From 58fe3b8b65d060e372a3aa9bf236860d61e3310e Mon Sep 17 00:00:00 2001 From: Isaiah Inuwa Date: Fri, 19 Dec 2025 12:29:33 -0600 Subject: [PATCH] Update passkey-rs and coset libraries --- Cargo.lock | 41 ++++++++----------- crates/bitwarden-crypto/Cargo.toml | 2 +- crates/bitwarden-crypto/src/cose.rs | 26 +++++++----- .../src/safe/data_envelope.rs | 26 +++++++----- .../safe/password_protected_key_envelope.rs | 10 +++-- crates/bitwarden-fido/Cargo.toml | 6 +-- 6 files changed, 57 insertions(+), 54 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e2eef8832..5256d981e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1448,7 +1448,7 @@ version = "4.5.40" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d2c7947ae4cc3d851207c1adb5b5e260ff0cca11446b1d6d1423788e442257ce" dependencies = [ - "heck 0.5.0", + "heck", "proc-macro2", "quote", "syn", @@ -1595,9 +1595,9 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" [[package]] name = "coset" -version = "0.3.8" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4c8cc80f631f8307b887faca24dcc3abc427cd0367f6eb6188f6e8f5b7ad8fb" +checksum = "2aeb90e56027edc2a7d7f71cbc500e742e2520bede7a3f8a3bfb1dac7aed623e" dependencies = [ "ciborium", "ciborium-io", @@ -2684,12 +2684,6 @@ dependencies = [ "hashbrown 0.15.4", ] -[[package]] -name = "heck" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" - [[package]] name = "heck" version = "0.5.0" 
@@ -3643,7 +3637,7 @@ dependencies = [ [[package]] name = "passkey" version = "0.5.0" -source = "git+https://github.com/bitwarden/passkey-rs?rev=357cc9672340f6ff1f22a0b210a74de64799fa73#357cc9672340f6ff1f22a0b210a74de64799fa73" +source = "git+https://github.com/bitwarden/passkey-rs?rev=043279e92e2eb5f509bf87eb7fa50987fd377e32#043279e92e2eb5f509bf87eb7fa50987fd377e32" dependencies = [ "passkey-authenticator", "passkey-client", @@ -3654,7 +3648,7 @@ dependencies = [ [[package]] name = "passkey-authenticator" version = "0.5.0" -source = "git+https://github.com/bitwarden/passkey-rs?rev=357cc9672340f6ff1f22a0b210a74de64799fa73#357cc9672340f6ff1f22a0b210a74de64799fa73" +source = "git+https://github.com/bitwarden/passkey-rs?rev=043279e92e2eb5f509bf87eb7fa50987fd377e32#043279e92e2eb5f509bf87eb7fa50987fd377e32" dependencies = [ "async-trait", "coset", @@ -3667,7 +3661,7 @@ dependencies = [ [[package]] name = "passkey-client" version = "0.5.0" -source = "git+https://github.com/bitwarden/passkey-rs?rev=357cc9672340f6ff1f22a0b210a74de64799fa73#357cc9672340f6ff1f22a0b210a74de64799fa73" +source = "git+https://github.com/bitwarden/passkey-rs?rev=043279e92e2eb5f509bf87eb7fa50987fd377e32#043279e92e2eb5f509bf87eb7fa50987fd377e32" dependencies = [ "ciborium", "coset", 
@@ -3685,12 +3679,12 @@ dependencies = [ [[package]] name = "passkey-transports" version = "0.1.0" -source = "git+https://github.com/bitwarden/passkey-rs?rev=357cc9672340f6ff1f22a0b210a74de64799fa73#357cc9672340f6ff1f22a0b210a74de64799fa73" +source = "git+https://github.com/bitwarden/passkey-rs?rev=043279e92e2eb5f509bf87eb7fa50987fd377e32#043279e92e2eb5f509bf87eb7fa50987fd377e32" [[package]] name = "passkey-types" version = "0.5.0" -source = "git+https://github.com/bitwarden/passkey-rs?rev=357cc9672340f6ff1f22a0b210a74de64799fa73#357cc9672340f6ff1f22a0b210a74de64799fa73" +source = "git+https://github.com/bitwarden/passkey-rs?rev=043279e92e2eb5f509bf87eb7fa50987fd377e32#043279e92e2eb5f509bf87eb7fa50987fd377e32" dependencies = [ "bitflags 2.9.1", "ciborium", @@ -4047,7 +4041,7 @@ dependencies = [ [[package]] name = "public-suffix" version = "0.1.3" -source = "git+https://github.com/bitwarden/passkey-rs?rev=357cc9672340f6ff1f22a0b210a74de64799fa73#357cc9672340f6ff1f22a0b210a74de64799fa73" +source = "git+https://github.com/bitwarden/passkey-rs?rev=043279e92e2eb5f509bf87eb7fa50987fd377e32#043279e92e2eb5f509bf87eb7fa50987fd377e32" [[package]] name = "quick-error" @@ -5174,23 +5168,22 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" [[package]] name = "strum" -version = "0.25.0" +version = "0.27.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125" +checksum = "af23d6f6c1a224baef9d3f61e287d2761385a5b88fdab4eb4c6f11aeb54c4bcf" dependencies = [ "strum_macros", ] [[package]] name = "strum_macros" -version = "0.25.3" +version = "0.27.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23dc1fa9ac9c169a78ba62f0b841814b7abae11bdd047b9c58f893439e309ea0" +checksum = "7695ce3845ea4b33927c055a39dc438a45b059f7c1b3d91d38d10355fb8cbca7" dependencies = [ - "heck 0.4.1", + "heck", "proc-macro2", "quote", - "rustversion", "syn", ] 
@@ -5901,7 +5894,7 @@ dependencies = [ "fs-err", "glob", "goblin", - "heck 0.5.0", + "heck", "indexmap 2.12.1", "once_cell", "serde", @@ -5981,7 +5974,7 @@ version = "0.29.4" source = "git+https://github.com/mozilla/uniffi-rs?rev=6d46b3f756dde3213357c477d86771a0fc5da7b4#6d46b3f756dde3213357c477d86771a0fc5da7b4" dependencies = [ "anyhow", - "heck 0.5.0", + "heck", "indexmap 2.12.1", "tempfile", "uniffi_internal_macros", @@ -6164,7 +6157,7 @@ version = "0.24.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ef06db404cbaed87cb25fd2ca3a62502af485f43383c9641ffcf1479d02fffd" dependencies = [ - "heck 0.5.0", + "heck", "proc-macro2", "quote", "syn", diff --git a/crates/bitwarden-crypto/Cargo.toml b/crates/bitwarden-crypto/Cargo.toml index aa235548d..42345fd82 100644 --- a/crates/bitwarden-crypto/Cargo.toml +++ b/crates/bitwarden-crypto/Cargo.toml @@ -37,7 +37,7 @@ bitwarden-uniffi-error = { workspace = true, optional = true } cbc = { version = ">=0.1.2, <0.2", features = ["alloc", "zeroize"] } chacha20poly1305 = { version = "0.10.1" } ciborium = { version = ">=0.2.2, <0.3" } -coset = { version = ">=0.3.8, <0.4" } +coset = { version = ">=0.3.8, <0.5" } ed25519-dalek = { workspace = true, features = ["rand_core"] } generic-array = { version = ">=0.14.7, <1.0", features = ["zeroize"] } hkdf = ">=0.12.3, <0.13" diff --git a/crates/bitwarden-crypto/src/cose.rs b/crates/bitwarden-crypto/src/cose.rs index 2fcc408c3..7d8107cce 100644 --- a/crates/bitwarden-crypto/src/cose.rs +++ b/crates/bitwarden-crypto/src/cose.rs 
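Review bot: The widened requirement `coset = { version = ">=0.3.8, <0.5" }` in `crates/bitwarden-crypto/Cargo.toml` still admits 0.3.x, yet this commit moves every coset decrypt call in the crate from `decrypt` to `decrypt_ciphertext`. If that method only exists from coset 0.4 (the lockfile bump to 0.4.0 in the same commit suggests so, but the page does not confirm it), any resolution that lands on 0.3.x would fail to compile. In that case the floor should be raised to match the code, e.g. `coset = { version = ">=0.4.0, <0.5" }`. `crates/bitwarden-fido/Cargo.toml` keeps a `>=0.3.7` floor under the same `<0.5` widening and deserves the same check against the pinned passkey-rs revision.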
@@ -110,17 +110,21 @@ pub(crate) fn decrypt_xchacha20_poly1305( return Err(CryptoError::WrongCoseKeyId); } - let decrypted_message = msg.decrypt(&[], |data, aad| { - let nonce = msg.unprotected.iv.as_slice(); - crate::xchacha20::decrypt_xchacha20_poly1305( - nonce - .try_into() - .map_err(|_| CryptoError::InvalidNonceLength)?, - &(*key.enc_key).into(), - data, - aad, - ) - })?; + let decrypted_message = msg.decrypt_ciphertext( + &[], + || CryptoError::MissingField("ciphertext"), + |data, aad| { + let nonce = msg.unprotected.iv.as_slice(); + crate::xchacha20::decrypt_xchacha20_poly1305( + nonce + .try_into() + .map_err(|_| CryptoError::InvalidNonceLength)?, + &(*key.enc_key).into(), + data, + aad, + ) + }, + )?; if should_pad_content(&content_format) { // Unpad the data to get the original plaintext diff --git a/crates/bitwarden-crypto/src/safe/data_envelope.rs b/crates/bitwarden-crypto/src/safe/data_envelope.rs index d2ef3f751..3720177c0 100644 --- a/crates/bitwarden-crypto/src/safe/data_envelope.rs +++ b/crates/bitwarden-crypto/src/safe/data_envelope.rs @@ -224,17 +224,21 @@ impl DataEnvelope { // Decrypt the message let decrypted_message = msg - .decrypt(&[], |data, aad| { - let nonce = msg.unprotected.iv.as_slice(); - crate::xchacha20::decrypt_xchacha20_poly1305( - nonce - .try_into() - .map_err(|_| CryptoError::InvalidNonceLength)?, - &(*cek.enc_key).into(), - data, - aad, - ) - }) + .decrypt_ciphertext( + &[], + || CryptoError::MissingField("ciphertext"), + |data, aad| { + let nonce = msg.unprotected.iv.as_slice(); + crate::xchacha20::decrypt_xchacha20_poly1305( + nonce + .try_into() + .map_err(|_| CryptoError::InvalidNonceLength)?, + &(*cek.enc_key).into(), + data, + aad, + ) + }, + ) .map_err(|_| DataEnvelopeError::DecryptionError)?; let unpadded_message = diff --git a/crates/bitwarden-crypto/src/safe/password_protected_key_envelope.rs b/crates/bitwarden-crypto/src/safe/password_protected_key_envelope.rs index 6568cd0cf..fcbe55f4e 100644 
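Review bot: The closure handed to `decrypt_ciphertext` in `decrypt_xchacha20_poly1305` is repeated almost token for token in the `DataEnvelope` hunk of `safe/data_envelope.rs`, differing only in the key (`key.enc_key` vs `cek.enc_key`). The bare `"ciphertext"` literal also appears at three call sites across this patch. A crate-private helper that takes the message and the key and performs the `msg.unprotected.iv` length conversion plus the `decrypt_ciphertext` call would keep the nonce-length check and the `CryptoError::MissingField("ciphertext")` path identical everywhere; this assumes both `msg` values have the same coset type, which the hunks do not show. A short comment such as `// Detached or nil ciphertext is rejected here rather than treated as empty input` at the call would document the new failure mode. Both enclosing functions start and end outside their hunks.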
--- a/crates/bitwarden-crypto/src/safe/password_protected_key_envelope.rs +++ b/crates/bitwarden-crypto/src/safe/password_protected_key_envelope.rs @@ -26,7 +26,7 @@ use thiserror::Error; use wasm_bindgen::convert::FromWasmAbi; use crate::{ - BitwardenLegacyKeyBytes, ContentFormat, CoseKeyBytes, EncodedSymmetricKey, KeyIds, + BitwardenLegacyKeyBytes, ContentFormat, CoseKeyBytes, CryptoError, EncodedSymmetricKey, KeyIds, KeyStoreContext, SymmetricCryptoKey, cose::{ ALG_ARGON2ID13, ARGON2_ITERATIONS, ARGON2_MEMORY, ARGON2_PARALLELISM, ARGON2_SALT, @@ -185,9 +185,11 @@ impl PasswordProtectedKeyEnvelope { let key_bytes = self .cose_encrypt - .decrypt(&[], |data, aad| { - xchacha20::decrypt_xchacha20_poly1305(&nonce, &envelope_key, data, aad) - }) + .decrypt_ciphertext( + &[], + || CryptoError::MissingField("ciphertext"), + |data, aad| xchacha20::decrypt_xchacha20_poly1305(&nonce, &envelope_key, data, aad), + ) // If decryption fails, the envelope-key is incorrect and thus the password is incorrect // since the KDF parameters & salt are guaranteed to be correct .map_err(|_| PasswordProtectedKeyEnvelopeError::WrongPassword)?; diff --git a/crates/bitwarden-fido/Cargo.toml b/crates/bitwarden-fido/Cargo.toml index a08abb3cf..d3542c625 100644 --- a/crates/bitwarden-fido/Cargo.toml +++ b/crates/bitwarden-fido/Cargo.toml 
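Review bot: The trailing `.map_err(|_| PasswordProtectedKeyEnvelopeError::WrongPassword)` now also swallows the new `CryptoError::MissingField("ciphertext")`, so an envelope with no ciphertext is reported as a wrong password. The comment above it ("If decryption fails, the envelope-key is incorrect and thus the password is incorrect") no longer covers every error that reaches this `map_err`. Unless parsing already guarantees the ciphertext is present (not visible here), match on the error instead of using `|_|` and map `MissingField` to whatever malformed-envelope variant the error enum provides. At minimum, amend the comment to something like `// NOTE: a missing ciphertext is also surfaced as WrongPassword here`. Keeping the two cases apart lets callers and logs tell a corrupted or tampered envelope from a mistyped password. The enclosing method starts and ends outside the hunk.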
@@ -24,11 +24,11 @@ bitwarden-crypto = { workspace = true } bitwarden-encoding = { workspace = true } bitwarden-vault = { workspace = true } chrono = { workspace = true } -coset = ">=0.3.7, <0.4" +coset = ">=0.3.7, <0.5" itertools = ">=0.13.0, <0.15" p256 = ">=0.13.2, <0.14" -passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "357cc9672340f6ff1f22a0b210a74de64799fa73" } -passkey-client = { git = "https://github.com/bitwarden/passkey-rs", rev = "357cc9672340f6ff1f22a0b210a74de64799fa73", features = [ +passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "043279e92e2eb5f509bf87eb7fa50987fd377e32" } +passkey-client = { git = "https://github.com/bitwarden/passkey-rs", rev = "043279e92e2eb5f509bf87eb7fa50987fd377e32", features = [ "android-asset-validation", ] } reqwest = { workspace = true }