].
+    ///
+    /// Returns `false` if validation fails for any reason:
+    /// - The PIN is incorrect
+    /// - The envelope is corrupted or malformed
     pub fn validate_pin_protected_user_key_envelope(
         &self,
         pin: String,
         pin_protected_user_key_envelope: PasswordProtectedKeyEnvelope,
-    ) -> Result<bool, AuthValidateError> {
+    ) -> bool {
         validate_pin_protected_user_key_envelope(&self.client, pin, pin_protected_user_key_envelope)
     }
 
diff --git a/crates/bitwarden-core/src/auth/pin.rs b/crates/bitwarden-core/src/auth/pin.rs
@@ -1,4 +1,5 @@
 use bitwarden_crypto::{EncString, PinKey, safe::PasswordProtectedKeyEnvelope};
+use tracing::info;
 
 use crate::{
     Client, NotAuthenticatedError,
@@ -42,28 +43,20 @@ pub(crate) fn validate_pin(
     }
 }
 
+/// Validates a PIN-protected user key envelope by attempting to unseal it with the provided PIN.
 pub(crate) fn validate_pin_protected_user_key_envelope(
     client: &Client,
     pin: String,
     pin_protected_user_key_envelope: PasswordProtectedKeyEnvelope,
-) -> Result<bool, AuthValidateError> {
+) -> bool {
     let key_store = client.internal.get_key_store();
     let mut ctx = key_store.context();
 
-    if let Ok(decrypted_key_id) = pin_protected_user_key_envelope.unseal(pin.as_str(), &mut ctx) {
-        #[allow(deprecated)]
-        let Ok(decrypted_user_key) = ctx.dangerous_get_symmetric_key(decrypted_key_id) else {
-            return Ok(false);
-        };
-
-        #[allow(deprecated)]
-        let user_key = ctx
-            .dangerous_get_symmetric_key(SymmetricKeyId::User)
-            .map_err(|_| NotAuthenticatedError)?;
-
-        Ok(*user_key == *decrypted_user_key)
+    if let Err(e) = pin_protected_user_key_envelope.unseal(pin.as_str(), &mut ctx) {
+        info!("Validating PIN-protected user key envelope failed: {e:?}");
+        false
     } else {
-        Ok(false)
+        true
     }
 }
 
@@ -136,7 +129,7 @@ mod tests {
     }
 
     #[test]
-    fn test_validate_pin_protected_user_key_envelope_valid() {
+    fn test_validate_pin_protected_user_key_envelope_valid_pin() {
         let pin = "1234";
         let client = init_client();
 
@@ -147,8 +140,7 @@ mod tests {
 
         // Validate with the correct PIN
         let result = validate_pin_protected_user_key_envelope(&client, pin.to_string(), envelope);
-        assert!(result.is_ok());
-        assert!(result.unwrap());
+        assert!(result);
     }
 
     #[test]
@@ -166,28 +158,31 @@ mod tests {
         // Validate with the wrong PIN
         let result =
             validate_pin_protected_user_key_envelope(&client, wrong_pin.to_string(), envelope);
-        assert!(result.is_ok());
-        assert!(!result.unwrap());
+        assert!(!result);
     }
 
     #[test]
-    fn test_validate_pin_protected_user_key_envelope_not_authenticated() {
+    fn test_validate_pin_protected_user_key_malformed_envelope() {
         let pin = "1234";
 
-        // Create an envelope from a properly initialized client
-        let initialized_client = init_client();
-        let key_store = initialized_client.internal.get_key_store();
+        let client = init_client();
+
+        // Create a PIN-protected envelope with the correct PIN
+        let key_store = client.internal.get_key_store();
         let ctx = key_store.context();
         let envelope = PasswordProtectedKeyEnvelope::seal(SymmetricKeyId::User, pin, &ctx).unwrap();
 
+        let mut envelope_bytes: Vec<u8> = (&envelope).into();
+        // Corrupt some bytes
+        envelope_bytes[50] ^= 0xFF;
+
+        let envelope: PasswordProtectedKeyEnvelope =
+            PasswordProtectedKeyEnvelope::try_from(&envelope_bytes).unwrap();
+
         let client = Client::new(None);
 
         // Validate should fail because no user key is present in this client
         let result = validate_pin_protected_user_key_envelope(&client, pin.to_string(), envelope);
-        assert!(result.is_err());
-        assert!(matches!(
-            result.unwrap_err(),
-            AuthValidateError::NotAuthenticated(_)
-        ));
+        assert!(!result);
     }
 }
diff --git a/crates/bitwarden-uniffi/src/auth/mod.rs b/crates/bitwarden-uniffi/src/auth/mod.rs
@@ -117,22 +117,22 @@ impl AuthClient {
         Ok(self.0.auth().validate_pin(pin, pin_protected_user_key)?)
     }
 
-    /// Validate the user PIN
+    /// Validates a PIN against a PIN-protected user key envelope.
     ///
-    /// To validate the user PIN, you need to have the user's `pin_protected_user_key_envelope`.
-    /// This key is obtained when enabling PIN unlock on the account with the `enroll_pin` method.
+    /// The `pin_protected_user_key_envelope` key is obtained when enabling PIN unlock on the
+    /// account with the [bitwarden_core::key_management::CryptoClient::enroll_pin] method.
     ///
-    /// This works by comparing the decrypted user key with the current user key, so the client must
-    /// be unlocked.
+    /// Returns `false` if validation fails for any reason:
+    /// - The PIN is incorrect
+    /// - The envelope is corrupted or malformed
     pub fn validate_pin_protected_user_key_envelope(
         &self,
         pin: String,
         pin_protected_user_key_envelope: PasswordProtectedKeyEnvelope,
-    ) -> Result<bool> {
-        Ok(self
-            .0
+    ) -> bool {
+        self.0
             .auth()
-            .validate_pin_protected_user_key_envelope(pin, pin_protected_user_key_envelope)?)
+            .validate_pin_protected_user_key_envelope(pin, pin_protected_user_key_envelope)
     }
 
     /// Initialize a new auth request
